Snort is network intrusion detection system (NIDS) which is a type of open-source software to detect attacks, anomaly traffic in the network. It is written in C language and works on multiplatform. It is the most widely deployed intrusion prevention system in the world (With over 4 million downloads and nearly 500,000 registered users)
There are not enough resource how to configure Snort in linux. So I wrote this post.
Before snort installation, some package should be installed. So we wrote this command in terminal screen.
sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev
After that, libnet-1.12 is downloaded and unpacked.
tar xvfz libdnet-1.12.tgz
Then, you should go to this library packet folder.(When downloading file from net, your file is downloaded in /home/downloads folder). In the file directory,
this configuration for 64 bit machine.
sudo dpkg -i libdnet_1.12-1_i386.deb
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
(above) command is to create symbolic link.
After all, you should go to snort site (http://snort.org). Download snort and daq (snort-220.127.116.11.tar.gz and daq-2.0.2.tar.gz ). In this example, firstly, I download snort-18.104.22.168.tar.gz and daq-2.0.4.tar.gz. However, I encountered a problem, so I used older versions of softwares.
checking for daq_load_modules in -ldaq_static… no
ERROR! daq_static library not found, go get it from
Then, (used older version)
tar xvfvz daq-2.0.2.tar.gz
After that, snort file is configured
tar xvfvz snort-22.214.171.124.tar.gz
sudo dpkg -i snort_126.96.36.199-1_i386.deb
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
sudo ldconfig -v // to view version
After all, you should go to snort site to download snort rules (snortrules-snapshot-2970.tar.gz). Then it is unpacked. Create snort folder under etc folder. You can configure your snort.conf file. (/etc/snort)
ipvar HOME_NET 192.168.1.110/24 // or default mode (eg: any) can be used
ipvar EXTERNAL_NET !$HOME_NET // or default mode (eg: any) can be used
Also, you should write rule in folder (/etc/snort/rules) or append new rules to the other rules.
alert icmp any any -> any any (msg:”Alert Getting ICMP Flood Message”;sid:1000004;)
alert tcp any any -> any any (msg:”Alert Getting TCP Flood Message”;sid:1000005;)
alert udp any any -> any any (msg:”Alert Getting UDP Flood Message”;sid:1000006;)
alert tcp $EXTERNAL_NET any -> any any (msg:”Alert HTTP GET DDos”;pcre:”/GET.*\htm/i”;classtype:web-application-activity;sid:1000007;)
After all, you can run snort using this command:
snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -A console
This command says: your network input port is eth0, snort is working IDS mode (-i), your log file is /var/log/snort (-l), your configuration /etc/snort/snort.conf (-c) and you can see all process on the terminal screen (-A console).
I also encountered another problem when I entered this command;
snort -i 5 -l /var/log/snort -c /etc/snort/snort.conf -A console
Also, my network input is configured as eth2.
ERROR: Can’t start DAQ (-1) – SIOCGIFHWADDR: No such device!
I solved it when I changed eth2 to eth0 and enter eth0 instead of 5
After that, you can test it by sending hping3 / ping to other machine (snort host).
(Pictures below; TCP, ICMP and UDP packets are catched)