I recently installed Snort 2.9.8.3 on Ubuntu 16.04 LTS. I used the directions on the sublimerobots.com web page, which worked well aside from a couple issues described below.

Note: I had originally planned to install it on a Raspberry Pi but nothing works natively for the ARM architecture, especially Snort’s Shared Object libraries, which need to be compiled differently for ARM.

Note: This article is outdated now. I published a new one for the latest versions of Snort (2.9.8.3) and Ubuntu (16.04). You can also probably visit sublimerobots.com for the most up-to-date information on this process.

I’ve been playing with Snort a lot lately. I installed it on my home network using a switch that does port mirroring. I also created a Snort virtual machine that I can use with a laptop and a network tap to diagnose other people’s problems. I picked up a SharkTap Gigabit Network Tap for that. It’s really just a hub though, and I had to make sure I wasn’t sending any traffic back into a tapped network with it.

First I’ll explain how I installed Snort at home.

I had to investigate this Snort alert (3:31738):

PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected

DGA here means “domain generation algorithm” – malware will often find its command and control servers using dynamically-generated domain names. It makes it harder for an infected victim to sinkhole the domains, and a malware author can spin up new ones according to the algorithm as necessary.

The DNS requests causing the alerts looked innocuous to me. It turns out that Chrome purposely issues invalid DNS requests every time it starts in order to root out malicious DNS servers. Discussed here:

https://isc.sans.edu/forums/diary/10312

These invalid requests occur independently of Chrome’s prefetching behavior. This is a good Snort rule but it might be incompatible with Chrome.

I recently started using CloudWatch, Amazon’s host monitoring service. It has a number of features but I just wanted a way to view all my logs in one place. Configuring hosts to use CloudWatch was easy, and I described the process in an article on setting up Anonymous FTP.

I’m using a desktop that I got from System76 with an NVIDIA graphics card. Installing the NVIDIA drivers on Ubuntu wasn’t simple, so here are the steps that I’ve gotten to work across multiple installations.

I wanted to create an FTP server to share some of the media that I’ve saved over the years. I like the old protocols and services and I plan to stand up more of them. Because each service has its own inherent security issues, the deployment process becomes an exercise in mitigating the risks. Check it out at ftp.disloops.com

This site is being hosted in Amazon Web Services (AWS). It relies on a number of cloud services, including RDS, S3, and CloudFront. The following are some of the steps that were required to set it up.

I’m still using Ubuntu as my preferred Linux distro on personal machines. These are some of the settings that I configure each time I have to install it. Starting from the beginning: