Run Snort on Linux and protect your network with real-time traffic analysis and threat detection. Security is everything, and Snort is world-class. This pig might just save your bacon.
What Is Snort?
Snort is one of the best known and widely used network intrusion detection systems (NIDS). It has been called one of the most important open-source projects of all time. Originally developed by Sourcefire, it has been maintained by Cisco’s Talos Security Intelligence and Research Group since Cisco acquired Sourcefire in 2013.
Snort analyzes network traffic in real time and flags any suspicious activity. In particular, it looks for anything that might indicate unauthorized access attempts and other attacks on the network. A comprehensive set of rules defines what counts as “suspicious” and what Snort should do if a rule is triggered.
In the same way that antivirus and anti-malware packages rely on up-to-date virus signature definitions to be able to identify and protect you from the newest threats, Snort’s rules are updated and reissued frequently so that Snort is always operating at its optimum effectiveness.
The Snort Rules
There are three sets of rules:
- Community Rules: These are freely available rule sets, created by the Snort user community.
- Registered Rules: These rule sets are provided by Talos. They are freely available also, but you must register to obtain them. Registration is free and only takes a moment. You’ll receive a personal oinkcode that you need to include in the download request.
- Subscription Rules: These are the same rules as the registered rules. However, subscribers receive the rules about a month before they’re released as free rule sets for registered users. At the time of writing, 12-month subscriptions start at USD $29 for personal use and USD $399 for business use.
At one time, installing Snort was a lengthy manual process. It wasn’t difficult, but there were a lot of steps and it was easy to miss one out. The major Linux distributions have made things simpler by making Snort available from their software repositories.
The versions in the repositories sometimes lag behind the latest version that is available on the Snort website. If you want to, you can download and install from source. As long as you have the latest rules, it doesn’t matter too much if your Snort isn’t the latest and greatest—as long as it isn’t ancient.
To research this article, we installed Snort on Ubuntu 20.04, Fedora 32, and Manjaro 20.0.1.
To install Snort on Ubuntu, use this command:
sudo apt-get install snort
As the installation proceeds, you’ll be asked a couple of questions. You can find the answers to these by using the ip addr command before starting the installation, or in a separate terminal window.
Take note of your network interface name. On this research computer, it is enp0s3.
Also, look at your IP address. This computer has an IP address of 192.168.1.24/24. The extra “/24” is classless inter-domain routing (CIDR) notation. This tells us the network address range. It means this network has a subnet mask of 255.255.255.0, which has three leading sets of eight bits (and 3 x 8 = 24). You don’t need to worry too much about that; just record whatever your IP address happens to be, including the CIDR notation. You need to provide this as the answer to one of the questions, with the last octet of the IP address changed to zero. In our example, this is 192.168.1.0/24.
Press “Tab” to highlight the “OK” button, and press “Enter.”
Type the name of the network interface, press “Tab” to highlight the “OK” button, and press “Enter.”
Type the network address range in CIDR format, press “Tab” to highlight the “OK” button, and press “Enter.”
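The installer wants the network range, not the host address. As an added example (not from the original article), the shell function below derives that range from the address/prefix pair that ip addr prints. The article's shortcut of zeroing the last octet is exact for a /24 network; this function applies the mask bit by bit, so it also gives the right answer for other prefix lengths such as /22 or /25. The interface name passed to iface_network is whatever ip addr listed on your machine.

```shell
#!/bin/sh
# Added example: compute the network range Snort's installer asks for from an
# interface address as "ip addr" prints it (e.g. 192.168.1.24/24 -> 192.168.1.0/24).
# Zeroing the last octet is only correct for a /24; this masks every prefix length.

cidr_network() {
    case "$1" in
        */*) ;;
        *) echo "expected address/prefix, got '$1'" >&2; return 1 ;;
    esac
    addr="${1%/*}"
    prefix="${1#*/}"
    # Split the dotted quad into four octets ($1..$4 inside this function).
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    ipnum=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Netmask: the top "prefix" bits set, the remaining host bits clear.
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    net=$(( ipnum & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Read the first global IPv4 address on an interface and print its network range.
iface_network() {
    cidr=$(ip -4 -o addr show dev "$1" scope global | awk '{ print $4; exit }')
    [ -n "$cidr" ] || { echo "no IPv4 address found on $1" >&2; return 1; }
    cidr_network "$cidr"
}

# Usage: sh snort-net.sh enp0s3
if [ $# -gt 0 ]; then
    iface_network "$1"
fi
```

Run it with your interface name and paste the printed range into both the installer prompt and, later, the HOME_NET line of snort.conf, so the two always agree.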
To install Snort on Fedora, you need to use two commands:
sudo rpm -Uvh https://forensics.cert.org/cert-forensics-tools-release-32.rpm
sudo dnf install snort
On Manjaro, the command we need is not the usual pacman; it is pamac. And we don’t need to use sudo:
pamac install snort
When you’re asked if you want to build Snort from the AUR (Arch User Repository) press “Y” and hit “Enter.” We don’t want to edit the build files, so answer that question by pressing “N” and hitting “Enter.” Press “Y” and hit “Enter” when you’re asked if the transaction should be applied.
You’ll be prompted for your password.
The versions of Snort that were installed were:
- Ubuntu: 126.96.36.199
- Fedora: 188.8.131.52
- Manjaro: 184.108.40.206
You can check your version using:
There are a few steps to complete before we can run Snort. We need to edit the “snort.conf” file.
sudo gedit /etc/snort/snort.conf
Locate the line that reads “ipvar HOME_NET any” and edit it to replace the “any” with the CIDR notation address range of your network.
Save your changes and close the file.
Updating the Snort Rules
To make sure your copy of Snort is providing the maximum level of protection, update the rules to the most recent version. This ensures Snort has access to the newest set of attack definitions and protection actions.
If you have registered and obtained your own oinkcode, you can use the following command to download the rule set for registered users. The Snort download page lists the available rule sets, including the community rule set for which you do not need to register.
Download the rule set for the version of Snort you’ve installed. We’re downloading the 2.9.8.3 rule set (snortrules-snapshot-2983), which is the closest match to the version of Snort that was in the Ubuntu repository.
wget "https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=<your oink code goes here>" -O snortrules-snapshot-2983.tar.gz
Once the download is complete, use this command to extract the rules and install them in the “/etc/snort/rules” directory.
sudo tar -xvzf snortrules-snapshot-2983.tar.gz -C /etc/snort/rules
Network interface cards usually ignore traffic that isn’t destined for their IP address. We want Snort to detect suspicious network traffic addressed to any device on the network, not just network traffic that happens to be sent to the computer on which Snort is installed.
To make the Snort computer’s network interface listen to all network traffic, we need to set it to promiscuous mode. The following command will cause network interface enp0s3 to operate in promiscuous mode. Substitute enp0s3 with the name of the network interface you are using on your computer.
sudo ip link set enp0s3 promisc on
If you are running Snort in a virtual machine, also remember to adjust the settings in your hypervisor for the virtual network card used by your virtual machine. For example, in VirtualBox, you need to go to Settings > Network > Advanced and change the “Promiscuous Mode” drop-down to “Allow All.”
You can now start Snort. The command format is:
sudo snort -d -l /var/log/snort/ -h 192.168.1.0/24 -A console -c /etc/snort/snort.conf
Substitute your own network IP range in place of the 192.168.1.0/24.
The command-line options used in this command are:
- -d: Filters out the application layer packets.
- -l /var/log/snort/: Sets the logging directory.
- -h 192.168.1.0/24: This doesn’t set the home network; that was set in the “snort.conf” file. With this value set to the same value as the home network, the logs are structured so that content from suspicious remote computers is logged into directories named after each remote computer.
- -A console: Sends alerts to the console window.
- -c /etc/snort/snort.conf: Indicates which Snort configuration file to use.
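Before launching that command it is worth confirming that the three things it depends on are actually in place: HOME_NET is no longer “any”, the interface really is in promiscuous mode, and the configuration plus rules load cleanly. The pre-flight script below is an added example, not part of the article; it assumes the article's path /etc/snort/snort.conf (overridable through SNORT_CONF) and uses Snort's own -T option, which parses the configuration and rules without starting to sniff.

```shell
#!/bin/sh
# Added example: pre-flight checks before "sudo snort -d -l ... -A console -c ...".
# Assumes the article's config path; set SNORT_CONF to override it.

CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Print the HOME_NET value from a snort.conf; fail if the line is missing or still "any".
conf_home_net() {
    net=$(sed -n 's/^ipvar[[:space:]][[:space:]]*HOME_NET[[:space:]][[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1)
    [ -n "$net" ] || { echo "no 'ipvar HOME_NET' line in $1" >&2; return 1; }
    [ "$net" != "any" ] || { echo "HOME_NET is still 'any'; edit $1 first" >&2; return 1; }
    echo "$net"
}

# Read "ip link show <iface>" output on stdin; succeed only if the PROMISC flag is set.
# The first line looks like: 2: enp0s3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
link_is_promisc() {
    head -n 1 | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx PROMISC
}

# Ask Snort itself to validate the configuration and load the rules (-T = test only).
config_ok() {
    sudo snort -T -c "$1" -i "$2" >/dev/null 2>&1
}

preflight() {
    iface=$1
    home=$(conf_home_net "$CONF") || return 1
    echo "HOME_NET = $home"
    if ip link show "$iface" | link_is_promisc; then
        echo "$iface is in promiscuous mode"
    else
        echo "$iface is NOT promiscuous; run: sudo ip link set $iface promisc on" >&2
        return 1
    fi
    if config_ok "$CONF" "$iface"; then
        echo "$CONF validated by snort -T"
    else
        echo "snort -T failed; run it without output redirection to see the error" >&2
        return 1
    fi
}

# Usage: sh snort-preflight.sh enp0s3
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

A failing snort -T is the most common reason the real start-up command scrolls an error and exits: a rules file referenced by snort.conf that the tarball did not put where the include line expects it.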
Snort scrolls a lot of output in the terminal window, then enters its monitoring and analysis mode. Unless it sees some suspicious activity, you won’t see any more screen output.
From another computer, we started to generate malicious activity that was directly aimed at our test computer, which was running Snort.
Snort identifies the network traffic as potentially malicious, sends alerts to the console window, and writes entries into the logs.
Alerts classified as “Information Leaks” attacks indicate that an attempt has been made to interrogate your computer for information that could aid an attacker. This probably means someone is performing reconnaissance on your system.
Alerts classified as “Denial of Service” attacks indicate an attempt to flood your computer with false network traffic. The attack tries to overwhelm your computer to the point that it cannot continue to provide its services.
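With -A console, each alert is a single line in Snort's “fast” format, the same format the alert file in the log directory uses, so the classification and the source address can be pulled out with ordinary text tools. The script below is an added example, not from the article: it summarises an alert file by classification and by source host. The sample lines it carries are constructed in the shape of that format; the SIDs (local-rule range 1000001 and up), messages and addresses are made up, while the classification names are the standard ones from Snort's classification.config.

```shell
#!/bin/sh
# Added example: summarise Snort fast-format alerts by classification and source.
# Format of one line (as printed by -A console / written by -A fast):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]

# Constructed sample alerts (not real Snort output) for demonstration and tests.
sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
05/14-10:02:11.120004  [**] [1:1000001:1] SAMPLE ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.37 -> 192.168.1.24
05/14-10:02:11.348812  [**] [1:1000002:1] SAMPLE SNMP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.37:54012 -> 192.168.1.24:161
05/14-10:02:13.002219  [**] [1:1000003:1] SAMPLE SSH version probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.37:54020 -> 192.168.1.26:22
05/14-10:05:02.417700  [**] [1:1000004:1] SAMPLE SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.37:40001 -> 192.168.1.24:80
05/14-10:05:02.417912  [**] [1:1000004:1] SAMPLE SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.37:40002 -> 192.168.1.24:80
05/14-10:07:45.900031  [**] [1:1000005:1] SAMPLE mDNS chatter [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.50:5353 -> 224.0.0.251:5353
EOF
    echo "$f"
}

# "count<TAB>classification", most frequent first.
alerts_by_class() {
    sed -n 's/.*\[Classification: \([^]]*\)\].*/\1/p' "$1" | sort | uniq -c | sort -rn |
        awk '{ n = $1; $1 = ""; sub(/^ +/, ""); print n "\t" $0 }'
}

# "count<TAB>source address" (port stripped), most frequent first.
alerts_by_source() {
    sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\1/p' "$1" | sort | uniq -c | sort -rn |
        awk '{ print $1 "\t" $2 }'
}

# Number of alerts carrying one exact classification: count_class FILE 'Attempted Denial of Service'
count_class() {
    grep -c "\[Classification: $2\]" "$1"
}

top_classification() { alerts_by_class "$1" | head -n 1 | cut -f 2; }
top_source()         { alerts_by_source "$1" | head -n 1 | cut -f 2; }

report() {
    echo "== alerts by classification =="
    alerts_by_class "$1"
    echo "== alerts by source =="
    alerts_by_source "$1"
}

# Usage: sh snort-summary.sh /var/log/snort/alert
if [ $# -gt 0 ]; then
    report "$1"
fi
```

On the sample, one host accounts for every reconnaissance and flood alert while the only other source is benign multicast noise, which is exactly the split you want to see at a glance before digging into the per-host log directories that -h creates.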
To verify that promiscuous mode is operating correctly and we’re safeguarding the entire network address range, we’ll fire some malicious traffic at a different computer, and see whether Snort detects it.
The activity is detected and reported, and we can see that this attack was directed against a different computer with an IP address of 192.168.1.26. Snort is monitoring the entire address range of this network.
To maintain its vigilance, Snort needs up-to-date rules. You could write a small script and put the commands to download and install the rules in it, and set a cron job to automate the process by calling the script periodically. The PulledPork script is a ready-made script designed to do just that if you don’t fancy writing your own.
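The script sketched here is an added example, not the article's own and not PulledPork; it wraps the wget and tar commands from the “Updating the Snort Rules” section above in the checks an unattended cron job needs. It assumes the snapshot number matches your Snort version (2983 from the article, overridable through SNAPSHOT), that the oinkcode arrives in the OINKCODE environment variable rather than being written into a world-readable file, and the article's rules directory.

```shell
#!/bin/sh
# Added example: download, verify and install the registered-user rule set.
# Assumptions: SNAPSHOT matches the installed Snort; OINKCODE is supplied by the
# environment; RULES_DIR is the article's /etc/snort/rules.
set -eu

SNAPSHOT=${SNAPSHOT:-2983}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
WORK=${WORK:-/var/tmp/snort-rules}

# Refuse to run without an oinkcode instead of saving an error page as a "tarball".
require_oinkcode() {
    [ -n "${OINKCODE:-}" ] || { echo "set OINKCODE in the environment" >&2; return 1; }
}

# A rule set must be a readable gzip tarball that actually contains *.rules files;
# an HTML error page saved under the .tar.gz name fails this check.
verify_rules_tarball() {
    tar -tzf "$1" 2>/dev/null | grep -q '\.rules$'
}

download_rules() {
    require_oinkcode
    mkdir -p "$WORK"
    out="$WORK/snortrules-snapshot-$SNAPSHOT.tar.gz"
    wget -q "https://www.snort.org/rules/snortrules-snapshot-$SNAPSHOT.tar.gz?oinkcode=$OINKCODE" -O "$out"
    verify_rules_tarball "$out" || { echo "$out is not a rule set archive" >&2; rm -f "$out"; return 1; }
    echo "$out"
}

install_rules() {
    # List the archive first so the log shows where files land under $RULES_DIR.
    tar -tzf "$1" | head -n 5
    sudo tar -xzf "$1" -C "$RULES_DIR"
}

update_rules() {
    archive=$(download_rules) && install_rules "$archive"
}

# Usage:  OINKCODE=<your oinkcode> sh update-snort-rules.sh run
# Cron (weekly, Sunday 03:00, with the oinkcode kept in a root-only environment):
#   0 3 * * 0  /usr/local/sbin/update-snort-rules.sh run
if [ "${1:-}" = run ]; then
    update_rules
fi
```

After a successful update, restart Snort so the new rules are loaded; until then it keeps running with the rule set it parsed at start-up.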