Installing & Configuring Snort IDS/IPS on Ubuntu.

Roy Murage
5 min read · Aug 15, 2023


Snort is an Intrusion Detection System (IDS) and, when run inline, an Intrusion Prevention System (IPS). It inspects network traffic against a set of rules and alerts the security personnel in an organization when a packet or stream matches one; in IPS mode it can also drop the offending traffic.

Each Snort rule describes a pattern of malicious or unwanted network activity (protocol, addresses, ports and payload content). Snort compares the traffic it captures against these rules and generates an alert for every match.

Snort installs easily on an Ubuntu server, but it only sees traffic that reaches the interface it listens on. The Ubuntu host therefore needs to sit on the same network segment as the devices you want to watch, or be fed a copy of their traffic through a mirror (SPAN) port. Placed that way, it can trace and report malicious activity on the network.

In this post, I cover installing, configuring and testing Snort IDS/IPS on an Ubuntu server.

What you need:

  • Virtualbox /VMWare
  • Ubuntu server/Desktop installed in the VM
  • A secondary Operating System — preferably Kali
  • Internet Connection

After making sure the above are present, it is time to get started.

INSTALLING SNORT

The first step is to make sure your Ubuntu VM is up and running and that you can ping it from the secondary operating system (Kali). Both VMs should be on the same network or subnet (for example, both attached to the same VirtualBox host-only or bridged network). If the ping fails, fix the VM network settings before going on, because Snort will never see Kali's traffic otherwise.

On the Ubuntu system, open the Terminal (under All Programs, or press Ctrl+Alt+T).

In the terminal, run sudo apt-get update to refresh the package index. This may take some time depending on your network connection and the VM's resources.

Then run sudo apt-get install snort. This installs Snort (Ubuntu's package is the 2.9.x series) and its dependencies. During installation the package prompts for the interface to listen on and the home network range; those answers go into /etc/snort/snort.debian.conf, which is separate from the HOME_NET value in snort.conf that we set in the next section.

Snort installs its files into several directories. The whereis snort command lists the locations of the binary, source and manual page (not every directory whose name contains "snort"); the important ones are:

  • /etc/snort:- The most important directory for the Snort user. It holds the configuration and rule files, including snort.conf, which we edit later to configure Snort.
  • /usr/sbin/snort:- The executable binary of the Snort IDS/IPS.
  • /usr/lib/snort:- Shared libraries used by the Snort executable and its preprocessors and plugins. Snort does not function without them.
  • /usr/include/snort:- Header files for compiling custom plugins, preprocessors or other extensions. They declare the functions, structures and constants needed when developing software that interacts with or extends Snort.
  • /var/log/snort:- Where Snort writes alerts and packet logs when it runs as a service.

CONFIGURING SNORT IDS/IPS

Now that we know what Snort is and how it is installed, it is time to configure it to work as an IDS on our network.

To do that, we go to the /etc/snort directory and open the snort.conf file. This file holds the settings Snort needs in order to run correctly.

We will not cover everything in it, only the settings needed here.

Open the file for editing with sudo nano /etc/snort/snort.conf. nano opens it in read and write mode, so we can make changes and save them.

NB: YOU NEED ROOT PRIVILEGES TO WRITE TO THIS FILE. Running the editor through sudo, as above, is enough. If you prefer a root shell, use sudo su and enter your password, but exit that shell as soon as you are done editing.

With the file open, scroll to the part marked Step #1 (Set the network variables).

This is where we tell Snort which network it should treat as our home network, written in CIDR notation (network address plus mask).

Under ipvar HOME_NET, replace the default value any with your home network, for example ipvar HOME_NET 192.168.56.0/24. Get the address from ip a s on the Ubuntu host: look at the inet line under the network adapter (enp0s3 here), not the 127.0.0.1 entry under lo. Keep the prefix length it shows (/24), but use the network address (last octet 0) rather than the host's own address, since HOME_NET is a range, not one machine. Leave ipvar EXTERNAL_NET any for this lab: Kali sits in the same /24, so setting EXTERNAL_NET to !$HOME_NET would make rules that use $EXTERNAL_NET ignore traffic from Kali.

After setting the home network, save the changes and exit: press Ctrl + X, then Y, then Enter.
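The same Step #1 edit, done from the shell so it is repeatable and so the value is derived from the interface rather than typed by hand. This is an added example, not code from the original post; it assumes the interface is enp0s3 and the Debian/Ubuntu default snort.conf, whose line reads ipvar HOME_NET any. The ip(8) output line is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): derive HOME_NET from the
# interface address and write it into snort.conf without opening an editor.
# Assumptions: interface enp0s3, config /etc/snort/snort.conf with the
# default line "ipvar HOME_NET any".

# Convert "a.b.c.d/len" (what ip(8) prints for the host) into the network
# block "x.y.z.0/len" that HOME_NET expects. Pure POSIX shell arithmetic.
cidr_to_network() {
    addr=${1%/*}
    plen=${1#*/}
    case $plen in
        ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;;
    esac
    [ "$plen" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad address: $addr" >&2; return 1; }
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Take the "addr/len" field from one line of `ip -o -4 addr show dev <iface>`.
ip_line_to_cidr() {
    echo "$1" | awk '$3 == "inet" { print $4; exit }'
}

# Replace the HOME_NET line in snort.conf. Writes through a temp file so a
# failed sed never truncates the live config.
set_home_net() {
    conf=$1; net=$2
    sed "s|^ipvar HOME_NET .*|ipvar HOME_NET $net|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Constructed sample of what `ip -o -4 addr show dev enp0s3` prints on the lab VM.
SAMPLE_IP_LINE='2: enp0s3    inet 192.168.56.101/24 brd 192.168.56.255 scope global enp0s3\       valid_lft forever preferred_lft forever'
HOME_NET=$(cidr_to_network "$(ip_line_to_cidr "$SAMPLE_IP_LINE")")   # 192.168.56.0/24

# Rehearse the edit on a throwaway copy of the relevant snort.conf lines.
demo=$(mktemp)
printf 'ipvar HOME_NET any\nipvar EXTERNAL_NET any\n' > "$demo"
set_home_net "$demo" "$HOME_NET"
cat "$demo"
rm -f "$demo"
```

On the real host, feed the live interface line through the same functions as root: set_home_net /etc/snort/snort.conf "$(cidr_to_network "$(ip_line_to_cidr "$(ip -o -4 addr show dev enp0s3)")")". The network-address masking is the point of the example: HOME_NET is a range, and a /24 with a non-zero last octet is a common mistake when the value is copied straight from ip a s.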

Awesome!

We have installed Snort and given it a basic configuration. That is a good start; for day-to-day use you will also want an up-to-date rule set and a routine for reviewing the alerts it produces.

TESTING THE SNORT CONFIGURATION FILE FOR ERRORS

Let's test our snort.conf file to make sure Snort can load it without errors.

To do this, run sudo snort -T -i enp0s3 -c /etc/snort/snort.conf (substitute your own interface name). Because the path to the configuration file is absolute, it does not matter which directory you run the command from.

  • -T runs Snort in self-test mode: it loads the configuration and rules, reports any errors and exits without capturing traffic.
  • -i names the network interface Snort listens on.
  • -c gives the path to the Snort configuration file.

The image below shows the result of running the command. A successful test ends with "Snort successfully validated the configuration!" and the command exits with status 0.

NB: if the test reports errors (for instance a rule file that snort.conf includes but that does not exist, or a syntax error in the line you edited), go back over the steps above. Warnings do not stop Snort from starting, so they are safe to ignore at this stage, but read them first: a warning that a flowbit is checked but never set usually means a rule file the configuration expects is missing.
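To go from "the configuration validates" to "Snort actually alerts", the following added example (not code from the original post) adds one local rule, repeats the -T self-test and then runs Snort with alerts printed to the console so a ping from the Kali VM can be seen. It assumes the Debian/Ubuntu defaults: snort.conf sets var RULE_PATH /etc/snort/rules and includes $RULE_PATH/local.rules, the interface is enp0s3, and KALI_IP (the Kali VM's address) is an assumed variable that defaults to any.

```shell
#!/bin/sh
# Added example (not from the original post): a local test rule plus the
# self-test and a live run so you can confirm Snort alerts on pings from Kali.
# Assumptions (Debian/Ubuntu defaults): /etc/snort/snort.conf sets
# "var RULE_PATH /etc/snort/rules" and includes $RULE_PATH/local.rules;
# the listening interface is enp0s3; KALI_IP is the Kali VM's address.
IFACE=${IFACE:-enp0s3}
CONF=${CONF:-/etc/snort/snort.conf}
RULES=${RULES:-/etc/snort/rules/local.rules}
KALI_IP=${KALI_IP:-any}     # e.g. KALI_IP=192.168.56.102; "any" matches every source

# Build a Snort 2 rule that fires on ICMP echo requests (itype:8) into HOME_NET.
# Matching only echo requests matters here: Kali sits inside HOME_NET, so a
# rule without itype would also fire on every echo reply the Ubuntu host sends
# back and each ping would show up twice. Local rule SIDs start at 1000000.
icmp_test_rule() {
    printf 'alert icmp %s any -> $HOME_NET any (msg:"ICMP echo request test"; itype:8; sid:%s; rev:1;)\n' "$1" "$2"
}

# Append the rule to local.rules unless that SID is already there, so re-running
# the script never produces duplicate-SID errors from the config self-test.
add_local_rule() {
    rulefile=$1; src=$2; sid=$3
    if [ -f "$rulefile" ] && grep -q "sid:$sid;" "$rulefile"; then
        return 0
    fi
    icmp_test_rule "$src" "$sid" >> "$rulefile"
}

if command -v snort >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    add_local_rule "$RULES" "$KALI_IP" 1000001
    # Same self-test as in the post: stop here if the config or the new rule is broken.
    snort -T -i "$IFACE" -c "$CONF" || exit 1
    # -A console prints alerts to the terminal; -q silences the banner and statistics.
    # Now run  ping -c 3 <ubuntu-ip>  from Kali and expect three lines containing
    # [1:1000001:1] ICMP echo request test ... {ICMP} <kali-ip> -> <ubuntu-ip>
    exec snort -A console -q -i "$IFACE" -c "$CONF"
else
    echo "snort not installed or not running as root; the rule that would be added to $RULES is:"
    icmp_test_rule "$KALI_IP" 1000001
fi
```

Stop the live run with Ctrl + C. If no alert appears, the usual causes are HOME_NET not covering the Ubuntu VM's address, the interface name being wrong, or the two VMs not being on the same network (recheck the ping from Kali).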

THANK YOU AND ENJOY!


Roy Murage

A cybersecurity analyst specialized in Blue Team security.