Snort – A Network Intrusion Detection System for Ubuntu

Snort is a well-known open-source network intrusion detection and prevention system (IDS). It monitors the packets sent and received through a network interface that you specify. Snort uses signature-based detection, drawing on different types of rulesets to detect network intrusions: community, registered and subscription rules. A correctly installed and configured Snort can be very useful in detecting different kinds of attacks and threats such as SMB probes, malware infections and compromised systems. In this article, we will learn how to install and configure Snort on an Ubuntu 20.04 system.

Snort Rules

Snort uses rulesets to detect network intrusions. There are three types of rulesets available:

Community rules

These rules are created by the Snort user community and are available free of cost.

Registered rules

These rules are provided by Talos and are only available to registered users. Registration takes only a moment and is free of cost. After registration, you will get a code that you need to submit with the download request.

Subscription rules

These rules are the same as the registered rules but are provided to registered users before the release. These rulesets are paid, and the price depends on whether you are a personal or a business user.

Snort Installation

Installing Snort on a Linux system used to be a manual and lengthy process. Nowadays the installation is much simpler, since most Linux distributions make the Snort package available in their repositories. The package can be installed from source as well as from the software repositories.

During the installation, you will be asked to provide some details regarding the network interface. Run the following command, and note the details for future use.

$ ip a

get network Interface

To install the Snort tool in Ubuntu, use the following command.

$ sudo apt install snort

In the ip a output for this example, ens33 is the name of the network interface and 192.168.218.128 is the IP address. The /24 shows that the subnet mask is 255.255.255.0. Take note of these values, since we need to provide them during the installation.

Now, press tab to navigate to the ok option and press enter.

Configure the network interface

Now provide the name of the network interface, navigate to the ok option using the tab key, and press enter.

Provide the network address with the subnet mask. Navigate to the ok option using the tab key and press enter.

local network IP address range

Once the installation is completed, run the command below to verify it.

$ snort --version

Check Snort version

Configuring snort

Before using Snort, a few changes need to be made in the configuration file. Snort stores its configuration under the directory /etc/snort/ in the file snort.conf.

Edit the configuration file with any text editor and make the following changes.

$ sudo vi /etc/snort/snort.conf

Find the line ipvar HOME_NET any in the configuration file and replace any with your network address.

Configure Snort

In this example, the network address 192.168.218.0 with prefix 24 is used, that is, 192.168.218.0/24. Replace it with your own network address and prefix.

Save the file and exit.

Download and Update Snort rules

Snort uses rulesets for intrusion detection. The three types of rulesets were described at the start of the article. Here, we will download and update the community rules.

To install and update the rules, create a directory for the rules.

$ sudo mkdir -p /usr/local/etc/rules

Download the community rules using the following command.

$ wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz

Or else, you can browse the link below and download the rules.

https://www.snort.org/downloads/#snort-3.0

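Extract the downloaded files into the previously created directory. The archive name shows that it is built for Snort 3; Snort 2 and Snort 3 use separate community rule packages, so check it against the version reported by snort --version.

$ sudo tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/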

Enable Promiscuous Mode

We need to make the Snort computer's network interface listen to all traffic. To do this, enable promiscuous mode. Run the following command with the interface name.

$ sudo ip link set ens33 promisc on

Here, ens33 is the interface name.

Set network interface to promisc mode

Running snort

Now we are ready to start Snort. Use the syntax below and substitute the parameters accordingly.

$ sudo snort -d -l /var/log/snort/ -h 192.168.218.0/24 -A console -c /etc/snort/snort.conf

Where,

-d is used to dump the application-layer data of the packets

-l is used to set the logging directory

-h is used to specify the home network

-A is used to send the alerts to the console

-c is used to specify the snort configuration

Once Snort is started, you will see its output in the terminal.

Using Snort on Ubuntu

You can check the log files to get information about intrusion detection.
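To triage what Snort reports, the alert lines can be grouped per signature and source. The script below is an added example, not part of the original article; it assumes the one-line "fast" alert layout that -A console prints, with IPv4 addresses, and its sample lines and SIDs are constructed.

```sh
#!/bin/sh
# Added example: summarise Snort "fast" alert lines (the -A console layout).

# sample_alerts: constructed lines, not captured from a real sensor.
sample_alerts() {
    cat <<'EOF'
08/14-10:15:32.123456  [**] [1:1000001:1] ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.218.1 -> 192.168.218.128
08/14-10:15:33.223456  [**] [1:1000001:1] ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.218.1 -> 192.168.218.128
08/14-10:16:01.000001  [**] [1:1000002:1] SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.218.50:51234 -> 192.168.218.128:445
Commencing packet processing (pid=1234)
EOF
}

# summarize_alerts: stdin = alert lines; stdout = tab-separated
# count, gid:sid:rev, priority, source IPv4 address, rule message,
# most frequent first. Lines that are not alerts are ignored.
summarize_alerts() {
    awk '
    / \[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
        sig  = substr($0, RSTART + 1, RLENGTH - 2)
        rest = substr($0, RSTART + RLENGTH + 1)
        msg  = substr(rest, 1, index(rest, " [**]") - 1)
        prio = "-"
        if (match($0, /\[Priority: [0-9]+\]/))
            prio = substr($0, RSTART + 11, RLENGTH - 12)
        split($0, side, " -> ")          # side[1] ends with the source
        n = split(side[1], w, " ")
        src = w[n]
        sub(/:[0-9]+$/, "", src)         # drop the port, if any
        seen[sig "\t" prio "\t" src "\t" msg]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Show the summary for the sample when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    sample_alerts | summarize_alerts
fi
```

Feed it saved console output or an alert file on standard input in place of the sample.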

Snort works on the basis of rulesets, so always keep the rulesets up to date. You can set up a cron job to download and update the rules periodically.
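A cron job for this could look like the following added example, which is not part of the original article. It reuses the download URL and rules directory from the steps above, and the script path in the crontab comment is an assumption. The script vets the archive's member names and unpacks into a staging directory before replacing the live rules.

```sh
#!/bin/sh
# Added example: refresh the community rules from cron (run as root).
RULES_URL="https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"
RULES_DIR="/usr/local/etc/rules"

# names_are_safe: stdin = archive member names, one per line. Succeeds only
# if a .rules file is present and no name is absolute or climbs with "..".
names_are_safe() {
    list=$(cat)
    printf '%s\n' "$list" | grep -q '\.rules$' || return 1
    ! printf '%s\n' "$list" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# archive_is_safe FILE: list FILE as a gzip tar and vet the member names.
# A file that is not a valid archive yields no names and is rejected.
archive_is_safe() {
    tar tzf "$1" 2>/dev/null | names_are_safe
}

# install_rules FILE DEST: unpack into a staging directory beside DEST and
# rename it into place, so a bad archive never leaves DEST half-written.
# The previous rules are kept in DEST.old for rollback.
install_rules() {
    archive_is_safe "$1" || { echo "rejected archive: $1" >&2; return 1; }
    stage="$2.new.$$"
    rm -rf "$stage"
    mkdir -p "$stage" || return 1
    if ! tar xzf "$1" -C "$stage" --no-same-owner; then
        rm -rf "$stage"
        return 1
    fi
    rm -rf "$2.old"
    [ ! -d "$2" ] || mv "$2" "$2.old" || return 1
    mv "$stage" "$2"
}

# update_rules: download to a temporary file, install it, clean up.
update_rules() {
    tmp=$(mktemp) || return 1
    rc=1
    wget -q -O "$tmp" "$RULES_URL" && install_rules "$tmp" "$RULES_DIR" && rc=0
    rm -f "$tmp"
    return "$rc"
}

# Hypothetical crontab entry (script path is an assumption):
#   15 3 * * * /usr/local/sbin/snort-rules-update.sh --run
if [ "${1:-}" = "--run" ]; then
    update_rules
fi
```

Snort reads its rules at start-up, so restart it after a successful update for the new rules to take effect.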

Conclusion

In this tutorial, we learned how to use Snort as a network intrusion prevention system on Linux. I have also covered how to install and use Snort on an Ubuntu system to monitor real-time traffic and do threat detection.