- Update the apt package lists:
sudo apt update
- Install the snort build dependencies:
sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet autoconf libtool
- Make a temporary working folder `~/snort_src` and change into it (the later steps expect the sources under `~/snort_src`):
mkdir ~/snort_src && cd ~/snort_src
- Download DAQ:
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
- Extract the tar file and cd into it:
tar -xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
- Regenerate the DAQ build scripts with autoreconf:
autoreconf -f -i
- Run the DAQ configure script, then build and install:
./configure && make && sudo make install
- Navigate back to the parent folder, then download the snort source code:
cd ..
wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
- Extract the tar file and cd into it:
tar -xvzf snort-2.9.20.tar.gz
cd snort-2.9.20
- Configure the build with Sourcefire preprocessors enabled, then run make and make install:
./configure --enable-sourcefire && make && sudo make install
- Update the shared library cache, and create a symlink so `snort` is found on the sbin path:
sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
- Create a system group and a non-login user to run snort:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
- Create the directories snort uses:
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
- Set the permissions and ownership on the newly created directories (note that mode 5775 is applied recursively and also sets the setuid and sticky bits on the files inside; if group-writable directories are all that is needed, 775 is the narrower choice):
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
- Create the (initially empty) rules files that snort.conf references:
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
- Copy the configuration files from the extracted source folder to the `/etc/snort` directory:
sudo cp ~/snort_src/snort-2.9.20/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort
- Download the community rules (there are other options, such as the subscription rules):
wget https://www.snort.org/rules/community -O ~/community.tar.gz
- Extract the file:
sudo tar -xvf ~/community.tar.gz -C ~/
- Copy the rules file to the `/etc/snort/rules` folder:
sudo cp ~/community-rules/community.rules /etc/snort/rules
- Comment out the default rule includes (every `include $RULE_PATH` line) in snort.conf, so that only the rules files you enable later are loaded:
sudo sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
-
- Configure the network variables and rules file paths: use Vim to edit `/etc/snort/snort.conf` as specified in the Reference (at minimum set `HOME_NET` and restore the `include $RULE_PATH/...` lines for local.rules and community.rules, since the previous step commented all of the includes out).
- Test and validate the configuration:
sudo snort -T -c /etc/snort/snort.conf
- Test local rules:
  - Add the rule
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
    to /etc/snort/rules/local.rules
  - Test with
sudo snort -A console -i eth1 -u snort -g snort -c /etc/snort/snort.conf
    (my VM uses eth1; substitute your capture interface)
  - Check the snort log with
sudo snort -r /var/log/snort/snort.log.<timestamp>
    (the log file name ends in a numeric timestamp; use tab completion to pick the right one)
- Run snort in the background as a service:
  - Add the required unit text (remember to use eth1 for my VM) to the /lib/systemd/system/snort.service file
  - Execute the following:
sudo systemctl daemon-reload
sudo systemctl start snort
sudo systemctl status snort