Snort really isn't hard to use. This article aims to make using Snort easier for new users.
Snort can be configured to run in three modes:
- sniffer mode: simply reads packets off the network and prints them to the console
- packet logger mode: logs the packets to disk
- Network Intrusion Detection System (NIDS) mode: the most complex and most configurable; traffic is matched against a rule set and alerts are raised on hits
This article will focus on the installation and configuration of Snort. If you are looking for a detailed description of Snort, please go through the official documentation.
Prerequisites
- libpcap-1.2.1-dev
- daq-0.6.2
- libdnet-1.12
- libpcap-1.2.1
- bison
- flex
- PCRE
- libc6-dev
- g++
- gcc
The first thing I like to do is grab all the dependent packages. Once you are done installing the dependencies, we are ready for the next step: download the Snort tarball and untar it. I like to keep all the tar packages in a single place, so I'm going to use edge's directory structure here:
# cd /opt
# mkdir snortpackages
# cd /opt/snortpackage
Let's get Snort. The latest version of Snort at the time of writing is 2.9.2.1.
Open a web browser and navigate to http://www.snort.org/ and download the most recent release into /opt/snortpackages. Compare the tarball's checksum with the one published on the download page before building anything from it. Then untar the Snort package:
# tar -xzvf /opt/snortpackages/snort-2.9.2.1.tar.gz
It's time to get the Snort rules. Change into the new snort-2.9.2.1 directory:
# cd /opt/snortpackages/snort-2.9.2.1
Open a web browser and navigate to http://www.snort.org/snort-rules/#registered
Scroll down to the "Sourcefire VRT Certified Rules - The Official Snort Rule set (registered user release)" section and download the rules snapshot that matches your Snort version (a free registration is required).
Untar the Snort rules from inside the source directory. The snapshot unpacks into rules/, so_rules/, preproc_rules/ and etc/ next to the source tree's own files, which is what the copy step later relies on:
# tar -xzvf /opt/snortpackages/snortrules-snapshot-2911.tar.gz
Now it's time to start the installation of Snort:
# cd /opt/snortpackages/snort-2.9.2.1
Here we do the configure/make/install. The --with-mysql option is only needed if you intend to log to MySQL through the database output plugin (deprecated in the 2.9.2 series in favour of unified2 output read by Barnyard2) and it requires the MySQL client development headers; drop it if you do not need it:
# ./configure --enable-dynamicplugin --with-mysql
# make
# make install
After the above commands complete successfully, we need to create some directories under /etc for Snort to function correctly and copy some files into them:
# mkdir -p /etc/snort /etc/snort/rules /var/log/snort
Let's move some files.
# cd /opt/snortpackages/snort-2.9.2.1/rules
# cp * /etc/snort/rules/
# cd /opt/snortpackages/snort-2.9.2.1/etc
# cp * /etc/snort/
We are done with the installation of Snort; now we need to tweak some options to configure Snort according to your requirements.
Open /etc/snort/snort.conf with your favorite text editor:
# vim /etc/snort/snort.conf
Change "ipvar HOME_NET any" to "ipvar HOME_NET 192.168.1.0/24" (your home network may differ from 192.168.1.0/24). The 2.9.x snort.conf declares the network variables with ipvar; older releases used var, so match whichever keyword your file uses. HOME_NET is the network the rules treat as the one being protected, so getting it right matters more than any other setting here.
Change "ipvar EXTERNAL_NET any" to "ipvar EXTERNAL_NET !$HOME_NET" (this states that everything except HOME_NET is external).
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules" so the include lines find the rules you copied.
Once you are done with the changes in the config, test them before starting Snort for real:
# snort -T -c /etc/snort/snort.conf
With -T Snort only parses snort.conf and every included rule file, reports any error (a missing rule file, a bad variable, a rule syntax problem) and exits; it does not start capturing. Fix anything it complains about and re-run until it prints "Snort successfully validated the configuration!".
We are done. Congrats!
To start Snort in the terminal type (eth0 is an example; use the interface you want to monitor):
# snort -c /etc/snort/snort.conf -A fast -D -i eth0
This starts Snort in NIDS mode as a daemon (-D) with fast alerting (-A fast writes one-line alerts to /var/log/snort/alert). Snort needs root to open the interface; to drop privileges once it is open, create an unprivileged user and add -u snort -g snort (that user must be able to write to /var/log/snort).
To make sure it is running you can check with the following command:
# ps aux | grep snort
If it's running you will see an entry similar to snort -c /etc/snort/snort.conf -A fast -D -i eth0
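The steps from creating /etc/snort through testing the edited snort.conf, collected into one script, as an added example that is not part of the original article. Every path, the network and the log directory are assumptions passed on the command line; the real /etc/snort needs root. It also does one check the article does by hand: that every rule file snort.conf includes actually exists, which is the most common reason snort -T refuses a freshly copied configuration.

```shell
#!/bin/sh
# Added example (not from the original article): layout, copy, snort.conf
# edits and config test as one script. Paths given on the command line are
# assumptions; the real /etc/snort needs root.
set -e

# Create the layout the article uses: <dest>, <dest>/rules and the log dir.
make_layout() {
  mkdir -p "$1/rules" "$2"
}

# Copy rules/ and etc/ out of the unpacked source tree into <dest>. The rules
# snapshot was untarred inside that tree, so both directories exist there.
copy_files() {
  src="$1"; dest="$2"
  cp "$src"/rules/* "$dest/rules/"
  cp "$src"/etc/* "$dest/"
}

# Rewrite the three variables the article changes. The stock 2.9.x snort.conf
# declares HOME_NET/EXTERNAL_NET with "ipvar" (older releases used "var"); both
# are handled. Output is written from a backup copy, so BSD and GNU sed work.
set_conf_vars() {
  conf="$1"; home_net="$2"; rule_path="$3"
  cp "$conf" "$conf.orig"
  sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
      -e "s|^var HOME_NET .*|var HOME_NET $home_net|" \
      -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
      -e 's|^var EXTERNAL_NET .*|var EXTERNAL_NET !$HOME_NET|' \
      -e "s|^var RULE_PATH .*|var RULE_PATH $rule_path|" \
      "$conf.orig" > "$conf"
}

# Print the current value of a var/ipvar from snort.conf (empty if not set).
conf_value() {
  sed -n -e "s|^ipvar $2 ||p" -e "s|^var $2 ||p" "$1" | head -n 1
}

# Every "include $RULE_PATH/<file>" line must resolve to a real file, or
# "snort -T" refuses the whole config. Prints the number of missing files
# and lists each one on stderr.
missing_rule_files() {
  conf="$1"; missing=0
  rule_path=$(conf_value "$conf" RULE_PATH)
  for f in $(sed -n 's|^include \$RULE_PATH/||p' "$conf"); do
    if [ ! -f "$rule_path/$f" ]; then
      echo "missing rule file: $rule_path/$f" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Parse-only test: snort -T loads the config and rules, reports errors, exits.
test_config() {
  if ! command -v snort >/dev/null 2>&1; then
    echo "snort not on PATH; skipping snort -T" >&2
    return 0
  fi
  snort -T -c "$1"
}

main() {
  src="$1"; dest="$2"; home_net="$3"; logdir="${4:-/var/log/snort}"
  make_layout "$dest" "$logdir"
  copy_files "$src" "$dest"
  set_conf_vars "$dest/snort.conf" "$home_net" "$dest/rules"
  n=$(missing_rule_files "$dest/snort.conf")
  if [ "$n" -ne 0 ]; then
    echo "$n rule file(s) referenced by snort.conf are missing" >&2
    return 1
  fi
  test_config "$dest/snort.conf"
}

# Offline demo on a constructed stand-in for the source tree (not real Snort
# files, so snort -T is not run on it): sh snort-setup.sh demo
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/src/rules" "$t/src/etc"
  printf '%s\n' 'alert tcp any any -> any 80 (msg:"constructed demo rule"; sid:1000001; rev:1;)' \
    > "$t/src/rules/local.rules"
  printf '%s\n' 'ipvar HOME_NET any' 'ipvar EXTERNAL_NET any' \
    'var RULE_PATH ../rules' 'include $RULE_PATH/local.rules' > "$t/src/etc/snort.conf"
  make_layout "$t/etc/snort" "$t/log"
  copy_files "$t/src" "$t/etc/snort"
  set_conf_vars "$t/etc/snort/snort.conf" 192.168.1.0/24 "$t/etc/snort/rules"
  echo "missing rule files: $(missing_rule_files "$t/etc/snort/snort.conf")"
  cat "$t/etc/snort/snort.conf"
  rm -rf "$t"
}

# usage: sh snort-setup.sh /opt/snortpackages/snort-2.9.2.1 /etc/snort 192.168.1.0/24
case "${1:-}" in
  demo) demo ;;
  "") ;;
  *) [ "$#" -ge 3 ] || { echo "usage: $0 <srcdir> <destdir> <home_net> [logdir]" >&2; exit 2; }
     main "$@" ;;
esac
```

The missing-file check mirrors what snort -T does for you, but it runs without Snort installed and points at the exact file, which is handy when a rules snapshot was built for a different release and some of the include lines in its snort.conf have no matching file in rules/.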