Install and configure Snort in Linux

What is Snort?

Snort is an open-source network intrusion detection platform developed by Martin Roesch, the founder and former CTO of Sourcefire. Snort is presently developed and maintained by Cisco.

Snort is a packet sniffer that monitors network traffic and inspects each packet closely for a malicious payload or suspicious anomalies. A long-standing pioneer in enterprise intrusion prevention and detection technology, Snort can be compiled on most Linux or Unix operating systems (OSes); a Windows version is also available.
Snort is a free and open-source network intrusion prevention system. It monitors network traffic and compares it against a user-defined Snort rule set, which is stored in a file named “snort.conf”. This is the most critical function that Snort performs.

Snort applies rules to the traffic being monitored and sends out alerts when it identifies suspicious behavior on the network.

It can recognize several techniques of cyberattacks, such as operating system fingerprinting, denial of service attacks, buffer overflow attacks, common gateway interface attacks, stealth port scans, and Server Message Block probes.

What Are the Features of Snort?

Multiple features make Snort valuable for network administrators to monitor their systems and identify malicious activities. These consist of:

Real-time Traffic Monitor

Snort can observe a network’s incoming and outgoing traffic. It monitors traffic in real time and notifies users when it finds potentially harmful packets or threats on Internet Protocol (IP) networks.

Packet Logging

Snort makes it possible to log packets to the disk through its packet logger mode. In this mode, Snort gathers each packet and logs it according to the IP address of the host network in a hierarchical directory.

Protocol Analysis

Snort is capable of protocol analysis, a network sniffing technique that collects protocol-level data for further examination. This lets the network administrator look more closely at potentially harmful data packets, for instance to check them against the Transmission Control Protocol/IP (TCP/IP) stack protocol specification.

Content Matching

Snort groups rules by protocol (such as IP and TCP), then by port, and then by whether or not they contain content. Rules with content are handled by a multi-pattern matcher, which improves efficiency, especially for protocols like the Hypertext Transfer Protocol (HTTP). Rules without content are always evaluated, which significantly affects performance.

OS Fingerprinting

The idea behind the operating system (OS) fingerprinting is that every platform has a different TCP/IP stack. Snort can identify the OS platform utilized by a system that accesses a network through this procedure.

Installation Is Possible in Any Network Environment

Snort may be installed on any operating system, including Linux and Windows, and utilized in any network environment. It is also compatible with all network protocols.

Open Source

Anyone who wishes to utilize an IDS or IPS to monitor and secure their network can do so by using SNORT, which is free and open-source software.

Rules Are Easy to Implement

Network monitoring and protection can be set up quickly and easily using Snort rules. Network administrators can distinguish between normal internet activity and abnormal or malicious activity thanks to its rule language’s flexibility and ease of generating new rules.

What Is the Difference Between the Snort Modes?

Snort can be operated in one of three distinct modes. The particular one utilized is determined by the Snort command’s flags.

Packet Sniffer

In the packet sniffer mode of Snort, the software will read IP packets and then display the contents of those packets to the user on the console.

Packet Logger

In the mode known as “packet logger,” Snort will record every single IP packet that accesses the network. The network administrator will then observe who has visited their system and obtain information regarding the operating system and protocols that those users were employing.

NIPDS (Network Intrusion and Prevention Detection System)

Only malicious packets will be logged by Snort in NIPDS mode. It accomplishes this via rules that determine the default properties of malicious packets. The network administrator’s rules also specify the action that Snort takes.

What Are the Uses of Snort Rules?

Snort’s rules allow the software to perform a variety of tasks, including:

Perform Packet Sniffing

Snort can be used to do packet sniffing, which compiles all data passing via a network both in and out. Individual packets sent and received by network devices can be collected in order to do a thorough analysis of the traffic flow.

Debug Network Traffic

Snort can be used to troubleshoot malicious packets and any configuration issues once it has logged traffic.

Generate Alerts

Snort generates alerts for users according to the rule actions defined in its configuration file. To trigger an alert, a Snort rule must include criteria that specify when a packet should be regarded as unusual or malicious, for example because it attempts to exploit a vulnerability, violates the organization’s security policy, or otherwise constitutes a threat to the network.

Create New Rules

Users of Snort can quickly add new rules to the program. This lets network administrators customize Snort’s behavior and the actions it should take. They can add rules that instruct Snort to, for instance, stop backdoor attacks, look for particular content in packets, display network data, choose which network to watch, and print alerts to the console.

Installing Snort on Linux

Snort installation used to be a laborious manual procedure. Although there were several steps, it was simple enough to overlook one. The availability of Snort through the major Linux distributions’ software repositories has simplified matters.

Sometimes, the most recent version available on the Snort website differs from the version in the repository. If you want to, you can download and install it directly from source. It doesn’t matter if your Snort isn’t the newest version, as long as it isn’t badly outdated and you have the most recent rules.

Use the following command to install Snort on Ubuntu:

sudo apt-get install snort

If you are using Ubuntu 22.04, note that the default Universe repository provides Snort 2.9; you can check with:

apt-cache policy snort

Install Snort 3 from source on Ubuntu 22.04

On Ubuntu 22.04, Snort 3 must be built and installed from source. Run a system package cache update first:

apt update
apt upgrade

Then install the required build tools. A number of build tools and dependencies must be installed before Snort 3 can be built and installed on Ubuntu 22.04; they are detailed on the Snort 3 Dependencies page:

apt install build-essential libpcap-dev libpcre3-dev \
libnet1-dev zlib1g-dev luajit hwloc libdnet-dev \
libdumbnet-dev bison flex liblzma-dev openssl libssl-dev \
pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev \
libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev \
libluajit-5.1-dev libunwind-dev libfl-dev -y

Next, install the most recent version of the Snort DAQ (Data Acquisition library). DAQ is not included in the standard Ubuntu repositories, so it must be built and installed from source;

mkdir snort-source-files && cd snort-source-files
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure
make
make install

Optionally, download and install Tcmalloc, a memory allocator designed for high-concurrency workloads. It offers faster performance at the cost of higher memory usage; this dependency is not required but is strongly recommended.

cd ../
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
tar xzf gperftools-2.9.1.tar.gz
cd gperftools-2.9.1/
./configure
make
make install

Install Snort 3 from the source code on Ubuntu 22.04

Now that all prerequisites are present, download and install Snort 3 on Ubuntu 22.04.
Get the most recent Snort tarball from the releases page. The following command downloads Snort 3.1.38.0, the most recent version available at the time of writing.

cd ../
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.38.0.tar.gz

Extract the Snort 3 source code and configure the build;

tar xzf 3.1.38.0.tar.gz
cd snort3-3.1.38.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc

Compile Snort 3 from source in the build directory and install it;

cd build
make
make install

Update the shared library cache after the installation is finished;

ldconfig

Checking the version confirms that Snort 3 is installed;

snort -V

Configuring Snort 3 on Ubuntu 22.04

Configure Network Interface Cards

First, switch the interface on which Snort listens to promiscuous mode, so that it sees all network traffic passing on the segment rather than only traffic addressed to the Snort 3 server itself.

ip link set dev enp0s8 promisc on

Verify

ip add sh enp0s8

To stop Snort from truncating large packets longer than 1518 bytes, disable interface offloading. First check whether it is turned on;

ethtool -k enp0s8 | grep receive-offload

generic-receive-offload: on

large-receive-offload: off [fixed]

GRO is on, while LRO is off and marked fixed, meaning it cannot be changed.

Next, disable offloading;

ethtool -K enp0s8 gro off lro off

The two NIC adjustments are transient. To make them survive a reboot, create and enable a systemd service unit that reapplies them, then reload the systemd configuration;

systemctl daemon-reload

On boot, start and enable the service;

systemctl enable --now snort3-nic.service

Setup Snort 3 Rulesets on Ubuntu 22.04

Rulesets are the key input to Snort’s intrusion detection engine. Snort rules come in three varieties:

  • Community Rules
  • Registered Rules
  • Subscriber Rules

Make a directory for the Snort rules. The default rules path (RULE_PATH) is set to /usr/local/etc/rules in the configuration file /usr/local/etc/snort/snort_defaults.lua.

mkdir /usr/local/etc/rules

From the Snort 3 downloads page, you can get the community rules;

wget -qO- \
https://www.snort.org/downloads/community/snort3-community-rules.tar.gz \
| tar xz -C /usr/local/etc/rules/

ls -1 /usr/local/etc/rules/snort3-community-rules/

AUTHORS
LICENSE
sid-msg.map
snort3-community.rules
VRT-License.txt

Now that the rules are in place, configure Snort 3. Start by editing the main configuration file;

vim /usr/local/etc/snort/snort.lua

Set the HOME_NET variable to the networks that must be protected from attacks. It can be a single IP address or several subnets. I set this to the Snort 3 interface’s subnet for convenience. Anything outside HOME_NET is EXTERNAL_NET;

Save your changes, then close the file.

Next, point the rule paths in the /usr/local/etc/snort/snort.lua configuration file at your rules, then save and close the file.

Installing Snort OpenAppID

Thanks to the application-layer plugin OpenAppID, Snort can identify many network-connected applications, such as Facebook, Netflix, Twitter, and Reddit. After installing Snort 3, run the commands below to install OpenAppID;

wget https://www.snort.org/downloads/openappid/23020 -O OpenAppId-23020.tgz
tar -xzvf OpenAppId-23020.tgz
cp -R odp /usr/local/lib/

Next, specify the location of the OpenAppID libraries in the Snort 3 configuration file;

vim /usr/local/etc/snort/snort.lua

appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}

Save and close the configuration file. Then make a directory for Snort’s logs;

mkdir /var/log/snort

Then run a syntax check;

snort -c /usr/local/etc/snort/snort.lua

To test the Snort configuration, create a local custom rules file.

vim /usr/local/etc/rules/local.rules

Add a rule that detects ping tests;

alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)

Save the local rules file and quit. Check the syntax;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

Then run the test with the following command;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s8 -A alert_fast -s 65535 -k none

Ping your Snort server from another terminal. Alert lines should be written to standard output while the ping is running; after you stop Snort, you should see packet statistics.

Configure Snort 3 Logging

To write Snort 3 events to log files, configure the alert output. The Logger Modules section of the Snort 3 manual explains the available logging options in detail. Open the snort.lua configuration and go to the outputs section to write event data to a file in the fast format (the same format selected on the command line above with -A alert_fast).

vim /usr/local/etc/snort/snort.lua

With this setting, Snort writes alerts to the alert_fast.txt file. Save and quit the configuration, then run a syntax check.

snort -c /usr/local/etc/snort/snort.lua

Run the command again, this time without the -A option and with -l pointing at the log directory;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s8 -s 65535 -k none -l /var/log/snort/

Repeat the ping test. An alert_fast.txt file should now exist in the log directory. You can follow it with;

tail -f /var/log/snort/alert_fast.txt
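The ping test writes one line per alert to alert_fast.txt. As an added example that is not part of the original article, the shell functions below summarize such a file by rule and by source address; the sample lines are constructed to mirror the alert_fast layout, with made-up addresses and a second hypothetical rule (sid 1000002).

```shell
# Added example (not from the original article): summarize an alert_fast log
# such as /var/log/snort/alert_fast.txt by rule and by source address.
# SAMPLE_ALERTS is constructed to mirror the alert_fast line layout
# (timestamp [**] [gid:sid:rev] "msg" [**] ... {PROTO} src -> dst);
# the addresses and the second rule (sid 1000002) are made up.
SAMPLE_ALERTS='03/01-10:15:01.000001 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] {ICMP} 192.168.56.1 -> 192.168.56.10
03/01-10:15:02.000002 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] {ICMP} 192.168.56.1 -> 192.168.56.10
03/01-10:15:03.000003 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] {ICMP} 192.168.56.1 -> 192.168.56.10
03/01-10:16:20.000004 [**] [1:1000002:1] "TCP SYN to SSH" [**] [Priority: 0] {TCP} 192.168.56.20:51234 -> 192.168.56.10:22'

# summarize_alerts FILE: print "<count>\t[gid:sid:rev] "msg"" per rule,
# most frequent rule first.
summarize_alerts() {
    awk '
        {
            # Fields are separated by the [**] markers; skip anything else.
            if (split($0, p, /\[\*\*\]/) < 3) next
            rule = p[2]
            gsub(/^ +| +$/, "", rule)
            n[rule]++
        }
        END { for (r in n) printf "%d\t%s\n", n[r], r }
    ' "$1" | sort -rn
}

# top_sources FILE: print "<count>\t<src ip>" per alerting source, noisiest
# first. The port suffix of TCP/UDP addresses is stripped.
top_sources() {
    awk '
        {
            if (split($0, p, /\[\*\*\]/) < 3) next
            m = split(p[3], t, " ")
            src = ""
            for (i = 2; i <= m; i++) if (t[i] == "->") src = t[i - 1]
            if (src == "") next
            sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (s in n) printf "%d\t%s\n", n[s], s }
    ' "$1" | sort -rn
}

# On a live box: summarize_alerts /var/log/snort/alert_fast.txt
```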

Running Snort as a Service

Snort can run in the background as a daemon with the command-line option -D, but it can also be set up as a systemd service unit. If you intend to run it as a service, it is wise to run Snort as a non-privileged system user. Therefore, create a non-login system user for Snort;

useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort

Create a systemd service unit that runs Snort as the snort user; adjust the interface name accordingly. Then reload the systemd configuration;

systemctl daemon-reload

Set the log file’s ownership and permissions;

chmod -R 5775 /var/log/snort
chown -R snort:snort /var/log/snort

Set Snort to start at boot. The service starts as root and then drops its privileges to the newly created snort user.

systemctl enable --now snort3

Verify the service’s status to ensure it is operational;

systemctl status snort3
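The NIC persistence step and the service step above both rely on a systemd unit that the text describes but does not show. As an added example that is not part of the original article, the shell functions below write both units; the interface name enp0s8, the /usr/local/bin/snort binary, the /var/log/snort log directory and the /usr/sbin locations of ip and ethtool are assumptions taken from this tutorial’s layout.

```shell
# Added example (not from the original article): write the two systemd units
# the tutorial describes. Assumptions: ip/ethtool live in /usr/sbin, snort was
# installed to /usr/local/bin, logs go to /var/log/snort (see the article).
# Run as root to write into /etc/systemd/system, then:
#   systemctl daemon-reload && systemctl enable --now snort3-nic snort3

# write_nic_unit IFACE [UNIT_DIR]: promiscuous mode plus GRO/LRO off at boot.
write_nic_unit() {
    iface="$1"
    dir="${2:-/etc/systemd/system}"
    cat > "$dir/snort3-nic.service" <<EOF
[Unit]
Description=Set Snort 3 NIC $iface to promiscuous mode and disable GRO/LRO
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev $iface promisc on
ExecStart=/usr/sbin/ethtool -K $iface gro off lro off
RemainAfterExit=yes

[Install]
WantedBy=default.target
EOF
}

# write_snort_unit IFACE [UNIT_DIR]: Snort starts as root (needed to open the
# interface) and drops to snort:snort via -u/-g; no -D, systemd keeps it in
# the foreground.
write_snort_unit() {
    iface="$1"
    dir="${2:-/etc/systemd/system}"
    cat > "$dir/snort3.service" <<EOF
[Unit]
Description=Snort 3 NIDS daemon
After=network.target snort3-nic.service
Wants=snort3-nic.service

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 \\
    -k none -l /var/log/snort -i $iface -u snort -g snort
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}
```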

Conclusion

SNORT is a network-based intrusion detection system written in the C programming language. A network administrator can use it to monitor all incoming packets and identify any that pose a threat to the system. It is based on the packet capture library, libpcap. Its rules are fairly simple to develop and test and can be used on any operating system and in any network environment. The primary reason this IDS is more popular than others is that it is free and open source, so any user can use it as they please.
