SNORT IDS INSTALLATION AND BASIC CONFIGURATION 1

Snort IDS Installation and Basic Configuration

Robert Thompson
Contents
Preface............................................................................................................................................. 3

Post Installation of Host OS............................................................................................................ 3

Installing Snort ................................................................................................................................ 4

Configure Snort............................................................................................................................... 6

Custom Rule creation and referencing ............................................................................................ 9

References ..................................................................................................................................... 10
Preface

The process in this document follows a guide written and posted openly online to introduce
Snort to new users at an introductory level. I take no credit for the methods used and make no
claim that the methods are my own. The Snort box was deployed in an isolated virtual
environment whose communication with the public web was governed by a VyOS box. All
downloads, installs and configuration are performed in a terminal shell.

Post Installation of Host OS

The host OS that Snort will be hosted on is a Xubuntu 16.04.1 install; hostname:
nts415snort-virtual-machine. After installation, the OS was updated using an update script I
wrote which conducted updates for packages, repositories, and the kernel. The update was
current as of 10/16/2016. Next, open a terminal and check the configuration of the
interfaces using the ifconfig or ip a commands. The interface displayed should read ens32; this
host received a DHCP address assigned by the VyOS box on the same network: 192.168.112.7.
Ping any website on the open internet to confirm connectivity and DNS resolution. Finally, the
guide suggests disabling Large Receive Offload (LRO) and Generic Receive Offload (GRO);
they are features of the network card which reassemble packets before they have been processed
by the kernel, which can hide the original packet boundaries from an IDS.
Installing Snort

First, we install the dependencies required for Snort:

sudo apt-get install libpcap-dev libpcre3-dev libdumbnet-dev bison flex
sudo apt-get install zlib1g-dev liblzma-dev openssl libssl-dev

Next, we need to download and install DAQ from Snort's site. Data AcQuisition is a library that
Snort uses in lieu of constantly querying the libpcap library for packet capturing (Cisco, n.d.):
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

To install it, we need to decompress it using tar and traverse into the directory to compile it
from source. Note: All commands must be performed in this exact order or the program will not
compile.
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

Next we download and install Snort itself. As before, we will download via the terminal and
compile from source; if Snort is offered via your distro's repositories, it may not be the latest
version. Check Snort's website to see what the latest version is. The latest version as of this
writing is 2.9.8.3. Note: again, all commands must be performed in this exact order or the
program will not compile.
wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz
tar -xvzf snort-2.9.8.3.tar.gz
cd snort-2.9.8.3
./configure --enable-sourcefire
make
sudo make install
sudo ldconfig

Once the installation is complete, a symlink must be created between the Snort binary and the
system binary directory. Symlink stands for Symbolic Link, which allows the system to
resolve a command name to a location in the file system. In this case, we want a symlink
pointing at Snort's binary in order to call snort from the command line:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

We can now test whether our Snort install was successful by asking the binary for its version:

snort -V

Configure Snort

Since we installed and compiled from source, Snort did not create the directories it needs to
function, so we will need to create them manually. On Linux, the configuration files that
software references live under the /etc folder. We are also going to create the local rules file
where our custom rules will be written and sourced from, as well as some other necessary files:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /etc/snort/so_rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/sid-msg.map

In addition to these directories, we need to make a directory for Snort's dynamic rules as well;
however, those are stored in a different location:
sudo mkdir /usr/local/lib/snort_dynamicrules

Finally, we need to make directories for the logs:

sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

Next, we need to create Snort's service account and group. In Linux, when you create a service
account, you have the option to ensure that the account cannot log in. This is good security
practice: service accounts do not need to be logged in to in order to manage the services they
govern, since Linux administrators can do what they need from their own privileged accounts.
The purpose of the service account is to dedicate an account that has access to the files the
service needs in order to run, while preventing changes to those files by other users (beyond
the administrators).
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# the -s /sbin/nologin portion of the above line denies the
# account a login shell

Next we need to set the permissions for the directories we created; this will prevent users from
changing the configuration files without proper credentials. We first change the owner with
chown, then set the mode with chmod, using the -R option in both cases so that the
subdirectories of the given directory are processed recursively:
## Ownership Commands
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
## Permission Commands
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

Snort, like most software in Linux, relies on configuration files that reside in its /etc folder.
Again, since we compiled from source, the files are not in their proper directories by default;
they are shipped with the source and must be copied over to their proper directories by hand.
The success of the following commands (used exactly as presented) depends on the working
directory being the location of the source files
(/$whereYouSavedTheSource/snort-2.9.8.3/etc):
sudo cp *.conf /etc/snort
sudo cp *.config /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort

Snort also keeps its dynamic preprocessor files under /usr/local/lib; cd over to the proper
location in the source files and copy those over to their respective location as well
(/$whereYouSavedTheSource/snort-2.9.8.3/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor):

sudo cp * /usr/local/lib/snort_dynamicpreprocessor

Snort has various rule paths loaded in its .conf file by default; for our purposes we are going to
disable them so we can get a basic rule configured by hand.
sudo sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
## The above is a single line; do not split it. sed parses the
## given file looking for every line matching the first pattern
## and rewrites it as the second. Our command finds every
## instance of 'include $RULE_PATH' and prepends a # to it, which
## comments out the line in the file and disables that rule set.

Next we will configure the network that Snort will be monitoring. Using the text editor of your
choice, open the /etc/snort/snort.conf file using sudo. Around line 40, you should see
ipvar HOME_NET; change the value there to the network range you wish to monitor. On our
example box, we are going to watch the 192.168.112.0/24 range. Further down the file, around
line 100, change the values of the following variables to the proper paths:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists

Finally, we need to set the path for the local rules file we created earlier. The line you are
looking for is around line 540; most text editors have a search function you can use to find the
line containing the phrase local.rules. Remove the leading # so that the line reads:
include $RULE_PATH/local.rules

To test whether you configured this file properly, run the following command, replacing ens32
with the proper interface of your machine; Snort will report whether or not it can validate the
configuration file:
sudo snort -T -i ens32 -c /etc/snort/snort.conf
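The edits above (HOME_NET, the five path variables, the sed that comments out every rule include, and re-enabling local.rules) applied as one pass over a constructed snort.conf excerpt. This is an added example, not part of the guide; the excerpt is a hand-made stand-in for the real file, and active_includes() is a helper written here to show what the edited configuration will load.

```python
import re

# Constructed excerpt of a stock snort.conf, used here as sample input;
# the real file is several hundred lines long.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/attack-responses.rules
"""

# Paths the guide sets; keys are the variable names used in snort.conf.
GUIDE_PATHS = {
    "RULE_PATH": "/etc/snort/rules",
    "SO_RULE_PATH": "/etc/snort/so_rules",
    "PREPROC_RULE_PATH": "/etc/snort/preproc_rules",
    "WHITE_LIST_PATH": "/etc/snort/rules/iplists",
    "BLACK_LIST_PATH": "/etc/snort/rules/iplists",
}


def configure_snort_conf(text, home_net, paths=GUIDE_PATHS):
    """Return snort.conf text with HOME_NET set, the path variables rewritten,
    every $RULE_PATH include commented out (what the guide's sed does) and
    only the local.rules include left active."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ipvar HOME_NET "):
            line = "ipvar HOME_NET " + home_net
        elif stripped.startswith("var "):
            parts = stripped.split()
            if len(parts) >= 3 and parts[1] in paths:
                line = "var %s %s" % (parts[1], paths[parts[1]])
        elif stripped.lstrip("#").startswith("include $RULE_PATH/"):
            include = stripped.lstrip("#")
            # local.rules is the one include that must end up uncommented
            line = include if include.endswith("/local.rules") else "#" + include
        out.append(line)
    return "\n".join(out) + "\n"


def active_includes(text):
    """Names of the rule files an (edited) snort.conf will actually load."""
    return re.findall(r"^include \$RULE_PATH/(\S+)", text, re.MULTILINE)
```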
Custom Rule creation and referencing

We are going to create a custom rule to alert us of ICMP (ping) traffic sent to our Snort box.
Open the local.rules file we created earlier, append the following line (written as a single
line), then save the file:
alert icmp any any -> $HOME_NET any (msg:"ICMP packet detected"; gid:1; sid:10000001; rev:001; classtype:icmp-event;)

Once this line is saved, start Snort by running the following command (one line):
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
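A small parser and linter for one-line Snort 2.9 rules such as the one above, as an added example that is not part of the guide. It splits the rule into its header fields and option map and flags the mistakes that most often stop a local rule from loading: an unquoted msg, a missing rev or classtype, and a sid below 1,000,000 (Snort reserves sids under that value for the official rule sets, so local rules use higher numbers); the rule text is the guide's, the checks are added here.

```python
import re

# The guide's local rule, used as sample input.
GUIDE_RULE = ('alert icmp any any -> $HOME_NET any (msg:"ICMP packet detected"; '
              'gid:1; sid:10000001; rev:001; classtype:icmp-event;)')

HEADER_FIELDS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
LOCAL_SID_MIN = 1000000  # sids below this are reserved for official rule sets

HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# key:value; pairs; a quoted value may itself contain ';' so match it as a unit
OPTION_RE = re.compile(r'([a-z_]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', re.IGNORECASE)


def parse_rule(rule):
    """Split a one-line rule into its header fields plus an 'options' dict."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a well-formed rule: %r" % rule)
    parsed = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    parsed["options"] = {k.lower(): v.strip() for k, v in OPTION_RE.findall(m.group(8))}
    return parsed


def lint_rule(rule):
    """Return the problems a local rule author should fix before loading it."""
    try:
        opts = parse_rule(rule)["options"]
    except ValueError as e:
        return [str(e)]
    problems = []
    msg = opts.get("msg")
    if msg is None:
        problems.append("missing msg")
    elif not (len(msg) >= 2 and msg.startswith('"') and msg.endswith('"')):
        problems.append("msg must be quoted")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append("sid %s collides with the reserved range; use >= %d" % (sid, LOCAL_SID_MIN))
    if "rev" not in opts:
        problems.append("missing rev")
    if "classtype" not in opts:
        problems.append("missing classtype")
    return problems
```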

The client machine used in this example is another Xubuntu box on the same network being
served up a DHCP address from the VyOS box with address 192.168.112.5.
References

Cisco. (n.d.). README.daq. Retrieved from Snort: https://www.snort.org/faq/readme-daq

Dietrich, N. (2015, December 16). Snort 2.9.8.x on Ubuntu 12, 14, and 15. Retrieved from Snort.org:
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/090/original/Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf