4

How to Install & Configure Snort NIDS in Linux

Snort is  network intrusion detection system (NIDS) which  is a type of open-source software to detect attacks, anomaly traffic  in the network. It is written in C language and works on multiplatform. It is the most widely deployed intrusion prevention system in the world (With over 4 million downloads and nearly 500,000 registered users)

SnortTM

There are not enough resource how to configure Snort in linux. So I wrote this post.

Before snort installation, some package should be installed. So we wrote this command in terminal screen.

sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

After that, libnet-1.12 is downloaded and unpacked.

wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz

tar xvfz libdnet-1.12.tgz

Then, you should go to this library packet folder.(When downloading file from net, your file is downloaded in /home/downloads folder). In the file directory,

./configure “CFLAGS=-fpic”  

this configuration for 64 bit machine.

make

for compilation

sudo checkinstall

Then,

sudo dpkg -i libdnet_1.12-1_i386.deb

sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

(above) command is to create symbolic link.

After all, you should go to snort site (http://snort.org). Download snort and daq (snort-2.9.6.1.tar.gz and daq-2.0.2.tar.gz ). In this example, firstly, I download snort-2.9.7.0.tar.gz and daq-2.0.4.tar.gz. However, I encountered a problem, so I used older versions of softwares.

Problem message:

checking for daq_load_modules in -ldaq_static… no

ERROR!  daq_static library not found, go get it from

http://www.snort.org/.

Then, (used older version)

tar xvfvz daq-2.0.2.tar.gz

./configure

make

sudo checkinstall

After that, snort file is configured

tar xvfvz snort-2.9.6.1.tar.gz

./configure

make

sudo checkinstall

sudo dpkg -i snort_2.9.6.1-1_i386.deb

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

After installation,

sudo ldconfig -v // to view version

After all, you should go to snort site to download snort rules (snortrules-snapshot-2970.tar.gz). Then it is unpacked. Create snort folder under etc folder. You can configure your snort.conf file. (/etc/snort)

ipvar HOME_NET 192.168.1.110/24  // or default mode (eg: any) can be used

ipvar EXTERNAL_NET !$HOME_NET // or default mode (eg: any) can be used 

Also, you should write rule in folder (/etc/snort/rules) or append new rules to the other rules.

alert icmp any any -> any any (msg:”Alert Getting ICMP Flood Message”;sid:1000004;)

alert tcp any any -> any any (msg:”Alert Getting TCP Flood Message”;sid:1000005;)

alert udp any any -> any any (msg:”Alert Getting UDP Flood Message”;sid:1000006;)

alert tcp $EXTERNAL_NET any -> any any (msg:”Alert HTTP GET DDos”;pcre:”/GET.*\htm/i”;classtype:web-application-activity;sid:1000007;)

After all, you can run snort using this command:

snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -A console

This command says: your network input port is eth0, snort is working  IDS mode (-i), your log file is /var/log/snort (-l), your configuration /etc/snort/snort.conf (-c) and you can see all process on the terminal screen (-A console).

I also encountered another problem when I entered this command;

snort -i 5 -l /var/log/snort -c /etc/snort/snort.conf -A console

Also, my network input is configured as eth2.

Problem Message:

ERROR: Can’t start DAQ (-1) – SIOCGIFHWADDR: No such device!

I solved it when I changed eth2 to eth0 and enter eth0 instead of 5

After that, you can test it by sending hping3 / ping to other machine (snort host).

(Pictures below; TCP, ICMP and UDP packets are catched)

  Untitled2  Untitled3Untitled