
Snort 2.9.8.0 on Ubuntu 14.04 and VirtualBox

Note: This article is outdated now. I published a new one for the latest versions of Snort (2.9.8.3) and Ubuntu (16.04). You can also probably visit sublimerobots.com for the most up-to-date information on this process.

I've been playing with Snort a lot lately. I installed it on my home network using a switch that does port mirroring. I also created a Snort virtual machine that I can use with a laptop and a network tap to diagnose other people's problems. I picked up a SharkTap Gigabit Network Tap for that. It's really just a hub though, and I had to make sure I wasn't sending any traffic back into a tapped network with it.

First I'll explain how I installed Snort at home.

Snort on Ubuntu

I used a guide on Snort's website for installation on Ubuntu 14.04 LTS. I had some issues with it, which I will describe below. Note: The author's website makes some of these corrections and may have the most recent information.

On page 2, the guide instructs users to turn off GRO and LRO. However, the commands listed will not create settings that will survive a reboot. Adding the commands to the /etc/rc.local file will ensure that they are executed every time the machine starts. Make sure to add them above the exit 0 line:

ethtool -K eth0 gro off
ethtool -K eth0 lro off

On page 4, there are newer versions of both DAQ and Snort that can be downloaded. As of writing this they are:

wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

On page 6, users are instructed to set the EXTERNAL_NET variable to !$HOME_NET in the /etc/snort/snort.conf config file. Updated guidance says that this can cause Snort to miss alerts, so EXTERNAL_NET should remain set to any.

The next section is on installing Barnyard2, which processes the packets that Snort collects and saves them in a database. Downloading and using Barnyard2 from the master branch link, as the guide instructs, will eventually result in an error. The cause is discussed in detail here and the solution is to directly download a more recent version:

wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz

The next section is about setting up PulledPork, which downloads the latest Snort rules automatically. The link in the guide is outdated – the Google Code project for PulledPork is no longer updated. The correct link is here on GitHub:

wget https://github.com/shirkdog/pulledpork/archive/master.zip

There are a couple of changes to the settings that the guide recommends for the /etc/snort/pulledpork.conf file:

Line 96: change to: sid_msg_version=2
Line 133: change to: distro=Ubuntu-12-04

At the end of this section, the guide sets up a cronjob that runs PulledPork each night. However, without restarting Snort after downloading new rules, the /var/log/syslog file will fill up with errors such as:

Dynamic Rule [3:16533] was not initialized properly.

The solution is to restart Snort each time PulledPork downloads new rules. Use the following cronjob in place of what the guide recommends:

01 04 * * * /usr/sbin/service snort stop && /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l && /usr/sbin/service snort start
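The cronjob above chains the three steps with &&, which has one side effect worth knowing about: if PulledPork fails (network down, expired Oinkcode, a bad download), the chain stops before the final command and Snort stays stopped until someone notices. The following script is an added example written for this page, not the author's or the guide's code. It performs the same stop / pull / start sequence but always starts Snort again, parse-tests the configuration with the fresh rules (snort -T) before doing so, and restores the previous rules file if the new ones do not load. The paths (snort under /usr/local/bin, PulledPork's merged output in /etc/snort/rules/snort.rules, the log file) follow the guide's layout and are assumptions; all of them can be overridden through the environment.

```shell
#!/bin/sh
# Nightly rule update for Snort + PulledPork (added example, not from the original post).
# Paths follow the guide's layout and are assumptions; every one can be overridden
# through the environment, which is also how a test can substitute mock commands.
SERVICE="${SERVICE:-/usr/sbin/service}"
PULLEDPORK="${PULLEDPORK:-/usr/local/bin/pulledpork.pl}"
PULLEDPORK_CONF="${PULLEDPORK_CONF:-/etc/snort/pulledpork.conf}"
SNORT="${SNORT:-/usr/local/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_IFACE="${SNORT_IFACE:-eth0}"
RULES_FILE="${RULES_FILE:-/etc/snort/rules/snort.rules}"   # assumed PulledPork output file
LOGFILE="${LOGFILE:-/var/log/snort/rule-update.log}"        # assumed log location

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGFILE"; }

# Stop Snort, pull rules, parse-test the new configuration, start Snort.
# Unlike "stop && pulledpork && start", Snort is started again on every path,
# so a failed download never leaves the sensor down until someone notices.
# Return value: 0 = updated and restarted cleanly, 1 = PulledPork failed,
# 2 = new rules rejected by snort -T (previous rules restored), 3 = Snort did not start.
update_rules() {
    update_status=0
    [ -f "$RULES_FILE" ] && cp "$RULES_FILE" "$RULES_FILE.bak"

    "$SERVICE" snort stop || log "warning: snort stop failed"

    if "$PULLEDPORK" -c "$PULLEDPORK_CONF" -l; then
        log "pulledpork: rules updated"
    else
        log "pulledpork failed; keeping the existing rules"
        update_status=1
    fi

    # snort -T loads the config and every rule file and exits; a broken rule
    # shows up here instead of as a failed start at 04:01.
    if "$SNORT" -T -c "$SNORT_CONF" -i "$SNORT_IFACE" > /dev/null 2>&1; then
        log "snort -T: configuration loads"
    else
        log "snort -T failed; restoring previous rules"
        [ -f "$RULES_FILE.bak" ] && cp "$RULES_FILE.bak" "$RULES_FILE"
        update_status=2
    fi

    if "$SERVICE" snort start; then
        log "snort started"
    else
        log "snort start FAILED: sensor is down"
        update_status=3
    fi
    return "$update_status"
}

# Invoked from cron with --run, e.g.:
#   01 04 * * * /usr/local/bin/update-snort-rules.sh --run
if [ "${1:-}" = "--run" ]; then
    update_rules
    exit $?
fi
```

The exit status is left nonzero on any failure so that cron's mail (or whatever collects cron output) distinguishes "rules updated" from "Snort is running on yesterday's rules" and from "Snort is not running at all"; the log file records which of the three happened.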

The next section is on setting up services that will run Snort and Barnyard2 on startup. The guide recommends creating a couple of config files in /etc/init and making them executable. I found that instead of making these files executable, it's actually necessary to create symlinks in the /etc/init.d folder to get the services to run. Create them as follows:

sudo chmod 644 /etc/init/snort.conf
sudo chmod 644 /etc/init/barnyard2.conf
sudo ln -s /etc/init/snort.conf /etc/init.d/snort
sudo ln -s /etc/init/barnyard2.conf /etc/init.d/barnyard2

I didn't have any issues with the last section on installing BASE, the web front-end for Snort alerts.

At some point it was necessary to follow the steps to delete and re-create the Snort database in Appendix B. This is sometimes necessary immediately after installing Barnyard2. The instructions in Appendix B are good, but one final command is missing; it makes the /var/log/snort/barnyard2.waldo file accessible again:

sudo chown snort:snort /var/log/snort/barnyard2.waldo

The last thing I did was to edit /etc/rc.local again to make sure that eth0 is started in promiscuous mode by default:

ip link set eth0 promisc on
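Both of the /etc/rc.local edits in this post (the ethtool GRO/LRO lines earlier and the promiscuous-mode line just above) have to land above the file's exit 0 line, and it is easy to end up with duplicates after a second pass through the guide. The script below is an added example, not the post's or the guide's code: it inserts a given command line before the first exit 0 exactly once, appends one if the file has none, and writes through the existing file so rc.local keeps its mode and owner. The RC_LOCAL variable is an assumption added so the function can be tried on a copy first; the three command lines at the bottom are the ones from this post.

```shell
#!/bin/sh
# Persist interface settings in /etc/rc.local (added example, not from the original post).
# Adds each command above the file's "exit 0", once, so rerunning is harmless.
# RC_LOCAL is overridable so the function can be tried on a copy first.
RC_LOCAL="${RC_LOCAL:-/etc/rc.local}"

# add_to_rc_local "<command line>": returns 0 if the line is present afterwards.
add_to_rc_local() {
    line="$1"
    # -x whole line, -F literal: "ethtool -K eth0 gro off" must not match "... lro off"
    if grep -qxF -- "$line" "$RC_LOCAL"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v line="$line" '
        # print the new command just before the first "exit 0" line
        /^[[:space:]]*exit 0[[:space:]]*$/ && !done { print line; done = 1 }
        { print }
        # a file with no "exit 0" at all gets the command and a trailing exit 0
        END { if (!done) { print line; print "exit 0" } }
    ' "$RC_LOCAL" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write through the existing inode: rc.local must keep its executable mode and owner
    cat "$tmp" > "$RC_LOCAL"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The three lines from the post; run with --apply (as root) to write them into /etc/rc.local.
if [ "${1:-}" = "--apply" ]; then
    add_to_rc_local "ethtool -K eth0 gro off"
    add_to_rc_local "ethtool -K eth0 lro off"
    add_to_rc_local "ip link set eth0 promisc on"
fi
```

After the next reboot, ethtool -k eth0 should list generic-receive-offload and large-receive-offload as off, and ip link show eth0 should include PROMISC in the interface flags; if either is missing, rc.local did not run (check that it is still executable) or a later network hook reset the interface.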

This was everything required to monitor my home network from a physical machine running Snort.

Snort on VirtualBox

The steps on VirtualBox were basically the same. I made the edits to /etc/rc.local on both the host and guest machine to enable promiscuous mode and turn off LRO and GRO.

I wanted to use the Snort virtual machine from a laptop to passively monitor traffic on other networks. It was important to make sure that I wasn't sending any traffic back to the network interface. On the host and guest machines, I edited the default connection in Network Manager to prevent them from connecting automatically. Still, just plugging in an ethernet cable generated some IPv6 traffic. I disabled that by adding the following line to the host and guest /etc/sysctl.conf files:

net.ipv6.conf.eth0.disable_ipv6 = 1

From the VirtualBox network settings, I used a bridged network adapter and set promiscuous mode to "Allow All". Now just plugging the laptop into a network will show passive Snort alerts on the virtual machine.

Ubuntu guest machines on VirtualBox require a couple of general changes to work correctly. I had to run the following for the shared clipboard to work:

sudo apt-get install virtualbox-guest-dkms

And I had to do the following to increase the resolution:

sudo apt-get remove libcheese-gtk23
sudo apt-get install xserver-xorg-core
sudo apt-get install -f virtualbox-guest-x11

Afterward I got the following error:

VBoxClient:Failed to connect to the VirtualBox kernel service, rc=VERR_ACCESS_DENIED

I was able to fix this by going to "Devices" from the menu, selecting "Insert Guest Additions CD image..." and allowing it to run, then restarting.

Conclusion

You can likely visit sublimerobots.com for the most up-to-date information on installing and configuring Snort. Leave a comment if you have any feedback about the steps I took to get up and running.

4 thoughts on “Snort 2.9.8.0 on Ubuntu 14.04 and VirtualBox”

  1. Atif Rasheed

    In your virtualbox setup, did you install SNORT on the same server where you have your webapp and database, or is it a separate instance silently listening to the traffic or sniffing traffic inline?

    Reply
    1. matt

      Hi Atif – I did install everything on the same virtual server. Using VMs creates an opportunity to separate the IDS sensor node from the management server but I wanted to do the absolutely easiest thing. You might want to check out Security Onion – from what I recall, it simplifies the process of creating individual IDS nodes that feed data into a management server.

      Reply
  2. Andreas

    Hello,

    After following your steps, I am still getting the same error:

    "VBoxClient: Failed to connect to the Virtual Box kernel service rc=VERR_ACESS_DENIED".

    Also, the seamless mode does not seem to work correctly and I get scrambled images every now and then. I use Ubuntu 16.04 in the Virtual Box on Win 10 host. Thank you for the help.

    Best,
    Andreas

    Reply
    1. matt

      Hey Andreas – I used Ubuntu 14.04 for both the host and guest which is different than your setup. Still, every result on Google suggests using the "Guest Additions CD" to resolve this error in most cases. Sounds stupid but doing the steps twice is what worked for some people. See here: http://askubuntu.com/a/645759

      Reply
