Snort is a signature based intrusion detection system, it either drop or accept the packets coming on a certain interface depending on the rules you have used. In a signature based intrusion detection system packets headers and their payloads are matched against specific predefined rules/strings to see if they contain a malicious content. Snort can run in two modes:
- Packet Sniffing
- This mode have no special use, all you can do is just look at the traffic coming at the interface.
- Network Intrusion detection
- This mode is the actual use of snort, in this mode snort monitor the traffic and block any unwanted traffic using the rules.
Installing snort from source is a bit tricky, let see how we can install snort intrusion detection system on Ubuntu from its source code.
Step 1: Prepare to install
Before actually installing snort, their are some of its per-requisites, you can run following commands to install all the required per-requisites.
sudo apt-get update
sudo apt-get dist-upgrade
Reboot after running the above commands.
sudo apt-get install build-essential
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt-get bison flex
After running these commands you are ready to install snort.
Step 2: Install Daq
Next step is to install daq (snort require daq to run), daq source code is available on their site for download.
You can create a separate folder for all your downloads
mkdir ~/snort (Just to keep all downloads at one place), you need to download and extract daq.
tar -xvzf daq-2.0.6.tar.gz
sudo make install
Commands above will download the daq source code and then install it.
Step 3: Install Snort
You are now ready to download snort source code.
tar -xvzf snort-18.104.22.168.tar.gz
sudo make install
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Snort is now installed on your system, but you need to configure snort to make use of it. To make sure snort is installed on your system, run
snort -V , if you see the following output, then you are on right track.
Step 4: Create some required directories
Snort need some folder and files to place its logs,errors and rules files, you can create a bash script and run these commands at once or you can just execute them one by one.
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
Please do not ignore these commands.
Step 6: Editing snort configuration files
We need to modify some configuration files to run snort in network intrusion detection mode, first comment out all the rules in snort configuration file using
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
Find your network details using
Here “ens” is the interface I am capturing traffic on, my mask is 255.255.255.0, so my network is : 192.168.122.0/24
You need to find this details to put in snort.conf file.
sudo vi +45 /etc/snort/snort.conf
This command will open the snort.conf file and move you to 45th line, make sure your following line look like this
ipvar HOME_NET 192.168.122.0/24
The underlined part should be your network details. (Adjust appropriately).
#open file and move to line 104
sudo vi +104 /etc/snort/snort.conf
Following the line at 104, make sure your paths look like this.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
#open file and move to line 545
sudo vi +545 /etc/snort/snort.conf
UN-comment the 545th line and make it look like this
Step 7: Test Snort
As a final step we need to make sure that snort is running in network intrusion detection mode, for that we need to insert a rule in our “/etc/snort/rules/local.rules” file.
Open this file and paste the following rule
alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown;
Now run snort using
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens3
Note : It will start listening on interface ens3, make sure you replace it with your interface name. After running snort, open another ssh connection to the server and run this command:
ping -b 255.255.255.255 -p "7569643d3028726f6f74290a" -c3
You should now be able to see alerts on ssh where you have started snort, it should look something like this: