snort
IDS/IPS, Network Security Monitoring
Install and Configure Snort
- Update package lists and upgrade existing packages

```sh
sudo apt update && sudo apt upgrade -y
```
- Install Snort

```sh
sudo apt install snort -y
```
This command installs Snort and its dependencies. During installation, you might be prompted to select the network interface Snort should listen on. Use the `ip a` command to determine the appropriate interface.
- Configure Snort
- Back up the configuration file

```sh
sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.backup
```
- Edit the configuration file

```sh
sudo nano /etc/snort/snort.conf
```
- Configure Network Variables
HOME_NET: define your internal network IP address range; rules that reference `$HOME_NET` and `$EXTERNAL_NET` use it to tell internal hosts from external ones.

```sh
ipvar HOME_NET 192.168.1.0/24
```
- Test the Configuration

```sh
sudo snort -T -i eth0 -c /etc/snort/snort.conf
```
Download Community Rules
- Obtain the latest rules: download the latest community rules archive from the official Snort website

```sh
wget https://www.snort.org/downloads/community/community-rules.tar.gz
```
- Extract the archive: extract the downloaded archive into the Snort rules directory

```sh
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/rules/
```
- Configure Snort
- Edit the Snort configuration file `/etc/snort/snort.conf`

```sh
sudo nano /etc/snort/snort.conf
```
- Include the community rules (add this line in the rules section of snort.conf, alongside the other `include $RULE_PATH/...` lines)

```conf
include $RULE_PATH/community-rules/community.rules
```
- Test Configuration
Validate the configuration before restarting; a bad include path or rule would otherwise stop Snort from starting.

```sh
sudo snort -T -i eth0 -c /etc/snort/snort.conf
```
- Restart the Snort service

```sh
sudo systemctl restart snort.service
```
Add Custom Rules to Snort
- Open the local rules file

```sh
sudo nano /etc/snort/rules/local.rules
```
- Add your custom rules to the file, one rule per line. For example:

```conf
# Local rules use sid values of 1000000 and above so they never collide with vendor rule sets.
alert tcp any any -> any 80 (msg:"Suspicious HTTP Request to /admin"; content:"GET /admin"; nocase; sid:1000101; rev:1;)
alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1000102; rev:1;)
alert tcp any any -> any 21 (msg:"FTP Login Attempt"; content:"USER"; nocase; sid:1000103; rev:1;)
# dns_query is a Snort 3 sticky buffer and does not parse in the Snort 2.9 that apt installs;
# dsize tests the UDP payload length instead, which is what an unusually long query inflates.
alert udp any any -> any 53 (msg:"Suspicious DNS Query Length"; dsize:>64; sid:1000104; rev:1;)
# threshold inside a rule still works in 2.9 but is deprecated in favour of detection_filter.
alert tcp any any -> any 3389 (msg:"RDP Brute Force Attempt"; threshold: type threshold, track by_src, count 5, seconds 60; sid:1000105; rev:1;)
```
- Test the configuration to ensure there are no syntax errors

```sh
sudo snort -T -c /etc/snort/snort.conf
```
- Restart Snort to apply the new rules

```sh
sudo systemctl restart snort
```
- Testing Custom Rules
- Use tools like curl, nmap, or ping to generate traffic that matches your custom rules.
- Check the Snort logs to verify that the rules are triggering alerts

```sh
sudo tail -f /var/log/snort/snort.alert
```
Enable NIDS
Make Promiscuous Mode Persistent
Make Interface Offloading Changes Persistent
- To enable promiscuous mode and to disable GRO (Generic Receive Offload) and LRO (Large Receive Offload) persistently, you can use a systemd service or modify the network configuration. With offloading on, the NIC coalesces received segments before they reach the capture stack, so Snort sees packets larger than what was on the wire and can mishandle them.
- Create a systemd service file
Create the file `/etc/systemd/system/promisc.service`

```sh
sudo nano /etc/systemd/system/promisc.service
```

with the following content (the `ethtool` command needs the ethtool package; replace `eth0` with your capture interface)

```ini
[Unit]
Description=enable promisc and disable GRO & LRO
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev eth0 promisc on
ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```
- Start the service

```sh
sudo systemctl daemon-reload
sudo systemctl enable promisc.service
sudo systemctl start promisc.service
sudo systemctl status promisc.service
```
Updating Community Rules
- Security Best Practices: Keep Snort and its rule sets updated. Regularly review and adjust your security policies.
- Download the Latest Version
Download the latest version of the community rules archive from the Snort website.
Replace Existing Rules
- Back up the existing rules (optional, but recommended)

```sh
# copy community-rules rather than community*, so earlier community_backup_* directories are not copied into the new backup
sudo cp -r /etc/snort/rules/community-rules /etc/snort/rules/community_backup_$(date +%Y%m%d)
```
- Obtain the latest rules: download the latest community rules archive from the official Snort website

```sh
wget https://www.snort.org/downloads/community/community-rules.tar.gz
```
- Extract the new rules
This will overwrite the existing community rules files.

```sh
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/rules/
```
Restart Snort

```sh
sudo systemctl restart snort.service
```
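The update steps above folded into one script, as an added example that is not part of the original post: it backs up the current rules, extracts the new archive, validates with `snort -T` and restarts Snort only if validation passes, otherwise it restores the backup. The paths are this post's; the script name, the `download` argument, the `/tmp` download location and the environment overrides are this example's own assumptions.

```shell
#!/bin/sh
# Back up, extract, validate with snort -T, restart only on success, else roll back.
# Paths and commands follow this post's layout; all are overridable via environment.
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES_URL="${RULES_URL:-https://www.snort.org/downloads/community/community-rules.tar.gz}"
SNORT_TEST_CMD="${SNORT_TEST_CMD:-snort -T -c $SNORT_CONF}"   # run the script as root
RESTART_CMD="${RESTART_CMD:-systemctl restart snort.service}"

# Copy community-rules/ into a dated backup directory and print its path.
backup_rules() {
    backup="$RULES_DIR/community_backup_$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    [ -d "$RULES_DIR/community-rules" ] && cp -r "$RULES_DIR/community-rules" "$backup/"
    printf '%s\n' "$backup"
}

# Unpack the archive into the rules directory, overwriting community-rules/.
extract_rules() { tar -xzf "$1" -C "$RULES_DIR"; }

# Put the backed-up community-rules/ back in place.
restore_rules() {
    rm -rf "$RULES_DIR/community-rules"
    [ -d "$1/community-rules" ] && cp -r "$1/community-rules" "$RULES_DIR/"
    return 0
}

# update_rules [archive]: 0 = new rules validated and Snort restarted,
# 1 = validation failed and the previous rules were restored, 2 = download failed.
# If the argument is not an existing file, a fresh archive is downloaded first.
update_rules() {
    archive="${1:-}"
    if [ ! -f "$archive" ]; then
        archive=/tmp/community-rules.tar.gz
        wget -q -O "$archive" "$RULES_URL" || return 2
    fi
    backup="$(backup_rules)"
    if extract_rules "$archive" && $SNORT_TEST_CMD; then
        $RESTART_CMD
        return 0
    fi
    echo "snort -T failed, restoring $backup" >&2
    restore_rules "$backup"
    return 1
}

# e.g. "sudo sh update-community-rules.sh download"; with no argument only the functions are defined.
[ -n "${1:-}" ] && update_rules "$1"
```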
Snorpy
Snorpy is a simple web-based Snort rule creator; run it in Docker and open the published port 8080 in a browser.

```sh
sudo apt install docker.io -y
git clone https://github.com/chrisjd20/Snorpy.git
cd Snorpy
sudo docker build -t snorpy_app .
sudo docker run -p 8080:8080 -it --rm --name snorpy_container snorpy_app
```
This post is licensed under CC BY 4.0 by the author.