![\"Snort](\"https:\/\/upcloud.com\/media\/snort_logo-1-300x164.png\"){kind=logo}
<\/figure>\r\n\r\n\r\n\r\nSnort is one of the most commonly used\u00a0network-based IDS<\/a>. It is lightweight, open source, available on a multitude of platforms, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand as needed.<\/p>\r\n\r\n\r\n\r\n Setting up a basic configuration of Snort on Debian is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command.<\/p>\r\n\r\n\r\n\r\n With the prerequisites fulfilled, next up is how to install Snort on Debian 9. Snort can be downloaded and installed manually from the source. Below you will find instructions on how to get this done.<\/p>\r\n\r\n\r\n\r\n Setting up Snort on Debian from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.<\/p>\r\n\r\n\r\n\r\n Start by making a temporary download folder to your home directory and then changing into it with the command below.<\/p>\r\n\r\n\r\n\r\n Snort itself uses something called a Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command underneath. Replace the version number in the command if a newer source is available.<\/p>\r\n\r\n\r\n\r\n The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands.<\/p>\r\n\r\n\r\n\r\n The latest version requires an additional step to auto-reconfigure DAQ before running the config. Use the command below which requires you need to have autoconf<\/tt> and libtool<\/tt> installed.<\/p>\r\n\r\n\r\n\r\n Afterwards, run the configuration script using its default values, then compile the program with make and finally install DAQ.<\/p>\r\n\r\n\r\n\r\n With the DAQ installed, you can get started with Snort, and change back to the download folder.<\/p>\r\n\r\n\r\n\r\n Next, download the Snort source code with wget<\/tt>.\u00a0You can find the latest version number on the Snort downloads page<\/a>. Replace it in the following command if necessary.<\/p>\r\n\r\n\r\n\r\n Once the download is complete, extract the source and change into the new directory with these commands.<\/p>\r\n\r\n\r\n\r\n Then configure the installation with sourcefire<\/tt>\u00a0enabled, run make and make install.<\/p>\r\n\r\n\r\n\r\n With that done, continue below on how to set up the configuration files.<\/p>\r\n\r\n\r\n\r\n Next, you will need to configure Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.<\/p>\r\n\r\n\r\n\r\n Start with updating the shared libraries using the command underneath.<\/p>\r\n\r\n\r\n\r\n Snort on Debian gets installed to \/usr\/local\/bin\/snort<\/tt> directory, it is good practice to create a symbolic link to \/usr\/sbin\/snort<\/tt>.<\/p>\r\n\r\n\r\n\r\n To run Snort on Debian safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.<\/p>\r\n\r\n\r\n\r\n Then create the folder structure to house the Snort configuration, just copy over the commands below.<\/p>\r\n\r\n\r\n\r\n Set the permissions for the new directories accordingly.<\/p>\r\n\r\n\r\n\r\n Create new files for the white and blacklists as well as the local rules.<\/p>\r\n\r\n\r\n\r\n Then copy the configuration files from the download folder.<\/p>\r\n\r\n\r\n\r\n Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.<\/p>\r\n\r\n\r\n\r\n Underneath you can find instructions for downloading both community rules and registered user rule sets.<\/p>\r\n\r\n\r\n\r\n If you just want to quickly test out Snort, grab the community rules using wget<\/tt> with the command below.<\/p>\r\n\r\n\r\n\r\n Extract the rules and copy them to your configuration folder.<\/p>\r\n\r\n\r\n\r\n By default, Snort on Debian expects to find a number of different rule files which are not included in the community rules. You can easily comment out the unnecessary lines using the sed<\/tt> command underneath.<\/p>\r\n\r\n\r\n\r\n You can also take a moment and register<\/a> on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.<\/p>\r\n\r\n\r\n\r\n Replace the oinkcode<\/tt><\/span>\u00a0in the following command with your personal code.<\/p>\r\n\r\n\r\n\r\n Once downloaded, extract the rules over to your configuration directory.<\/p>\r\n\r\n\r\n\r\n The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf<\/tt> file.<\/p>\r\n\r\n\r\n\r\n With the configuration and rule files in place, edit the snort.conf<\/tt> to modify a few parameters. Open the configuration file in your favourite text editor, for example, using nano<\/tt> with the command below.<\/p>\r\n\r\n\r\n\r\n Find these\u00a0sections shown below in the configuration file and change the parameters to reflect the examples\u00a0here.<\/p>\r\n\r\n\r\n\r\n In the same snort.conf file, scroll down to section 6 and set the output for unified2 to log under the filename of snort.log<\/tt> like below.<\/p>\r\n\r\n\r\n\r\n Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules<\/tt> to allow Snort to load any custom rules.<\/p>\r\n\r\n\r\n\r\n If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules<\/tt> line.<\/p>\r\n\r\n\r\n\r\n Once you are done with the configuration file, save the changes and exit the editor.<\/p>\r\n\r\n\r\n\r\n Your Snort should now be ready to run. Test the configuration using the parameter -T<\/tt> to enable test mode.<\/p>\r\n\r\n\r\n\r\n After running the Snort configuration test, you should get a message like this example below.<\/p>\r\n\r\n\r\n\r\n In case you get an error, the printout should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above or by commenting out unnecessary inclusion lines in the snort.conf<\/tt>\u00a0file. Check the configuration part and try again.<\/p>\r\n\r\n\r\n\r\n To test if Snort is logging alerts as intended, add a custom detection rule alert on incoming ICMP connections to the local.rules<\/tt> file. Open your local rules in a text editor.<\/p>\r\n\r\n\r\n\r\n Then add the following line to the file.<\/p>\r\n\r\n\r\n\r\n The rule consists of the following parts:<\/p>\r\n\r\n\r\n\r\n Save the local.rules<\/tt> and exit the editor.<\/p>\r\n\r\n\r\n\r\n Start Snort with -A console<\/tt>\u00a0option to print the alerts to stdout<\/tt>.\u00a0You will need to select the correct network interface with the public IP address of your server, for example, eth0<\/tt>.<\/p>\r\n\r\n\r\n\r\n If you are not sure which interface to use, check your UpCloud control panel<\/a> for the public IPv4 address of your server in the Network settings<\/a>. You can also use the following command on your server.<\/p>\r\n\r\n\r\n\r\n The output will list all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network settings, commonly eth0<\/tt>.<\/p>\r\n\r\n\r\n\r\n With Snort up and running, ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort.<\/p>\r\n\r\n\r\n\r\n After the alerts show up you can stop Snort with ctrl+C<\/tt>.<\/p>\r\n\r\n\r\n\r\n Snort records the alerts to a log under \/var\/log\/snort\/snort.log.timestamp<\/span><\/tt>, where the timestamp is the point in time when Snort was started marked in Unix time. You can read the logs with the command underneath. Since you have only run Snort once, there is only one log, complete your command by pressing TAB.<\/p>\r\n\r\n\r\n\r\n The log shows a warning for each ICMP call with source and destination IPs, time and date, plus some additional info as shown in the example below.<\/p>\r\n\r\n\r\n\r\n To run Snort on Debian as a service in the background you will need to add a startup script for Snort. Open a new file in a text editor for example with the next command.<\/p>\r\n\r\n\r\n\r\n Enter the following to the file, save and exit the editor.<\/p>\r\n\r\n\r\n\r\n With the service defined, reload the\u00a0systemctl<\/tt>\u00a0daemon.<\/p>\r\n\r\n\r\n\r\n Snort can then be run with the configuration you set up using the command below.<\/p>\r\n\r\n\r\n\r\n The startup script also includes other usual\u00a0systemctl<\/tt> commands: stop<\/tt>, restart<\/tt>, and status<\/tt>. For example, you can check the status of the service with the following command.<\/p>\r\n\r\n\r\n\r\n Congratulations, you should have now successfully configured and tested a network-based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and NIDS in general. To get more out of your installation, check out the deployment guides over at the Snort documents page<\/a>, or jump right into writing your own detection rules with their helpful Snort rules info graph<\/a>.<\/p>\r\n","protected":false},"featured_media":27367,"comment_status":"open","ping_status":"closed","template":"","community-category":[111,113,121],"class_list":["post-24610","tutorial","type-tutorial","status-publish","has-post-thumbnail","hentry","community-category-networking","community-category-integrations","community-category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/tutorial\/24610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/types\/tutorial"}],"replies":[{"embeddable":true,"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/comments?post=24610"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/media\/27367"}],"wp:attachment":[{"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/media?parent=24610"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/studiogo.tech\/upcloudold\/wp-json\/wp\/v2\/community-category?post=24610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Preparing your server<\/h2>\r\n\r\n\r\n\r\n
sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev \r\nlibpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev \r\nbison flex libdnet autoconf libtool<\/pre>\r\n\r\n\r\n\r\n
Installing from the source<\/h2>\r\n\r\n\r\n\r\n
mkdir ~\/snort_src && cd ~\/snort_src<\/pre>\r\n\r\n\r\n\r\n
wget https:\/\/www.snort.org\/downloads\/snort\/daq-2.0.7.tar.gz<\/pre>\r\n\r\n\r\n\r\n
tar -xvzf daq-2.0.7.tar.gz\r\ncd daq-2.0.7<\/pre>\r\n\r\n\r\n\r\n
autoreconf -f -i<\/pre>\r\n\r\n\r\n\r\n
.\/configure && make && sudo make install<\/pre>\r\n\r\n\r\n\r\n
cd ~\/snort_src<\/pre>\r\n\r\n\r\n\r\n
wget https:\/\/www.snort.org\/downloads\/snort\/snort-2.9.16.tar.gz<\/pre>\r\n\r\n\r\n\r\n
tar -xvzf snort-2.9.16.tar.gz\r\ncd snort-2.9.16<\/pre>\r\n\r\n\r\n\r\n
.\/configure --enable-sourcefire && make && sudo make install<\/pre>\r\n\r\n\r\n\r\n
Configuring Snort to run in NIDS mode<\/h2>\r\n\r\n\r\n\r\n
sudo ldconfig<\/pre>\r\n\r\n\r\n\r\n
sudo ln -s \/usr\/local\/bin\/snort \/usr\/sbin\/snort<\/pre>\r\n\r\n\r\n\r\n
Setting up username and folder structure<\/h2>\r\n\r\n\r\n\r\n
sudo groupadd snort\r\nsudo useradd snort -r -s \/sbin\/nologin -c SNORT_IDS -g snort<\/pre>\r\n\r\n\r\n\r\n
sudo mkdir -p \/etc\/snort\/rules\r\nsudo mkdir \/var\/log\/snort\r\nsudo mkdir \/usr\/local\/lib\/snort_dynamicrules<\/pre>\r\n\r\n\r\n\r\n
sudo chmod -R 5775 \/etc\/snort\r\nsudo chmod -R 5775 \/var\/log\/snort\r\nsudo chmod -R 5775 \/usr\/local\/lib\/snort_dynamicrules\r\nsudo chown -R snort:snort \/etc\/snort\r\nsudo chown -R snort:snort \/var\/log\/snort\r\nsudo chown -R snort:snort \/usr\/local\/lib\/snort_dynamicrules<\/pre>\r\n\r\n\r\n\r\n
sudo touch \/etc\/snort\/rules\/white_list.rules\r\nsudo touch \/etc\/snort\/rules\/black_list.rules\r\nsudo touch \/etc\/snort\/rules\/local.rules<\/pre>\r\n\r\n\r\n\r\n
sudo cp ~\/snort_src\/snort-2.9.16\/etc\/*.conf* \/etc\/snort\r\nsudo cp ~\/snort_src\/snort-2.9.16\/etc\/*.map \/etc\/snort<\/pre>\r\n\r\n\r\n\r\n
\r\n
Option 1. Using community rules<\/h2>\r\n\r\n\r\n\r\n
wget https:\/\/www.snort.org\/rules\/community -O ~\/community.tar.gz<\/pre>\r\n\r\n\r\n\r\n
sudo tar -xvf ~\/community.tar.gz -C ~\/<\/pre>\r\n\r\n\r\n\r\n
sudo cp ~\/community-rules\/* \/etc\/snort\/rules<\/pre>\r\n\r\n\r\n\r\n
sudo sed -i 's\/include $RULE_PATH\/#include $RULE_PATH\/' \/etc\/snort\/snort.conf<\/pre>\r\n\r\n\r\n\r\n
Option 2. Obtaining\u00a0registered user rules<\/h2>\r\n\r\n\r\n\r\n
wget https:\/\/www.snort.org\/rules\/snortrules-snapshot-29160.tar.gz?oinkcode=oinkcode<\/span> -O ~\/registered.tar.gz<\/pre>\r\n\r\n\r\n\r\nsudo tar -xvf ~\/registered.tar.gz -C \/etc\/snort<\/pre>\r\n\r\n\r\n\r\n
Configuring the network and rule sets<\/h2>\r\n\r\n\r\n\r\n
sudo nano \/etc\/snort\/snort.conf<\/pre>\r\n\r\n\r\n\r\n
# Setup the network addresses you are protecting\r\nipvar HOME_NET server_public_IP<\/span>\/32<\/pre>\r\n\r\n\r\n\r\n# Set up the external network addresses. Leave as \"any\" in most situations\r\nipvar EXTERNAL_NET !$HOME_NET\r\n<\/pre>\r\n\r\n\r\n\r\n
# Path to your rules files (this can be a relative path)\r\nvar RULE_PATH \/etc\/snort\/rules\r\nvar SO_RULE_PATH \/etc\/snort\/so_rules\r\nvar PREPROC_RULE_PATH \/etc\/snort\/preproc_rules<\/pre>\r\n\r\n\r\n\r\n
# Set the absolute path appropriately\r\nvar WHITE_LIST_PATH \/etc\/snort\/rules\r\nvar BLACK_LIST_PATH \/etc\/snort\/rules<\/pre>\r\n\r\n\r\n\r\n
# unified2\r\n# Recommended for most installs\r\noutput unified2: filename snort.log, limit 128<\/pre>\r\n\r\n\r\n\r\n
include $RULE_PATH\/local.rules<\/pre>\r\n\r\n\r\n\r\n
include $RULE_PATH\/community.rules<\/pre>\r\n\r\n\r\n\r\n
Validating settings<\/h2>\r\n\r\n\r\n\r\n
sudo snort -T -c \/etc\/snort\/snort.conf<\/pre>\r\n\r\n\r\n\r\n
--== Initialization Complete ==--\r\n\r\n ,,_ -*> Snort! <*-\r\n o\" )~ Version 2.9.16 GRE (Build 118) \r\n '''' By Martin Roesch & The Snort Team: http:\/\/www.snort.org\/contact#team\r\n Copyright (C) 2014-2020 Cisco and\/or its affiliates. All rights reserved.\r\n Copyright (C) 1998-2013 Sourcefire, Inc., et al.\r\n Using libpcap version 1.8.1\r\n Using PCRE version: 8.39 2016-06-14\r\n Using ZLIB version: 1.2.11\r\n\r\n Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.1 \r\n Preprocessor Object: SF_DCERPC2 Version 1.0 \r\n Preprocessor Object: SF_SSH Version 1.1 \r\n Preprocessor Object: SF_FTPTELNET Version 1.2 \r\n Preprocessor Object: SF_SDF Version 1.1 \r\n Preprocessor Object: SF_DNP3 Version 1.1 \r\n Preprocessor Object: SF_REPUTATION Version 1.1 \r\n Preprocessor Object: SF_IMAP Version 1.0 \r\n Preprocessor Object: SF_SMTP Version 1.1 \r\n Preprocessor Object: SF_GTP Version 1.1 \r\n Preprocessor Object: appid Version 1.1 \r\n Preprocessor Object: SF_MODBUS Version 1.1 \r\n Preprocessor Object: SF_POP Version 1.0 \r\n Preprocessor Object: SF_DNS Version 1.1 \r\n Preprocessor Object: SF_SSLPP Version 1.1 \r\n Preprocessor Object: SF_SIP Version 1.1 \r\n\r\nSnort successfully validated the configuration!\r\nSnort exiting<\/pre>\r\n\r\n\r\n\r\n
Testing the configuration<\/h2>\r\n\r\n\r\n\r\n
sudo nano \/etc\/snort\/rules\/local.rules<\/pre>\r\n\r\n\r\n\r\n
alert icmp any any -> $HOME_NET any (msg:\"ICMP test\"; sid:10000001; rev:001;)<\/pre>\r\n\r\n\r\n\r\n
\r\n
\r\n
sudo snort\u00a0-A console\u00a0-i eth0\u00a0-u snort -g snort -c \/etc\/snort\/snort.conf<\/pre>\r\n\r\n\r\n\r\n
ip addr<\/pre>\r\n\r\n\r\n\r\n
07\/12-11:20:33.501624 \u00a0[**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202<\/pre>\r\n\r\n\r\n\r\nsnort -r \/var\/log\/snort\/snort.log.<\/pre>\r\n\r\n\r\n\r\n
WARNING: No preprocessors configured for policy 0.\r\n07\/12-11:20:33.501624 83.136.252.118 -> 80.69.173.202\r\nICMP TTL:63 TOS:0x0 ID:20187 IpLen:20 DgmLen:84 DF\r\nType:8 Code:0 ID:13891 Seq:1 ECHO<\/pre>\r\n\r\n\r\n\r\n
Running Snort in the background<\/h2>\r\n\r\n\r\n\r\n
sudo nano \/lib\/systemd\/system\/snort.service<\/pre>\r\n\r\n\r\n\r\n
[Unit]\r\nDescription=Snort NIDS Daemon\r\nAfter=syslog.target network.target\r\n\r\n[Service]\r\nType=simple\r\nExecStart=\/usr\/local\/bin\/snort -q -u snort -g snort -c \/etc\/snort\/snort.conf -i eth0\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\r\n\r\n\r\n\r\n
sudo systemctl daemon-reload<\/pre>\r\n\r\n\r\n\r\n
sudo systemctl start snort<\/pre>\r\n\r\n\r\n\r\n
sudo systemctl status snort<\/pre>\r\n\r\n\r\n\r\n
Conclusions<\/h2>\r\n\r\n\r\n\r\n