Home > Developer > Linux

How to install and use Snort in Ubuntu 15.04

Source: Internet
Author: User
Tags sourcefire
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

How to install and use Snort in Ubuntu 15.04

For network security, intrusion detection is very important. The Intrusion Detection System (IDS) is used to detect illegal and malicious requests in the network. Snort is a well-known open-source Intrusion Detection System. Its Web Interface (Snorby) can be used to better analyze warnings. Snort uses iptables/pf firewall as the intrusion detection system. In this article, we will install and configure an open-source Intrusion Detection System snort.

Snort installation requirements

The data collection Library (DAQ) used by snort is used for the abstraction layer of a call package capture library. This is available on snort. The download process is as follows.

Downloading_daq

Decompress and run./configure, make, and make install to install DAQ. However, DAQ requires other tools. Therefore, the./configure script will generate the following error.

Flex and bison errors

Flexandbison_error

Libpcap Error

Libpcap error

Therefore, you must first install flex/bison and libcap before installing dashboard.

Install_flex

Install the libpcap Development Library as follows

Libpcap-dev installation

After necessary tools are installed, run the./configure script again. The following output is displayed.

Without_error_configure

The results of the make and make install commands are as follows.

Make install

Make

After successfully installing DAQ, We will install snort now. For example, use wget to download it.

Downloading_snort

Run the following command to decompress the installation package.

  1. #tar -xvzf snort-2.9.7.3.tar.gz

Snort_extraction

Create the installation directory and set the prefix parameter in the script. We also recommend that you enable the sourcefire flag for packet performance monitoring (PPM.

  1. #mkdir /usr/local/snort
  2. #./configure --prefix=/usr/local/snort/ --enable-sourcefire

Snort_installation

The configuration script reports an error because the libpcre-dev, libdumbnet-dev, and zlib libraries are missing.

The configuration script reports an error because the libpcre library is missing.

Pcre-error

The configuration script reports an error because the dnet (libdumbnet) Library is missing.

Libdnt error

The configuration script reports an error because the zlib library is missing.

Zlib error

Install all required development libraries as follows.

  1. # aptitude install libpcre3-dev

Install libpcre3-dev

  1. # aptitude install libdumbnet-dev

Libdumnet-dev installation

  1. # aptitude install zlib1g-dev

Zlibg-dev installation

After the library required by snort is installed, no error will be reported when you run the configuration script again.

Run the make and make install commands in the/usr/local/snort directory.

  1. # make

Make snort

  1. # make install

Make install snort

Finally, run snort from/usr/local/snort/bin. Now all the traffic to eth0 is in promisc mode (package dump mode ).

Snort running

Shows the snort dump traffic.

Traffic

Snort rules and configurations

Snort installed from the source code also needs to set rules and configuration, so we need to copy rules and configuration to/etc/snort. We have created a separate bash script for setting rules and configurations. It sets the following snort settings.

  • Create an snort user for the snort IDS service in linux.
  • Create a snort configuration file and folder under/etc.
  • Set permissions and copy data from the etc directory of the source code.
  • Remove the # (annotator) in the rule from the snort file ).
 
  1. #!/bin/bash#
  2. # Snort source code path
  3. snort_src="/home/test/Downloads/snort-2.9.7.3"
  4. echo "adding group and user for snort..."
  5. groupadd snort &>/dev/null
  6. useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &>/dev/null#snort configuration
  7. echo "Configuring snort..."mkdir -p /etc/snort
  8. mkdir -p /etc/snort/rules
  9. touch /etc/snort/rules/black_list.rules
  10. touch /etc/snort/rules/white_list.rules
  11. touch /etc/snort/rules/local.rules
  12. mkdir /etc/snort/preproc_rules
  13. mkdir /var/log/snort
  14. mkdir -p /usr/local/lib/snort_dynamicrules
  15. chmod -R 775/etc/snort
  16. chmod -R 775/var/log/snort
  17. chmod -R 775/usr/local/lib/snort_dynamicrules
  18. chown -R snort:snort /etc/snort
  19. chown -R snort:snort /var/log/snort
  20. chown -R snort:snort /usr/local/lib/snort_dynamicrules
  21. ###copy configuration and rules from etc directory under source code of snort
  22. echo "copying from snort source to /etc/snort ....."
  23. echo $snort_src
  24. echo "-------------"
  25. cp $snort_src/etc/*.conf* /etc/snort
  26. cp $snort_src/etc/*.map /etc/snort##enable rules
  27. sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
  28. echo "---DONE---"

Change and run the snort source directory path in the script. Below is the successful output.

Running script

The above script copies the following files and folders from the snort source to the/etc/snort configuration file.

Files copied

The configuration of snort is very complex. To make the IDS work properly, you need to make the following necessary modifications.

  1. ipvar HOME_NET 192.168.1.0/24# LAN side
  1. ipvar EXTERNAL_NET !$HOME_NET # WAN side

Retriable set

  1. var RULE_PATH /etc/snort/rules # snort signature path
  2. var SO_RULE_PATH /etc/snort/so_rules #rules in shared libraries
  3. var PREPROC_RULE_PATH /etc/snort/preproc_rules # Preproces path
  4. var WHITE_LIST_PATH /etc/snort/rules # dont scan
  5. var BLACK_LIST_PATH /etc/snort/rules # Must scan

Main path

  1. include $RULE_PATH/local.rules # file for custom rules

Remove the annotator (#) before ftp. rules and exploit. rules (#).

Path rules

Download the Community rule and decompress it to/etc/snort/rules. Enable the community and emergency threat rules in snort. conf.

Wget_rules

Community rules

After making the above changes, run the following command to check the configuration file.

  1. # snort -T -c /etc/snort/snort.conf

Snort running

 

Summary

In this article, we focus on the installation and configuration of the open-source IDPS system snort on Ubuntu. It is usually used to monitor events, but it can be configured as an online mode for network protection. Snort rules can be used to capture files in offline mode for testing and analysis.

Snort Chinese manual

Snort + Base intrusion detection Configuration

Install Snort in Ubuntu 12.04

Snort enterprise deployment practices

Build an IDS Intrusion Detection System Using Snort and base

Linux Snort intrusion detection system Practice Guide

The whole process of Snort in Ubuntu is from compilation, installation to debugging.

Snort details: click here
Snort: click here

Via: http://linoxide.com/security/install-snort-usage-ubuntu-15-04/

Author: nido Translator: geekpi Proofreader: wxy

This article was originally translated by LCTT and launched with the Linux honor in China

This article permanently updates the link address:

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to use ssh command in ubuntu how to use vi in ubuntu how to install and use joomla how to use nano editor in ubuntu how to install and use wordpress how to use mysql in ubuntu how to use vi editor in ubuntu
Related Article
Linux under the PS command Usage summary
VI is failed with error "E382:cannot write, ' buftype ' optio...
Linux error--->export ' = ' not a valid identifier for gen...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More