Run Snort on Linux and protect your network with real-time traffic analysis and threat detection. Security is everything, and Snort is world class. This pig might just save your bacon.
What is Snort?
Snort is one of the best known and most widely used network intrusion detection systems (NIDS). It has been called one of the most important open source projects of all time. Originally developed by Sourcefire, it has been maintained by Cisco's Talos Security Intelligence and Research Group since Cisco acquired Sourcefire in 2013.
Snort analyzes network traffic in real time and flags suspicious activity. In particular, it looks for anything that may indicate unauthorized access attempts and other attacks on the network. A comprehensive set of rules defines what counts as "suspicious" and what Snort should do when a rule is triggered.
In the same way that antivirus and anti-malware packages rely on updated signature definitions to identify and protect you from the latest threats, Snort's rules are frequently updated and released so that Snort keeps detecting current attacks.
The Snort rules
There are three sets of rules:
- Community rules: These are freely available sets of rules, created by the Snort user group.
- Registered rules: These rule sets are provided by Talos. They are also free, but you must register to get them. Registration is free and only takes a moment. You get a personal oinkcode, which you must include in the download request.
- Subscription rules: These are the same rules as the registered rules. However, subscribers receive the rules approximately one month before they are released as free rule sets for registered users. At the time of writing, 12-month subscriptions start at $29 for personal use and $399 for business use.
At one time, installing Snort was a lengthy manual process. It was not difficult, but there were many steps and it was easy to miss one. The major Linux distributions have made things easier by making Snort available from their software repositories.
The versions in the repositories are sometimes behind the latest version available on the Snort website. If you want, you can download and install from source. As long as you have the latest rules, it does not matter too much if your Snort is not the latest and greatest, as long as it is not ancient.
For this article, we installed Snort on Ubuntu 20.04, Fedora 32 and Manjaro 20.0.1.
To install Snort on Ubuntu, use this command:
sudo apt-get install snort
As the installation proceeds, you will be asked a couple of questions. You can find the answers to these by running
ip addr before starting the installation, or in a separate terminal window.
Make a note of your network interface name. On this research computer it is enp0s3.
Also look at your IP address. This computer has the IP address 192.168.1.24/24. The extra "/24" is Classless Inter-Domain Routing (CIDR) notation. This tells you the range of network addresses. It means that this network has a subnet mask of 255.255.255.0, which has three leading sets of eight bits (3 x 8 = 24). You do not need to worry too much about it; just record your IP address including the CIDR notation. You must enter this in answer to one of the questions, with the last octet of the IP address changed to zero. In our example, this is 192.168.1.0/24.
Press “Tab” to highlight the “OK” button and press “Enter”.
Enter the name of the network interface name and press “Tab” to highlight the “OK” button and press “Enter”.
Enter the network address range in CIDR format, press “Tab” to highlight the “OK” button and press “Enter”.
To install Snort on Fedora, you must use two commands:
rpm -Uvh https://forensics.cert.org/cert-forensics-tools-release-32.rpm
sudo dnf install snort
On Manjaro, the command we need is not the usual
pacman; it is
pamac. And we do not need to use sudo:
pamac install snort
When asked if you want to build Snort from the AUR (Arch User Repository), press “Y” and press “Enter”. We do not want to edit the build files, so answer that question by pressing “N” and pressing “Enter”. Press “Y” and press “Enter” when asked if the transaction is to be applied.
You will be asked to enter your password.
The versions of Snort that were installed were:
- Ubuntu: 184.108.40.206
- Fedora: 220.127.116.11
- Manjaro: 18.104.22.168
You can check your version with:
snort -V
There are a few steps to complete before we can run Snort. We need to edit the "snort.conf" file.
sudo gedit /etc/snort/snort.conf
Find the line with the text "ipvar HOME_NET any" and edit it to replace "any" with the CIDR address range of your network.
Save your changes and close the file.
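The two manual steps above (turning the address `ip addr` reports into the network range, then editing HOME_NET) can be done with a small shell script. This is an added example, not code from the original article: the function names and the sample `ip -o -4 addr` line are constructed here, and host_to_network generalises the "set the last octet to zero" rule to any prefix length.

```shell
#!/bin/sh
# Added example, not from the original article: derive the network range
# Snort needs from the address `ip addr` reports, and set HOME_NET in a
# snort.conf. Function names are constructed for this example.

# Pick the "addr/len" field for one interface out of `ip -o -4 addr`
# output (one line per address, read on stdin).
cidr_for_interface() {
  awk -v dev="$1" '$2 == dev { print $4; exit }'
}

# Zero the host bits of "a.b.c.d/len" for any prefix length 0-32. For a
# /24 this is exactly the article's "last octet to zero" shortcut.
host_to_network() {
  addr=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;; esac
  [ "$len" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || { echo "bad address: $addr" >&2; return 1; }
  host=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  net=$(( host & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( net >> 24 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# Replace the single "ipvar HOME_NET ..." line in a snort.conf with the
# given range; refuses to touch a file without exactly one such line.
set_home_net() {
  conf=$1; range=$2
  [ "$(grep -c '^ipvar HOME_NET ' "$conf")" -eq 1 ] ||
    { echo "expected exactly one HOME_NET line in $conf" >&2; return 1; }
  sed "s|^ipvar HOME_NET .*|ipvar HOME_NET $range|" "$conf" > "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
}

# Usage on a real host (root is needed to write /etc/snort/snort.conf):
#   ip -o -4 addr | cidr_for_interface enp0s3    -> 192.168.1.24/24
#   host_to_network 192.168.1.24/24              -> 192.168.1.0/24
#   set_home_net /etc/snort/snort.conf 192.168.1.0/24
```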
Update the Snort rules
To ensure that your copy of Snort provides the maximum level of protection, update the rules to the latest version. This ensures that Snort has access to the latest set of attack definitions and safeguards.
If you have registered and received your own oinkcode, you can use the following command to download the rule set for registered users. The Snort download page lists the available rule sets, including the community rule set for which you do not need to sign up.
Download the rule set for the version of Snort you have installed. We are downloading the 22.214.171.124 version, which is closest to the 126.96.36.199 version of Snort that was in the Ubuntu repository.
Network interface cards usually ignore traffic that is not intended for their IP address. We want Snort to detect suspicious network traffic addressed to any device on the network, not just network traffic that happens to be sent to the computer on which Snort is installed.
To get the Snort computer's network interface to listen to all network traffic, we need to set it to promiscuous mode. The following command causes the network interface
enp0s3 to operate in promiscuous mode. Replace
enp0s3 with the name of the network interface you are using on your computer.
sudo ip link set enp0s3 promisc on
If you are running Snort on a virtual machine, also remember to adjust the settings in your hypervisor for the virtual network card used by your virtual machine. For example, in VirtualBox you have to go to
Settings > Network > Advanced and change the "Promiscuous Mode" drop-down menu to "Allow All."
You can now start Snort. The command format is:
sudo snort -d -l /var/log/snort/ -h 192.168.1.0/24 -A console -c /etc/snort/snort.conf
Replace 192.168.1.0/24 with your own network IP range.
The command line options used in this command are:
- -d: Dumps the application layer (payload) data of the packets.
- -l /var/log/snort/: Sets the log directory.
- -h 192.168.1.0/24: This does not set the home network; that was set in the "snort.conf" file. With this value set to the same value as the home network, the logs are structured so that content from suspicious remote computers is logged into directories named after each remote computer.
- -A console: Sends alerts to the console window.
- -c /etc/snort/snort.conf: Specifies which Snort configuration file to use.
Snort scrolls a lot of output in the terminal window and then enters its monitoring mode. If it does not see any suspicious activity, you will not see any more screen output.
From another computer, we started generating malicious activity directed at our test computer, which was running Snort.
Snort identifies the network traffic as potentially malicious, sends alerts to the console window and writes entries in the logs.
Attacks classified as “Information Leakage” attacks indicate that an attempt has been made to interrogate your computer for information that may help an attacker. This probably indicates that someone is performing reconnaissance on your system.
Attacks classified as “Denial of Service” attacks indicate an attempt to flood your computer with fake network traffic. The attack tries to overwhelm your computer so that it can not continue to provide its services.
To verify that promiscuous mode works correctly and that we are protecting the entire network address range, we fire malicious traffic at another computer and see whether Snort detects it.
The activity is detected and reported, and we can see that this attack was directed at another computer with the IP address
192.168.1.26. Snort monitors the entire address range of this network.
To maintain its vigilance, Snort needs updated rules. You can write a small script containing the commands to download and install the rules, and set up a
cron job to automate the process by running the script regularly. The PulledPork script is a ready-made script designed to do just that, if you do not want to write your own.
Snort does not have a front-end or a graphical user interface. Third-party projects have created several, and you may want to explore some of them, such as Snorby and Sguil.
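A minimal update script of the kind described above, as an added example (not the article's, PulledPork's or the Snort project's code). It assumes the registered-rules download URL pattern shown in rules_url, an oinkcode passed in the OINKCODE environment variable, a snapshot tarball with a top-level rules/ directory, and a SNORT_VER you set to the snapshot matching your installed Snort; the -T option asks Snort to validate the configuration without starting.

```shell
#!/bin/sh
# Added example, not the article's or Snort's code: download a rule
# snapshot, install the rule files, and let Snort validate the result.
# The URL pattern, variable names and PLACEHOLDER_VERSION are assumptions.
set -u

SNORT_VER=${SNORT_VER:-PLACEHOLDER_VERSION}   # snapshot matching `snort -V`
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
CONF=${CONF:-/etc/snort/snort.conf}

# Build the registered-rules download URL (pattern assumed; check snort.org).
rules_url() {
  printf 'https://www.snort.org/rules/snortrules-snapshot-%s.tar.gz?oinkcode=%s\n' "$1" "$2"
}

# Unpack only the rule files from a snapshot tarball into the rules
# directory, via a staging dir so a broken archive never half-overwrites it.
install_rules() {
  tarball=$1; dest=$2
  stage=$(mktemp -d) || return 1
  if ! tar -xzf "$tarball" -C "$stage" rules 2>/dev/null; then
    echo "no rules/ directory in $tarball" >&2; rm -rf "$stage"; return 1
  fi
  mkdir -p "$dest" && cp "$stage"/rules/*.rules "$dest"/ && rm -rf "$stage"
}

# Full cycle: download, install, then have Snort test the configuration
# (-T) so a bad rule set is noticed now rather than at the next restart.
update_rules() {
  [ -n "${OINKCODE:-}" ] || { echo "OINKCODE not set" >&2; return 1; }
  tmp=$(mktemp) || return 1
  wget -q -O "$tmp" "$(rules_url "$SNORT_VER" "$OINKCODE")" &&
    install_rules "$tmp" "$RULES_DIR" &&
    snort -T -c "$CONF" >/dev/null
  status=$?
  rm -f "$tmp"
  return $status
}

# Only act when invoked with "run", e.g. from a cron entry such as:
#   0 3 * * * OINKCODE=... /usr/local/sbin/update-snort-rules run
if [ "${1:-}" = "run" ]; then
  update_rules
fi
```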