How to Install and Configure Snort on Linux
Welcome back again to the "Security Analysis 101" series, where we discuss and learn log analysis and pattern finding using utilities and tools. Let's start with an introduction.
❄️ Introduction:
Snort is an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). It is used to notify and alert the security personnel in an organization when security rules are breached.
Snort IDS uses a set of rules that define malicious network activity; it matches packets against these rules and generates alerts for users.
In this blog, we will start with installing and configuring Snort IDS/IPS and using it for intrusion detection on an Ubuntu Server 22.24.
❄️ Requirements:
- Ubuntu server/Desktop installed on VM
- Internet Connection
❄️ Snort Installation:
Step 1: Make sure that your Ubuntu operating system is up and running on your VM and that you can ping it from your secondary operating system (Kali). This means they should be on the same network or subnet.
Step 2: Go to the terminal of the Ubuntu machine and type sudo apt-get update.
Step 3: Type sudo apt-get install snort. This command will install the Snort program and its dependencies.
Step 4: Type the whereis snort command. It will list every directory containing the phrase snort. The directories created by Snort include:
- /etc/snort: This contains the configuration and rules files.
- /usr/sbin/snort: This is the executable binary of the Snort IDS/IPS.
- /usr/lib/snort: This contains the shared libraries and files that are used by the Snort executable /usr/sbin/snort and other Snort-related components.
- /usr/include/snort: This contains header files and related resources used for compiling and building custom plugins, preprocessors, or other Snort-related extensions.
❄️ Configuring Snort IDS/IPS:
Now that we have installed Snort, we are going to configure it by adding rules and other settings.
Step 1: Navigate to the /etc/snort directory and locate the snort.conf file. This file contains various settings that are necessary for the effective working of Snort IDS.
Before moving forward we go through the snort.conf file. Make sure you have sudo permission, and open the file in edit (write) mode.
This is the part where we set the home network we want Snort to monitor. Here, we indicate the full mask/subnet of our home network.
Under the ipvar HOME_NET line is where we set our home address (please include the /24 mask). You can get it from your Ubuntu terminal using the command ip a s as below. It is the second inet entry under the adapter enp0s3 (the adapter name will be different for you).
Step 2: Save our changes and exit: use Ctrl + X, press Y and then the Enter key.
Hey guys, we have successfully installed and configured Snort IDS.
❄️ Test snort configuration file for errors:
Let's test our snort.conf file to make sure there are no errors when running it.
Type the command sudo snort -T -i enp0s3 -c /etc/snort/snort.conf, run inside the /etc/snort directory.
- -T is used to open Snort in test mode.
- -i is used to specify the network adapter in use.
- -c is used to denote the Snort configuration file and where it's located.
Observe that we see the message "Snort successfully validated the configuration" on the terminal.
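The two manual steps above (reading the address from ip a s, editing the ipvar HOME_NET line, then running snort -T) can be scripted so the same value is set every time. The script below is an added example, not code from the original post or from the Snort project: the function names (net_from_cidr, iface_cidr, set_home_net, get_home_net, validate_snort, demo) are my own, the ip a s output and the three-line snort.conf fragment are constructed for the demo, and only the ipvar HOME_NET line and the snort -T -i -c command come from the post. It also goes one step beyond the post by clearing the host bits, so HOME_NET becomes the network (192.168.56.0/24) rather than the single host address, and it handles masks other than /24.

```shell
#!/bin/sh
# Added example: derive HOME_NET from an interface's IPv4 address, write it
# into a snort.conf, and validate the file with `snort -T` (POSIX sh + awk).

# net_from_cidr 192.168.56.104/24 -> 192.168.56.0/24
# Clears the host bits so HOME_NET names the whole network, not one host.
net_from_cidr() {
    ip=${1%/*}; bits=${1#*/}
    oldifs=$IFS; IFS=.
    set -- $ip               # split the dotted quad into $1..$4
    IFS=$oldifs
    addr=$(( ($1<<24) | ($2<<16) | ($3<<8) | $4 ))
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net>>24)&255 )) $(( (net>>16)&255 )) \
        $(( (net>>8)&255 )) $(( net&255 )) "$bits"
}

# iface_cidr <iface> <ip-a-s-output>: print the first IPv4 "inet" entry
# listed under the named adapter, as the post reads it from `ip a s`.
iface_cidr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
        $1 == "inet" && iface == want { print $2; exit }'
}

# set_home_net <snort.conf> <cidr>: rewrite the ipvar HOME_NET line.
# Fails (status 1) if the file has no such line, so a typo is not silently ignored.
set_home_net() {
    conf=$1; cidr=$2
    grep -q '^ipvar HOME_NET ' "$conf" || return 1
    sed "s|^ipvar HOME_NET .*|ipvar HOME_NET $cidr|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# get_home_net <snort.conf>: read the configured value back for checking.
get_home_net() {
    awk '$1 == "ipvar" && $2 == "HOME_NET" { print $3; exit }' "$1"
}

# validate_snort <iface> <snort.conf>: the post's test-mode run; a non-zero
# exit status means the configuration did not parse.
validate_snort() {
    sudo snort -T -i "$1" -c "$2"
}

# Constructed sample of `ip a s` output (not captured from a real host).
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.168.56.104/24 brd 192.168.56.255 scope global dynamic enp0s3'

# demo: configure a constructed snort.conf fragment and print the result.
demo() {
    conf=$(mktemp)
    printf '%s\n' '# Setup the network addresses you are protecting' \
        'ipvar HOME_NET any' 'ipvar EXTERNAL_NET !$HOME_NET' > "$conf"
    cidr=$(iface_cidr enp0s3 "$SAMPLE_IP_A")
    set_home_net "$conf" "$(net_from_cidr "$cidr")"
    get_home_net "$conf"                 # prints 192.168.56.0/24
    rm -f "$conf"
}

# On a real host replace SAMPLE_IP_A with "$(ip a s)", point set_home_net at
# /etc/snort/snort.conf, then run: validate_snort enp0s3 /etc/snort/snort.conf
```

On the real machine, call iface_cidr with "$(ip a s)" and the adapter name from your own ip a s output, and always finish with validate_snort: the exit status is the check that the edited file still parses, not just the presence of the success message.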
Hey, 📢 we have successfully installed and configured Snort. In the next blog I will show you a deeper dive into Snort.
Ok, see you next time with new content and new spirit! Please follow for upcoming content, and give your feedback or suggestions to improve my content quality and skills.