Snort is a free network intrusion detection system (IDS). In less official terms, it lets you to monitor your network for suspicious activity in real time. Currently, Snort has packages for Fedora, CentOS, FreeBSD, and Windows-based systems. Exact installation method varies between OSes. In this tutorial, we will be installing directly from the source files for Snort. This guide was written for Debian.
Update, Upgrade, and Reboot
Before we actually get our hands on the Snort sources, we need to make sure that our system is up to date. We can do this by issuing the commands below.
sudo apt-get update
sudo apt-get upgrade -y
sudo reboot
Pre-install configuration
Once your system has rebooted, we need to install a number of packages to make sure that we can install SBPP. I was able to figure out that a number of the packages that were needed, so the base command is below.
sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libnetfilter-queue-dev iptables-dev libdumbnet-dev zlib1g-dev -y
Once all of the packages are installed, you will need to create a temporary directory for your source files – they can be anywhere you’d like. I’ll be using /usr/src/snort_src
. To create this folder, you’ll need to be logged in as the root
user, or have sudo
permissions – root
just makes it easier.
sudo mkdir /usr/src/snort_src
cd /usr/src/snort_src
Installing the Data Acquisition Library (DAQ)
Before we can get the source for Snort, we need to install the DAQ. It’s fairly simple to install.
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
Extract the files from the tarball.
tar xvfz daq-2.0.6.tar.gz
Change into the DAQ directory.
cd daq-2.0.6
Configure and install the DAQ.
./configure; make; sudo make install
That last line, will execute ./configure
first. Then it will execute make
. Lastly, it will execute make install
. We use the shorter syntax here just to save a little bit on typing.
Installing Snort
We want to make sure we’re in the /usr/src/snort_src
directory again, so be sure to change into that directory with:
cd /usr/src/snort_src
Now that we are in the directory for the sources, we will download the tar.gz
file for the source. At the time of this writing, the most recent version of Snort is 2.9.8.0
.
wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
The commands to actually install snort are very similar to the ones used for the DAQ, but they have different options.
Extract the Snort source files.
tar xvfz snort-2.9.8.0.tar.gz
Change into the source directory.
cd snort-2.9.8.0
Configure and install the sources.
./configure --enable-sourcefire; make; sudo make install
Post-install of Snort
Once we have Snort installed, we need to make sure that our shared libraries are up to date. We can do this using the command:
sudo ldconfig
After we do that, test your Snort installation:
snort --version
If this command does not work, you will need to create a symlink. You can do this by typing:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
snort --version
The resulting output will resemble the following:
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.5 GRE (Build 262)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.6.2
Using PCRE version: 8.35 2014-04-04
Using ZLIB version: 1.2.8
Un-rooting Snort
Now that we have snort installed, we don’t want it running as root
, so we need to create a snort
user and group. To create a new user and group, we can use these two commands:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Since we have installed the program using the source, we need to create the configuration files and the rules for snort.
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/preproc_rules
sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
After we create the directories and the rules, we now need to create the log directory.
sudo mkdir /var/log/snort
And lastly, before we can add any rules, we need a place to store the dynamic rules.
sudo mkdir /usr/local/lib/snort_dynamicrules
Once all of the previous files have been created, set the proper permissions on them.
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Setting up the config files
To save a bunch of time and to keep from having to copy and paste everything, lets just copy all of the files into the configuration directory.
sudo cp /usr/src/snort_src/snort*/etc/*.conf* /etc/snort
sudo cp /usr/src/snort_src/snort*/etc/*.map /etc/snort
Now that the config files are there, you can do one of two things:
- You can enable Barnyard2
- Or you can just leave the config files alone and selectively enable the desired rules.
Either way, you’re still going to want to change a few things. Keep reading.
Configuration
In the /etc/snort/snort.conf
file, you will need to change the variable HOME_NET
. It should be set to your internal network’s IP block so it won’t log your own network’s attempts to log into the server. This may be 10.0.0.0/24
or 192.168.0.0/16
. On line 45 of /etc/snort/snort.conf
change the variable HOME_NET
to that value of your network’s IP block.
On my network, it looks like this:
ipvar HOME_NET 192.168.0.0/16
Then, you’ll have to set the EXTERNAL_NET
variable to:
any
Which just turns EXERNAL_NET
into whatever your HOME_NET
is not.
Setting the rules
Now that a large majority of the system is set up, we need to configure our rules for this little piggy. Somewhere around line 104 in your /etc/snort/snort.conf
file, you should see a “var” declaration and the variables RULE_PATH
, SO_RULE_PATH
, PREPROC_RULE_PATH
, WHITE_LIST_PATH
, and BLACK_LIST_PATH
. Their values should be set to the paths we used in Un-rooting Snort
.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
Once those values are set, delete or comment out the current rules starting on about line 548.
Now, lets check to make sure that your configuration is correct. You can verify it with snort
.
# snort -T -c /etc/snort/snort.conf
You will see output similar to the following (truncated for brevity).
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
.....
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.8.0 GRE (Build 229)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.35 2014-04-04
Using ZLIB version: 1.2.8
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Snort successfully validated the configuration!
Snort exiting
Now that everything is configured without errors, we are ready to start testing Snort.
Testing Snort
The easiest way to test Snort is by enabling the local.rules
. This is a file that contains your custom rules.
If you’ve noticed in the snort.conf
file, somewhere around line 546, this line exists:
include $RULE_PATH/local.rules
If you don’t have it, please add it around 546. You can then use the local.rules
file for testing. As a basic test, I just have Snort keep track of a ping request (ICMP request). You can do that by adding in the following line to your local.rules
file.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
Once you have that in your file, save it, and continue reading.
Run the test
The following command will start Snort and print “fast mode” alerts, as the user snort, under the group snort, using the config /etc/snort/snort.conf
, and it will listen on the network interface eno1
. You will need to change eno1
to whatever network interface your system is listening on.
$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eno1
Once you have it running, ping that computer. You will start to see output that looks like the following:
01/07−16:03:30.611173 [**] [1:10000001:0] ICMP test [**] [Priority: 0] 192.168.1.105 -> 192.168.1.104
01/07−16:03:31.612174 [**] [1:10000001:0] ICMP test [**] [Priority: 0] 192.168.1.104 -> 192.168.1.105
01/07−16:03:31.612202 [**] [1:10000001:0] ICMP test [**] [Priority: 0] 192.168.1.105 -> 192.168.1.104
^C*** Caught Int−Signal
You can press Ctrl+C to exit the program, and that’s it. Snort is all set up. You may now use any rules that you desire.
Lastly, I want to note that there are some public rules made by the community you can download from the official site under the “Community” tab. Look for “Snort”, then just under that there is a community link. Download that, extract it, and look for the community.rules
file.
Want to contribute?
You could earn up to $300 by adding new articles
Suggest an update
Request an article