Last updated at Tue, 27 Oct 2020 14:07:47 GMT
Synopsis
Security is a major issue in today’s enterprise environments. There are lots of tools available to secure network infrastructure and communication over the internet. Snort is a free and open source lightweight network intrusion detection and prevention system. Snort is the most widely-used NIDS (Network Intrusion and Detection System) that detects and prevent intrusions by searching protocol, content analysis, and various pre-processors. Snort provides a wealth of features, like buffer overflow, stealth port scans, and CGI attacks, just to name a few. Snort tries to detect malicious activity, denial of service attacks, and port scans by monitoring network traffic. It's divided into five major components: Packet decoder, Preprocessor, Detection engine, Logging and Alerting system, and Output modules.
Here, we will explain how to install from source, create a configuration file for Snort, create sample rules, and finally test on Ubuntu 16.04.
System Requirements
- Newly deployed Ubuntu 16.04 server.
- Minimum 4 GB RAM and multicore CPU for better performance.
- At least 1 TB hard disk.
Prepare the System for Deployment
Before starting, ensure your system is up to date and all installed software is running the latest version.
First, log in to root user and update your system by running the following command:
apt-get update -y
apt-get upgrade -y
Install Required Dependencies
Before installing Snort, you will need to install required dependencies on your system.
apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
You will also need to install DAQ. To do this, first download the latest version of DAQ with the following command:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar -zxvf daq-2.0.6.tar.gz
Next, change the directory to daq-2.0.6:
cd daq-2.0.6
Now run the following command to compile and install DAQ:
./configure && make && make install
Install Snort from Source
You can install Snort from its source code or deb packages on Ubuntu. It is recommended to build Snort from source code, because the latest version of Snort may not be available in Linux distro repositories. Also note that the following examples use eth0 for the network interface. Your main network interface may differ.
First, download the latest version of the Snort source code with the following command:
wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf snort-2.9.8.3.tar.gz
Change the directory to snort-2.9.8.3:
cd snort-2.9.8.3
Then run the following command to compile and install Snort:
./configure --enable-sourcefire && make && make install
Next, you will need to update the shared libraries, otherwise you will get an error when you try to run Snort:
ldconfig
Next, create a symlink to the Snort binary:
ln -s /usr/local/bin/snort /usr/sbin/snort
Finally, you can verify the installation and configuration with the following command:
snort -V
You should see the following output:
,,_ -*> Snort! <*-
o" )~ Version 2.9.8.3 GRE (Build 383)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8
Configure Snort
You can configure Snort in three modes: Sniffer mode, Packet logger mode, and Network IDS mode. Here, we will configure Snort for Network IDS Mode.
Before configuring Snort, you will need to create a directory structure for Snort.
To do this, create the following directories and files:
mkdir /etc/snort
mkdir /etc/snort/preproc_rules
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
Now set proper permission to the following directories:
chmod -R 5775 /etc/snort/
chmod -R 5775 /var/log/snort/
chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/
Next, you will need to copy configuration files from Nnort source:
Change the directory to snort-2.9.8.3:
cd snort-2.9.8.3
Then, copy .conf, .map and .dtd files to the /etc/snort/ directory:
cp -avr *.conf *.map *.dtd /etc/snort/
You will also need to copy the dynamic preprocessors files:
cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
Now we will edit the Snort configuration file. First, comment out all rulesets with the following command:
sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
Next, open /etc/snort/snort.conf file in your favorite editor:
nano /etc/snort/snort.conf
Change the file as shown below:
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.15.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/local.rules
Save and close the file when you are done.
Next, validate the configuration file with the following command:
snort -T -i eth0 -c /etc/snort/snort.conf
If everything is okay, you should see the following output:
Snort successfully validated the configuration!
Snort exiting
Testing Snort
Snort is now ready for testing—but before starting, you will need to create a rule set.
Let’s create a rule to test Snort.
Edit the local.rules file:
nano /etc/snort/rules/local.rules
Add the following lines:
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
Save and close the file.
The above rules will generate an alert when someone tries to Ping, FTP, or Telnet to the server.
Now start Snort in Network IDS mode from the terminal and tell it to output any alert to the console:
snort -A console -q -c /etc/snort/snort.conf -i eth0
Specification of all the options are listed below:
-Aconsole: Prints fast mode alerts to stdout-q: Quiet mode. Don’t show banner and status report-c: The path to our snort.conf file-i: The interface to listen on
Now, since Snort is up and listening on interface eth0, so let’s try to Ping, FTP, and Telnet from remote machine.
On the remote machine run the following command:
ping 192.168.15.189
ftp 192.168.15.189
telnet 192.168.15.189 80
Note: 192.168.15.189 is the IP address of Snort server
On the Snort server, you should see the output something like this:
12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.15.196 -> 192.168.15.189
12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:60392 -> 192.168.15.189:21
12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:56076 -> 192.168.15.189:80
You can stop Snort at any time by pressing Ctrl+c from your keyboard.
Create Snort Startup Script
You will also need to create a startup script to run Snort at boot time. You can do this by creating snort.service file:
nano /lib/systemd/system/snort.service
Add the following lines:
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
[Install]
WantedBy=multi-user.target
Save the file, then enable the script to run at boot time:
systemctl enable snort
Finally, start Snort:
systemctl start snort
You can check the status of Snort by running the following command:
systemctl status snort
You should see the following output:
● snort.service - Snort NIDS Daemon
Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2016-12-14 23:45:56 IST; 15s ago
Main PID: 16129 (snort)
CGroup: /system.slice/snort.service
└─16129 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
Dec 14 23:45:56 Node1 systemd[1]: Started Snort NIDS Daemon.
