Snort 2.9.8.x on Ubuntu – Part 2: Configure Snort to Run as a NIDS
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort
- Creating systemD Scripts for Snort
- Installing Snorby on Ubuntu 12
- Installing Snorby on Ubuntu 14
- Installing Snorby on Ubuntu 15
Configure Snort to Run as a NIDS
This is the second in a set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS). In the previous article we installed the Snort binary and verified that it correctly executed. In this section, we will configure Snort to run as a NIDS by creating the files and folders that Snort expects when running as a NIDS, and we will learn about the Snort configuration file: snort.conf.
First off, for security reasons we want Snort to run as an unprivileged user. We create a snort user and group for this purpose:
sudo groupadd snort sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Next, we need to create a number of files and folders that Snort expects when running in NIDS mode. We will then change the ownership of those files to our new snort user. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules, /usr/local/lib/snort_dynamicrules, and stores its logs in /var/log/snort:
# Create the Snort directories: sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /etc/snort/rules/iplists sudo mkdir /etc/snort/preproc_rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /etc/snort/so_rules # Create some files that stores rules and ip lists sudo touch /etc/snort/rules/iplists/black_list.rules sudo touch /etc/snort/rules/iplists/white_list.rules sudo touch /etc/snort/rules/local.rules sudo touch /etc/snort/sid-msg.map # Create our logging directories: sudo mkdir /var/log/snort sudo mkdir /var/log/snort/archived_logs # Adjust permissions: sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort/so_rules sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules # Change Ownership on folders: sudo chown -R snort:snort /etc/snort sudo chown -R snort:snort /var/log/snort sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
We now need to move the following files from the extracted Snort tarball to the snort configuration folder:
- classification.config describes the types of attack classifications that Snort understands (grouping rules into these types of classifications), such as trojan-activity or system-call-detect. The list of classifications can be found in section 3.4.6 of the Snort Manual
- file_magic.conf describes rules for identifying file types.
- reference.config contains urls that are referenced in the rules that provide more information about alerts.
- snort.conf is the configuration file for Snort, it tells Snort where resources are located, and how to output alerts, among other things.
- threshold.conf allows you to control the number of events that are required to generate an alert, which can help suppress noisy alerts. More information here.
- attribute table.dtd lets Snort use outside information to determine protocols and policies. More information here.
- gen-msg.map tells Snort which pre-processor is used by which rule. More information here.
- unicode.map provides a mapping between Unicode languages and the identifier. This file is required by Snort in order to start.
Run the commands below to move the files listed above to the /etc/snort folder:
cd ~/snort_src/snort-220.127.116.11/etc/ sudo cp *.conf* /etc/snort sudo cp *.map /etc/snort sudo cp *.dtd /etc/snort cd ~/snort_src/snort-18.104.22.168/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
The Snort configuration folder and file structure should now look like the following:
user@snortserver:~$ tree /etc/snort /etc/snort ├── attribute_table.dtd ├── classification.config ├── file_magic.conf ├── gen-msg.map ├── preproc_rules ├── reference.config ├── rules │.. ├── local.rules │.. ├── iplists │ .. ├── black_list.rules │ .. ├── white_list.rules ├── snort.conf ├── so_rules ├── threshold.conf └── unicode.map
Editing the Snort Configuration File
The Snort configuration file is stored at /etc/snort/snort.conf, and contains all the settings that Snort will use when it is run in NIDS mode. This is a large file (well over 500 lines), and contains a number of options for the configuration of Snort. We are interested in only a few settings at this time.
First, we need to comment out the lines that causes Snort to import the default set of rule files. We do this because we will be using PulledPork to manage our rulesets, which saves all the rules into a single file. The easy way to comment out all these lines is to use sed to append the “#” (hash) character to those lines. This is accomplished by running the following command:
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
The result of this command is that lines 547 to 651 in snort.conf will now be commented out, which will prevent Snort from loading those rule files on start-up. These rule files do not exist, and will cause Snort to generate an error if it tries to load a file that doesn’t exist. If you were to manually download the rule files from the snort website and extract them to the /etc/snort/rules folder, then you would want those rules to be un-commented out. We will use PulledPork (configured later) to manage all our rules and save them into a single file, which is why we need all those rule files to be commented out.
Next, we need to manually edit a few lines in the snort.conf file. Use vi (or your favorite editor) to edit /etc/snort/snort.conf:
sudo vi /etc/snort/snort.conf
First, we need to let Snort know the network range of your home network (the assets you are trying to protect) and all other external networks. We do this by editing lines 45 and 48 of snort.conf to tell it the IP ranges of these two networks. In the example below, our home network is 10.0.0.0 with a 24 bit subnet mask (255.255.255.0), and our external networks are all other networks.
ipvar HOME_NET 10.0.0.0/24 # (line 45) make this match your internal (friendly) network
Note: it is not recommended to set EXTERNAL_NET to !$HOME NET as recommended in some guides, since it can cause Snort to miss alerts.
Next we need to tell Snort about the locations of all the folders we created earlier. These settings are also part of the snort.conf file. I have included the line numbers after the hash so you can more easily find the setting (do not write the line number, just change the path to match what is below):
var RULE_PATH /etc/snort/rules # line 104 var SO_RULE_PATH /etc/snort/so_rules # line 105 var PREPROC_RULE_PATH /etc/snort/preproc_rules # line 106 var WHITE_LIST_PATH /etc/snort/rules/iplists # line 113 var BLACK_LIST_PATH /etc/snort/rules/iplists # line 114
Finally, we want to enable one included rule file: /etc/snort/rules/local.rules. We will use this file to store our own rules, including one rule that we will write in the next article in this series that will allow us to easily check that Snort is correctly generating alerts. Un-comment the following line (line 545) by deleting the hash from the beginning of the line:
Testing Snort with our Configuration File
Snort has the ability to validate the configuration file, and you should do this whenever you make modifications to snort.conf. Run the following command to have Snort test the configuration file:
sudo snort -T -c /etc/snort/snort.conf -i eth0
The -T tells snort to test, and -c tells snort the path to the configuration file, and you are required to specify an interface you want to listen to with -i (this is a new requirement for the 2.9.8.x version of snort). You should see some output, with the following lines at the end:
... Snort successfully validated the configuration! Snort exiting
Congratulations, if you have output similar to the above then you have successfully Configured Snort to run as a NIDS. Continue to the next section: Writing and Testing a Single Rule With Snort.