
Snort 2.9.8.3 on Ubuntu 16.04

I recently installed Snort 2.9.8.3 on Ubuntu 16.04 LTS. I used the directions on the sublimerobots.com web page, which worked well aside from a couple of issues described below.

Note: I had originally planned to install it on a Raspberry Pi but nothing works natively for the ARM architecture, especially Snort's Shared Object libraries, which need to be compiled differently for ARM.

Changes to Ubuntu

Newer versions of Ubuntu require some changes that aren't covered in the PDF guide on the Snort website. The web-based instructions cited above have more details.

For example, network interfaces no longer have names like eth0 on Ubuntu 16.04. This wasn't captured in the PDF guide but it was covered in the web-based instructions cited above. I also found this guide to be reliable. My default network interface is called ens2 now and it had to be changed throughout the directions.

Also – I added a line to /etc/rc.local to make sure the interface was started in promiscuous mode by default:

ip link set ens2 promisc on

Newer Software Versions

A few of the wget links in the instructions pointed to old versions of software (sometimes intentionally). However, I tried to use the latest versions of everything wherever possible, beginning with Snort:

wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz

I also got the latest version of Barnyard2, which was "Build 337" at the time of installation:

wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-2-1.14-337.tar.gz

Lastly I grabbed the latest "Build 219" for PulledPork:

wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-0.7.2-219.tar.gz

Obviously every other reference in the instructions has to be changed to match your versions. The web instructions have conflicting version numbers throughout, so this needs to be done in any case.

Other Issues

The Barnyard2 daemon took forever to load completely on my system, sometimes up to three hours. This gave the appearance of an error when I was testing. So watch syslog for the daemon's full output before testing to see if it works.

In the section on PulledPork, a cronjob is created that updates the Snort rules each night. However, without restarting Snort after downloading new rules, syslog will fill up with errors such as:

Dynamic Rule [3:16533] was not initialized properly.

The solution is to restart Snort each time PulledPork downloads new rules. Use the following cronjob in place of what the guide recommends:

01 04 * * * /usr/sbin/service snort stop && /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l && /usr/sbin/service snort start

Also make sure to un-comment the disabledids.conf line in pulledpork.conf if you're going to use it for tuning the IDS.
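The cron line above stops Snort for the whole download and restarts it even when nothing changed. The script below is an added example (not from the original post) that keeps Snort running while PulledPork fetches, restarts it only when the rule file actually changed, and first validates the new rules with Snort's test mode (-T) so a bad download cannot leave the IDS down. It uses the paths and interface name from the post; the rules file name and the wrapper's own path in the cron line are assumptions. Install it and replace the cron entry with `01 04 * * * /usr/local/bin/pulledpork-wrap.sh run`.

```shell
#!/bin/sh
# Added example, not the post's own cron job: download rules with PulledPork,
# then restart Snort only if the rule set changed and passes snort -T.
# RULES_FILE is an assumption (PulledPork's usual single output file).
set -u
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
PP_CONF="${PP_CONF:-/etc/snort/pulledpork.conf}"
RULES_FILE="${RULES_FILE:-/etc/snort/rules/snort.rules}"
IFACE="${IFACE:-ens2}"

# SHA-256 of a file, or the word "missing" if it is not there yet (first run).
file_digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# True (exit 0) when the digests taken before and after the download differ.
rules_changed() {
    [ "$1" != "$2" ]
}

# Snort keeps running during the download; it only reads rules at startup.
update_rules() {
    before=$(file_digest "$RULES_FILE")
    if ! /usr/local/bin/pulledpork.pl -c "$PP_CONF" -l; then
        logger -t pulledpork-wrap "pulledpork failed; Snort left running"
        return 1
    fi
    after=$(file_digest "$RULES_FILE")
    if ! rules_changed "$before" "$after"; then
        logger -t pulledpork-wrap "rules unchanged; no restart needed"
        return 0
    fi
    # Test mode parses snort.conf and every rule file without capturing traffic.
    if snort -T -q -c "$SNORT_CONF" -i "$IFACE"; then
        /usr/sbin/service snort restart
        logger -t pulledpork-wrap "rules changed and validated; Snort restarted"
        return 0
    fi
    logger -t pulledpork-wrap "new rules failed snort -T; Snort NOT restarted"
    return 2
}

if [ "${1:-}" = "run" ]; then
    update_rules
fi
```

Because the restart is skipped on a failed `snort -T`, the syslog line it writes is the thing to alert on; the old rules stay loaded until someone looks.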

Installing Snorby

The most difficult part about this installation was adding the interface. I tried to install BASE but nothing works now that PHP 7.0 came out. Rather than install an old version of PHP from a third-party repository, I backtracked and installed Snorby according to the directions. This also required some fixing, and will likely change again by the time you read this.

I installed Ruby from apt rather than building it from source. I had to install the ruby-dev package, and I installed the latest version of rake despite what the guide recommends. Similarly, I used the latest version of Snorby:

wget https://github.com/Snorby/snorby/archive/master.tar.gz -O snorby-2.6.3.tar.gz

The first error I encountered is covered in this issue. When running the following command:

sudo bundle exec rake snorby:setup

I got an error message that says:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

I had to manually edit the /var/www/html/snorby/Gemfile.lock file as follows:

- do_mysql (~> 0.10.6)
+ do_mysql (~> 0.10.17)
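Review bot: The constraint change from `~> 0.10.6` to `~> 0.10.17` is not what pulls in the newer gem: the pessimistic operator `~> 0.10.6` already allows any 0.10.x at or above 0.10.6, so 0.10.17 satisfied the original constraint. Tightening it only excludes 0.10.6 through 0.10.16, which is harmless here, but readers should not take this line for the actual fix.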

- do_mysql (0.10.16)
+ do_mysql (0.10.17)
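Review bot: This pin (`do_mysql (0.10.16)` to `do_mysql (0.10.17)`) is the line that changes what gets installed. Editing Gemfile.lock by hand leaves the lockfile out of step with what Bundler resolved; the tool-driven equivalent is `bundle update do_mysql`, which rewrites both the dependency line and the pin consistently and would be the safer instruction to give readers.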

Note that the guide says to use 'PASSWORD123' for the snorby user's password in the database. You can use whatever password you want though.

When creating a daemon for the Snorby worker process, the guide lists a few lines of text that must be pasted into the following file:

sudo vi /lib/systemd/system/snorby_worker.service

One of the paths in this block of text was wrong, which prevented my Snorby worker from starting correctly. The line was originally:

ExecStart=/usr/local/bin/ruby script/delayed_job start

...but on my system it was necessary to change it to:

ExecStart=/usr/bin/ruby script/delayed_job start

Conclusion

Snorby continues to exhibit some issues with counting my alerts on its dashboard, but I think it's preferable to installing old versions of everything for BASE. The current state of free Snort GUIs is somewhat lacking.

Still, Snort is up and running again in its latest version. I will try to respond to any questions you have or issues you encounter trying to accomplish the same!
