Install Snort

How to Install Snort NIDS on Ubuntu Linux https://blog.rapid7.com/2017/01/11/how-to-install-snort-nids-on-ubuntu-...
1 of 16 4/26/2018, 9:15 PM
apt-get update -y
apt-get upgrade -y
apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbn
2 of 16 4/26/2018, 9:15 PM
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -zxvf daq-2.0.6.tar.gz
daq-2.0.6
cd daq-2.0.6
./configure && make && make install
eth0
wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz
3 of 16 4/26/2018, 9:15 PM
tar -xvzf snort-2.9.8.3.tar.gz
cd snort-2.9.8.3
./configure --enable-sourcefire && make && make install
ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V
4 of 16 4/26/2018, 9:15 PM
,,_ -*> Snort! <*-

o" )~ Version 2.9.8.3 GRE (Build 383)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8
mkdir /etc/snort
mkdir /etc/snort/preproc_rules
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
5 of 16 4/26/2018, 9:15 PM
chmod -R 5775 /etc/snort/

chmod -R 5775 /var/log/snort/
chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/
snort-2.9.8.3
cd snort-2.9.8.3
.conf .map .dtd /etc/snort/
cp -avr *.conf *.map *.dtd /etc/snort/
cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/l
sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
/etc/snort/snort.conf
6 of 16 4/26/2018, 9:15 PM
nano /etc/snort/snort.conf
# Setup the network addresses you are protecting

ipvar HOME_NET 192.168.15.0/24
# Set up the external network addresses. Leave as "any" in most situations

ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/local.rules
snort -T -i eth0 -c /etc/snort/snort.conf
Snort successfully validated the configuration!

Snort exiting
7 of 16 4/26/2018, 9:15 PM
local.rules
nano /etc/snort/rules/local.rules
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev
alert tcp any any -> $HOME_NET 80 (msg:"TELNET connection attempt"; sid:1000003; rev
snort -A console -q -c /etc/snort/snort.conf -i eth0
-A
-q
-c
-i
8 of 16 4/26/2018, 9:15 PM
eth0
ping 192.168.15.189
ftp 192.168.15.189
telnet 192.168.15.189 80
192.168.15.189
12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0]

12/14-23:36:34.982502 [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0]
12/14-23:36:45.907427 [**] [1:1000003:1] TELNET connection attempt [**] [Priority:
Ctrl+c
snort.service
nano /lib/systemd/system/snort.service
9 of 16 4/26/2018, 9:15 PM
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
[Install]
WantedBy=multi-user.target
systemctl enable snort
systemctl start snort
systemctl status snort
10 of 16 4/26/2018, 9:15 PM
● snort.service - Snort NIDS Daemon

Loaded: loaded (/lib/systemd/system/snort.service; disabled; vendor preset: enabled
Active: active (running) since Wed 2016-12-14 23:45:56 IST; 15s ago
Main PID: 16129 (snort)
CGroup: /system.slice/snort.service
└─16129 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
Dec 14 23:45:56 Node1 systemd[1]: Started Snort NIDS Daemon.
11 of 16 4/26/2018, 9:15 PM
3 Comments rapid7 1 Login
Recommend Share Sort by Best
Join the discussion…
LOG IN WITH
OR SIGN UP WITH DISQUS ?
Arttu Manninen • 3 months ago

There are several places where your formatting is broken and results in a failing installation. Please fix
especially the sequences of mkdir+touch and systemctl. Otherwise thank you for sharing this!
• Reply • Share ›
Caitlin Condon Mod Arttu Manninen • 3 months ago

Hi Arttu, thanks for your feedback on this. Our team is looking into it!
Arttu Manninen Arttu Manninen • 3 months ago

...and it might be a good idea to mention that `eth0` is often no longer the default network
interface name :)
Subscribe Add Disqus to your siteAdd DisqusAdd Privacy
12 of 16 4/26/2018, 9:15 PM
13 of 16 4/26/2018, 9:15 PM
14 of 16 4/26/2018, 9:15 PM
15 of 16 4/26/2018, 9:15 PM
16 of 16 4/26/2018, 9:15 PM

Install Snort

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Install Snort

Hochgeladen von

Copyright:

Verfügbare Formate

How to Install Snort NIDS on Ubuntu Linux https://blog.rapid7.com/2017/01/11/how-to-install-snort-nids-on-ubuntu-...

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbn

tar -zxvf daq-2.0.6.tar.gz

./configure && make && make install

tar -xvzf snort-2.9.8.3.tar.gz

./configure --enable-sourcefire && make && make install

,,_ -*> Snort! <*-

chmod -R 5775 /etc/snort/

chmod -R 5775 /usr/local/lib/snort_dynamicrules/

.conf .map .dtd /etc/snort/

cp -avr *.conf *.map *.dtd /etc/snort/

cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/l

sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

# Setup the network addresses you are protecting

# Set up the external network addresses. Leave as "any" in most situations

var RULE_PATH /etc/snort/rules

snort -T -i eth0 -c /etc/snort/snort.conf

Snort successfully validated the configuration!

snort -A console -q -c /etc/snort/snort.conf -i eth0

12/14-23:36:27.953203 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0]

systemctl enable snort

systemctl start snort

systemctl status snort

● snort.service - Snort NIDS Daemon

Dec 14 23:45:56 Node1 systemd[1]: Started Snort NIDS Daemon.

3 Comments rapid7 1 Login

Recommend Share Sort by Best

Join the discussion…

Arttu Manninen • 3 months ago

Caitlin Condon Mod Arttu Manninen • 3 months ago

Arttu Manninen Arttu Manninen • 3 months ago

Subscribe Add Disqus to your siteAdd DisqusAdd Privacy

Das könnte Ihnen auch gefallen

,,_ -> Snort! <-

cp -avr .conf .map *.dtd /etc/snort/

12/14-23:36:27.953203 [] [1:1000002:1] ICMP connection attempt [] [Priority: 0]