I recently installed Snort 220.127.116.11 on Ubuntu 16.04 LTS, following the directions on the sublimerobots.com web page, which worked well aside from a couple of issues described below.
Note: I had originally planned to install it on a Raspberry Pi, but nothing works natively on the ARM architecture. In particular, Snort's Shared Object rules ship as precompiled binaries for x86 platforms and would have to be built differently for ARM.
Changes to Ubuntu
Newer versions of Ubuntu require some changes that aren't covered in the PDF guide on the Snort website. The web-based instructions cited above have more details.
For example, network interfaces no longer have names like eth0 on Ubuntu 16.04. This wasn't captured in the PDF guide, but it was covered in the web-based instructions cited above. I also found this guide to be reliable. My default network interface is now called ens2, and it had to be changed throughout the directions.
Also, I added a line to /etc/rc.local to make sure the interface is put into promiscuous mode at boot, since Snort otherwise only sees traffic addressed to the sensor itself:
ip link set ens2 promisc on
Newer Software Versions
A few of the wget links in the instructions pointed to old versions of software (sometimes intentionally). However, I tried to use the latest versions of everything wherever possible, beginning with Snort:
I also got the latest version of Barnyard2, which was "Build 337" at the time of installation:
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-2-1.14-337.tar.gz
Lastly I grabbed the latest "Build 219" for PulledPork:
wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-0.7.2-219.tar.gz
Obviously every other reference in the instructions (file names, directories, version strings) has to be changed to match your versions. The web instructions have conflicting version numbers throughout, so this needs to be done in any case.
The Barnyard2 daemon took a very long time to load completely on my system, sometimes up to three hours, which made it look as if it had failed when I was testing. So watch syslog for the daemon's full output before testing to see if it works.
In the section on PulledPork, a cronjob is created that updates the Snort rules each night. However, without restarting Snort after downloading new rules, syslog will fill up with errors such as:
Dynamic Rule [3:16533] was not initialized properly.
The solution is to restart Snort each time PulledPork downloads new rules. Use the following cronjob in place of what the guide recommends:
01 04 * * * /usr/sbin/service snort stop && /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l && /usr/sbin/service snort start
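One thing to watch with that one-liner: because the three commands are chained with &&, a PulledPork failure (rule server unreachable, bad oinkcode, full disk) leaves Snort stopped until someone notices. The script below is an added example, not part of the original post or of the guide it follows. It keeps Snort running while the rules are fetched, validates the new rule set with `snort -T` (Snort's config-test mode, which parses the configuration and every rule file and exits non-zero on error), and restarts only if that check passes. The binary and config paths are the ones the post's cronjob uses; the interface name ens2 and the script's own path under /usr/local/sbin are assumptions.

```shell
#!/bin/sh
# update-snort-rules.sh: added example, not from the original post or the guide it follows.
# Fetch rules with PulledPork, validate them with `snort -T`, and only then restart Snort,
# so a failed download or a broken rule set never leaves the sensor stopped.
# Paths match the post's cronjob; the interface name and this script's location are assumptions.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-ens2}
PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
PP_CONF=${PP_CONF:-/etc/snort/pulledpork.conf}
SERVICE=${SERVICE:-/usr/sbin/service}

log() { echo "update-snort-rules: $*" >&2; }

# Returns 0 if Snort was restarted on the new rules, 1 if PulledPork failed,
# 2 if the new rule set failed validation. Snort is left running in cases 1 and 2.
update_rules() {
    # 1. Download while Snort is still running: no outage window during the fetch.
    #    -l makes PulledPork log to syslog, as in the post's cronjob.
    if ! "$PULLEDPORK" -c "$PP_CONF" -l; then
        log "pulledpork failed; Snort keeps running on the old rule set"
        return 1
    fi
    # 2. -T parses the config and every rule file and exits non-zero on any error,
    #    which is the same check the daemon would otherwise fail at startup.
    if ! "$SNORT_BIN" -T -q -c "$SNORT_CONF" -i "$IFACE"; then
        log "new rules failed 'snort -T'; not restarting"
        return 2
    fi
    # 3. Only now restart, so the daemon re-initialises the dynamic rules.
    "$SERVICE" snort restart
}

# Assumed cron entry for this script (replaces the stop && pulledpork && start one-liner):
#   01 04 * * * /usr/local/sbin/update-snort-rules.sh run
case "${1:-}" in
    run) update_rules ;;
esac
```

If validation fails, the rule files on disk are already the new, broken ones; the running Snort is unaffected because it only reads rules at startup, but the next reboot or unrelated restart would hit them, so treat a "not restarting" message in syslog as something to fix before then.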
Also make sure to un-comment the disabledids.conf line in pulledpork.conf if you're going to use it for tuning the IDS.
The most difficult part of this installation was adding the web front end. I tried to install BASE, but it no longer works now that PHP 7.0 is out. Rather than install an old version of PHP from a third-party repository, I backtracked and installed Snorby according to the directions. This also required some fixing, and will likely have changed again by the time you read this.
I installed Ruby from apt rather than building it from source. I had to install the ruby-dev package, and I installed the latest version of rake despite what the guide recommends. Similarly, I used the latest version of Snorby:
wget https://github.com/Snorby/snorby/archive/master.tar.gz -O snorby-2.6.3.tar.gz
The first error I encountered is covered in this issue. When running the following command:
sudo bundle exec rake snorby:setup
I got an error message that says:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
I had to manually edit the /var/www/html/snorby/Gemfile.lock file as follows:
- do_mysql (~> 0.10.6) + do_mysql (~> 0.10.17) - do_mysql (0.10.16) + do_mysql (0.10.17)
Note that the guide says to use 'PASSWORD123' for the snorby user's password in the database. You can use whatever password you want, though.
When creating a daemon for the Snorby worker process, the guide lists a few lines of text that must be pasted into the following file:
sudo vi /lib/systemd/system/snorby_worker.service
One of the paths in this block of text was wrong, which prevented my Snorby worker from starting correctly. The line was originally:
ExecStart=/usr/local/bin/ruby script/delayed_job start
...but on my system it was necessary to change it to the following, since Ruby installed from apt lives in /usr/bin rather than /usr/local/bin:
ExecStart=/usr/bin/ruby script/delayed_job start
Snorby continues to exhibit some issues with counting my alerts on its dashboard, but I think it's preferable to installing old versions of everything for BASE. The current state of free Snort GUIs is somewhat lacking.
Still, Snort is up and running again in its latest version. I will try to respond to any questions you have or issues you encounter trying to accomplish the same!