Snort is a free lightweight network intrusion detection system for both UNIX and Windows.
In this article, let us review how to install snort from source, write rules, and perform basic testing.
1. Download and Extract Snort
Download the latest free version of snort from the snort website. Extract the snort source code to the /usr/src directory as shown below.
# cd /usr/src
# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116
# tar xvzf snort-2.8.6.1.tar.gz
Note: We also discussed earlier Tripwire (a Linux host-based intrusion detection system) and Fail2ban (an intrusion prevention framework).
2. Install Snort
Before installing snort, make sure you have dev packages of libpcap and libpcre.
# apt-cache policy libpcap0.8-dev
libpcap0.8-dev:
  Installed: 1.0.0-2ubuntu1
  Candidate: 1.0.0-2ubuntu1
# apt-cache policy libpcre3-dev
libpcre3-dev:
  Installed: 7.8-3
  Candidate: 7.8-3
Follow the steps below to install snort.
# cd snort-2.8.6.1
# ./configure
# make
# make install
3. Verify the Snort Installation
Verify the installation as shown below.
# snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.8.6.1 (Build 39)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05
4. Create the required files and directory
You have to create the configuration file, rule file and the log directory.
Create the following directories:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
Create the following snort.conf and icmp.rules files:
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
The basic rule above raises an alert whenever an ICMP packet (for example, a ping) is seen.
Following is the structure of the rule:
<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)
| Structure | Example |
|---|---|
| Rule Actions | alert |
| Protocol | icmp |
| Source IP Address | any |
| Source Port | any |
| Direction Operator | -> |
| Destination IP Address | any |
| Destination Port | any |
| (rule options) | (msg:"ICMP Packet"; sid:477; rev:3;) |
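As an added example (not code from the article), a small Python parser that splits a rule into the seven header fields of the table above plus its option list, and rejects rules that do not fit that structure; the action and direction keyword sets are the standard Snort ones, and the TCP rule used in the test is constructed.

```python
import re

# Header fields in the order the article's table lists them.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}
# An option is 'keyword:value;' or a bare 'keyword;'; a quoted value may contain ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split one Snort rule into its header fields and a list of options.

    Returns a dict with the seven header fields plus 'options', a list of
    (keyword, value) tuples where value is None for bare keywords such as
    'nocase'. Raises ValueError when the rule does not fit the structure.
    """
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header, _, body = rule[:-1].partition("(")
    tokens = header.split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(tokens)}")
    parsed = dict(zip(HEADER_FIELDS, tokens))
    if parsed["action"] not in ACTIONS:
        raise ValueError(f"unknown rule action {parsed['action']!r}")
    if parsed["direction"] not in DIRECTIONS:
        raise ValueError(f"bad direction operator {parsed['direction']!r}")
    options = []
    for m in OPTION_RE.finditer(body):
        key, value = m.group(1), m.group(2)
        if value is not None:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop the quotes around msg/content values
        options.append((key, value))
    # Every rule needs a sid so an alert ([gid:sid:rev]) can be traced back to it.
    if not any(key == "sid" for key, _ in options):
        raise ValueError("rule has no sid option")
    parsed["options"] = options
    return parsed
```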
5. Execute snort
Execute snort from the command line as shown below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Try pinging some IP address from your machine to check the ping rule. Following is an example of a snort alert for this ICMP rule.
# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0 pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:24905 Seq:1 ECHO
Alert Explanation
Several lines are written for each alert, which include the following:
- The rule message, printed in the first line.
- Source IP
- Destination IP
- Type of packet, and header information.
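An added example, not from the article, that parses records in this full-alert format into the fields listed above and counts alerts per source address for quick triage. The input is a constructed copy of /var/log/snort/alert: the first record is the one shown above, the second is made up.

```python
import re
from collections import Counter
# Constructed sample of /var/log/snort/alert (full alert mode). The first
# record is the one shown in the article; the second is made up for the test.
SAMPLE_ALERTS = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0 pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:24905 Seq:1 ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:58.231001 209.85.231.104 -> 209.85.231.102
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
Type:0 Code:0 ID:24905 Seq:1 ECHO REPLY
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
TIME_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")

def parse_alerts(text):
    """Parse blank-line-separated alert records into dicts (ports only for TCP/UDP)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert record; skip it
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
               "msg": m.group(4), "priority": None, "time": None,
               "src": None, "src_port": None, "dst": None, "dst_port": None}
        for line in lines[1:]:
            if p := PRIORITY_RE.search(line):
                rec["priority"] = int(p.group(1))
            if t := TIME_RE.match(line):
                rec["time"] = t.group(0)
            ip = IP_RE.search(line)
            if ip and rec["src"] is None:  # first address pair is the IP header
                rec["src"], rec["dst"] = ip.group(1), ip.group(3)
                rec["src_port"] = int(ip.group(2)) if ip.group(2) else None
                rec["dst_port"] = int(ip.group(4)) if ip.group(4) else None
        records.append(rec)
    return records

def count_by_source(records):
    """Alert count per source IP, most frequent first: a quick triage view."""
    return Counter(r["src"] for r in records).most_common()
```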
If your network connection uses a different interface, select it with the -i option, as in the -dev -i command below. In this example my network interface is ppp0.
# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/
Execute snort as Daemon
Add the -D option to run snort as a daemon.
# snort -D -c /etc/snort/snort.conf -l /var/log/snort/
Additional Snort information
- The default config file ships in the source tree at snort-2.8.6.1/etc/snort.conf
- Default rules can be downloaded from: http://www.snort.org/snort-rules
My name is Ramesh Natarajan. I will be posting instruction guides, how-to, troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write articles that will either teach you or help you resolve a problem. Read more about
7 comments
good tutorial for keeping a track of the foreign activities on internet facing systems.
Thanks Ramesh. I will definitely give it a try to understand that.
snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/
and the error is:
ERROR: Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.
The distro I use is Fedora 13.
In the first step you have us download the compressed file, then navigate to another directory to open. Shouldn’t you have us move the file to the other directory first? Either way it doesn’t work. If I try to unpack the compressed file from the usr/src directory it isn’t found (because we didn’t move it), and if I move the file to that directory and try it, I get a series of fails at unpacking.
A little help?
Can I use snort to monitor my webapp's logs like Python / Java?
karthik, you can use OSSEC (http://www.ossec.net) to monitor web server logs
To Catalin:
First of all create your /etc/snort/rules/icmp.rules
Then modify /etc/snort/snort.conf in the following way:
# cat /etc/snort/snort.conf
include rules/icmp.rules
I think this is a better solution and it works great!