
How to use Snort Intrusion Detection System on Linux – CloudSavvy IT




Run Snort on Linux and protect your network with real-time traffic analysis and threat detection. Security is everything, and Snort is world-class. This pig might just save your bacon.

What is Snort?

Snort is one of the best known and most widely used network intrusion detection systems (NIDS). It has been called one of the most important open source projects of all time. Originally developed by Sourcefire, it has been maintained by Cisco's Talos Security Intelligence and Research Group since Cisco acquired Sourcefire in 2013.

Snort analyzes network traffic in real time and flags suspicious activity. In particular, it looks for anything that may indicate unauthorized access attempts and other attacks on the network. A comprehensive set of rules defines what counts as “suspicious” and what Snort should do when a rule is triggered.

In the same way that antivirus and anti-malware packages rely on updated virus signature definitions to identify and protect you from the latest threats, Snort's rules are frequently updated and reissued so that Snort always works as it should.

The Snort rules

There are three sets of rules:

  • Community rules: These are freely available sets of rules, created by the Snort user group.
  • Registered rules: These rule sets are provided by Talos. They are also free of charge, but you must register to get them. Registration is free and only takes a moment. You get a personal oinkcode, which you must include in the download request.
  • Subscription rules: These are the same rules as the registered rules. However, subscribers receive the rules approximately one month before they are released as free rule sets for registered users. At the time of writing, 12-month subscriptions start at $ 29 for personal use and $ 399 for business use.

Installing Snort

At one point, the installation of Snort was a lengthy manual process. It was not difficult, but there were many steps and it was easy to miss one. The large Linux distributions have made things easier by making Snort accessible from their software repositories.

The versions in the repositories sometimes lag behind the latest version available on the Snort website. If you prefer, you can download and install from source. As long as you have the latest rules, it does not matter too much if your Snort is not the latest and greatest, as long as it is not ancient.

To research this article, we installed Snort on Ubuntu 20.04, Fedora 32 and Manjaro 20.0.1.

To install Snort on Ubuntu, use this command:

sudo apt-get install snort


During the installation you will be asked a few questions. You can find the answers by running ip addr before starting the installation, or in a separate terminal window.

ip addr


Make a note of your network interface name. On this research computer it is enp0s3.

Also note your IP address. This computer's IP address is 192.168.1.24. The “/24” suffix is Classless Inter-Domain Routing (CIDR) notation. It tells you the network address range: this network has a subnet mask of 255.255.255.0, which is three leading sets of eight bits (3 x 8 = 24). You do not need to worry too much about it; just record your IP address, including the CIDR notation. You must enter this as the answer to one of the questions, with the last octet of the IP address changed to zero. In our example, this is 192.168.1.0/24.
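As an added example that is not part of the original article, this POSIX shell function derives the network address from the address and prefix that ip addr reports. It generalizes the "change the last octet to zero" shortcut, which only holds for /24, to any prefix length.

```shell
#!/bin/sh
# Added example, not from the article: turn the address/prefix that
# "ip addr" reports (e.g. 192.168.1.24/24) into the network address that
# the installer question and HOME_NET expect (192.168.1.0/24). Unlike the
# "set the last octet to zero" shortcut, it works for any prefix length.

cidr_network() {
    case "$1" in
        */*) ;;
        *) echo "expected address/prefix, got '$1'" >&2; return 1 ;;
    esac
    addr=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) echo "bad prefix length '$prefix'" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "prefix length must be 0-32" >&2; return 1
    fi
    IFS=. read -r a b c d <<EOF
$addr
EOF
    # Pack the four octets into one 32-bit integer.
    ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    # Build the mask from the prefix: /24 -> 255.255.255.0, /0 -> 0.0.0.0.
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Usage: cidr_network 192.168.1.24/24   -> 192.168.1.0/24
```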

Press “Tab” to highlight the “OK” button and press “Enter”.

Preliminary configuration page in a terminal window

Enter the name of the network interface, press “Tab” to highlight the “OK” button and press “Enter”.

Set the interface name in a terminal window

Enter the network address range in CIDR format, press “Tab” to highlight the “OK” button and press “Enter”.

provide network details in CIDR notation in a terminal window

To install Snort on Fedora, you must use two commands:

sudo rpm -Uvh https://forensics.cert.org/cert-forensics-tools-release-32.rpm


sudo dnf install snort


On Manjaro, the command we need is not the usual pacman; it is pamac. And we do not need to use sudo:

pamac install snort


When asked if you want to build Snort from the AUR (Arch User Repository), press “Y” and press “Enter”. We do not want to edit the build files, so answer that question by pressing “N” and pressing “Enter”. Press “Y” and press “Enter” when asked if the transaction is to be applied.

You will be asked to enter your password.

The versions of Snort that were installed were:

  • Ubuntu: 2.9.7.0
  • Fedora: 2.9.16.1
  • Manjaro: 2.9.16.1

You can check your version with:

snort --version


Configure Snort

There are a few steps to complete before we can run Snort. We need to edit the file “snort.conf”.

sudo gedit /etc/snort/snort.conf


Find the line with the text “ipvar HOME_NET any” and edit it, replacing “any” with the CIDR notation address range of your network.

snort.conf configuration file in the gedit editor

Save your changes and close the file.

Update the Snort rules

To ensure that your copy of Snort provides the maximum level of protection, update the rules to the latest version. This ensures that Snort has access to the latest set of attack definitions and safeguards.

If you have registered and received your own oinkcode, you can use the following command to download the rule set for registered users. The Snort download page lists the available rule sets, including the community rule set that you do not need to register for.

Download the rule set for the version of Snort you have installed. We are downloading the 2.9.8.3 version, which is closest to the 2.9.7.0 version of Snort that was in the Ubuntu archive.

wget https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=<your oink code goes here> -O snortrules-snapshot-2983.tar.gz

When the download is complete, use this command to extract the rules and install them in the “/etc/snort/rules” directory.

sudo tar -xvzf snortrules-snapshot-2983.tar.gz -C /etc/snort/rules

Promiscuous mode

Network interface cards usually ignore traffic that is not intended for their IP address. We want Snort to detect suspicious network traffic addressed to any device on the network, not just network traffic that happens to be sent to the computer on which Snort is installed.

To get the Snort computer's network interface to listen to all network traffic, we need to set it to promiscuous mode. The following command puts the network interface enp0s3 into promiscuous mode. Replace enp0s3 with the name of the network interface on your computer.

sudo ip link set enp0s3 promisc on


If you are running Snort on a virtual machine, also remember to adjust the settings in your hypervisor for the virtual network card used by your virtual machine. For example, in VirtualBox you have to go to Settings > Network > Advanced and change the “Promiscuous Mode” drop-down menu to “Allow All.”

VirtualBox Network Adapter Settings Tab


Running Snort

You can now start Snort. The command format is:

sudo snort -d -l /var/log/snort/ -h 192.168.1.0/24 -A console -c /etc/snort/snort.conf


Replace 192.168.1.0/24 with your own network IP range.

The command line options used in this command are:

  • -d: Dumps the application-layer data of the packets.
  • -l /var/log/snort/: Sets the log directory.
  • -h 192.168.1.0/24: This does not set the home network; that was set in the “snort.conf” file. With this value set to the same value as the home network, the logs are structured so that content from suspicious remote computers is logged into directories named after each remote computer.
  • -A console: Sends alerts to the console window.
  • -c /etc/snort/snort.conf: Specifies which Snort configuration file to use.

Snort scrolls a lot of output in the terminal window and then goes into an analysis mode. If it does not see any suspicious activity, you will not see any more screen output.

Snort in a terminal window

From another computer, we started generating malicious activity that was directed at our test computer, which was running Snort.

Suspicious and harmful activity is detected and flagged by Snort in a terminal window

Snort identifies network traffic as potentially harmful, sends alerts to the console window and writes entries in the logs.

Attacks classified as “Information Leakage” attacks indicate that an attempt has been made to interrogate your computer for information that may help an attacker. This probably indicates that someone is performing reconnaissance on your system.

Attacks classified as “Denial of Service” attacks indicate an attempt to flood your computer with fake network traffic. The attack tries to overwhelm your computer so that it can not continue to provide its services.

To verify that promiscuous mode works correctly and we protect the entire network address area, we fire malicious traffic at another computer and see if Snort detects it.

Suspicious and harmful activity is detected and flagged by Snort in a terminal window

The activity is detected and reported, and we can see that this attack was directed at another computer with the IP address 192.168.1.26. Snort is monitoring the entire address range of this network.

Next step

To maintain its vigilance, Snort needs updated rules. You can write a small script containing the commands to download and install the rules, and set up a cron job that calls the script regularly to automate the process. The PulledPork script is a ready-made script designed to do just that, if you do not want to write your own.
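As an added example that is neither the article's nor the Snort project's code, here is a small update script of the kind described above, built from the same snapshot download and extraction commands used in the rule-update section. It assumes the oinkcode is kept in a root-only file (path assumed), that the snapshot name is the Snort version with the dots removed, and that you restart Snort yourself after the rules change.

```shell
#!/bin/sh
# Added example, not from the article or the Snort project: fetch the
# registered rule snapshot for a given Snort 2.9.x version, sanity-check
# the archive, and unpack it under /etc/snort/rules, ready for cron.
# Assumptions: the oinkcode lives in a root-readable file (OINKCODE_FILE)
# rather than on the command line, and Snort is restarted separately.
set -eu

OINKCODE_FILE=${OINKCODE_FILE:-/etc/snort/oinkcode}   # assumed path, mode 0600
RULES_DIR=${RULES_DIR:-/etc/snort/rules}

# 2.9.8.3 -> snortrules-snapshot-2983.tar.gz (snort.org drops the dots).
snapshot_name() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d .)"
}

# Same URL the article uses, with the oinkcode as the query parameter.
rules_url() {
    printf 'https://www.snort.org/rules/%s?oinkcode=%s\n' \
        "$(snapshot_name "$1")" "$2"
}

update_rules() {
    version=$1
    oinkcode=$(cat "$OINKCODE_FILE")
    tarball=$(snapshot_name "$version")
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    wget -q "$(rules_url "$version" "$oinkcode")" -O "$tmp/$tarball"
    # Refuse to unpack anything that is not a valid gzip tarball holding
    # at least one .rules file (an HTML error page saved by wget fails here).
    gzip -t "$tmp/$tarball"
    tar -tzf "$tmp/$tarball" | grep -q '\.rules$'
    tar -xzf "$tmp/$tarball" -C "$RULES_DIR"
    echo "rules for Snort $version installed in $RULES_DIR; restart Snort to load them"
}

# Run as: update-snort-rules.sh 2.9.8.3
# Weekly cron entry in root's crontab (Mondays at 03:00):
#   0 3 * * 1 /usr/local/sbin/update-snort-rules.sh 2.9.8.3
if [ $# -eq 1 ]; then
    update_rules "$1"
fi
```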

Snort does not have a front-end or a graphical user interface. Third-party projects have created several, and you may want to explore some of them, such as Snorby and Sguil.
