In today’s cybersecurity landscape, intrusion detection and prevention are critical to safeguarding your network. Snort, an open-source network intrusion detection system (IDS) and intrusion prevention system (IPS), is widely used by security professionals worldwide. It offers real-time traffic analysis and packet logging, making it a powerful tool for monitoring and protecting your network.
In this guide, we'll walk you through installing and configuring Snort on a Linux system (Ubuntu/Debian-based) from the distribution package: installing the package, scoping HOME_NET to the machine we want to protect, writing a first local rule, and verifying that it raises an alert.
- An Ubuntu server VM (the machine Snort will run on)
- Another VM (Windows or another Linux distribution) to send test traffic from
- Root or sudo privileges
- Basic understanding of Linux command line
First, ensure your system packages are up-to-date:
sudo apt update && sudo apt upgrade -y
Let's install Snort by running the following command on your Ubuntu machine.
sudo apt-get install snort -y
During installation the package prompts for the interface Snort should listen on and for the address range of the local network; that range becomes HOME_NET. Snort is a network IDS, not a host-based one, but in this tutorial we scope it to the Ubuntu VM itself, so enter the VM's own IP address here (check the VM's IP configuration first).
The package installs into these directories:
- /etc/snort/: the main configuration file, snort.conf, and related configuration files.
- /etc/snort/rules/: the rule files that define the detection patterns; local.rules is where your own rules go.
- /var/log/snort/: logs and alert files generated by Snort.
- /usr/lib/snort: shared libraries and plugins used by Snort.
The snort.conf file is the main configuration file for Snort. It plays a crucial role in defining how Snort operates, what traffic it monitors, and how it responds to potential threats. This file can be found under /etc/snort/ directory. To open it, execute the following command on the terminal. We will be using the nano editor.
sudo nano /etc/snort/snort.conf
Find the ipvar HOME_NET line and make sure it contains the IP address of our Ubuntu machine (a single address, or a CIDR range if you want to cover the whole lab subnet). If it says any, replace it with the right value; with HOME_NET set to any, the rule we write below would fire on ICMP to anywhere. To check the IP address of your machine, run ip a on the terminal.
After editing, press Ctrl + X and then Y to save. To make sure there are no errors, test the configuration file with Snort's self-test mode (the -T option), supplying the interface Snort will listen on (in my case it's eth0). The self-test parses snort.conf and every rule file it includes without sniffing any traffic.
If the output ends with "Snort successfully validated the configuration!", the file parsed cleanly; otherwise fix the line it reports before continuing.
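The two steps above (pinning HOME_NET to the VM's own address and running the self-test) as one script. This is an added example and not part of the original tutorial; the config path, the interface name and the "apply" argument are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: set HOME_NET to the VM's
# own address and run Snort's configuration self-test. The paths, the
# interface name and the "apply" argument are this script's own assumptions.
set -eu

CONF="${CONF:-/etc/snort/snort.conf}"
IFACE="${IFACE:-eth0}"

# Print the current HOME_NET value from a snort.conf file (e.g. "any").
get_home_net() {
    sed -n 's/^ipvar HOME_NET[[:space:]]*//p' "$1" | head -n 1
}

# Rewrite the HOME_NET definition in a snort.conf file. The value may be a
# single host (192.168.56.10), a CIDR range (192.168.56.0/24) or a list such
# as [192.168.56.10,10.0.0.0/8]. Fails if the file has no HOME_NET line.
set_home_net() {
    conf="$1"; value="$2"
    if ! grep -q '^ipvar HOME_NET' "$conf"; then
        echo "no 'ipvar HOME_NET' line in $conf" >&2
        return 1
    fi
    # Write to a temporary file and move it into place so a failed sed
    # never leaves a half-written snort.conf behind.
    sed "s|^ipvar HOME_NET.*|ipvar HOME_NET $value|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# First IPv4 address configured on an interface, without the prefix length.
primary_ipv4() {
    ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Snort's self-test: -T parses snort.conf and every rule file it includes
# and exits non-zero on any error, without sniffing a single packet.
validate_config() {
    snort -T -i "$1" -c "$2"
}

# Touch the live system only when run as: sudo ./home_net.sh apply
if [ "${1:-}" = "apply" ]; then
    addr="$(primary_ipv4 "$IFACE")"
    [ -n "$addr" ] || { echo "no IPv4 address on $IFACE" >&2; exit 1; }
    set_home_net "$CONF" "$addr"
    echo "HOME_NET is now $(get_home_net "$CONF")"
    validate_config "$IFACE" "$CONF"
fi
```

Run it with `sudo ./home_net.sh apply` after the package install; a non-zero exit from the self-test means snort.conf or one of its rule files has a parse error, and the line number Snort prints is where to look.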
To catch ping sweeps or other ICMP-based probes, let's write a rule that generates an alert whenever an ICMP packet arrives at our Ubuntu machine. Open /etc/snort/rules/local.rules with nano and add the following rule (use straight double quotes; curly quotes pasted from a document will make Snort reject the rule).
alert icmp any any -> $HOME_NET any (msg:"ICMP Packet Detected"; sid:1000001; rev:1;)
- alert: the action to take when the rule matches (generate an alert).
- icmp: the protocol to match.
- any any -> $HOME_NET any: source IP and port, the direction arrow, then destination IP and port. Ports are meaningless for ICMP, so both are any.
- msg: the alert message that will be logged.
- sid:1000001: the unique rule ID. SIDs below 1,000,000 are reserved for the rules shipped with Snort, so local rules start at 1,000,000 to avoid collisions.
- rev:1: the rule revision, incremented whenever you edit the rule.
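The mistakes that most often stop a freshly written rule from loading (wrong action word, a header without the direction arrow, smart quotes, a missing or reserved-range sid, a sid reused from another line) can be caught before you run the self-test. The following is an added example, not part of the original tutorial: a small linter for a local.rules file. It is a plain text check of these common errors, not a full Snort rule parser, and the script name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: quick sanity checks for
# rules you add to local.rules, to run before snort -T. These are plain text
# checks of the common mistakes described above, not a full rule parser.
set -eu

# Check one rule; print each problem found and return 1 if any is fatal.
lint_rule() {
    rule="$1"; bad=0

    # Action keyword must be one Snort understands.
    case "$rule" in
        alert\ *|log\ *|pass\ *|drop\ *|reject\ *|sdrop\ *) ;;
        *) echo "unknown action: ${rule%% *}"; bad=1 ;;
    esac

    # Header is everything before the '(' and must have exactly seven
    # fields: action proto src sport direction dst dport.
    header="${rule%%(*}"
    set -- $header          # word splitting into $1..$n is intended here
    if [ "$#" -ne 7 ] || { [ "${5:-}" != "->" ] && [ "${5:-}" != "<>" ]; }; then
        echo "malformed header: $header"; bad=1
    fi
    case "${2:-}" in
        tcp|udp|icmp|ip) ;;
        *) echo "unknown protocol: ${2:-}"; bad=1 ;;
    esac

    # Options must be wrapped in (...) and the rule must end with ')'.
    case "$rule" in
        *\(*\)) ;;
        *) echo "options must be enclosed in ( ... )"; bad=1 ;;
    esac

    # Smart quotes pasted from a document are the classic silent breaker:
    # any byte outside printable ASCII is rejected.
    if printf '%s' "$rule" | LC_ALL=C grep -q '[^[:print:][:blank:]]'; then
        echo "non-ASCII character found (smart quotes?); use straight \" quotes"; bad=1
    fi

    # msg must be present and double-quoted.
    case "$rule" in
        *msg:\"*\"*) ;;
        *) echo "missing or unquoted msg"; bad=1 ;;
    esac

    # sid is mandatory; 1 to 999,999 belong to the rules shipped with Snort,
    # so local rules start at 1,000,000 to avoid collisions.
    sid="$(printf '%s\n' "$rule" | sed -n 's/.*[(; ]sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')"
    if [ -z "$sid" ]; then
        echo "missing sid"; bad=1
    elif [ "$sid" -lt 1000000 ]; then
        echo "sid $sid is in the range reserved for distributed rules; use 1000000 or higher"; bad=1
    fi

    # rev is optional but worth having so edits to a rule are traceable.
    case "$rule" in
        *rev:*) ;;
        *) echo "note: no rev; add rev:1 so later edits can be tracked" ;;
    esac

    return "$bad"
}

# Lint every rule in a file (comments and blank lines skipped) and flag
# SIDs that appear more than once, which Snort also complains about at load.
lint_rules_file() {
    file="$1"; status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_rule "$line" || status=1
    done < "$file"
    dups="$(sed -n 's/.*[(; ]sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" | sort | uniq -d)"
    if [ -n "$dups" ]; then
        echo "duplicate sid(s): $dups"; status=1
    fi
    return "$status"
}

# Usage: ./lint_rules.sh /etc/snort/rules/local.rules
if [ "$#" -gt 0 ]; then
    lint_rules_file "$1"
fi
```

The linter is deliberately strict about the sid range and about non-ASCII bytes because those two problems produce the least helpful error messages from Snort itself; everything else it flags, the self-test would also catch, just later.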
Let's run the following command so that we can see Snort live in action in the terminal: -q suppresses the startup banner, -l sets the log directory, -i selects the interface, -A console prints alerts to the terminal instead of only to the log, and -c points at the configuration file.
sudo snort -q -l /var/log/snort -i eth0 -A console -c /etc/snort/snort.conf
Now, let's ping our ubuntu machine from the other machine.
Awesome! Snort successfully detected the ICMP packet.
A packaged Snort install gives you a capable network IDS with a handful of commands. Note that what we configured here is detection only: running Snort as an IPS, where it sits inline and drops matching packets, requires inline mode and drop rules, which this guide does not cover. Deploying Snort effectively also involves ongoing rule management, tuning to cut false positives, and integration with other security tools.
Remember: Always test your configuration in a controlled environment before deploying it into production to avoid unintended network disruptions.
Happy Snorting! 🚨🦑