Saturday, 16 May 2015

Getting Started with Snort on Ubuntu 14.10..!!

Snort is an open-source Intrusion Prevention System capable of real-time traffic analysis and packet logging. It can be configured to run in three modes:
  • Sniffer Mode: simply reads the packets off the network and displays them for you in a continuous stream on the console (screen).
  • Packet Logger Mode: logs the packets to disk.
  • Network Intrusion Detection System (NIDS) Mode: performs detection and analysis on network traffic. This is the most complex and configurable mode.
In order to use Snort on an Ubuntu system, all of its dependencies must be installed. Install them by running the command below:

$ sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

Also, install libdnet:
  • Download libdnet from http://code.google.com/p/libdnet/
  • Extract the archive libdnet-1.12.tgz
  • Run the terminal as root
  • Move into the extracted libdnet-1.12 directory: $ cd ~/Downloads/libdnet-1.12
  • Run the configure script with position-independent code enabled (the variable is CFLAGS, not CFLAG): $ ./configure CFLAGS=-fPIC
  • $ make
  • $ make install
Now, go to https://www.snort.org/ and download the appropriate packages for your system. For Ubuntu, I have downloaded snort-2.9.7.2.tar.gz and daq-2.0.4.tar.gz.

Install daq-2.0.4:
  • Extract the downloaded file daq-2.0.4.tar.gz. (You can also extract the package using the terminal: $ tar xvfz daq-2.0.4.tar.gz ).
  • Move into the extracted directory daq-2.0.4: $ cd ~/Downloads/daq-2.0.4
  • $ ./configure
  • $ make
  • $ sudo make install
Install Snort:
  • Extract the downloaded file snort-2.9.7.2.tar.gz. (You can also extract the package using the terminal: $ tar xvfz snort-2.9.7.2.tar.gz).
  • Move into the extracted directory snort-2.9.7.2: $ cd ~/Downloads/snort-2.9.7.2
  • $ ./configure
  • $ make
  • $ sudo checkinstall
  • $ sudo dpkg -i ....
  • $ sudo ln -s /usr/local/bin/snort  /usr/bin/snort
  • Refresh the shared library cache so the freshly installed DAQ and libdnet libraries are found (ldconfig -V only prints the ldconfig version): $ sudo ldconfig
  • You can now check the version of Snort by running the command: $ snort -V
  • $ sudo groupadd snort
  • $ sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
  • $ sudo mkdir /var/log/snort
  • $ sudo chown snort:snort /var/log/snort
Just installing Snort doesn't finish it all yet. Now, download the rules package:
  • Go to https://snort.org/ . Scroll down to Step 2 and sign up to get access to the registered user rule packages.
  • Download the package snortrules-snapshot-2972.tar.gz
  • Make a directory: $ sudo mkdir /etc/snort
  • Move into the directory where you have your rule package. I have it in my Downloads folder: $ cd ~/Downloads
  • $ sudo tar xvfz snortrules-snapshot-2972.tar.gz -C /etc/snort
  • $ sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
  • $ sudo mkdir /usr/local/lib/snort_dynamicrules
  • $ sudo chown -R snort:snort /etc/snort/*
  • $ sudo mv /etc/snort/etc/* /etc/snort
So now, after you are done setting up the rules, the last thing you need to do is change the configuration to match your system. For this, type the following command in the terminal:

$ sudo pico /etc/snort/snort.conf

It will open up the configuration file. Scroll down to Step 1 and set up the network address you are protecting.

Scroll down and set the path to your rules files:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
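A mistake in this step (a rule path that does not exist, or HOME_NET still left at the default) is the usual reason the NIDS command later fails or produces alerts with no useful direction information. The following POSIX shell function is an added example, not code from the original post or from the Snort project: it reads a snort.conf and reports the problems a reader of this guide is most likely to hit. It assumes the layout used above, i.e. the three var lines set to absolute paths and white_list.rules / black_list.rules living inside RULE_PATH; the config path and function name are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a snort.conf
# before starting Snort in NIDS mode. Prints each problem found and returns
# 0 when every check passes, 1 otherwise.
# Assumptions: HOME_NET is set with "ipvar HOME_NET ...", the rule path
# variables are set with "var NAME /absolute/path", and the white/black list
# files are in RULE_PATH, as in the steps above.

# conf_value FILE NAME PREFIX: value of the first "PREFIX NAME value" line,
# with trailing whitespace removed (commented-out lines do not match).
conf_value() {
    sed -n "s/^$3 $2[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

check_snort_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "config not readable: $conf"; return 1; }

    # HOME_NET left at "any" (the stock default) means the rules cannot tell
    # inbound from outbound traffic; insist on an explicit network.
    home_net=$(conf_value "$conf" HOME_NET ipvar)
    case "$home_net" in
        ""|any) echo "HOME_NET is not set to a specific network"; rc=1 ;;
    esac

    # Each rule path variable must be defined and point at an existing directory.
    for var in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH; do
        dir=$(conf_value "$conf" "$var" var)
        if [ -z "$dir" ]; then
            echo "$var is not defined"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "$var points to a missing directory: $dir"; rc=1
        fi
    done

    # The reputation preprocessor references these two files; they may be
    # empty (the "touch" step above creates them) but they must exist.
    rules_dir=$(conf_value "$conf" RULE_PATH var)
    for f in white_list.rules black_list.rules; do
        [ -f "$rules_dir/$f" ] || { echo "missing $rules_dir/$f"; rc=1; }
    done
    return $rc
}

# Usage: sh check_snort_conf.sh /etc/snort/snort.conf
if [ -n "${1:-}" ]; then
    check_snort_conf "$1"
fi
```

This only catches the errors discussed in this guide; Snort's own configuration test, `snort -T -c /etc/snort/snort.conf`, parses the whole file and every rule it includes, so run that as the final check once this script passes.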


Now, you are all ready to run Snort. Let's start.

If you just want to print the TCP/IP packet headers to the screen (i.e. sniffer mode), run the command from a root terminal:
$ snort -v
For a more descriptive display, run the command:
$ snort -vde
To record the packets to disk (i.e. packet logger mode), you need to specify a logging directory; Snort will then automatically switch into packet logger mode.
$ sudo snort -vde -l /var/log/snort
It will record the packets to /var/log/snort directory. It can be checked by listing the contents of /var/log/snort.
To enable NIDS mode, run the command:

$ snort -A console -c /etc/snort/snort.conf -l /var/log/snort -K ascii

where snort.conf is the name of your configuration file. This applies the rules loaded through snort.conf to each packet and, when a rule matches, takes the action specified by that rule's type (for example alert or log).

In my next post, I am gonna describe how to set the custom rules to enable the NIDS mode and how it's gonna work.

"Hope it helps someone to initiate with Snort..!! Do let me know if it does..!!"

Thankyou..!! :-)
