How To Configure Snort On Debian

Updated on January 7, 2016
How To Configure Snort On Debian header image

Snort is a free network intrusion detection system (IDS). In less official terms, it lets you to monitor your network for suspicious activity in real time. Currently, Snort has packages for Fedora, CentOS, FreeBSD, and Windows-based systems. Exact installation method varies between OSes. In this tutorial, we will be installing directly from the source files for Snort. This guide was written for Debian.

Update, Upgrade, and Reboot

Before we actually get our hands on the Snort sources, we need to make sure that our system is up to date. We can do this by issuing the commands below.

sudo apt-get update
sudo apt-get upgrade -y
sudo reboot

Pre-install configuration

Once your system has rebooted, we need to install a number of packages to make sure that we can install SBPP. I was able to figure out that a number of the packages that were needed, so the base command is below.

sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libnetfilter-queue-dev iptables-dev libdumbnet-dev zlib1g-dev -y

Once all of the packages are installed, you will need to create a temporary directory for your source files - they can be anywhere you'd like. I'll be using /usr/src/snort_src. To create this folder, you'll need to be logged in as the root user, or have sudo permissions - root just makes it easier.

sudo mkdir /usr/src/snort_src
cd /usr/src/snort_src

Installing the Data Acquisition Library (DAQ)

Before we can get the source for Snort, we need to install the DAQ. It's fairly simple to install.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Extract the files from the tarball.

tar xvfz daq-2.0.6.tar.gz

Change into the DAQ directory.

cd daq-2.0.6

Configure and install the DAQ.

./configure; make; sudo make install

That last line, will execute ./configure first. Then it will execute make. Lastly, it will execute make install. We use the shorter syntax here just to save a little bit on typing.

Installing Snort

We want to make sure we're in the /usr/src/snort_src directory again, so be sure to change into that directory with:

cd /usr/src/snort_src

Now that we are in the directory for the sources, we will download the tar.gz file for the source. At the time of this writing, the most recent version of Snort is 2.9.8.0.

wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

The commands to actually install snort are very similar to the ones used for the DAQ, but they have different options.

Extract the Snort source files.

tar xvfz snort-2.9.8.0.tar.gz

Change into the source directory.

cd snort-2.9.8.0

Configure and install the sources.

 ./configure --enable-sourcefire; make; sudo make install

Post-install of Snort

Once we have Snort installed, we need to make sure that our shared libraries are up to date. We can do this using the command:

sudo ldconfig

After we do that, test your Snort installation:

snort --version

If this command does not work, you will need to create a symlink. You can do this by typing:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort
snort --version

The resulting output will resemble the following:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.5 GRE (Build 262)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.6.2
           Using PCRE version: 8.35 2014-04-04
           Using ZLIB version: 1.2.8

Un-rooting Snort

Now that we have snort installed, we don't want it running as root, so we need to create a snort user and group. To create a new user and group, we can use these two commands:

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Since we have installed the program using the source, we need to create the configuration files and the rules for snort.

sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/preproc_rules
sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules

After we create the directories and the rules, we now need to create the log directory.

sudo mkdir /var/log/snort

And lastly, before we can add any rules, we need a place to store the dynamic rules.

sudo mkdir /usr/local/lib/snort_dynamicrules

Once all of the previous files have been created, set the proper permissions on them.

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Setting up the config files

To save a bunch of time and to keep from having to copy and paste everything, lets just copy all of the files into the configuration directory.

sudo cp /usr/src/snort_src/snort*/etc/*.conf* /etc/snort
sudo cp /usr/src/snort_src/snort*/etc/*.map /etc/snort

Now that the config files are there, you can do one of two things:

  • You can enable Barnyard2
  • Or you can just leave the config files alone and selectively enable the desired rules.

Either way, you're still going to want to change a few things. Keep reading.

Configuration

In the /etc/snort/snort.conf file, you will need to change the variable HOME_NET. It should be set to your internal network's IP block so it won't log your own network's attempts to log into the server. This may be 10.0.0.0/24 or 192.168.0.0/16. On line 45 of /etc/snort/snort.conf change the variable HOME_NET to that value of your network's IP block.

On my network, it looks like this:

ipvar HOME_NET 192.168.0.0/16

Then, you'll have to set the EXTERNAL_NET variable to:

any

Which just turns EXERNAL_NET into whatever your HOME_NET is not.

Setting the rules

Now that a large majority of the system is set up, we need to configure our rules for this little piggy. Somewhere around line 104 in your /etc/snort/snort.conf file, you should see a "var" declaration and the variables RULE_PATH, SO_RULE_PATH, PREPROC_RULE_PATH, WHITE_LIST_PATH, and BLACK_LIST_PATH. Their values should be set to the paths we used in Un-rooting Snort.

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Once those values are set, delete or comment out the current rules starting on about line 548.

Now, lets check to make sure that your configuration is correct. You can verify it with snort.

 # snort -T -c /etc/snort/snort.conf
 

You will see output similar to the following (truncated for brevity).

 Running in Test mode
 
         --== Initializing Snort ==--
 Initializing Output Plugins!
 Initializing Preprocessors!
 Initializing Plug-ins!
 .....
 Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
 Verifying Preprocessor Configurations!
 
         --== Initialization Complete ==--
 
    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.8.0 GRE (Build 229) 
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.7.4
            Using PCRE version: 8.35 2014-04-04
            Using ZLIB version: 1.2.8
 
            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
 
 Snort successfully validated the configuration!
 Snort exiting

Now that everything is configured without errors, we are ready to start testing Snort.

Testing Snort

The easiest way to test Snort is by enabling the local.rules. This is a file that contains your custom rules.

If you've noticed in the snort.conf file, somewhere around line 546, this line exists:

include $RULE_PATH/local.rules

If you don't have it, please add it around 546. You can then use the local.rules file for testing. As a basic test, I just have Snort keep track of a ping request (ICMP request). You can do that by adding in the following line to your local.rules file.

 alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
 

Once you have that in your file, save it, and continue reading.

Run the test

The following command will start Snort and print "fast mode" alerts, as the user snort, under the group snort, using the config /etc/snort/snort.conf, and it will listen on the network interface eno1. You will need to change eno1 to whatever network interface your system is listening on.

$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eno1

Once you have it running, ping that computer. You will start to see output that looks like the following:

01/07−16:03:30.611173 [**] [1:10000001:0] ICMP test [**] [Priority: 0]  192.168.1.105 -> 192.168.1.104
01/07−16:03:31.612174 [**] [1:10000001:0] ICMP test [**] [Priority: 0]  192.168.1.104 -> 192.168.1.105
01/07−16:03:31.612202 [**] [1:10000001:0] ICMP test [**] [Priority: 0]  192.168.1.105 -> 192.168.1.104
^C*** Caught Int−Signal

You can press Ctrl+C to exit the program, and that's it. Snort is all set up. You may now use any rules that you desire.

Lastly, I want to note that there are some public rules made by the community you can download from the official site under the "Community" tab. Look for "Snort", then just under that there is a community link. Download that, extract it, and look for the community.rules file.