Synopsis

Security is a major issue in today's enterprise environments, and many tools are available to secure network infrastructure and communication over the internet. Snort is an open source, free and lightweight network intrusion detection and prevention system that can be used to detect and prevent intrusions on the network. Snort is the most widely used NIDS (Network Intrusion Detection System); it detects and prevents intrusions through protocol analysis, content matching and various preprocessors. Snort can detect attacks such as buffer overflows, stealth port scans and CGI attacks, and it tries to detect malicious activity, denial of service attacks and port scans by monitoring network traffic. Snort is divided into five major components: the packet decoder, the preprocessors, the detection engine, the logging and alerting system, and the output modules.

Here, we will explain how to install Snort from source, create a configuration file for Snort, create sample rules, and finally test Snort on Ubuntu 16.04.

System Requirements

  • Newly deployed Ubuntu 16.04 server.
  • Minimum 4 GB RAM and multicore CPU for better performance.
  • At least 1 TB hard disk.

Prepare the System for Deployment

Before starting with Snort, your system should be up to date, with all installed software running the latest version.

First, log in as the root user and update your system by running the following commands:

apt-get update -y 
apt-get upgrade -y

Install Required Dependencies

Before installing Snort, you will need to install the required dependencies on your system:

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

Next, you will also need to install DAQ, the Data Acquisition library Snort uses to capture packets.

To do so, first download the latest version of DAQ with the following command:

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -zxvf daq-2.0.6.tar.gz

Next, change the directory to daq-2.0.6:

cd daq-2.0.6

Next, run the following command to compile and install DAQ:

./configure && make && make install

Install Snort from Source

You can install Snort from its source code or from deb packages on Ubuntu. Building Snort from source is recommended, because the latest version of Snort may not be available in the Linux distribution repositories.

First, download the latest version of the snort source code with the following command:

wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf snort-2.9.8.3.tar.gz

Next, change the directory to snort-2.9.8.3:

cd snort-2.9.8.3

Next, run the following command to compile and install Snort:

./configure --enable-sourcefire && make && make install

Next, you will need to refresh the shared library cache, otherwise you will get an error when you try to run Snort:

ldconfig

Next, create a symlink to the Snort binary:

ln -s /usr/local/bin/snort /usr/sbin/snort

Finally, you can verify the installation with the following command:

snort -V

You should see the following output:

 ,,_ -*> Snort! <*- 
 o" )~ Version 2.9.8.3 GRE (Build 383) 
 '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team 
     Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved. 
     Copyright (C) 1998-2013 Sourcefire, Inc., et al. 
     Using libpcap version 1.7.4 
     Using PCRE version: 8.38 2015-11-23 
     Using ZLIB version: 1.2.8

Configure Snort

You can configure Snort in three modes: Sniffer mode, Packet logger mode and Network IDS mode. Here, we will configure Snort for Network IDS Mode.

Before configuring Snort, you will need to create a directory structure for Snort.

First, create the following directories and files:

 mkdir /etc/snort
 mkdir /etc/snort/preproc_rules
 mkdir /etc/snort/rules
 mkdir /var/log/snort
 mkdir /usr/local/lib/snort_dynamicrules
 touch /etc/snort/rules/white_list.rules
 touch /etc/snort/rules/black_list.rules
 touch /etc/snort/rules/local.rules

Next, set the proper permissions on the following directories:

 chmod -R 5775 /etc/snort/
 chmod -R 5775 /var/log/snort/
 chmod -R 5775 /usr/local/lib/snort
 chmod -R 5775 /usr/local/lib/snort_dynamicrules/

Next, you will need to copy the configuration files from the Snort source tree.

First, change the directory to snort-2.9.8.3:

cd snort-2.9.8.3

Then, copy the .conf, .map and .dtd files to the /etc/snort/ directory:

cp -avr *.conf *.map *.dtd /etc/snort/

Next, you will also need to copy the dynamic preprocessor files:

cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

Now, we will edit the Snort configuration file.

First, comment out all rulesets with the following command:

sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Next, open the /etc/snort/snort.conf file in your favourite editor:

nano /etc/snort/snort.conf

Change the file as shown below: set HOME_NET to the network you are protecting, point the rule path variables at the directories created earlier, and uncomment the include for local.rules (the sed command above commented out every include):

 # Setup the network addresses you are protecting 
 ipvar HOME_NET 192.168.15.0/24
 
 # Set up the external network addresses. Leave as "any" in most situations 
 ipvar EXTERNAL_NET any
 
 var RULE_PATH /etc/snort/rules 
 var SO_RULE_PATH /etc/snort/so_rules 
 var PREPROC_RULE_PATH /etc/snort/preproc_rules 
 var WHITE_LIST_PATH /etc/snort/rules 
 var BLACK_LIST_PATH /etc/snort/rules 
 include $RULE_PATH/local.rules

Save and close the file when you are done.

Next, validate the configuration file with the following command:

snort -T -i eth0 -c /etc/snort/snort.conf

If everything is OK, you should see the following output:

 Snort successfully validated the configuration! 
 Snort exiting

Testing Snort

Snort is now ready for testing. Before starting, you will need to create a small rule set to test Snort with.

First, edit the local.rules file:

nano /etc/snort/rules/local.rules

Add the following lines:

 alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;) 
 alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;) 
 alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

Save and close the file when you are done.

The above rules will generate an alert when someone tries to ping, FTP or telnet (to port 80) to the server.
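As an added example (not part of this tutorial or of Snort itself), the following Python script parses rule lines in the format used above and flags two common local.rules mistakes: a sid reused across rules, and a sid below 1,000,000, the range Snort reserves for distributed rules. The embedded rule text is the three rules above plus two constructed bad rules.

```python
# Added example, not from the tutorial or the Snort project: parse Snort 2.x
# rule lines and sanity-check a local.rules body for sid mistakes.
import re
# header: action proto src sport direction dst dport, then "(options)"
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# options are "name;" or "name:value;"; a quoted value may contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;')
LOCAL_SID_MIN = 1000000  # sids below this are reserved for distributed rules
# the tutorial's three rules plus two constructed mistakes on the last lines
LOCAL_RULES = """\
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"real telnet"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query"; sid:5;)
"""

def parse_rule(line):
    """Return a dict for one rule line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed rule: " + line)
    rule = m.groupdict()
    rule["options"] = {
        name: (value.strip().strip('"') if value else None)
        for name, value in OPTION_RE.findall(rule.pop("opts"))
    }
    return rule

def check_local_rules(text):
    """List reserved, missing or reused sids found in a local.rules body."""
    problems, first_seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        sid = int(rule["options"].get("sid") or 0)  # a missing sid counts as 0
        if sid < LOCAL_SID_MIN:
            problems.append("line %d: sid %d is missing or reserved" % (n, sid))
        elif sid in first_seen:
            problems.append("line %d: sid %d reused from line %d" % (n, sid, first_seen[sid]))
        first_seen.setdefault(sid, n)
    return problems
```

Running check_local_rules on a rules file before `snort -T` catches sid collisions that would otherwise only surface as a validation error or as alerts attributed to the wrong rule.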

Now, start Snort in Network IDS mode from the terminal and tell it to output any alert to the console:

snort -A console -q -c /etc/snort/snort.conf -i eth0

The options used are explained below:

  • -A console: Prints fast mode alerts to stdout
  • -q: Quiet mode. Don’t show banner and status report
  • -c: The path to our snort.conf file
  • -i: The interface to listen on

Now that Snort is up and listening on interface eth0, let's try to ping, FTP and telnet from a remote machine.

On the remote machine, run the following commands:

 ping 192.168.15.189 
 ftp 192.168.15.189 
 telnet 192.168.15.189 80

Note: 192.168.15.189 is the IP address of the Snort server.

On the Snort server, you should see output similar to this:

 12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.15.196 -> 192.168.15.189 
 12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:60392 -> 192.168.15.189:21 
 12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:56076 -> 192.168.15.189:80

You can stop Snort at any time by pressing Ctrl+C.
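As an added example (not from the tutorial or the Snort project), this Python snippet parses the fast-alert lines Snort prints with -A console into structured records and groups them per source host, which makes it easy to see one host tripping several rules against the same target, as the three alerts above do. The sample lines are a constructed copy of that output, and the parser assumes IPv4 addresses as shown.

```python
# Added example, not from the tutorial or the Snort project: parse the
# "-A console" (fast alert) lines Snort printed above into records.
import re

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"  # absent without classtype
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# constructed copy of the three console alerts shown above
SAMPLE_ALERTS = """\
12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.15.196 -> 192.168.15.189
12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:60392 -> 192.168.15.189:21
12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Priority: 0] {TCP} 192.168.15.196:56076 -> 192.168.15.189:80
"""

def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None  # ICMP has no ports
    return rec

def summarize_by_source(text):
    """Group alerts by source host: how many fired, which sids, which targets."""
    summary = {}
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["src"], {"count": 0, "sids": set(), "targets": set()})
        entry["count"] += 1
        entry["sids"].add(rec["sid"])
        entry["targets"].add(rec["dst"])
    # sets become sorted lists so the result is stable and easy to compare
    return {src: {"count": e["count"], "sids": sorted(e["sids"]), "targets": sorted(e["targets"])}
            for src, e in summary.items()}
```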

Create Snort Startup Script

You will also need to create a startup script to run Snort at boot time.

You can do this by creating a snort.service unit file:

nano /lib/systemd/system/snort.service

Add the following lines:

 [Unit]
 Description=Snort NIDS Daemon
 After=syslog.target network.target

 [Service]
 Type=simple
 ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0

 [Install]
 WantedBy=multi-user.target

Save the file, then enable the service to run at boot time:

systemctl enable snort

Finally, start the Snort service:

systemctl start snort

You can check the status of Snort by running the following command:

systemctl status snort

You should see the following output:

 ● snort.service - Snort NIDS Daemon 
     Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor preset: enabled) 
     Active: active (running) since Wed 2016-12-14 23:45:56 IST; 15s ago 
 Main PID: 16129 (snort) 
     CGroup: /system.slice/snort.service 
         └─16129 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
 
 Dec 14 23:45:56 Node1 systemd[1]: Started Snort NIDS Daemon.
