
5/9/2019 How to Install Snort NIDS on Ubuntu Linux

Synopsis
Security is a major issue in today's enterprise environments, and there are many tools
available to secure network infrastructure and communication over the internet.
Snort is a free and open source, lightweight network intrusion detection and
prevention system. It is the most widely used NIDS (Network Intrusion Detection
System): it detects and prevents intrusions through protocol analysis, content
matching, and a set of preprocessors. Snort can detect a wide range of attacks, such
as buffer overflows, stealth port scans, and CGI attacks, to name a few, and it watches
network traffic for malicious activity, denial-of-service attacks, and port scans.
It is divided into five major components: the packet decoder, preprocessors, the
detection engine, the logging and alerting system, and output modules.

Here, we will explain how to install from source, create a configuration file for Snort,
create sample rules, and finally test on Ubuntu 16.04.

System Requirements
Newly deployed Ubuntu 16.04 server.

Minimum 4 GB RAM and multicore CPU for better performance.

At least 1 TB hard disk.

Prepare the System for Deployment


Before starting, ensure your system is up to date and all installed software is running
the latest version.

First, log in as root and update your system by running the following commands:

apt-get update -y
apt-get upgrade -y

Install Required Dependencies

https://blog.rapid7.com/2017/01/11/how-to-install-snort-nids-on-ubuntu-linux/ 1/9

Before installing Snort, you will need to install the required build dependencies on
your system. Besides libpcap and PCRE, Snort 2.9 links against libdnet (packaged as
libdumbnet-dev on Ubuntu) and zlib, and the DAQ build needs bison and flex:

apt-get install -y openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

You will also need to install DAQ. To do this, first download the latest version of DAQ
with the following command:

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Once the download is completed, extract the downloaded file with the following
command:

tar -zxvf daq-2.0.6.tar.gz

Next, change the directory to daq-2.0.6:

cd daq-2.0.6

Now run the following command to compile and install DAQ:

./configure && make && make install

Install Snort from Source


You can install Snort from its source code or deb packages on Ubuntu. It is
recommended to build Snort from source code, because the latest version of Snort
may not be available in Linux distro repositories. Also note that the following
examples use eth0 for the network interface. Your main network interface may
differ.


First, download the latest version of the Snort source code with the following
command:

wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz

Once the download is completed, extract the downloaded file with the following
command:

tar -xvzf snort-2.9.8.3.tar.gz

Change the directory to snort-2.9.8.3:

cd snort-2.9.8.3

Then run the following command to compile and install Snort:

./configure --enable-sourcefire && make && make install

Next, you will need to update the shared libraries, otherwise you will get an error
when you try to run Snort:

ldconfig

Next, create a symlink to the Snort binary:

ln -s /usr/local/bin/snort /usr/sbin/snort

Finally, you can verify the installation and configuration with the following command:

snort -V


You should see the following output:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

Configure Snort
You can configure Snort in three modes: Sniffer mode, Packet logger mode, and
Network IDS mode. Here, we will configure Snort for Network IDS Mode.

Before configuring Snort, you will need to create a directory structure for Snort.

To do this, create the following directories and files:

mkdir /etc/snort
mkdir /etc/snort/preproc_rules
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

Now set the permissions on the following directories:

chmod -R 5775 /etc/snort/
chmod -R 5775 /var/log/snort/
chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/

Next, you will need to copy the configuration files from the Snort source tree.

Change the directory to snort-2.9.8.3 :

cd snort-2.9.8.3

Then, copy the .conf, .map and .dtd files to the /etc/snort/ directory:

cp -avr *.conf *.map *.dtd /etc/snort/

You will also need to copy the dynamic preprocessors files:

cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ /usr/local/lib/

Now we will edit the Snort configuration file. First, comment out all rulesets with the
following command:

sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

Next, open /etc/snort/snort.conf file in your favorite editor:

nano /etc/snort/snort.conf

Change the file as shown below:


# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.15.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

include $RULE_PATH/local.rules

Save and close the file when you are done.

Next, validate the configuration file with the following command:

snort -T -i eth0 -c /etc/snort/snort.conf

If everything is okay, you should see the following output:

Snort successfully validated the configuration!
Snort exiting
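The snort.conf edits above are easy to get wrong by hand (a ruleset left enabled, the local.rules include commented out along with the rest). The following script is an added example, not code from the Rapid7 post or the Snort project: it applies the same edits as a repeatable filter and checks the result. The snort.conf fragment it runs on is constructed for the demonstration; the real target is /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example (not from the original post): apply the snort.conf edits
# described in the text as a filter instead of hand-editing in nano.

# Read a snort.conf on stdin and write the edited copy on stdout.
#   $1 = HOME_NET in CIDR form (e.g. 192.168.15.0/24)
#   $2 = rules directory (e.g. /etc/snort/rules)
# Every "include $RULE_PATH/..." line is commented out, then only
# local.rules is re-enabled (and appended if the file never included it).
configure_snort_conf() {
    home_net=$1
    rule_dir=$2
    edited=$(sed \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e "s|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET any|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rule_dir|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $rule_dir|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $rule_dir|" \
        -e 's|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        -e 's|^#include \$RULE_PATH/local\.rules$|include $RULE_PATH/local.rules|')
    printf '%s\n' "$edited"
    if ! printf '%s\n' "$edited" | grep -q '^include \$RULE_PATH/local\.rules'; then
        printf 'include $RULE_PATH/local.rules\n'
    fi
}

# Constructed stand-in for the stock snort.conf (only the lines we touch).
sample_snort_conf() {
    cat <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# Sanity check on an edited file: exactly one live include, and it is local.rules.
only_local_rules_enabled() {
    [ "$(grep -c '^include ' "$1")" -eq 1 ] && grep -q '^include \$RULE_PATH/local\.rules$' "$1"
}

# Demonstration run (writes to a temp file rather than /etc/snort).
out=$(mktemp)
sample_snort_conf | configure_snort_conf 192.168.15.0/24 /etc/snort/rules > "$out"
cat "$out"
only_local_rules_enabled "$out" && echo "OK: only local.rules is enabled"
rm -f "$out"
```

To use it on a real system, run `configure_snort_conf 192.168.15.0/24 /etc/snort/rules < /etc/snort/snort.conf > /tmp/snort.conf.new`, inspect the diff, copy it into place, and then run the `snort -T` validation shown above. The filter is idempotent, so re-running it on an already-edited file leaves it unchanged.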

Testing Snort
Snort is now ready for testing—but before starting, you will need to create a rule set.

Let’s create a rule to test Snort.

Edit the local.rules file:

nano /etc/snort/rules/local.rules

Add the following lines:


alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

Save and close the file.

The above rules generate an alert when anyone pings the server, connects to its FTP
port (21), or connects to TCP port 80 (the test below uses telnet to reach that port).
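Before pointing Snort at a rules file it is worth linting it, because `snort -T` stops at the first syntax error and does not catch semantic slips such as a reused sid. The script below is an added example, not code from the Rapid7 post or the Snort project. It checks each rule for a sid, a sid in the local range (Snort reserves sids below 1,000,000 for distributed rules), unique sids, a rev, and a closed option list. Both sample rule files are constructed; the first is the three rules above.

```shell
#!/bin/sh
# Added example (not from the original post): a lint pass over local.rules.

# Print one line per problem found in the rule file $1; exit 1 if any were found.
lint_local_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    {
        if ($0 !~ /\)[ \t]*$/) { print "line " NR ": option list not closed with )"; bad++ }
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[ \t]/, "", sid)
            if (sid + 0 < 1000000) { print "line " NR ": sid " sid " is below the local range (1000000+)"; bad++ }
            if (sid in seen) { print "line " NR ": duplicate sid " sid " (first used on line " seen[sid] ")"; bad++ }
            else seen[sid] = NR
        } else { print "line " NR ": missing sid"; bad++ }
        if ($0 !~ /rev:[ \t]*[0-9]+/) { print "line " NR ": missing rev"; bad++ }
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed: the three rules from the section above.
good_rules() {
    cat <<'EOF'
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
EOF
}

# Constructed: one defect per line after the first rule.
bad_rules() {
    cat <<'EOF'
# local rules with mistakes
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"duplicate sid"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"no rev"; sid:1000002;)
alert tcp any any -> $HOME_NET 80 (msg:"reserved sid"; sid:5; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"no sid"; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"unterminated"; sid:1000004; rev:1;
EOF
}

# Demonstration run.
f=$(mktemp)
good_rules > "$f"
if lint_local_rules "$f"; then echo "good rules: no problems"; fi
bad_rules > "$f"
lint_local_rules "$f" || echo "bad rules: fix the lines above before running snort -T"
rm -f "$f"
```

Run it as `lint_local_rules /etc/snort/rules/local.rules` before each `snort -T`; a non-zero exit status makes it usable as a gate in a deployment script.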

Now start Snort in Network IDS mode from the terminal and tell it to output any alert
to the console:

snort -A console -q -c /etc/snort/snort.conf -i eth0

The options used are:

-A console: print fast-mode alerts to stdout
-q: quiet mode; do not show the banner and status report
-c: the path to our snort.conf file
-i: the interface to listen on

Snort is now up and listening on interface eth0, so let's ping, FTP, and telnet to it
from a remote machine.

On the remote machine run the following command:

ping 192.168.15.189
ftp 192.168.15.189
telnet 192.168.15.189 80

Note: 192.168.15.189 is the IP address of Snort server

On the Snort server, you should see output like this:


12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priori
12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priorit
12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Prio

You can stop Snort at any time by pressing Ctrl+C.
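Once the rules fire more than a handful of times, the console output above needs summarising rather than reading line by line. The script below is an added example, not code from the Rapid7 post or the Snort project: it counts fast-format alerts by signature and by source address. The alert lines it parses are constructed in the same layout as the console output shown above, with made-up source addresses and ports.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "snort -A console" output.

# Constructed sample of fast-format alerts, one per line.
sample_alerts() {
    cat <<'EOF'
12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.15.10 -> 192.168.15.189
12/14-23:36:28.101010 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.15.20 -> 192.168.15.189
12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.10:41122 -> 192.168.15.189:21
12/14-23:36:35.100000 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.10:41123 -> 192.168.15.189:21
12/14-23:36:36.200000 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.20:50001 -> 192.168.15.189:21
12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Priority: 0] {TCP} 192.168.15.10:41130 -> 192.168.15.189:80
EOF
}

# Count alerts per signature ("[gid:sid:rev] message"), most frequent first.
# Field 3 is the id block; the message runs from field 4 up to the second "[**]".
count_by_signature() {
    awk '{
        j = 0
        for (i = 3; i <= NF; i++) if ($i == "[**]") { j = i; break }
        if (j == 0) next                        # not a fast-format alert line
        key = $3
        for (i = 4; i < j; i++) key = key " " $i
        count[key]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }' "$1" | sort -k1,1nr -k2
}

# Count alerts per source address. The last three fields are "src -> dst";
# TCP/UDP sources carry a :port suffix, which is stripped so ports aggregate.
count_by_source() {
    awk 'NF >= 3 && $(NF-1) == "->" {
        src = $(NF-2)
        sub(/:[0-9]+$/, "", src)
        count[src]++
    }
    END { for (s in count) printf "%d\t%s\n", count[s], s }' "$1" | sort -k1,1nr -k2
}

# Demonstration run.
f=$(mktemp)
sample_alerts > "$f"
echo "alerts by signature:"; count_by_signature "$f"
echo "alerts by source:";    count_by_source "$f"
rm -f "$f"
```

Against a live system, save the console output with `snort -A console -q -c /etc/snort/snort.conf -i eth0 | tee /var/log/snort/console.log` and run the two functions over that file; the per-source view is usually the quickest way to tell a single scanning host from a broad pattern.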

Create Snort Startup Script


You will also need a startup script so that Snort runs at boot time. You can do this
by creating a snort.service unit file:

nano /lib/systemd/system/snort.service

Add the following lines:

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
[Install]
WantedBy=multi-user.target

Save the file, then enable the script to run at boot time:

systemctl enable snort

Finally, start Snort:

systemctl start snort

You can check the status of Snort by running the following command:


systemctl status snort

You should see the following output:

● snort.service - Snort NIDS Daemon
   Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor prese
   Active: active (running) since Wed 2016-12-14 23:45:56 IST; 15s ago
 Main PID: 16129 (snort)
   CGroup: /system.slice/snort.service
           └─16129 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0

Dec 14 23:45:56 Node1 systemd[1]: Started Snort NIDS Daemon.
