
Snort: 5 Steps to Install and Configure Snort on Linux

Snort is a free, open-source, lightweight network intrusion detection system that runs on both UNIX-like systems and Windows.

In this article, let us review how to install snort from source, write rules, and perform basic testing.

1. Download and Extract Snort

Download the latest Snort source tarball from the Snort website and extract it under the /usr/src directory as shown below. This article uses version 2.8.6.1; substitute the version you downloaded in the file and directory names that follow.

# cd /usr/src

# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116

# tar xvzf snort-2.8.6.1.tar.gz

Note: we discussed Tripwire (a Linux host-based intrusion detection system) and Fail2ban (an intrusion prevention framework) in earlier articles.

2. Install Snort

Before building Snort, make sure the development packages (headers) for libpcap and libpcre are installed; ./configure fails without them. On Debian/Ubuntu, apt-cache policy shows whether they are present. Newer Snort releases (2.9 and later) additionally need the DAQ library, flex and bison, as several readers note in the comments below.

# apt-cache policy libpcap0.8-dev
libpcap0.8-dev:
  Installed: 1.0.0-2ubuntu1
  Candidate: 1.0.0-2ubuntu1

# apt-cache policy libpcre3-dev
libpcre3-dev:
  Installed: 7.8-3
  Candidate: 7.8-3

Follow the steps below to install snort.

# cd snort-2.8.6.1

# ./configure

# make

# make install

3. Verify the Snort Installation

Verify the installation as shown below. ./configure defaults to a /usr/local prefix, so the binary is installed as /usr/local/bin/snort; if the shell reports "snort: command not found", check that /usr/local/bin is in your PATH or call the binary by its full path.

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

4. Create the required files and directory

You have to create the configuration file, rule file and the log directory.

Create the following directories:

# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /var/log/snort

Create the following snort.conf and icmp.rules files:

# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

This minimal rule raises an alert for every ICMP packet (for example, a ping) seen on the interface, in either direction. Note that sid 477 lies in the range Snort reserves for the rule sets it distributes; rules you write yourself should use sids of 1,000,000 or above so they never collide with an official rule.

Following is the structure of a rule:

<Rule Action> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)

Table: Rule structure and example

Structure                 Example
Rule Action               alert
Protocol                  icmp
Source IP Address         any
Source Port               any
Direction Operator        ->
Destination IP Address    any
Destination Port          any
(rule options)            (msg:"ICMP Packet"; sid:477; rev:3;)
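As an added example (not code from the Snort project or from the original article), the following Python script parses a rule into the fields of the table above, validates each header field and collects the options. It goes beyond the article's single rule by accepting the other header forms Snort 2.x allows: CIDR addresses, "!" negation, bracketed lists, port ranges such as 1:1024, and the bidirectional operator "<>". The second rule in the usage run, its addresses and its sid are made up for illustration; the sid threshold follows Snort's documented convention that local rules start at 1,000,000.

```python
"""Parse a Snort 2.x rule into the header fields tabulated above plus its options.

Added example, not code from the Snort project or the original article. IPv4
only, which matches a Snort 2.8 build made without --enable-ipv6.
"""
import re
from dataclasses import dataclass, field

# Rule actions, protocols and direction operators Snort 2.x accepts in a header.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

# Whole rule:  <header without parentheses> ( <options> )
RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<body>.*)\)\s*$", re.S)
# One option: "key;" or "key:value;" where value is either a double-quoted string
# (which may itself contain ';' or escaped quotes) or anything up to the next ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# A single address or port atom; bracketed lists are validated atom by atom.
ADDR_ATOM = re.compile(r"^!?(any|\$\w+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")
PORT_ATOM = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*)$")


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str
    options: list = field(default_factory=list)  # [(key, value)] in rule order

    def opt(self, name: str, default=None):
        """First value of an option; True for flag options such as 'nocase;'."""
        return next((v for k, v in self.options if k == name), default)


def _check_field(value: str, atom_re: re.Pattern, what: str) -> None:
    """Accept 'any', a $variable, one atom, or a bracketed comma list of atoms.
    A '!' may negate the whole list or an individual atom."""
    inner = value[1:] if value.startswith("!") else value
    atoms = inner[1:-1].split(",") if inner.startswith("[") and inner.endswith("]") else [value]
    for atom in atoms:
        if not atom_re.match(atom):
            raise ValueError(f"bad {what} {atom!r} in {value!r}")


def _parse_options(body: str) -> list:
    """Walk the option list strictly: every option must end in ';'."""
    opts, pos = [], 0
    while body[pos:].strip():
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad option syntax near {body[pos:pos + 30]!r}")
        key, val = m.group(1), m.group(2)
        if val is None:
            val = True                      # flag option, e.g. nocase;
        else:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]             # drop the quotes of msg:"..."
        opts.append((key, val))
        pos = m.end()
    return opts


def parse_rule(text: str) -> SnortRule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("rule must look like '<header> (<options>)'")
    parts = m.group("header").split()
    if len(parts) != 7:
        raise ValueError(f"header needs 7 fields, got {len(parts)}: {parts}")
    action, proto, sa, sp, direction, da, dp = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be -> or <>, got {direction!r}")
    for addr in (sa, da):
        _check_field(addr, ADDR_ATOM, "address")
    for port in (sp, dp):
        _check_field(port, PORT_ATOM, "port")
    rule = SnortRule(action, proto, sa, sp, direction, da, dp, _parse_options(m.group("body")))
    if rule.opt("sid") is None:
        raise ValueError("every rule needs a sid")
    return rule


def is_local_sid(rule: SnortRule) -> bool:
    """Snort keeps sids below 1,000,000 for the rule sets it distributes;
    rules you write yourself should use 1,000,000 and above."""
    return int(rule.opt("sid")) >= 1_000_000


if __name__ == "__main__":
    for text in (
        'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)',
        # Made-up rule for illustration: SYN from outside 10/8 to two hosts, low ports.
        'alert tcp !10.0.0.0/8 any -> [10.0.0.1,10.0.0.2] 1:1024 (msg:"in; bound"; flags:S; sid:1000001; rev:1;)',
    ):
        r = parse_rule(text)
        print(f"{r.action} {r.protocol} {r.src_addr}:{r.src_port} {r.direction} "
              f"{r.dst_addr}:{r.dst_port} msg={r.opt('msg')!r} local sid={is_local_sid(r)}")
```

Running the script prints both rules field by field and reports that the article's sid 477 is not in the local range while 1000001 is; feeding it a rule with a bad direction operator or a missing sid raises ValueError, which is the check to run over a rules file before handing it to Snort.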

5. Execute snort

Run Snort from the command line as shown below; -c names the configuration file and -l the directory that receives the alert file.

# snort -c /etc/snort/snort.conf -l /var/log/snort/

Try pinging some IP address from your machine to exercise the ping rule. Following is an example of the Snort alert this ICMP rule produces.

# head /var/log/snort/alert 
[**] [1:477:3] ICMP Packet [**]
[Priority: 0] 
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

Alert Explanation
Each alert occupies several lines in the alert file, which contain the following:

  • The rule's generator id, sid and rev ([1:477:3]) and its message, on the first line.
  • The priority (and the classification, when the rule sets one).
  • The timestamp and link-layer information of the packet.
  • The source and destination IP addresses.
  • The protocol and its header fields (TTL, IP ID, ICMP type and code, and so on).
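As an added example (not part of the article or of Snort itself), the following Python script parses alert records in the full format shown above and counts how often each source address tripped each rule, which is the check you want before deciding whether a run of ICMP alerts comes from one noisy host or from many. The sample alert text is constructed for the example: the two ICMP records reproduce the article's alert (the second with a later timestamp and Seq:2), and the TCP record, its rule name and its sid are invented to show how ports are parsed on an Ethernet interface.

```python
"""Parse Snort's full-format alert file (the layout shown above) and
summarise which sources fired which rules.

Added example, not code from the Snort project or the original article.
SAMPLE_ALERT_FILE is constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_ALERT_FILE = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

[**] [1:1000001:1] Local TCP SYN to admin port [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/27-20:42:03.101010 0:1:2:3:4:5 -> 6:7:8:9:a:b type:0x800 len:0x4a
192.0.2.10:51234 -> 192.0.2.1:22 TCP TTL:63 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:42:05.000001 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:2  ECHO
"""

HEAD_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
# src[:port] -> dst[:port] PROTO TTL:n ...  (ports appear only for TCP/UDP)
IP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))? (\w+) TTL:(\d+)"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    timestamp: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    proto: str
    ttl: int


def parse_alert_file(text: str) -> List[Alert]:
    """Records are separated by blank lines; the first line carries
    [gid:sid:rev] and the message, the remaining lines the packet details."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEAD_RE.match(lines[0])
        if not head:
            raise ValueError(f"not an alert header: {lines[0]!r}")
        cls = prio = ts = ip = None
        for line in lines[1:]:
            if cls is None and (m := CLASS_RE.search(line)):
                cls = m.group(1)
            if prio is None and (m := PRIO_RE.search(line)):
                prio = int(m.group(1))
            if ts is None and (m := TS_RE.match(line)):
                ts = m.group(1)
            if ip is None and (m := IP_RE.match(line)):
                ip = m
        if ts is None or ip is None:
            raise ValueError(f"incomplete alert record: {block!r}")
        alerts.append(Alert(
            gid=int(head.group(1)), sid=int(head.group(2)), rev=int(head.group(3)),
            msg=head.group(4), classification=cls, priority=prio, timestamp=ts,
            src=ip.group(1), src_port=int(ip.group(2)) if ip.group(2) else None,
            dst=ip.group(3), dst_port=int(ip.group(4)) if ip.group(4) else None,
            proto=ip.group(5), ttl=int(ip.group(6)),
        ))
    return alerts


def hits_by_source(alerts: List[Alert]) -> Counter:
    """How many times each (sid, source IP) pair fired."""
    return Counter((a.sid, a.src) for a in alerts)


def noisy_sources(alerts: List[Alert], sid: int, threshold: int) -> List[str]:
    """Sources that triggered the given rule at least `threshold` times,
    e.g. a host pinging repeatedly against the article's ICMP rule."""
    counts = hits_by_source(alerts)
    return sorted(src for (s, src), n in counts.items() if s == sid and n >= threshold)


if __name__ == "__main__":
    found = parse_alert_file(SAMPLE_ALERT_FILE)
    for a in found:
        print(f"{a.timestamp} [{a.gid}:{a.sid}:{a.rev}] {a.msg}: {a.src} -> {a.dst} ({a.proto})")
    print("sources with 2+ ICMP alerts:", noisy_sources(found, 477, 2))
```

To use it on a live box, replace SAMPLE_ALERT_FILE with the contents of /var/log/snort/alert; the blank-line record separator and the first-line [gid:sid:rev] header are what the parser relies on, so it also copes with records whose link-layer line differs from the ppp0 form shown above.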

If Snort should listen on a different interface from the one libpcap picks by default, select it with the -i option. The -d, -e and -v options used below are optional: they make Snort print packet payloads, link-layer headers and per-packet output to the console, which is handy while testing but noisy in production. In this example the network interface is ppp0.

# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/

Execute snort as Daemon

Add the -D option to run Snort as a daemon, detached from the terminal. This only backgrounds the current invocation; it does not register Snort to start at boot, which needs an init script for your distribution.

# snort -D -c /etc/snort/snort.conf -l /var/log/snort/


  • Diptanu paul August 6, 2010, 3:58 am

    Good tutorial for keeping track of foreign activities on internet-facing systems.
    Thanks Ramesh. I will definitely give it a try to understand that.

  • Catalin Festila August 6, 2010, 4:23 am

    snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/
    and the error is:
    ERROR: Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.
    The distro I use is Fedora 13.

  • Adam Gonnerman August 6, 2010, 6:28 am

    In the first step you have us download the compressed file, then navigate to another directory to open. Shouldn’t you have us move the file to the other directory first? Either way it doesn’t work. If I try to unpack the compressed file from the usr/src directory it isn’t found (because we didn’t move it), and if I move the file to that directory and try it, I get a series of fails at unpacking.

    A little help?

  • karthik August 6, 2010, 8:26 am

    Can I use snort to monitor my webapp’s logs like Python / Java ??

  • Kevin August 6, 2010, 11:37 pm

    karthik, you can use OSSEC (http://www.ossec.net) to monitor web server logs

  • Francesco Talamona August 7, 2010, 2:46 am

    To Catalin:

    First of all create your /etc/snort/rules/icmp.rules
    Then modify /etc/snort/snort.conf in the following way:

    # cat /etc/snort/snort.conf
    include rules/icmp.rules

  • Jaydeep October 11, 2010, 5:44 am

    I think here is a better solution and it works great...!

  • elle October 8, 2013, 4:41 am

    Why is the snort command not found after installing snort???
    I have been trying for so many days and when I type snort --version it says command snort not found... please help me to resolve this.

  • Sagar December 11, 2013, 2:47 am

    Article is very nice.

    However, can you please also tell me how do I set snort to send alerts to an external mail id.

  • niry February 4, 2014, 7:43 am

    When I run snort there is an error like this:
    "Unable to open rules file: /etc/snort/../rules/local.rules"
    Can you help me?
    Thanks!

  • Lampk April 3, 2014, 3:06 am

    Thanks, this tutorial is still working for the newest snort version 2.9.6.0

  • Lauwko June 19, 2014, 2:25 am

    Thank you very much for the easy installation tutorial.
    Had one or two bumps (installing it on Ubuntu server 12.04).
    I had to install the following packages:
    flex, bison and daq (can be found on the snort webpage).
    Flex and bison could be installed using apt-get install.
    Cheers.

  • vishnu December 12, 2014, 12:24 pm

    If we add snort as a daemon, snort will start up automatically when the PC is on, right? If so, how can I remove it from the startup daemons?

  • muhammad March 10, 2015, 11:51 am

    Hi Everyone,
    I am having difficulty with the snort installation. The snort installation keeps giving me the same error again and again for different versions of snort.

    Error
    ERROR! daq_static library not found, go get it from

    can anyone help to figure out the issue ?
    i would be grateful for the help.
    thanks

  • lahiru July 6, 2015, 4:25 pm

    Thanks, I installed snort and added the rule. But when I try to ping another machine I don't get any alert. Any idea why?

  • levy November 11, 2015, 1:14 am

    Can anyone help me to configure snort for the first time? I am using openSUSE 12, so when I tried to install snort there is a message asking me to put in the dependencies first of all. Can someone please help with this?

  • ghanmi houda March 27, 2016, 5:18 am

    When I type this command snort -c /etc/snort/snort.conf -l /var/log/snort/ it prints this message: Commencing packet processing (pid=3220)
    What is the problem?

  • Christopher Jackson April 14, 2016, 6:44 pm

    Just a Question
    I know this may sound stupid, however is there any advantage to using snort over just an IPTABLES rule if all you’re doing is logging the activity? Does snort offer any other notification capabilities, such as e-mail or storing alerts in a database?