For network security, intrusion detection is very important. An Intrusion Detection System (IDS) is used to detect illegal and malicious requests on the network. Snort is a well-known open-source Intrusion Detection System, and its web interface (Snorby) can be used to analyze its alerts more conveniently. Snort uses the iptables/pf firewall as the intrusion detection system. In this article, we will install and configure the open-source Intrusion Detection System Snort.
Snort installation requirements
Snort uses the Data Acquisition library (DAQ) as an abstraction layer for calling packet capture libraries. It is available from the Snort website; download it as follows.
[Screenshot: downloading DAQ]
Extract the archive and run ./configure, make and make install to install DAQ. DAQ depends on other tools, however, so the ./configure script reports the following errors.
[Screenshot: flex and bison missing error]
[Screenshot: libpcap missing error]
Therefore, you must install flex/bison and libpcap before installing DAQ.
[Screenshot: installing flex and bison]
Install the libpcap development library as follows.
[Screenshot: installing libpcap-dev]
After the necessary tools are installed, run the ./configure script again. The following output is displayed.
[Screenshot: ./configure completing without errors]
The results of the make and make install commands are as follows.
[Screenshot: make and make install output]
After DAQ is installed successfully, we will install Snort. Download it with wget, for example.
[Screenshot: downloading snort]
Run the following command to decompress the installation package.
# tar -xvzf snort-2.9.7.3.tar.gz
[Screenshot: extracting the snort archive]
Create the installation directory and pass it to the configure script with the --prefix parameter. We also recommend enabling the sourcefire flag, which turns on packet performance monitoring (PPM).
#mkdir /usr/local/snort
#./configure --prefix=/usr/local/snort/ --enable-sourcefire
[Screenshot: configuring snort]
The configuration script reports errors because the libpcre, libdumbnet (dnet) and zlib development libraries are missing.
The libpcre library is missing:
[Screenshot: pcre error]
The dnet (libdumbnet) library is missing:
[Screenshot: libdnet error]
The zlib library is missing:
[Screenshot: zlib error]
Install all required development libraries as follows.
# aptitude install libpcre3-dev
[Screenshot: installing libpcre3-dev]
# aptitude install libdumbnet-dev
[Screenshot: installing libdumbnet-dev]
# aptitude install zlib1g-dev
[Screenshot: installing zlib1g-dev]
Once the libraries required by Snort are installed, running the configuration script again reports no errors.
Run the make and make install commands in the /usr/local/snort directory.
# make
[Screenshot: make output for snort]
# make install
[Screenshot: make install output for snort]
Finally, run snort from /usr/local/snort/bin. It puts eth0 into promiscuous mode and now dumps all traffic on that interface (packet dump mode).
[Screenshot: snort running]
The screenshot below shows the traffic dumped by Snort.
[Screenshot: dumped traffic]
Snort rules and configurations
Snort installed from source also needs rules and a configuration, so we need to copy them to /etc/snort. We have written a separate bash script for setting up the rules and configuration. It performs the following steps:
- Create a snort user for the snort IDS service in Linux.
- Create the snort configuration files and folders under /etc.
- Set permissions and copy the data from the etc directory of the source code.
- Remove the # (comment marker) from the rules in the snort file.
#!/bin/bash
# Snort source code path
snort_src="/home/test/Downloads/snort-2.9.7.3"
echo "adding group and user for snort..."
groupadd snort &>/dev/null
# system account without a login shell; home is the log directory
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &>/dev/null
# snort configuration
echo "Configuring snort..."
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/local.rules
mkdir -p /etc/snort/preproc_rules
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
### copy configuration and rules from the etc directory of the snort source
echo "copying from snort source to /etc/snort ....."
echo "$snort_src"
echo "-------------"
cp "$snort_src"/etc/*.conf* /etc/snort
cp "$snort_src"/etc/*.map /etc/snort
## comment out every "include $RULE_PATH/..." line; the rule files that are
## actually needed are re-enabled by hand in snort.conf afterwards
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
echo "---DONE---"
Change the snort source directory path in the script, then run it. Below is the output of a successful run.
[Screenshot: running the script]
The script above copies the following files and folders from the snort source to the /etc/snort configuration directory.
[Screenshot: files copied]
The snort configuration is extensive. To make the IDS work properly, the following changes to snort.conf are required.
ipvar HOME_NET 192.168.1.0/24 # LAN side
ipvar EXTERNAL_NET !$HOME_NET # WAN side
var RULE_PATH /etc/snort/rules # snort signature path
var SO_RULE_PATH /etc/snort/so_rules # rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules # preprocessor rules path
var WHITE_LIST_PATH /etc/snort/rules # don't scan
var BLACK_LIST_PATH /etc/snort/rules # must scan
include $RULE_PATH/local.rules # file for custom rules
Remove the comment marker (#) in front of the ftp.rules and exploit.rules include lines.
[Screenshot: rule include paths]
Download the community rules and extract them to /etc/snort/rules. Enable the community and Emerging Threats rules in snort.conf.
[Screenshot: downloading the rules with wget]
[Screenshot: community rules enabled]
After making the above changes, run the following command to check the configuration file.
# snort -T -c /etc/snort/snort.conf
[Screenshot: snort configuration check]
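The snort.conf edits described above (setting HOME_NET and EXTERNAL_NET, pointing RULE_PATH at /etc/snort/rules, re-enabling only the rule files you need, and putting a custom rule into local.rules) can be scripted and verified instead of being done by hand in an editor. The script below is an added example; it is not part of the original article or of the Snort project. It works on a constructed snort.conf fragment so that it runs without Snort installed: the SNORT_CONF and LOCAL_RULES paths, the sample include lines and the example rule with SID 1000001 are all assumptions.

```shell
#!/bin/bash
# Added example, not from the original article: apply the snort.conf edits the
# article describes with sed, add one custom rule to local.rules, and verify
# the result with grep/awk. Runs against a constructed sample configuration.
set -eu

SNORT_CONF="${SNORT_CONF:-${TMPDIR:-/tmp}/snort.conf.sample}"    # assumed path
LOCAL_RULES="${LOCAL_RULES:-${TMPDIR:-/tmp}/local.rules.sample}"  # assumed path

# Constructed fragment of snort.conf in the state the setup script leaves it:
# every rule include commented out and both networks still set to "any".
make_sample_conf() {
    cat > "$SNORT_CONF" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
#include $RULE_PATH/local.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/telnet.rules
EOF
    : > "$LOCAL_RULES"
}

# Rewrite the conf in place without relying on the non-portable "sed -i".
rewrite() { sed "$@" "$SNORT_CONF" > "$SNORT_CONF.tmp" && mv "$SNORT_CONF.tmp" "$SNORT_CONF"; }

# set_var NAME VALUE: replace the value of an existing ipvar/var line.
set_var() { rewrite -E "s@^(ipvar|var) $1 .*@\\1 $1 $2@"; }

# enable_rule FILE: drop the leading # from "include $RULE_PATH/FILE".
enable_rule() { rewrite "s@^#include \$RULE_PATH/$1\$@include \$RULE_PATH/$1@"; }

# get_var NAME: print the current value of an ipvar/var.
get_var() { awk -v n="$1" '($1 == "ipvar" || $1 == "var") && $2 == n { print $3 }' "$SNORT_CONF"; }

# is_enabled FILE: succeed only if the include line for FILE is active.
is_enabled() { grep -q "^include \$RULE_PATH/$1\$" "$SNORT_CONF"; }

# add_local_rule SID MSG: append an alert rule for ICMP echo requests that
# arrive from outside HOME_NET. SIDs for local rules start at 1000000.
add_local_rule() {
    printf 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"%s"; itype:8; sid:%s; rev:1;)\n' \
        "$2" "$1" >> "$LOCAL_RULES"
}

# count_rules: number of active (non-comment, non-blank) lines in local.rules.
count_rules() { grep -c -v -e '^#' -e '^$' "$LOCAL_RULES" || true; }

configure_snort() {
    make_sample_conf
    set_var HOME_NET 192.168.1.0/24      # LAN side, as in the article
    set_var EXTERNAL_NET '!$HOME_NET'    # WAN side: everything that is not the LAN
    set_var RULE_PATH /etc/snort/rules
    enable_rule local.rules
    enable_rule ftp.rules
    enable_rule exploit.rules            # telnet.rules stays disabled on purpose
    add_local_rule 1000001 "LOCAL ICMP echo request from outside HOME_NET"
}

configure_snort
echo "HOME_NET is now $(get_var HOME_NET); $(count_rules) custom rule(s) in $LOCAL_RULES"
# On a real system, validate the result afterwards with: snort -T -c /etc/snort/snort.conf
```

To use it on a real installation, point SNORT_CONF at /etc/snort/snort.conf and LOCAL_RULES at /etc/snort/rules/local.rules, then run the snort -T check shown above. The read-back functions matter: a HOME_NET left at "any" or set to the wrong subnet means rules written for traffic from $EXTERNAL_NET into $HOME_NET never match the hosts you meant to protect, and nothing in Snort's startup output tells you so.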
Summary
In this article we focused on installing and configuring the open-source IDPS Snort on Ubuntu. It is usually used to monitor events, but it can also be configured in inline mode to protect the network. Snort rules can also be run against captured packet files in offline mode for testing and analysis.
Related reading:
Snort Chinese manual http://www.linuxidc.com/Linux/2013-11/92265.htm
Snort + Base intrusion detection configuration http://www.linuxidc.com/Linux/2013-02/79805.htm
Ubuntu 12.04 install Snort detailed http://www.linuxidc.com/Linux/2013-01/78554.htm
Snort enterprise deployment http://www.linuxidc.com/Linux/2012-08/68946.htm
Snort + base build IDS Intrusion Detection System http://www.linuxidc.com/Linux/2012-08/67865.htm
Linux platform Snort intrusion detection system Practice Guide http://www.linuxidc.com/Linux/2012-08/67048.htm
Snort on Ubuntu from compilation and installation to debugging http://www.linuxidc.com/Linux/2011-09/44157.htm
Via: http://linoxide.com/security/install-snort-usage-ubuntu-15-04/
Author: nido Translator: geekpi Proofreader: wxy
This article was originally translated by LCTT and proudly published by Linux China.
Permanent link to this article: http://www.linuxidc.com/Linux/2015-09/122685.htm