Intrusion detection in a network is important for IT security. Intrusion Detection System used for the detection of illegal and malicious attempts in the network. Snort is well-known open source intrusion detection system. Web interface (Snorby) can be used for better analysis of alerts. Snort can be used as an intrusion prevention system with iptables/pf firewall. In this article, we will install and configure an open source IDS system snort.
Data Acquisition library (DAQ) is used by the snort for abstract calls to packet capture libraries. It is available on snort website. Downloading process is shown in the following screenshot.
Extract it and run ./configure, make and make install commands for DAQ installation. However, DAQ required other tools therefore ./configure script will generate following errors .
flex and bison error
Therefore first install flex/bison and libcap before DAQ installation which is shown in the figure.
Installation of libpcap development library is shown below
After installation of necessary tools, again run ./configure script which will show following output.
make and make install commands result is shown in the following screens.
After successful installation of DAQ, now we will install snort. Downloading using wget is shown in the below figure.
Extract compressed package using below given command.
#tar -xvzf snort-22.214.171.124.tar.gz
Create installation directory and set prefix parameter in the configure script. It is also recommended to enable sourcefire flag for Packet Performance Monitoring (PPM).
#./configure --prefix=/usr/local/snort/ --enable-sourcefire
Configure script generates error due to missing libpcre-dev , libdumbnet-dev and zlib development libraries.
error due to missing libpcre library.
error due to missing dnet (libdumbnet) library.
configure script generate error due to missing zlib library.
Installation of all required development libraries is shown in the next screenshots.
# aptitude install libpcre3-dev
# aptitude install libdumbnet-dev
# aptitude install zlib1g-dev
After installation of above required libraries for snort, again run the configure scripts without any error.
Run make & make install commands for the compilation and installations of snort in /usr/local/snort directory.
Finally snort running from /usr/local/snort/bin directory. Currently it is in promisc mode (packet dump mode) of all traffic on eth0 interface.
Traffic dump by the snort interface is shown in following figure.
Rules and Configuration of Snort
Snort installation from source code required rules and configuration setting therefore now we will copy rules and configuration under /etc/snort directory. We have created single bash scripts for rules and configuration setting. It is used for following snort setting.
- Creation of snort user for snort IDS service on linux.
- Creation of directories and files under /etc directory for snort configuration.
- Permission setting and copying data from etc directory of snort source code.
- Remove # (comment sign) from rules path in snort.conf file.
#!/bin/bash##PATH of source code of snort
echo "adding group and user for snort..."
groupadd snort &> /dev/null
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &> /dev/null#snort configuration
echo "Configuring snort..."mkdir -p /etc/snort
mkdir -p /etc/snort/rules
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules###copy configuration and rules from etc directory under source code of snort
echo "copying from snort source to /etc/snort ....."
cp $snort_src/etc/*.conf* /etc/snort
cp $snort_src/etc/*.map /etc/snort##enable rules
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.confecho "---DONE---"
ipvar HOME_NET 192.168.1.0/24 # LAN side
ipvar EXTERNAL_NET !$HOME_NET # WAN side
var RULE_PATH /etc/snort/rules # snort signature path
var SO_RULE_PATH /etc/snort/so_rules #rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules # Preproces path
var WHITE_LIST_PATH /etc/snort/rules # dont scan
var BLACK_LIST_PATH /etc/snort/rules # Must scan
include $RULE_PATH/local.rules# file for custom rules
#snort -T -c /etc/snort/snort.conf
In this article our focus was on the installation and configuration of an open source IDPS system snort on Ubuntu distribution. By default it is used for the monitoring of events however it can con configured inline mode for the protection of network. Snort rules can be tested and analysed in offline mode using pcap capture file.