Synopsis

Security is a major issue in today’s enterprise environments. There are lots of tools available to secure network infrastructure and communication over the internet. Snort is a free and open source lightweight network intrusion detection and prevention system. Snort is the most widely-used NIDS (Network Intrusion and Detection System) that detects and prevent intrusions by searching protocol, content analysis, and various pre-processors. Snort provides a wealth of features, like buffer overflow, stealth port scans, and CGI attacks, just to name a few. Snort tries to detect malicious activity, denial of service attacks, and port scans by monitoring network traffic. It's divided into five major components: Packet decoder, Preprocessor, Detection engine, Logging and Alerting system, and Output modules.

Here, we will explain how to install from source, create a configuration file for Snort, create sample rules, and finally test on Ubuntu 16.04.

System Requirements

  • Newly deployed Ubuntu 16.04 server.
  • Minimum 4 GB RAM and multicore CPU for better performance.
  • At least 1 TB hard disk.

Prepare the System for Deployment

Before starting, ensure your system is up to date and all installed software is running the latest version.

First, log in to root user and update your system by running the following command:

apt-get update -y 
apt-get upgrade -y

Install Required Dependencies

Before installing Snort, you will need to install required dependencies on your system.

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

You will also need to install DAQ. To do this, first download the latest version of DAQ with the following command:

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -zxvf daq-2.0.6.tar.gz

Next, change the directory to daq-2.0.6:

cd daq-2.0.6

Now run the following command to compile and install DAQ:

./configure && make && make install

Install Snort from Source

You can install Snort from its source code or deb packages on Ubuntu. It is recommended to build Snort from source code, because the latest version of Snort may not be available in Linux distro repositories. Also note that the following examples use eth0 for the network interface. Your main network interface may differ.

First, download the latest version of the Snort source code with the following command:

wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf snort-2.9.8.3.tar.gz

Change the directory to snort-2.9.8.3:

cd snort-2.9.8.3

Then run the following command to compile and install Snort:

./configure --enable-sourcefire && make && make install

Next, you will need to update the shared libraries, otherwise you will get an error when you try to run Snort:

ldconfig

Next, create a symlink to the Snort binary:

ln -s /usr/local/bin/snort /usr/sbin/snort

Finally, you can verify the installation and configuration with the following command:

snort -V

You should see the following output:

 ,,_ -*> Snort! <*- 
 o" )~ Version 2.9.8.3 GRE (Build 383) 
 '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team 
     Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved. 
     Copyright (C) 1998-2013 Sourcefire, Inc., et al. 
     Using libpcap version 1.7.4 
     Using PCRE version: 8.38 2015-11-23 
     Using ZLIB version: 1.2.8

Configure Snort

You can configure Snort in three modes: Sniffer mode, Packet logger mode, and Network IDS mode. Here, we will configure Snort for Network IDS Mode.

Before configuring Snort, you will need to create a directory structure for Snort.

To do this, create the following directories and files:

 mkdir /etc/snort
 mkdir /etc/snort/preproc_rules
 mkdir /etc/snort/rules
 mkdir /var/log/snort
 mkdir /usr/local/lib/snort_dynamicrules
 touch /etc/snort/rules/white_list.rules
 touch /etc/snort/rules/black_list.rules
 touch /etc/snort/rules/local.rules

Now set proper permission to the following directories:

 chmod -R 5775 /etc/snort/ 
 chmod -R 5775 /var/log/snort/ 
 chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/

Next, you will need to copy configuration files from Nnort source:

Change the directory to snort-2.9.8.3:

cd snort-2.9.8.3

Then, copy .conf, .map and .dtd files to the /etc/snort/ directory:

cp -avr *.conf *.map *.dtd /etc/snort/

You will also need to copy the dynamic preprocessors files:

cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

Now we will edit the Snort configuration file. First, comment out all rulesets with the following command:

sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Next, open /etc/snort/snort.conf file in your favorite editor:

nano /etc/snort/snort.conf

Change the file as shown below:

 # Setup the network addresses you are protecting 
 ipvar HOME_NET 192.168.15.0/24
 
 # Set up the external network addresses. Leave as "any" in most situations 
 ipvar EXTERNAL_NET any
 
 var RULE_PATH /etc/snort/rules 
 var SO_RULE_PATH /etc/snort/so_rules 
 var PREPROC_RULE_PATH /etc/snort/preproc_rules 
 var WHITE_LIST_PATH /etc/snort/rules 
 var BLACK_LIST_PATH /etc/snort/rules 
 include $RULE_PATH/local.rules

Save and close the file when you are done.

Next, validate the configuration file with the following command:

snort -T -i eth0 -c /etc/snort/snort.conf

If everything is okay, you should see the following output:

 Snort successfully validated the configuration! 
 Snort exiting

Testing Snort

Snort is now ready for testing—but before starting, you will need to create a rule set.

Let’s create a rule to test Snort.

Edit the local.rules file:

nano /etc/snort/rules/local.rules

Add the following lines:

 alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;) 
 alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;) 
 alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

Save and close the file.

The above rules will generate an alert when someone tries to Ping, FTP, or Telnet to the server.

Now start Snort in Network IDS mode from the terminal and tell it to output any alert to the console:

snort -A console -q -c /etc/snort/snort.conf -i eth0

Specification of all the options are listed below:

  • -A console: Prints fast mode alerts to stdout
  • -q: Quiet mode. Don’t show banner and status report
  • -c: The path to our snort.conf file
  • -i: The interface to listen on

Now, since Snort is up and listening on interface eth0, so let’s try to Ping, FTP, and Telnet from remote machine.

On the remote machine run the following command:

 ping 192.168.15.189 
 ftp 192.168.15.189 
 telnet 192.168.15.189 80

Note: 192.168.15.189 is the IP address of Snort server

On the Snort server, you should see the output something like this:

 12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.15.196 -> 192.168.15.189 
 12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:60392 -> 192.168.15.189:21 
 12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:56076 -> 192.168.15.189:80

You can stop Snort at any time by pressing Ctrl+c from your keyboard.

Create Snort Startup Script

You will also need to create a startup script to run Snort at boot time. You can do this by creating snort.service file:

nano /lib/systemd/system/snort.service

Add the following lines:

 [Unit]
   Description=Snort NIDS Daemon
   After=syslog.target network.target
 [Service]
   Type=simple
   ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
 [Install]
  WantedBy=multi-user.target

Save the file, then enable the script to run at boot time:

systemctl enable snort

Finally, start Snort:

systemctl start snort

You can check the status of Snort by running the following command:

systemctl status snort

You should see the following output:

 ● snort.service - Snort NIDS Daemon 
     Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor preset: enabled) 
     Active: active (running) since Wed 2016-12-14 23:45:56 IST; 15s ago 
 Main PID: 16129 (snort) 
     CGroup: /system.slice/snort.service 
         └─16129 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
 
 Dec 14 23:45:56 Node1 systemd[1]: Started Snort NIDS Daemon.

References