
Snort: 5 Steps to Install and Configure Snort on Linux

Snort is a free lightweight network intrusion detection system for both UNIX and Windows. In this article, let us review how to install snort from source, write rules, and perform basic testing.

1. Download and Extract Snort


Download the latest snort free version from snort website. Extract the snort source code to the /usr/src directory as shown below.

# cd /usr/src

# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116

# tar xvzf snort-2.8.6.1.tar.gz

Note: We also discussed Tripwire (a Linux host-based intrusion detection system) and Fail2ban (an intrusion prevention framework) earlier.

2. Install Snort
Before installing snort, make sure the development packages for libpcap and libpcre are installed.

# apt-cache policy libpcap0.8-dev

libpcap0.8-dev:

Installed: 1.0.0-2ubuntu1

Candidate: 1.0.0-2ubuntu1

# apt-cache policy libpcre3-dev

libpcre3-dev:

Installed: 7.8-3

Candidate: 7.8-3

Follow the steps below to install snort.

# cd snort-2.8.6.1

# ./configure

# make

# make install

3. Verify the Snort Installation


Verify the installation as shown below.

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

4. Create the required files and directory


You have to create the configuration file, rule file and the log directory.

Create the following directories:

# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /var/log/snort

Create the following snort.conf and icmp.rules files:

# cat /etc/snort/snort.conf

include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules

alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

The basic rule above raises an alert for every ICMP packet (for example, a ping).

Following is the structure of the alert rule:

<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)

Table: Rule structure and example

Structure                 Example
Rule Actions              alert
Protocol                  icmp
Source IP Address         any
Source Port               any
Direction Operator        ->
Destination IP Address    any
Destination Port          any
(rule options)            (msg:"ICMP Packet"; sid:477; rev:3;)
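To make the header/option split concrete, here is a small parser (an added example, not the article's code) that breaks a rule line into the fields of the table above and rejects malformed headers; the second sample rule, its $HOME_NET/$EXTERNAL_NET variables and its sid are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the article's ICMP rule plus a hypothetical local rule whose msg contains ';'.
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH; inbound"; flags:S; sid:1000001; rev:1;)',
]
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

@dataclass
class Rule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)

# <Rule Action> <Protocol> <Src IP> <Src Port> <Direction> <Dst IP> <Dst Port> (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Split on ';' only when an even number of '"' follows it, i.e. the ';' is outside quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_options(text):
    """Turn 'msg:"x"; sid:477; rev:3;' into {'msg': 'x', 'sid': '477', 'rev': '3'}."""
    opts = {}
    for part in OPT_SPLIT_RE.split(text):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts

def parse_rule(line):
    """Parse one Snort rule line into a Rule; raise ValueError when it is malformed."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a Snort rule header: %r" % line)
    if m["action"] not in ACTIONS:
        raise ValueError("unknown rule action %r" % m["action"])
    if m["protocol"] not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % m["protocol"])
    opts = parse_options(m["opts"])
    if not opts.get("sid", "").isdigit():
        raise ValueError("rule needs a numeric sid")
    header = {k: v for k, v in m.groupdict().items() if k != "opts"}
    return Rule(options=opts, **header)
```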

5. Execute snort
Execute snort from the command line as shown below.

# snort -c /etc/snort/snort.conf -l /var/log/snort/

Try pinging some IP from your machine to check our ping rule. Following is an example of a snort alert for this ICMP rule.

# head /var/log/snort/alert

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

Alert Explanation

A couple of lines are added for each alert, which include the following:

- The message is printed in the first line.
- Source IP
- Destination IP
- Type of packet, and header information.
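The alert file layout above is regular enough to parse. The following added example (not the article's code) turns the entries of /var/log/snort/alert into records, using the article's alert plus a constructed reply entry as input.

```python
import re
from dataclasses import dataclass

# Constructed input in the layout snort writes to /var/log/snort/alert with -e (link-layer line
# present); the first entry is the article's own alert, the second is a constructed echo reply.
SAMPLE_ALERT_FILE = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.251118 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.104 -> 209.85.231.102 ICMP TTL:54 TOS:0x0 ID:0 IpLen:20 DgmLen:84
Type:0  Code:0  ID:24905   Seq:1  ECHO REPLY
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$", re.M)
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
TIMESTAMP_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)", re.M)
# Searched, not anchored: without -e the timestamp shares this line. TCP/UDP addresses carry ':port'.
IPHDR_RE = re.compile(r"(\S+) -> (\S+) (\w+) TTL:(\d+)")

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    timestamp: str
    src: str
    dst: str
    proto: str
    ttl: int

def parse_alert_file(text):
    """Parse the blank-line separated entries of the 'alert' file into Alert records."""
    alerts = []
    for entry in text.strip().split("\n\n"):
        head = HEADER_RE.match(entry)
        ip = IPHDR_RE.search(entry)
        if head is None or ip is None:
            continue  # not a rule alert with an IP header (e.g. a preprocessor message)
        gid, sid, rev, msg = head.groups()
        prio = PRIORITY_RE.search(entry)
        ts = TIMESTAMP_RE.search(entry)
        src, dst, proto, ttl = ip.groups()
        alerts.append(Alert(int(gid), int(sid), int(rev), msg, int(prio.group(1)) if prio else 0,
                            ts.group(1) if ts else "", src, dst, proto, int(ttl)))
    return alerts
```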

If your network connection is on a different interface, use the -i option to select it (the example below also passes -dev). In this example my network interface is ppp0.

# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/

Execute snort as Daemon


Add the -D option to run snort as a daemon.

# snort -D -c /etc/snort/snort.conf -l /var/log/snort/

Additional Snort information



Default config file will be available at snort-2.8.6.1/etc/snort.conf
Default rules can be downloaded from: http://www.snort.org/snort-rule

Intrusion Detection with Snort

Snort is a popular open source intrusion detection system. You can obtain it at: http://www.snort.org/. Snort analyzes traffic and tries to detect and log suspicious activity. Snort is also capable of sending alerts based on the analysis that it does.

Snort Installation

For this lesson, we will install from source. Also, rather than install the standard version of snort, we will compile it to send what it logs to a MySQL database. We will also install a web based tool, SnortReport, so that we can easily access the information that Snort gives us.

Let's start with Snort itself. Download the latest tarball and untar it in a place where it is convenient for you - perhaps where you are untarring the source code for other packages we're dealing with in this course. We're going to be configuring Snort to log its alerts to a MySQL database, so we're assuming that you have MySQL installed. If you're installing this on Fedora Core, as I am, you should also have the Perl Regular Expressions development library installed. These are available as RPMs (pick up pcre-devel.X.rpm from your favorite RPM repository). Also, before you compile, you should add both a group and user for snort:

groupadd snort

and

useradd -g snort snort -s /dev/null

Now, you're free to start compiling. Go to the directory with the snort source code and issue the following command:

./configure --with-mysql
then:

make

and (as root)

make install

Snort bases its activity on a set of rules. These rules need to be copied from the rules directory in the tarball source to /etc/snort/rules/. You should also copy any configuration files found there to /etc/snort/ (essentially: cp *.rules /etc/snort/rules/, cp *.conf /etc/snort, cp *.config /etc/snort, cp *.map /etc/snort).

Setting up Snort

First, we need to modify the snort.conf file to reflect the particulars of our network. In this file, you'll find the following variable:

var HOME_NET X.X.X.X/X

You need to change this to whatever range your network is on. For a typical class C network, you'd change the X's to 192.168.0.0/16, for example. Also, make sure your RULE_PATH variable is pointing to /etc/snort/rules.

Since we configured Snort to log its alerts into a MySQL database, we need to do a few things to get that ready. First, in the snort.conf file, you'll need to add the following line:

output database: log, mysql, user=snort password=XXXXX dbname=snort host=localhost

Now we need to create the 'snort' database. To do this, execute the following command (this, of course, assumes that you've got MySQL 'root' user privileges on the machine):

mysqladmin -u root -p create snort

Now, open a MySQL shell and create the 'snort' user and grant create, insert, select, delete and update rights for the tables.

grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

Then set the password for the user 'snort' that you used above:

SET PASSWORD FOR snort@localhost=PASSWORD('XXXXX');

Now we need to create the main tables in the snort database. To do this, enter the 'contrib' directory where you put the snort source code and issue the following command:

mysql -u root -p snort < create_mysql

Then we need to create some extra tables. The best way to do this is with the following command:

zcat snortdb-extra.gz |/usr/local/mysql/bin/mysql -p snort

Now, you should have all the necessary tables for the snort MySQL system. Doing a 'show tables;' query shows this:

+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+

Now everything is ready for 'snort' to start logging alerts.

SnortReport

There's a great web-based front-end to monitor snort alerts called SnortReport. It's written in PHP and installs easily into the web server on the machine where snort resides. It's available from Circuits Maximus: http://www.circuitsmaximus.com/

SnortReport will display a graphic representation of the alerts by type of protocol. This graph requires the libphp-jpgraph library. This actually forms part of a Debian package, but the source code can be found at Ibiblio. You will also need a GD-enabled PHP installation. This is normally enabled by default, so it shouldn't require any further effort on your part if you have PHP4 or newer installed.

To install, just untar the SnortReport source where your web pages are found. Then copy the php files that make up libphp-jpgraph into a subdirectory called 'jpgraph' in the snortreport directory - as this is where we'll tell SnortReport to look for them. Then open the file 'srconf.php' and change the variable for your MySQL password for the user 'snort' ($pass = "XXXXX";). Next, make sure the variable for the path to 'jpgraph' points to where we want it:

define("JPGRAPH_PATH", "./jpgraph/");

You don't have to enable the graphs. In the file srconf.php there is a variable you can set to 'FALSE' if you don't have either a GD enabled PHP installation or jpgraph.

Now, if you point your web browser to where SnortReport is, you should see something like this:

Now you have web-based monitoring of your Snort intrusion detection system.

Updating and Adding Snort Rules

As we mentioned, snort bases its activity around a set of rules found in /etc/snort/rules. You can download new rules at: http://www.snort.org/dl/rules/. You should grab the tarball that corresponds to the version of Snort that you're using. At the time of this writing, Snort is on version 2.x. Make sure you get the tarball for your particular '.x' (i.e. 2.1, 2.2, etc.).

If you administer one or two servers, it may be practical to just get the latest tarball when it comes out and update manually. One can just rename the old 'rules' directory rules.YYYYMMDD, or whatever you prefer, put the new rules directory in its place and restart Snort. If you're the system administrator for more than just a few machines, it makes sense to create a script to get this done. There is also a popular tool called 'Oinkmaster' to update and manage snort rules. It is available at http://oinkmaster.sourceforge.net/. Their page has excellent documentation about how to use this tool to keep your rules up to date.

This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.

Scenario: A Linux server running Debian Sarge 3.1, set up according to Falko's "The Perfect Setup - Debian Sarge (3.1)". Let's assume we have one working website (www.example.com) and that the document root is /var/www/www.example.com/web. The IP of the server is 192.168.0.5 and it's using eth0 as network interface name.

Needed programs and files

Snort
Snort rules
PCRE (Perl Compatible Regular Expressions)
LIBPCAP
BASE (Basic Analysis and Security Engine)
ADOdb (ADOdb Database Abstraction Library for PHP (and Python))

Downloading and untaring


We need a temporary place for all the files that we are going to download and untar. To keep things simple we will create a directory in /root named snorttemp. (Obviously this download directory can have any name and be in any place.)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort. The latest version at the time of writing is 2.6.0:

wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz

When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And let's remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules! Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules (If you are a member of the forum you can also download the - registered user release):

wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work. To make Snort work with BASE, we need more!

PCRE - Perl Compatible Regular Expressions. Go to: http://www.pcre.org/ and select a download link for PCRE (at the time of writing this it is pcre-6.3.tar.gz). cd back to the snorttemp directory:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz

Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz

Go to: http://www.tcpdump.org/ and select a download link for Libpcap (at the time of writing this it is libpcap-0.9.4.tar.gz). cd back to the snorttemp directory:

cd /root/snorttemp

and download the libpcap-0.9.4.tar.gz file:

wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz

Untar the file:

tar -xvzf libpcap-0.9.4.tar.gz

Remove the file:

rm libpcap-0.9.4.tar.gz

BASE (Basic Analysis and Security Engine). Go to: http://secureideas.sourceforge.net/ and download the latest release (at the time of writing BASE 1.2.5 (sarah)). cd back to the snorttemp directory:

cd /root/snorttemp

and download the base-1.2.5.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/secureideas/base-1.2.5.tar.gz

Untar the file:

tar -xvzf base-1.2.5.tar.gz

Remove the file:

rm base-1.2.5.tar.gz

ADOdb (ADOdb Database Abstraction Library for PHP (and Python)). Go to: http://adodb.sourceforge.net/ and download the latest release (at the time of writing adodb-490-for-php). cd back to the snorttemp directory:

cd /root/snorttemp

and download the adodb490.tgz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/adodb/adodb490.tgz

Untar the file:

tar -xvzf adodb490.tgz

Remove the file:

rm adodb490.tgz

ls should now show the following directories in /root/snorttemp: adodb, base-1.2.5, libpcap-0.9.4, pcre-6.3 and snort-2.6.0

Let's start with LIBPCAP. Make sure that you are in the directory where you downloaded all files:

cd /root/snorttemp

cd into the libpcap directory:

cd libpcap-0.9.4

and make / install LIBPCAP:

./configure
make
make install

Next is PCRE. Again, make sure that you are in the directory where you downloaded all files:

cd /root/snorttemp

cd into the PCRE directory:

cd pcre-6.3

and make / install pcre-6.3:

./configure
make
make install

Now it is time for Snort. Make sure that you are in the directory where you downloaded all files:

cd /root/snorttemp

cd into the snort directory:

cd snort-2.6.0

and make / install Snort with some extra needed options:

./configure --enable-dynamicplugin --with-mysql
make
make install

Snort needs some directories, so let's create them:

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Moving the Snort files from the installation directory to the just created directories. Make sure that you are in the directory where you downloaded all files:

cd /root/snorttemp

and cd into snort-2.6.0:

cd snort-2.6.0

and into the rules directory:

cd rules

Now we copy all files from rules into /etc/snort/rules:

cp * /etc/snort/rules

We will do the same for the files in the install /etc folder:

cd ../etc
cp * /etc/snort

Fixing the snort.conf


The /etc/snort/snort.conf needs some tuning to get it to work on your system! So cd into /etc/snort:

cd /etc/snort

and open snort.conf with nano (or any other text editor):

nano snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.0.5/32".
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET".
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules".

As we built snort with the '--with-mysql' option and as BASE needs it, we also need to tell Snort which database to use. Scroll down till you see "# output database", and remove the # in front of the line for MySQL. Now also change the "user", "password" and "dbname". Save the file and close nano. Make a note of these values as you will need them later!

Setting up the MySQL Database for Snort.


There are many ways to create the snort database. The table layout can be found in the file create_mysql in the /root/snorttemp/snort-2.6.0/schemas directory. Whichever way you create the database, make sure the 'user', 'password' and 'dbname' are the same as the ones you set in the /etc/snort/snort.conf file! After creating it you can test snort and see if you get any errors with:

snort -c /etc/snort/snort.conf

Exit the test with Ctrl+C. If you get no errors, Snort is set up correctly.

Moving ADOdb and BASE


Moving ADOdb: cd back to the download dir:

cd /root/snorttemp/

and move adodb to the root of the www directory:

mv adodb /var/www

Next: BASE (Basic Analysis and Security Engine). Still in the download dir, we move the base dir into the first website directory that you created with ISPConfig:

mv base-1.2.5 /var/www/www.example.com/web

and cd into /var/www/www.example.com/web:

cd /var/www/www.example.com/web

To enable BASE to write the setup file we need to chmod the base-1.2.5 folder to 757:

chmod 757 base-1.2.5

Open your favorite web browser and go to: http://www.example.com/base-1.2.5/setup. If all is set up okay you should see the BASE Setup Program page. Click on Continue.

Step 1 of 5: Enter the path to ADODB (/var/www/adodb) and click on Submit Query.

Step 2 of 5: Enter the needed info on the next screen (leave the Use Archive Database as is) and click on Submit Query.

Step 3 of 5: If you want to use authentication for the BASE page you can do so here, then click on Submit Query.

Step 4 of 5: Click on Create BASE AG to create the database.

Once done, click on Now continue to step 5...

To make the graphs from BASE work you will also need to install Image_Color, Image_Canvas and Image_Graph. To do this run:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

That's it for BASE! If you want you can chmod the base-1.2.5 dir back to 775:

chmod 775 base-1.2.5

You can also delete the snorttemp directory, and all the files in it.

Starting Snort
To start Snort and make BASE show you Snort's logged info, you will need to run:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

Now wait some time and see all the Snort alerts show up in BASE.
