How to Install and Use Snort on Ubuntu 15.04

Intrusion detection in a network is important for IT security. An Intrusion Detection System (IDS) is used to detect illegal and malicious attempts on the network. Snort is a well-known open source intrusion detection system, and a web interface (Snorby) can be used for better analysis of its alerts. Snort can also be used as an intrusion prevention system together with an iptables/pf firewall. In this article, we will install and configure the open source IDS Snort.

Snort Installation

Prerequisite

The Data Acquisition library (DAQ) is used by Snort for abstract calls to packet capture libraries. It is available on the Snort website. The download is shown in the following screenshot.

Extract it and run ./configure, make and make install to install DAQ. However, DAQ requires other tools, so the ./configure script will fail with the following errors:

  • flex and bison error
  • libpcap error

Therefore, install flex/bison and libpcap before installing DAQ, as shown in the figure. The installation of the libpcap development library (libpcap-dev) is shown below.

After installing the necessary tools, run the ./configure script again; it now completes without errors. The results of make and make install are shown in the following screens.

After a successful installation of DAQ, we will now install Snort. The download using wget is shown in the figure below.

Extract the compressed package using the command given below.

# tar -xvzf snort-2.9.7.3.tar.gz

Create the installation directory and set the prefix parameter in the configure script. It is also recommended to enable the sourcefire flag for Packet Performance Monitoring (PPM).

# mkdir /usr/local/snort

# ./configure --prefix=/usr/local/snort/ --enable-sourcefire

The configure script generates errors due to the missing libpcre-dev, libdumbnet-dev and zlib development libraries:

  • error due to the missing libpcre library
  • error due to the missing dnet (libdumbnet) library
  • error due to the missing zlib library

The installation of all required development libraries is shown in the next screenshots.

# aptitude install libpcre3-dev

# aptitude install libdumbnet-dev

# aptitude install zlib1g-dev

After installing the libraries required by Snort, run the configure script again; it now completes without any error.

Run make and make install to compile and install Snort into the /usr/local/snort directory.

# make

# make install

Finally, Snort runs from the /usr/local/snort/bin directory. Here it is running in promiscuous (packet dump) mode on all traffic on the eth0 interface.

The traffic dumped by Snort on that interface is shown in the following figure.

Rules and Configuration of Snort

Installing Snort from source does not set up its rules and configuration, so we will now copy the rules and configuration under the /etc/snort directory. We have created a single bash script for the rules and configuration setup. It performs the following Snort settings:

  • Creation of a snort user for the Snort IDS service on Linux.
  • Creation of directories and files under the /etc directory for the Snort configuration.
  • Permission setting and copying of data from the etc directory of the Snort source code.
  • Commenting out (with #) the rule include lines in snort.conf, since the rule files are not shipped with the source; the needed ones are re-enabled later.

#!/bin/bash
#
# PATH of the snort source code
snort_src="/home/test/Downloads/snort-2.9.7.3"

echo "adding group and user for snort..."
groupadd snort &> /dev/null
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &> /dev/null

# snort configuration
echo "Configuring snort..."
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/local.rules
mkdir -p /etc/snort/preproc_rules
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules

### copy configuration and rules from the etc directory of the snort source code
echo "copying from snort source to /etc/snort ....."
echo "$snort_src"
echo "-------------"
cp "$snort_src"/etc/*.conf* /etc/snort
cp "$snort_src"/etc/*.map /etc/snort

## comment out every "include $RULE_PATH/..." line: the rule files are not part of
## the source tarball, and the needed ones are re-enabled later in snort.conf
sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

echo "---DONE---"
Change the Snort source directory in the script and run it. The following output appears on success.

The script copies the following files/directories from the Snort source into the /etc/snort configuration directory.
The Snort configuration file is quite complex; however, the following changes to snort.conf are required for the IDS to work properly.

ipvar HOME_NET 192.168.1.0/24  # LAN side
ipvar EXTERNAL_NET !$HOME_NET   # WAN side

var RULE_PATH /etc/snort/rules     # snort signature path
var SO_RULE_PATH /etc/snort/so_rules        # rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules  # preprocessor rules path
var WHITE_LIST_PATH /etc/snort/rules        # don't scan
var BLACK_LIST_PATH /etc/snort/rules        # must scan

include $RULE_PATH/local.rules   # file for custom rules

Remove the comment sign (#) from the other rule includes you need, such as ftp.rules, exploit.rules etc.

Now download the community rules and extract them under the /etc/snort/rules directory. Enable the community and emerging threats rules in snort.conf.

Run the following command to test the configuration file after the changes mentioned above.

# snort -T -c /etc/snort/snort.conf
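As an added example (not part of the original article), the following shell function scans a snort.conf for active include $RULE_PATH/... lines and reports which rule files are missing under RULE_PATH, the usual reason snort -T fails when includes are uncommented before the rule files have been downloaded. The miniature snort.conf and rules directory it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report rule files that snort.conf includes but that do not exist.
# Usage: check_rule_includes /etc/snort/snort.conf
# Prints "ok <file>" or "MISSING <file>" per active include, then a summary line.
# Exit status 0 when every active include resolves, 1 otherwise.
check_rule_includes() {
    conf="$1"
    # RULE_PATH as set by the "var RULE_PATH <dir>" line (trailing comment dropped)
    rule_path=$(sed -n 's/^var RULE_PATH[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    # Fall back to <conf dir>/rules when snort.conf does not set RULE_PATH
    [ -n "$rule_path" ] || rule_path="$(dirname "$conf")/rules"
    missing=0
    # Only uncommented "include $RULE_PATH/<file>" lines are active
    for f in $(sed -n 's/^include \$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$conf"); do
        if [ -f "$rule_path/$f" ]; then
            echo "ok      $rule_path/$f"
        else
            echo "MISSING $rule_path/$f"
            missing=$((missing + 1))
        fi
    done
    echo "$missing rule file(s) missing"
    [ "$missing" -eq 0 ]
}

# Constructed demo data: a miniature snort.conf and rules directory in a temp dir.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/rules"
touch "$demo_dir/rules/local.rules"
cat > "$demo_dir/snort.conf" <<EOF
var RULE_PATH $demo_dir/rules     # snort signature path
include \$RULE_PATH/local.rules        # present on disk
include \$RULE_PATH/community.rules    # not downloaded yet
#include \$RULE_PATH/ftp.rules         # commented out, so ignored
EOF

# Run the check on the constructed configuration: community.rules is reported missing
check_rule_includes "$demo_dir/snort.conf" || echo "fix the includes above before running snort -T"
```

Point the function at /etc/snort/snort.conf to check the real configuration before running snort -T.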

Conclusion

In this article, our focus was on the installation and configuration of the open source IDPS Snort on an Ubuntu distribution. By default it is used to monitor events; however, it can be configured in inline mode to protect the network. Snort rules can also be tested and analysed offline using a pcap capture file.

Shah 3:00 am
