Snort is a signature based intrusion detection system, it either drop or accept the packets coming on a certain interface depending on the rules you have used. In a signature based intrusion detection system packets headers and their payloads are matched against specific predefined rules/strings to see if they contain a malicious content. Snort can run in two modes:
- Packet Sniffing
- This mode have no special use, all you can do is just look at the traffic coming at the interface.
- Network Intrusion detection
- This mode is the actual use of snort, in this mode snort monitor the traffic and block any unwanted traffic using the rules.
Installing snort from source is a bit tricky, let see how we can install snort intrusion detection system on Ubuntu from its source code.
Step 1: Prepare to install
Before actually installing snort, their are some of its per-requisites, you can run following commands to install all the required per-requisites.
|
1 2 |
sudo apt-get update sudo apt-get dist-upgrade |
Reboot after running the above commands.
|
1 2 3 4 |
sudo apt-get install build-essential sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev sudo apt-get bison flex |
After running these commands you are ready to install snort.
Step 2: Install Daq
Next step is to install daq (snort require daq to run), daq source code is available on their site for download.
You can create a separate folder for all your downloads mkdir ~/snort (Just to keep all downloads at one place), you need to download and extract daq.
|
1 2 3 4 5 6 7 |
cd ~/snort wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install |
Commands above will download the daq source code and then install it.
Step 3: Install Snort
You are now ready to download snort source code.
|
1 2 3 4 5 6 7 8 9 |
cd ~/snort wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz tar -xvzf snort-2.9.8.3.tar.gz cd snort-2.9.8.3 ./configure make sudo make install sudo ldconfig sudo ln -s /usr/local/bin/snort /usr/sbin/snort |
Snort is now installed on your system, but you need to configure snort to make use of it. To make sure snort is installed on your system, run snort -V , if you see the following output, then you are on right track.
Step 4: Create some required directories
Snort need some folder and files to place its logs,errors and rules files, you can create a bash script and run these commands at once or you can just execute them one by one.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
sudo groupadd snort sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /etc/snort/rules/iplists sudo mkdir /etc/snort/preproc_rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /etc/snort/so_rules sudo touch /etc/snort/rules/iplists/black_list.rules sudo touch /etc/snort/rules/iplists/white_list.rules sudo touch /etc/snort/rules/local.rules sudo touch /etc/snort/sid-msg.map sudo mkdir /var/log/snort sudo mkdir /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort/so_rules sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules sudo chown -R snort:snort /etc/snort sudo chown -R snort:snort /var/log/snort sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules cd ~/snort/snort-2.9.8.3/etc/ sudo cp *.conf* /etc/snort sudo cp *.map /etc/snort sudo cp *.dtd /etc/snort cd ~/snort/snort-2.9.8.3/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ sudo cp * /usr/local/lib/snort_dynamicpreprocessor/ |
Please do not ignore these commands.
Step 6: Editing snort configuration files
We need to modify some configuration files to run snort in network intrusion detection mode, first comment out all the rules in snort configuration file using
|
1 |
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf |
Find your network details using ifconfig
Here “ens” is the interface I am capturing traffic on, my mask is 255.255.255.0, so my network is : 192.168.122.0/24
You need to find this details to put in snort.conf file.
|
1 |
sudo vi +45 /etc/snort/snort.conf |
This command will open the snort.conf file and move you to 45th line, make sure your following line look like this
ipvar HOME_NET 192.168.122.0/24
The underlined part should be your network details. (Adjust appropriately).
|
1 2 3 |
#open file and move to line 104 sudo vi +104 /etc/snort/snort.conf |
Following the line at 104, make sure your paths look like this.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
|
1 2 3 |
#open file and move to line 545 sudo vi +545 /etc/snort/snort.conf |
UN-comment the 545th line and make it look like this
include $RULE_PATH/local.rules
Step 7: Test Snort
As a final step we need to make sure that snort is running in network intrusion detection mode, for that we need to insert a rule in our “/etc/snort/rules/local.rules” file.
Open this file and paste the following rule
|
1 2 |
alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;) |
Now run snort using
|
1 |
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens3 |
Note : It will start listening on interface ens3, make sure you replace it with your interface name. After running snort, open another ssh connection to the server and run this command:
|
1 |
ping -b 255.255.255.255 -p "7569643d3028726f6f74290a" -c3 |
You should now be able to see alerts on ssh where you have started snort, it should look something like this:
