1. Installing Snort
2. Configuring Snort to Run as a NIDS
3. Writing and Testing a Single Rule With Snort
4. Installing Barnyard2
5. Installing PulledPork
6. Creating Upstart Scripts for Snort on Ubuntu 14
7. Creating systemD Scripts for Snort on Ubuntu 16
8. Installing BASE
9. Conclusion

Where to Go From Here

I hope this series of articles has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you have. The goal of this guide was not just for you to create a Snort NIDS, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Snort NIDS with confidence.

Capturing More Traffic With Snort

You will probably want to configure your network infrastructure to mirror traffic meant for other hosts to your Snort sensor. This configuration is dependent on what network equipment you are using. If you are running Snort as a Virtual Machine on a VMware ESXi server, you can configure promiscuous mode for ESXi by following my instructions in this article: configure promiscuous mode for ESXi.

For different network infrastrucutre, you will need to do a little research to configure network mirroring for your Snort server. Cisco calls this a span port, but most other vendors call this Port Mirroring. Instructions for Mikrotik (a linux based switch and router product that I like).  If you run DD-WRT, it can be configured with iptables, like any linux based system. If you have network equipment not listed above, any search engine should point you towards a solution, if one exists. Note that many consumer switches will not have the ability to mirror ports.

You can also purchase devices specifically made to mirror data (called taps). Some products that have been recommended on the Snort-Users list are:

• USB Powered 10/100Base-T Network Tap
• Throwing Star LAN Tap
• Build your own

More Advanced Snort Configuration

Snort has the ability to do much more than we’ve covered in this set of articles. Hopefully you’ve learned enough through this setup that you will be able to implement more advanced configurations and make Snort work for you. Some things that Snort is capable of:

• Multiple remote Snort sensors, for example on different subnets.
• The documentation section of the Snort website has a number of useful articles about more advanced things you can do with Snort.

Some other related articles I have written:

• Snort as a Network Intrusion Prevention System (NIPS).
• Installing Snort++ (Snort 3.0 Alpha).
• OpenAppID for Layer 7 protocol detection.

Recommended Reading

• Snort IDS and IPS Toolkit (Jay Beale’s Open Source Security) (Kindle Version) – This is a good book for understanding how Snort works under the hood. It is a little old, but is still relevent and very detailed.
• Snort Cookbook – This book is very helpful in showing how Snort can be run to meet specific needs (using recipes that describe specific situations).
• Applied Network Security Monitoring: Collection, Detection, and Analysis – I haven’t read this book, but it is well reviewed, and covers NIDS at a much higher level than the other two books.

Feedback

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.