How to install the Snort intrusion detection system on Ubuntu!


Snort is a signature-based intrusion detection system: it either drops or accepts the packets arriving on a given interface depending on the rules you have loaded. In a signature-based intrusion detection system, packet headers and payloads are matched against predefined rules/strings to see whether they contain malicious content. Snort can run in two modes:

  • Packet sniffing
    • This mode has no special use; all you can do is look at the traffic arriving on the interface.
  • Network intrusion detection
    • This mode is the actual use of Snort: it monitors the traffic and blocks any unwanted traffic according to the rules.

Installing Snort from source is a bit tricky, so let's see how to install the Snort intrusion detection system on Ubuntu from its source code.

Step 1: Prepare to install

Before actually installing Snort, there are some prerequisites; run the following commands to install all of them.

Reboot after running the above commands.

After running these commands you are ready to install Snort.

Step 2: Install DAQ

The next step is to install DAQ (Snort requires DAQ to run); the DAQ source code is available for download on its site.

You can create a separate folder for all your downloads with  mkdir ~/snort  (just to keep all downloads in one place); then download and extract DAQ.

The commands above download the DAQ source code and then install it.

Step 3: Install Snort

You are now ready to download the Snort source code.

Snort is now installed on your system, but you need to configure it before you can make use of it. To check that Snort is installed, run  snort -V ; if you see output like the following, you are on the right track.


Step 4: Create some required directories

Snort needs some folders and files for its logs, errors and rules. You can put these commands in a bash script and run them all at once, or execute them one by one.

Please do not ignore these commands.

Step 6: Editing the Snort configuration files

We need to modify some configuration files to run Snort in network intrusion detection mode. First, comment out all the rules in the Snort configuration file using

Find your network details using  ifconfig


Here “ens” is the interface I am capturing traffic on; my netmask is 255.255.255.0, so my network is 192.168.122.0/24.

You need these details to put in the snort.conf file.

This command will open the snort.conf file and move you to line 45; make sure the following line looks like this:

ipvar HOME_NET 192.168.122.0/24

The underlined part should be your network details (adjust appropriately).
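The network address above is worked out by hand from the interface address and netmask. The following shell functions, an added example that is not part of the original post (the function names are my own), do the same calculation for any address and netmask, reject a non-contiguous mask, and print the ipvar HOME_NET line in the form snort.conf expects:

```shell
#!/usr/bin/env bash
# Added example: derive the CIDR network for ipvar HOME_NET from an
# interface address and netmask (e.g. 192.168.122.37 / 255.255.255.0).

# Dotted quad -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  local n=$1
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Netmask -> prefix length; fails on a mask whose set bits are not contiguous.
mask_to_prefix() {
  local m prefix=0
  m=$(ip_to_int "$1")
  while [ "$prefix" -lt 32 ] && [ $(( (m >> (31 - prefix)) & 1 )) -eq 1 ]; do
    prefix=$((prefix + 1))
  done
  # Every bit below the prefix must be zero for a valid mask.
  if [ "$prefix" -lt 32 ] && [ $(( m & ((1 << (32 - prefix)) - 1) )) -ne 0 ]; then
    echo "invalid netmask: $1" >&2
    return 1
  fi
  echo "$prefix"
}

# home_net_cidr IP NETMASK -> network/prefix, e.g. 192.168.122.0/24
home_net_cidr() {
  local prefix net
  prefix=$(mask_to_prefix "$2") || return 1
  net=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
  echo "$(int_to_ip "$net")/$prefix"
}

# The snort.conf line the text asks you to set.
homenet_line() {
  echo "ipvar HOME_NET $(home_net_cidr "$1" "$2")"
}

# Usage: homenet_line 192.168.122.37 255.255.255.0
```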

From line 104 onward, make sure your paths look like this.

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists

Uncomment line 545 and make it look like this

include $RULE_PATH/local.rules

Step 7: Test Snort

As a final step we need to make sure that Snort is running in network intrusion detection mode; for that we insert a rule into our “/etc/snort/rules/local.rules” file.

Open this file and paste the following rule

Now run Snort using

Note: it will start listening on interface ens3; make sure you replace that with your interface name. After starting Snort, open another SSH connection to the server and run this command:

You should now see alerts in the SSH session where you started Snort; they should look something like this:
