disloops

For the longest time I've gotten the following error from Snort's barnyard2 spooler process:

barnyard2: Could not remove pid file /var/run//barnyard2_NULL.pid: Permission denied

On Ubuntu 16.04, the barnyard2 process is created in this systemd unit file:

/lib/systemd/system/barnyard2.service

This process creates the pid file in the /var/run directory before it drops privileges to the user given by the '-u' option. When exiting, the now-unprivileged process attempts to delete a pid file that was created with elevated privileges, which fails.

To fix this, I modified the process's systemd file:

...continue reading "Fixing the Barnyard2 PID File Problem"

I recently installed Snort 2.9.8.3 on Ubuntu 16.04 LTS. I used the directions on the sublimerobots.com web page, which worked well aside from a couple issues described below.

Note: I had originally planned to install it on a Raspberry Pi but nothing works natively for the ARM architecture, especially Snort's Shared Object libraries, which need to be compiled differently for ARM.

Changes to Ubuntu

Newer versions of Ubuntu require some changes that aren't covered in the PDF guide on the Snort website. The web-based instructions cited above have more details.

For example, network interfaces no longer have names like eth0 on Ubuntu 16.04. This wasn't captured in the PDF guide but it was covered in the web-based instructions cited above. I also found this guide to be reliable. My default network interface is called ens2 now and it had to be changed throughout the directions.

...continue reading "Snort 2.9.8.3 on Ubuntu 16.04"


Note: This article is outdated now. I published a new one for the latest versions of Snort (2.9.8.3) and Ubuntu (16.04). You can also probably visit sublimerobots.com for the most up-to-date information on this process.

I've been playing with Snort a lot lately. I installed it on my home network using a switch that does port mirroring. I also created a Snort virtual machine that I can use with a laptop and a network tap to diagnose other people's problems. I picked up a SharkTap Gigabit Network Tap for that. It's really just a hub though, and I had to make sure I wasn't sending any traffic back into a tapped network with it.

First I'll explain how I installed Snort at home.

Snort on Ubuntu

I used a guide on Snort's website for installation on Ubuntu 14.04 LTS. I had some issues with it, which I will describe below. Note: The author's website makes some of these corrections and may have the most recent information.

...continue reading "Snort 2.9.8.0 on Ubuntu 14.04 and VirtualBox"

I had to investigate this Snort alert (3:31738):

PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected

DGA here means "domain generation algorithm" – malware will often find its command and control servers using dynamically-generated domain names. It makes it harder for an infected victim to sinkhole the domains, and a malware author can spin up new ones according to the algorithm as necessary.

The DNS requests causing the alerts looked innocuous to me. It turns out that Chrome purposely issues invalid DNS requests every time it starts in order to root out malicious DNS servers. Discussed here:

https://isc.sans.edu/forums/diary/10312

These invalid requests occur independently of Chrome's prefetching behavior. This is a good Snort rule but it might be incompatible with Chrome.
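As an added illustration of how a defender could triage this alert class (this is example code written for this page, not the Snort rule itself and not code from the original post), the script below runs over a few constructed DNS log lines: it scores each label with a simple entropy and vowel-ratio heuristic to decide whether it "looks random", then separates Chrome-style startup probes (assumed here to be a burst of three single-label, letters-only names of 7 to 15 characters from one client within a few seconds) from NXDOMAIN responses that remain DGA candidates. The log format, the thresholds and the probe shape are assumptions chosen for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post), in a simplified
# "timestamp client qname rcode" format that a DNS server or sensor might emit.
SAMPLE_LOG = """\
2016-08-01T09:00:01 10.0.0.5 www.example.com NOERROR
2016-08-01T09:00:02 10.0.0.5 qzkxwvtrlp NXDOMAIN
2016-08-01T09:00:02 10.0.0.5 hbfmdqvx NXDOMAIN
2016-08-01T09:00:02 10.0.0.5 tpwgnclrzya NXDOMAIN
2016-08-01T09:05:10 10.0.0.7 mail.example.com NOERROR
2016-08-01T09:05:11 10.0.0.7 xk3q9vd72hf.biz NXDOMAIN
2016-08-01T09:05:41 10.0.0.7 p0w8zt4mlq.info NXDOMAIN
2016-08-01T09:06:12 10.0.0.7 j7n1rdh5bx.org NXDOMAIN
2016-08-01T09:10:00 10.0.0.9 printer.corp.example.com NXDOMAIN
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits of entropy per character over the label's character distribution."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=7, min_entropy=2.8):
    """Heuristic 'random-looking' test for one DNS label (thresholds are assumptions)."""
    label = label.lower()
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    # Pronounceable words keep a healthy vowel share and rarely mix in digits.
    return vowel_ratio < 0.2 or has_digit


def parse_log(text):
    """Parse the constructed 'timestamp client qname rcode' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "qname": qname.rstrip(".").lower(), "rcode": rcode})
    return events


def is_chrome_style_probe(qname):
    """Assumed probe shape: one random-looking label of 7-15 letters, no dots."""
    return ("." not in qname and 7 <= len(qname) <= 15
            and qname.isalpha() and looks_random(qname))


def triage(text, window=timedelta(seconds=5)):
    """Split NXDOMAIN responses into Chrome-like startup bursts and DGA candidates."""
    nx = [e for e in parse_log(text) if e["rcode"] == "NXDOMAIN"]
    by_client = defaultdict(list)
    for e in nx:
        by_client[e["client"]].append(e)

    chrome_probes = {}
    dga_candidates = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        probes = [e for e in events if is_chrome_style_probe(e["qname"])]
        probe_names = set()
        # Three probe-shaped queries from one client inside one short window is
        # treated as the browser startup burst rather than as malware traffic.
        for i in range(len(probes) - 2):
            if probes[i + 2]["ts"] - probes[i]["ts"] <= window:
                probe_names.update(p["qname"] for p in probes[i:i + 3])
        if probe_names:
            chrome_probes[client] = sorted(probe_names)
        for e in events:
            if e["qname"] in probe_names:
                continue
            labels = e["qname"].split(".")
            # Check every label below the last one (no public-suffix list here).
            if any(looks_random(lbl) for lbl in (labels[:-1] or labels)):
                dga_candidates.append((client, e["qname"]))
    return {"chrome_probes": chrome_probes, "dga_candidates": dga_candidates}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, names in result["chrome_probes"].items():
        print("browser-probe burst from", client, names)
    for client, qname in result["dga_candidates"]:
        print("DGA candidate from", client, qname)
```

Run against the sample, the burst from 10.0.0.5 is set aside as a browser probe while the three spaced-out, TLD-bearing lookups from 10.0.0.7 stay on the list for a closer look; the legitimate-looking printer name is ignored despite its NXDOMAIN. The same split is what you would want before tuning or suppressing rule 3:31738 on a network full of Chrome clients.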