
Author Topic: Install and configure snort  (Read 1753 times)


akhilt

  • Guest
Install and configure snort
« on: August 05, 2018, 11:39:53 am »
Install and configure snort

Snort is a free lightweight network intrusion detection system for both UNIX and Windows.

In this article, let us review how to install snort from source, write rules, and perform basic testing.

1. Download and Extract Snort

Download the latest free snort version from the snort website (https://www.snort.org/downloads). Extract the snort source code to the /usr/src directory as shown below.

Code: [Select]
# cd /usr/src

# wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz

# tar -xvf snort-2.9.11.1.tar.gz

2. Install Snort

Before installing snort, make sure you have dev packages of libpcap and libpcre.

Code: [Select]
# apt-cache policy libpcap0.8-dev
libpcap0.8-dev:
  Installed: 1.0.0-2ubuntu1
  Candidate: 1.0.0-2ubuntu1

# apt-cache policy libpcre3-dev
libpcre3-dev:
  Installed: 7.8-3
  Candidate: 7.8-3

Follow the steps below to install snort.

Code: [Select]
# cd snort-2.9.11.1

# ./configure

# make

# make install

3. Verify the Snort Installation

Verify the installation as shown below.
Code: [Select]
# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

4. Create the required files and directory

You have to create the configuration file, rule file and the log directory.

Create the following directories:

Code: [Select]
# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /var/log/snort

Create the following snort.conf and icmp.rules files:

Code: [Select]
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

The above basic rule raises an alert whenever an ICMP packet (for example, a ping) is seen.

Following is the structure of a rule:
<Rule Action> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)

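The header layout above is easy to get wrong by hand (a missing port field, a typo in the direction operator, a sid that collides with the official rule set). The following Python script is an added example, not part of the original post: it parses a rule line into the header fields named above plus its options, honouring semicolons inside quoted msg strings, and lints it for the mistakes a first-time rule author usually makes. The sid range check assumes the Snort convention that sids below 1,000,000 are reserved for distributed rules and local rules start at 1,000,000; IP and port fields are assumed to contain no spaces.

```python
import re

# Rule header layout from the post:
# <action> <protocol> <src ip> <src port> <direction> <dst ip> <dst port> (options)
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_DIRECTIONS = {"->", "<>"}
LOCAL_SID_MIN = 1000000  # assumption: sids below this are reserved for distributed rules

# seven whitespace-free header tokens, then the parenthesised option body
_HEADER_RE = re.compile(
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def _push(pairs, chars):
    """Turn the accumulated characters into a (keyword, value) pair, if non-empty."""
    token = "".join(chars).strip()
    if token:
        key, _, value = token.partition(":")
        pairs.append((key.strip(), value.strip()))


def split_options(body):
    """Split 'msg:"a;b"; sid:1; rev:2;' into (keyword, value) pairs.

    A semicolon inside double quotes or preceded by a backslash does not end
    an option, so msg:"a;b" stays intact. Flag-only options (e.g. nocase)
    get an empty value.
    """
    pairs, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escaped character verbatim
            current.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            _push(pairs, current)
            current = []
        else:
            current.append(ch)
        i += 1
    _push(pairs, current)  # option body without a trailing ';'
    return pairs


def parse_rule(line):
    """Parse one rule into header fields, the option list and sid/rev/msg."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("rule does not match '<header> (options)': %r" % line)
    rule = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    if rule["action"] not in VALID_ACTIONS:
        raise ValueError("unknown rule action %r" % rule["action"])
    if rule["direction"] not in VALID_DIRECTIONS:
        raise ValueError("direction must be -> or <>, got %r" % rule["direction"])
    rule["options"] = split_options(m.group(8))
    opts = dict(rule["options"])          # last value wins; fine for sid/rev/msg
    if "sid" not in opts:
        raise ValueError("every rule needs a sid")
    rule["sid"] = int(opts["sid"])
    rule["rev"] = int(opts["rev"]) if "rev" in opts else None
    rule["msg"] = opts.get("msg", "").strip('"')
    return rule


def lint_rule(rule):
    """Return human-readable warnings for a parsed rule (empty list if clean)."""
    warnings = []
    if rule["sid"] < LOCAL_SID_MIN:
        warnings.append("sid %d is in the range reserved for distributed rules; "
                        "local rules should use sid >= %d" % (rule["sid"], LOCAL_SID_MIN))
    if rule["rev"] is None:
        warnings.append("no rev; add rev:1 so later edits can be tracked")
    if not rule["msg"]:
        warnings.append("no msg; alerts will be hard to read")
    if rule["protocol"] == "icmp" and (rule["src_port"] != "any" or rule["dst_port"] != "any"):
        warnings.append("ICMP has no ports; use 'any' for both port fields")
    return warnings


if __name__ == "__main__":
    r = parse_rule('alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)')
    print(r["action"], r["protocol"], r["direction"], r["sid"], r["rev"], r["msg"])
    for w in lint_rule(r):
        print("warning:", w)
```

Run it on the post's icmp.rules line and the only warning is the sid range one; a rule with a bad direction operator such as `=>` is rejected outright, which is the error you want to see before snort loads the file.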
5. Execute snort

Execute snort from command line, as mentioned below.
Code: [Select]
# snort -c /etc/snort/snort.conf -l /var/log/snort/

Ping any IP address from your machine to trigger the rule. Following is an example of a snort alert for this ICMP rule.

Code: [Select]
# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

Alert Explanation

Several lines are written for each alert, which include the following:

    - Message is printed in the first line.
    - Source IP
    - Destination IP
    - Type of packet, and header information.
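Reading the alert file by eye works for one ping; it does not work once a rule fires a few thousand times. The following Python script is an added example, not part of the original post: it parses the full-format alert records shown above (message line, priority, timestamp, IP line, ICMP type/code) into dictionaries and counts alerts per source and sid so a noisy host stands out. The sample text is constructed from the post's record plus one constructed echo-reply record; the parser also accepts the layout without link-layer lines, where the timestamp and the IP pair share one line.

```python
import re
from collections import Counter

# Constructed sample: the post's alert record followed by a constructed ECHO REPLY record.
SAMPLE_ALERT_FILE = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.231200 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.104 -> 209.85.231.102 ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84
Type:0  Code:0  ID:24905   Seq:1  ECHO REPLY
"""

# Each record starts with the "[**] [gid:sid:rev] msg [**]" line.
_RECORD_START = re.compile(r"(?=^\[\*\*\] \[\d+:\d+:\d+\])", re.M)
_HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
_PRIORITY = re.compile(r"\[Priority: (\d+)\]")
_TIMESTAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)", re.M)
# "src[:port] -> dst[:port] PROTO TTL:n"; not anchored so it also matches when
# the timestamp shares the line (output without -e).
_IP_LINE = re.compile(
    r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? (\w+) TTL:(\d+)")
_ICMP = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)


def parse_alerts(text):
    """Parse a full-format snort alert file into one dict per alert record."""
    records = []
    for chunk in _RECORD_START.split(text):
        h = _HEADER.search(chunk)
        if not h:
            continue                      # empty leading chunk or unrelated text
        gid, sid, rev, msg = h.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "priority": None, "timestamp": None, "src": None, "src_port": None,
               "dst": None, "dst_port": None, "proto": None, "ttl": None,
               "icmp_type": None, "icmp_code": None}
        p = _PRIORITY.search(chunk)
        if p:
            rec["priority"] = int(p.group(1))
        t = _TIMESTAMP.search(chunk)
        if t:
            rec["timestamp"] = t.group(1)
        ip = _IP_LINE.search(chunk)
        if ip:
            src, sport, dst, dport, proto, ttl = ip.groups()
            rec.update(src=src, src_port=int(sport) if sport else None,
                       dst=dst, dst_port=int(dport) if dport else None,
                       proto=proto, ttl=int(ttl))
        ic = _ICMP.search(chunk)
        if ic:
            rec["icmp_type"], rec["icmp_code"] = int(ic.group(1)), int(ic.group(2))
        records.append(rec)
    return records


def count_by_source(records):
    """Alerts per (source IP, sid): the first view to check when a rule is noisy."""
    return Counter((r["src"], r["sid"]) for r in records)


def noisy_sources(records, threshold):
    """Source IPs that triggered at least `threshold` alerts, most active first."""
    per_src = Counter(r["src"] for r in records if r["src"])
    return [src for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERT_FILE)
    for r in recs:
        print(r["timestamp"], r["src"], "->", r["dst"], r["proto"],
              "type", r["icmp_type"], "sid", r["sid"], r["msg"])
    for (src, sid), n in count_by_source(recs).items():
        print("%s sid %d: %d alert(s)" % (src, sid, n))
```

Point `parse_alerts` at the contents of /var/log/snort/alert and raise the threshold in `noisy_sources` to whatever rate of ICMP is normal for the network; the type/code fields let you separate echo requests (type 8) from the replies (type 0) that the same rule also matches.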

If your network connection is on a different interface, select it with the -i option. In this example my network interface is ppp0 (the -dev flags additionally print verbose output with link-layer headers and application-layer data).

Code: [Select]
# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/

Execute snort as Daemon

Add the -D option to run snort as a daemon.
Code: [Select]
# snort -D -c /etc/snort/snort.conf -l /var/log/snort/

Additional Snort information

    - Default config file will be available at snort-2.8.6.1/etc/snort.conf
    - Default rules can be downloaded from: http://www.snort.org/snort-rules