How to install and use Snort in Ubuntu 15.04


For network security, intrusion detection is very important. An Intrusion Detection System (IDS) detects illegitimate and malicious requests on the network. Snort is a well-known open-source IDS, and its web interface (Snorby) can be used to analyze its alerts more conveniently. Snort uses the iptables/pf firewall as the intrusion detection system. In this article we install and configure the open-source IDS snort.

Snort installation requirements

Snort uses the Data Acquisition library (DAQ) as an abstraction layer over the packet capture library it calls. DAQ is available from the snort website; download it (for example with wget) before building snort.

Unpack it and run ./configure, make and make install to install DAQ. DAQ depends on other tools, however, so the ./configure script first fails with two errors: flex and bison are not installed, and libpcap is not installed. Therefore, install flex, bison and libpcap before building DAQ.

Install flex and bison from the Ubuntu repositories, then the libpcap development library (libpcap-dev).

With the necessary tools installed, run the ./configure script again; it now completes without errors. Then run make and make install to build and install DAQ.

After DAQ is installed, install snort. Download the source archive with wget, for example.

Run the following command to unpack the source archive.

  # tar -xvzf snort-2.9.7.3.tar.gz

Create the installation directory and pass it to the configure script with the --prefix parameter. We also recommend enabling the sourcefire flag, which turns on packet performance monitoring (PPM).

  # mkdir /usr/local/snort
  # ./configure --prefix=/usr/local/snort/ --enable-sourcefire

The configure script fails because the PCRE (libpcre), dnet (libdumbnet) and zlib development libraries are missing; it reports each missing library in turn.

Install all the required development libraries as follows.

  # aptitude install libpcre3-dev
  # aptitude install libdumbnet-dev
  # aptitude install zlib1g-dev

Once the libraries snort needs are installed, the configure script runs without errors. Then run make and make install in the /usr/local/snort directory.

  # make
  # make install

Finally, run snort from /usr/local/snort/bin. It puts eth0 into promiscuous mode and dumps every packet it sees (packet dump mode).

Snort rules and configurations

Snort installed from source also needs its rules and configuration set up, so we copy them to /etc/snort. We have written a separate bash script for this; it performs the following snort setup steps.

  • Create a snort group and user for the snort IDS service.
  • Create the snort configuration directories and files under /etc.
  • Set permissions and copy the configuration and map files from the etc directory of the source tree.
  • Comment out (prefix with #) the rule include lines in snort.conf so that snort starts without the full rule set.
 
  #!/bin/bash
  # Snort source code path (change to match your download location)
  snort_src="/home/test/Downloads/snort-2.9.7.3"

  echo "adding group and user for snort..."
  groupadd snort &>/dev/null
  useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &>/dev/null

  # snort configuration directories and empty rule files
  echo "Configuring snort..."
  mkdir -p /etc/snort
  mkdir -p /etc/snort/rules
  touch /etc/snort/rules/black_list.rules
  touch /etc/snort/rules/white_list.rules
  touch /etc/snort/rules/local.rules
  mkdir -p /etc/snort/preproc_rules
  mkdir -p /var/log/snort
  mkdir -p /usr/local/lib/snort_dynamicrules

  # permissions: owned by the snort user created above
  chmod -R 775 /etc/snort
  chmod -R 775 /var/log/snort
  chmod -R 775 /usr/local/lib/snort_dynamicrules
  chown -R snort:snort /etc/snort
  chown -R snort:snort /var/log/snort
  chown -R snort:snort /usr/local/lib/snort_dynamicrules

  ### copy configuration and rules from the etc directory of the snort source
  echo "copying from snort source to /etc/snort ....."
  echo $snort_src
  echo "-------------"
  cp $snort_src/etc/*.conf* /etc/snort
  cp $snort_src/etc/*.map /etc/snort

  ## comment out every rule include so snort starts without the full rule set;
  ## the rule files actually needed are re-enabled in snort.conf afterwards
  sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
  echo "---DONE---"

Set snort_src in the script to your snort source directory and run it. A successful run prints each step and ends with ---DONE---. The script copies the *.conf* and *.map files from the etc directory of the snort source tree into the /etc/snort configuration directory.

The configuration of snort is fairly involved. To make the IDS work properly, make the following changes in /etc/snort/snort.conf.

Set the network variables:

  ipvar HOME_NET 192.168.1.0/24 # LAN side
  ipvar EXTERNAL_NET !$HOME_NET # WAN side

Set the main rule paths:

  var RULE_PATH /etc/snort/rules # snort signature path
  var SO_RULE_PATH /etc/snort/so_rules # rules in shared libraries
  var PREPROC_RULE_PATH /etc/snort/preproc_rules # preprocessor rules path
  var WHITE_LIST_PATH /etc/snort/rules # do not scan
  var BLACK_LIST_PATH /etc/snort/rules # must scan

Enable the custom rules file:

  include $RULE_PATH/local.rules # file for custom rules

Also remove the comment marker (#) in front of the ftp.rules and exploit.rules include lines.

Download the community rules and extract them into /etc/snort/rules, then enable the community and Emerging Threats rules in snort.conf.
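As an added example (not code from the original article), the rule-enabling step done as reusable shell functions: the setup script's sed comments out every include $RULE_PATH line, and the functions below re-enable only the rule files the article names (local, ftp, exploit and community) and list what remains active. The snort.conf content is a constructed sample written to a temp file.

```shell
#!/bin/bash
# Added example, not part of the original article. CONF is a constructed
# sample snort.conf in a temp file; point it at /etc/snort/snort.conf for real use.
CONF="$(mktemp)"
cat > "$CONF" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/community.rules
EOF

# Step 1: the setup script's substitution, anchored at line start so that
# re-running it does not comment a line twice. Snort can then start even
# though most rule files are not present yet.
disable_all_rules() {
    sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' "$1"
}

# Step 2: strip the leading '#' only from the named rule files
# (what the article does by hand for local, ftp, exploit and community).
enable_rules() {
    conf="$1"; shift
    for r in "$@"; do
        sed -i "s|^#include \$RULE_PATH/$r|include \$RULE_PATH/$r|" "$conf"
    done
}

# Report the active rule files, one per line (the set snort -T would load).
enabled_rules() {
    sed -n 's|^include \$RULE_PATH/||p' "$1"
}

disable_all_rules "$CONF"
enable_rules "$CONF" local.rules ftp.rules exploit.rules community.rules
enabled_rules "$CONF"
```

After the two steps only the four named files are included; telnet.rules stays commented out until you enable it explicitly.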

After making the above changes, run the following command to check the configuration file.

  # snort -T -c /etc/snort/snort.conf

Summary

In this article we covered installing and configuring the open-source IDPS snort on Ubuntu. It is usually run to monitor events, but it can also be configured in inline mode to protect the network. Snort rules can also be run in offline mode against packet capture files for testing and analysis.


Via: http://linoxide.com/security/install-snort-usage-ubuntu-15-04/

Author: nido Translator: geekpi Proofreader: wxy

This article was translated by LCTT and first published by Linux China.
