How to install and use Snort in Ubuntu15.04

For network security, intrusion detection is very important. The Intrusion Detection System (IDS) is used to detect illegal and malicious requests in the network. Snort is a well-known open-source Intrusion Detection System. Its Web Interface (Snorby) can be used to better analyze warnings. Snort uses iptables/pf firewall as the intrusion detection system. In this article, we will install and configure an open-source Intrusion Detection System snort. Snort installation requires that the data collection Library (DAQ) used by snort is used for one call

For network security, intrusion detection is very important. The Intrusion Detection System (IDS) is used to detect illegal and malicious requests in the network. Snort is a well-known open-source Intrusion Detection System. Its Web Interface (Snorby) can be used to better analyze warnings. Snort uses iptables/pf firewall as the intrusion detection system. In this article, we will install and configure an open-source Intrusion Detection System snort.

Snort installation requirements

The data collection Library (DAQ) used by snort is used for the abstraction layer of a call package capture library. This is available on snort. The download process is as follows.

Downloading_daq

Decompress and run./configure, make, and make install to install DAQ. However, DAQ requires other tools. Therefore, the./configure script will generate the following error.

Flex and bison errors

Flexandbison_error

Libpcap Error

Libpcap error

Therefore, you must first install flex/bison and libcap before installing dashboard.

Install_flex

Install the libpcap Development Library as follows

Libpcap-dev installation

After necessary tools are installed, run the./configure script again. The following output is displayed.

Without_error_configure

The results of the make and make install commands are as follows.

Make install

Make

After successfully installing DAQ, We will install snort now. For example, use wget to download it.

Downloading_snort

Run the following command to decompress the installation package.

1. #tar -xvzf snort-2.9.7.3.tar.gz

Snort_extraction

Create the installation directory and set the prefix parameter in the script. We also recommend that you enable the sourcefire flag for packet performance monitoring (PPM.

1. #mkdir /usr/local/snort
2. #./configure --prefix=/usr/local/snort/ --enable-sourcefire

Snort_installation

The configuration script reports an error because the libpcre-dev, libdumbnet-dev, and zlib libraries are missing.

The configuration script reports an error because the libpcre library is missing.

Pcre-error

The configuration script reports an error because the dnet (libdumbnet) Library is missing.

Libdnt error

The configuration script reports an error because the zlib library is missing.

Zlib error

Install all required development libraries as follows.

1. # aptitude install libpcre3-dev

Install libpcre3-dev

1. # aptitude install libdumbnet-dev

Libdumnet-dev installation

1. # aptitude install zlib1g-dev

Zlibg-dev installation

After the library required by snort is installed, no error will be reported when you run the configuration script again.

Run the make and make install commands in the/usr/local/snort directory.

1. # make

Make snort

1. # make install

Make install snort

Finally, run snort from/usr/local/snort/bin. Now all the traffic to eth0 is in promisc mode (package dump mode ).

Snort running

Shows the snort dump traffic.

Traffic

Snort rules and configurations

Snort installed from the source code also needs to set rules and configuration, so we need to copy rules and configuration to/etc/snort. We have created a separate bash script for setting rules and configurations. It sets the following snort settings.

• Create an snort user for the snort IDS service in linux.
• Create a snort configuration file and folder under/etc.
• Set permissions and copy data from the etc directory of the source code.
• Remove the # (annotator) in the rule from the snort file ).

 

1. #!/bin/bash#
2. # Snort source code path
3. snort_src="/home/test/Downloads/snort-2.9.7.3"
4. echo "adding group and user for snort..."
5. groupadd snort &>/dev/null
6. useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &>/dev/null#snort configuration
7. echo "Configuring snort..."mkdir -p /etc/snort
8. mkdir -p /etc/snort/rules
9. touch /etc/snort/rules/black_list.rules
10. touch /etc/snort/rules/white_list.rules
11. touch /etc/snort/rules/local.rules
12. mkdir /etc/snort/preproc_rules
13. mkdir /var/log/snort
14. mkdir -p /usr/local/lib/snort_dynamicrules
15. chmod -R 775/etc/snort
16. chmod -R 775/var/log/snort
17. chmod -R 775/usr/local/lib/snort_dynamicrules
18. chown -R snort:snort /etc/snort
19. chown -R snort:snort /var/log/snort
20. chown -R snort:snort /usr/local/lib/snort_dynamicrules
21. ###copy configuration and rules from etc directory under source code of snort
22. echo "copying from snort source to /etc/snort ....."
23. echo $snort_src
24. echo "-------------"
25. cp $snort_src/etc/*.conf* /etc/snort
26. cp $snort_src/etc/*.map /etc/snort##enable rules
27. sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
28. echo "---DONE---"

Change and run the snort source directory path in the script. Below is the successful output.

Running script

The above script copies the following files and folders from the snort source to the/etc/snort configuration file.

Files copied

The configuration of snort is very complex. To make the IDS work properly, you need to make the following necessary modifications.

1. ipvar HOME_NET 192.168.1.0/24# LAN side

1. ipvar EXTERNAL_NET !$HOME_NET # WAN side

Retriable set

1. var RULE_PATH /etc/snort/rules # snort signature path
2. var SO_RULE_PATH /etc/snort/so_rules #rules in shared libraries
3. var PREPROC_RULE_PATH /etc/snort/preproc_rules # Preproces path
4. var WHITE_LIST_PATH /etc/snort/rules # dont scan
5. var BLACK_LIST_PATH /etc/snort/rules # Must scan

Main path

1. include $RULE_PATH/local.rules # file for custom rules

Remove the annotator (#) before ftp. rules and exploit. rules (#).

Path rules

Download the Community rule and decompress it to/etc/snort/rules. Enable the community and emergency threat rules in snort. conf.

Wget_rules

Community rules

After making the above changes, run the following command to check the configuration file.

1. # snort -T -c /etc/snort/snort.conf

Snort running

 

Summary

In this article, we focus on the installation and configuration of the open-source IDPS system snort on Ubuntu. It is usually used to monitor events, but it can be configured as an online mode for network protection. Snort rules can be used to capture files in offline mode for testing and analysis.

Related reading:

Snort Chinese manual http://www.linuxidc.com/Linux/2013-11/92265.htm

Http://www.linuxidc.com/Linux/2013-02/79805.htm of Snort + Base intrusion detection Configuration

Ubuntu 12.04 install Snort detailed http://www.linuxidc.com/Linux/2013-01/78554.htm

Snort enterprise deployment http://www.linuxidc.com/Linux/2012-08/68946.htm

Snort + base build IDS Intrusion Detection System http://www.linuxidc.com/Linux/2012-08/67865.htm

Linux platform Snort intrusion detection system Practice Guide http://www.linuxidc.com/Linux/2012-08/67048.htm

Http://www.linuxidc.com/Linux/2011-09/44157.htm of Snort in Ubuntu from compilation, installation to debugging

Snort details: Click here
Snort: Click here

Via: http://linoxide.com/security/install-snort-usage-ubuntu-15-04/

Author: nido Translator: geekpi Proofreader: wxy

This article was originally translated by LCTT and launched with the Linux honor in China

This article permanently updates the link address: Http://www.linuxidc.com/Linux/2015-09/122685.htm