If you’re serious about network security, installing an IPS or IDS solution is a must to fortify the network perimeter and deflect potentially unwanted network traffic.

Snort is one such well-known, open-source IPS/IDS solution that is free for personal use. Let’s learn how you can install and set up Snort on Linux to defend your network from cyber-attacks.


What Is Snort?

Snort is an open-source Network Intrusion Detection and Prevention System (NIDS/IPS) software that, as the name hints, helps in securing your network perimeter by enforcing rules and filters that detect and drop potentially malicious packets injected into your network.

With Snort, you’ll be able to perform advanced network traffic logging, packet sniffing and analysis, and set up a strong Intrusion Prevention System that defends your network from unwanted and potentially malicious traffic.

Prerequisites to Installing Snort

Before you install Snort, there is some preliminary setup to do. This mostly includes updating and upgrading your system and installing the dependencies required by Snort to function properly.

Start by updating and upgrading your system.

On Ubuntu- and Debian-based Linux distros:

 sudo apt update && sudo apt upgrade -y 

On Arch Linux and its derivatives:

 sudo pacman -Syu 

On RHEL and Fedora:

 sudo dnf upgrade 

With your system upgraded, continue to install the dependencies required by Snort. Here are the commands you need to run:

On Ubuntu and Debian, run:

 sudo apt install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool libjemalloc-dev libpcre++-dev 

On Arch Linux, run:

 sudo pacman -S gperftools hwloc hyperscan libdaq libdnet libmnl libpcap libunwind luajit lz4 openssl pcre pulledpork xz zlib cmake pkgconf 

For RHEL and Fedora, issue the following command:

 sudo dnf install gcc gcc-c++ libnetfilter_queue-devel git flex bison zlib zlib-devel pcre pcre-devel libdnet tcpdump libnghttp2 wget xz-devel -y 

Additionally, you need to manually install the Data Acquisition Library (LibDAQ), which Snort requires to function, and gperftools, which provides the tcmalloc allocator that the build step below enables with --enable-tcmalloc.

First, download the LibDAQ source files from the official website using the wget command. Then, extract the archive and move into the directory using cd. Inside the directory, run the bootstrap and configure scripts then proceed to prepare files with make and install it with the make install command.

 wget https://www.snort.org/downloads/snortplus/libdaq-3.0.11.tar.gz
tar -xzvf libdaq-3.0.11.tar.gz
cd libdaq-3.0.11
./bootstrap
./configure
make
sudo make install

With LibDAQ installed, you need to install one last dependency: gperftools. Start by grabbing the source files from the GitHub repo. Extract the files, move into the directory, and run the configure script. Finally, install the package using the make and make install commands.

 wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.10/gperftools-2.10.tar.gz
tar -xvzf gperftools-2.10.tar.gz
cd gperftools-2.10
./configure
make
sudo make install

Once these dependencies have been installed, you can move on to the next steps to install Snort.

Install Snort From Source on Linux

With the preliminary setup out of the way, you can now focus on installing the actual software. You’ll be building it from source, so grab the required build files first.

Use the wget command or download the files manually from the official download page:

wget https://www.snort.org/downloads/snortplus/snort3-


Once the archive containing the build files has finished downloading, extract it using the tar command:

 tar -xzvf snort3-*.tar.gz 

Move into the extracted folder, run the configuration script, use the make command to prepare the files, and finally install them with make install:

 cd snort3-*/
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make -j"$(nproc)"
sudo make install

Snort is now installed on your system. However, there’s one more step to complete. When software is installed manually, its installation directory and the libraries it needs may not yet be known to the system’s dynamic linker, so you might run into missing-library errors when starting the application.

To avoid this issue, you need to run the ldconfig command. It will sync the system’s shared library cache with newly installed libraries and binaries. Either run the ldconfig command from a root shell or use the sudo prefix:

 sudo ldconfig 

Now you’ve covered all the important steps required to install Snort. To verify the installation, run the snort command with the -V flag; you should see output returning the version and other build details.

 snort -V 

Once you’ve verified the Snort installation, move on to the next steps to set it up as a full-blown IDS/IPS.

Initial Configuration of Snort on Linux

The efficiency of Snort almost entirely depends upon the quality of rule sets that it’s supplied with.

However, before you get to setting up rules, you need to configure the network cards to work with Snort and you also need to test how the default configuration is being handled by Snort. Start by configuring the network cards.

Set the network interface to promiscuous mode:

 sudo ip link set dev interface_name promisc on 

Using ethtool, disable Generic Receive Offload (GRO) and Large Receive Offload (LRO) to prevent larger network packets from being truncated:

 sudo ethtool -K interface_name gro off lro off 

Test how Snort performs with the default configuration:

 snort -c /usr/local/etc/snort/snort.lua 

This should return a successful output signaling that you have installed and set up Snort correctly on your system. Now you can tinker with its features and experiment with different configurations to find the best rule set for securing your network.

Set Up Rules and Enforce Them With Snort

With the basic settings in place, Snort is now ready to defend your perimeter. Since Snort needs rule sets to decide whether traffic is legitimate, let’s set up a few community-made, free rule sets for it.

Snort reads rule sets and configurations from specific directories. So first, using the mkdir and touch commands, create a few important directories to store rules and other relevant data for Snort:

 sudo mkdir -p /usr/local/etc/{lists,so_rules,rules} 
sudo touch /usr/local/etc/rules/local.rules
sudo touch /usr/local/etc/lists/default.blocklist

With these directories created, you can download the community ruleset from the official website using the wget command:

 wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz 

Once the rule set finishes downloading, extract it and copy it over to the /usr/local/etc/rules/ directory.

 tar -xvzf snort3-community-rules.tar.gz
cd snort3-community-rules
sudo cp * /usr/local/etc/rules/

To run Snort with the rule set execute this command:

 sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/snort3-community.rules -i interface_name -s 65535 -k none 

Breakdown of the command:

  • -c sets the path to the default configuration file
  • -R sets the path to the rule set to enforce
  • -i sets the interface
  • -s sets the snaplen; 65535 captures whole packets instead of truncating them
  • -k ignores checksums

This should validate the configuration and enforce all the rule sets on Snort. As soon as traffic matches one of the rules, Snort alerts you with a console message.

If you wish to create and enforce your own rule set, you can learn more about it from the official documentation pages.
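The article creates an empty local.rules file for site-specific rules but does not show what goes in it. The following script, added here as an example and not taken from the article or the Snort project, writes two illustrative local rules in Snort 3 syntax and lints the file before it is handed to Snort: every rule must carry a sid, no sid may repeat, and all sids must sit in the local range (1000000 and above) so they cannot collide with the community set. The rule text, the sample addresses and the function names are constructed for this example; the file path is a parameter so the script can be exercised against a scratch file rather than /usr/local/etc/rules/local.rules.

```shell
#!/bin/sh
# Added example (not from the original article or the Snort project): write a
# small local.rules file and lint its SIDs before pointing Snort's -R flag at it.
# Rule text is constructed for illustration.

# Two illustrative local rules. Site rules use SIDs of 1000000 and above so
# they never collide with the community or registered rule sets.
write_local_rules() {
    cat > "$1" <<'EOF'
# local.rules - site-specific rules (constructed example content)
alert icmp any any -> $HOME_NET any ( msg:"LOCAL ICMP echo request to internal host"; itype:8; sid:1000001; rev:1; )
alert tcp any any -> $HOME_NET 22 ( msg:"LOCAL inbound SSH connection attempt"; flow:to_server,established; sid:1000002; rev:1; )
EOF
}

# A deliberately broken file: one SID is duplicated and one is in the range
# reserved for official rule sets. Used to show what the linter catches.
write_bad_rules() {
    cat > "$1" <<'EOF'
alert icmp any any -> $HOME_NET any ( msg:"dup one"; sid:1000001; rev:1; )
alert icmp any any -> $HOME_NET any ( msg:"dup two"; sid:1000001; rev:1; )
alert tcp any any -> $HOME_NET 23 ( msg:"low sid"; sid:42; rev:1; )
EOF
}

# Number of active (non-comment, non-blank) rules in a file.
count_rules() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Lint a rules file: every active rule carries a sid, no sid is repeated, and
# every sid is in the local range (>= 1000000). Exit 0 when clean, 1 otherwise.
lint_rules() {
    awk '
        /^[[:space:]]*#/ || !NF { next }
        {
            rules++
            if (match($0, /sid:[[:space:]]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[[:space:]]*/, "", sid)
                if (sid in seen) {
                    printf "duplicate sid %s (lines %d and %d)\n", sid, seen[sid], NR; bad++
                }
                seen[sid] = NR
                if (sid + 0 < 1000000) {
                    printf "sid %s on line %d is below the local range (1000000+)\n", sid, NR; bad++
                }
            } else {
                printf "line %d has no sid option\n", NR; bad++
            }
        }
        END { printf "%d rules checked, %d problems\n", rules, bad; exit (bad > 0) }
    ' "$1"
}

# Demo: lint both sample files in a scratch directory.
demo_dir=$(mktemp -d)
write_local_rules "$demo_dir/local.rules"
lint_rules "$demo_dir/local.rules"
write_bad_rules "$demo_dir/bad.rules"
lint_rules "$demo_dir/bad.rules" || echo "bad.rules rejected, as expected"
rm -rf "$demo_dir"
```

Run the linter on /usr/local/etc/rules/local.rules before restarting Snort; a duplicate sid or one that collides with an official rule is a common reason a rule file is rejected or quietly shadows another rule.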

Set Up Logging With Snort

By default, Snort does not write any logs. Use the -L flag to start Snort in logging mode and define the log file type, and the -l flag to set the directory where Snort writes its logs.

Here’s the command to start Snort with logging enabled:

 sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/snort3-community.rules -i interface_name -s 65535 -k none -L file_type -l /var/log/snort 

Breakdown of the command:

  • -c sets the path to the default configuration file
  • -R sets the path to the rule set to enforce
  • -i sets the interface
  • -s sets the snaplen; 65535 captures whole packets instead of truncating them
  • -k ignores checksums
  • -L enables logging mode and defines the log file type
  • -l defines the path to store logs

Note that in the example command, the logging directory is set to /var/log/snort. Although this is recommended practice, you’re free to store your logs elsewhere.

You can read the log files from Snort from the directory you defined or pass them into SIEM software like Splunk for further analysis.
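Before shipping logs to a SIEM it helps to be able to summarise them on the sensor itself. The script below is an added example, not part of the article or the Snort project; it works on text alerts in Snort 3’s alert_fast format (the output produced by the -A alert_fast option) and reports alert counts per signature, per source address, and filtered by priority. The alert lines, addresses and signature names are constructed for this example, not real captures, and the source-port stripping assumes IPv4 addresses.

```shell
#!/bin/sh
# Added example (not from the original article or the Snort project): summarise
# Snort alert_fast text alerts from a log directory such as /var/log/snort.
# The sample lines are constructed for this example; IPv4 is assumed.

SAMPLE_ALERTS='03/15-14:22:01.123456 [**] [1:1000001:1] "LOCAL ICMP echo request to internal host" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
03/15-14:22:01.523456 [**] [1:1000001:1] "LOCAL ICMP echo request to internal host" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.6
03/15-14:22:02.023456 [**] [1:1000001:1] "LOCAL ICMP echo request to internal host" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.7
03/15-14:22:03.000001 [**] [1:1000002:1] "LOCAL inbound SSH connection attempt" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51544 -> 10.0.0.5:22
03/15-14:23:10.000001 [**] [1:1000002:1] "LOCAL inbound SSH connection attempt" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 10.0.0.5:22
03/15-14:25:00.000001 [**] [1:1000003:1] "LOCAL telnet login attempt to internal host" [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40444 -> 10.0.0.5:23'

# Write the constructed sample to the path given as $1.
write_sample_alerts() {
    printf '%s\n' "$SAMPLE_ALERTS" > "$1"
}

# Count alerts per signature: prints "count gid:sid:rev message", busiest first.
# Field layout: $2 is "[**]", $3 is "[gid:sid:rev]", and the message is the
# first quoted string, terminated by the second "[**]".
alerts_by_sid() {
    awk '{
        id = substr($3, 2, length($3) - 2)
        rest = substr($0, index($0, "\"") + 1)
        msg = substr(rest, 1, index(rest, "\" [**]") - 1)
        n[id " " msg]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Count alerts per source address (TCP/UDP port stripped), busiest first.
alerts_by_source() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); break }
        sub(/:[0-9]+$/, "", src)
        n[src]++
    }
    END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Print only alerts whose priority is max or more urgent (1 is the most urgent).
alerts_at_most_priority() {
    awk -v max="$2" 'match($0, /\[Priority: [0-9]+\]/) {
        p = substr($0, RSTART + 11, RLENGTH - 12) + 0
        if (p <= max) print
    }' "$1"
}

# Demo against the constructed sample; point the functions at your own
# alert_fast file to use them on real data.
log=$(mktemp)
write_sample_alerts "$log"
echo "== alerts by signature =="; alerts_by_sid "$log"
echo "== alerts by source =="; alerts_by_source "$log"
echo "== priority 2 or more urgent =="; alerts_at_most_priority "$log" 2
rm -f "$log"
```

The per-source view is what you would check first when a single address accounts for most of the alerts, and the priority filter gives a quick triage list; the same three views are what a SIEM dashboard would build from the forwarded file.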

Add Snort as a System Startup Daemon

Although you have installed and set up Snort, you still need to make sure it starts at boot and runs as a background daemon. Adding it as an auto-start system service ensures Snort is up and defending your system whenever the machine is online.

Here’s how to add a Snort startup daemon on Linux:

  1. Start by creating a new systemd service file (the directory is root-owned, so use sudo):
     sudo touch /lib/systemd/system/snort.service
  2. Open the file in a text editor of your choice and populate it with the following unit definition. The -D flag makes Snort fork into the background, which is what Type=forking expects. You can modify the flags to fit your needs:
     [Unit]
     Description=Snort Daemon
     After=syslog.target network.target

     [Service]
     Type=forking
     ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/snort3-community.rules -s 65535 -k none -l /var/log/snort -D -L pcap -i ens33

     [Install]
     WantedBy=multi-user.target
  3. Save and exit the file. Then, using systemctl, enable and start the service:
     sudo systemctl enable snort.service
     sudo systemctl start snort.service

The Snort background daemon should now be up and running. You can verify the status of the service using the systemctl status snort command. It should report the service as active.

Now You Know How to Protect Your Network With Snort IDS

While implementing an IDS is good practice, it’s more of a passive measure than an active one. The best way to improve and guarantee your network’s security is to test it continuously, looking for flaws to fix.

Penetration testing is a great way to find exploitable vulnerabilities and patch them.
