Snort 2.9.9.x on Ubuntu – Part 1: Installing Snort
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
This detailed set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS), along with additional software that extends the functionality of your Snort system. These articles are based on the Snort Installation guide I wrote, and which was posted in the documents section of the Snort website. If you are instead looking for a quick install guide for Snort on Ubuntu, please see my other standalone article: Snort 2.9.9.x on Ubuntu (quick install guide). If you want to test the new alpha version of Snort, please see my articles: Installing Snort++ (Version 3.0 Alpha 4) in Ubuntu.
These articles are designed to take you step-by-step through the installation, configuration, and testing of each component of a Snort system. I will explain the design decisions and the purpose of specific commands throughout this guide, which will will help you understand how Snort is installed, configured, tested, executed, and how it interfaces with its supporting software. You can follow the steps in this guide, but choose to skim the detailed explanations if you would like, and you will still end up with a working Snort system. However, if you take the effort to understand every step you will have a much deeper understanding of Snort, be better able to troubleshoot issues, and fully customize your Snort installation.
Supported Software Versions
This guide has been tested with Snort 126.96.36.199 on both the x86 and x64 architectures of Ubuntu 14, and 16. This guide will probably work on other Ubuntu-derived distributions, and I have been told that it works fairly well (with some modifications) for Debian systems including the Raspberry Pi. This guide will note VMware specific configuration options, if you want to run Snort as a virtual machine. At the time of this writing, the latest version of Snort is 188.8.131.52, and the instructions below are tailored for that version. If you want to use more recent versions of any of the software installed below (updated versions released after the publication of this guide), it should work without significant changes, but obviously you may encounter issues I can’t foresee.
On its own, Snort runs in standalone mode as a packet sniffer and logger. With a few additional applications and some configuration, a Snort system becomes much more useful as a NIDS. The supporting software components we will install in this set of articles are:
- Barnyard2 is a dedicated spooler for Snort’s unified2 binary output format. Packet processing is very resource intensive, so to reduce the load on the Snort process: we have Snort save suspicious packets to a directory in a native binary format without processing the packets. Barnyard2 then asynchronously processes those packets and saves them in a MySQL database.
- PulledPork is a Perl script that automatically downloads the latest Snort rulesets. Since the threat landscape is constantly evolving, new rulesets are required by Snort to identify the latest types of suspicious traffic (rulesets are similar to antivirus signatures).
- BASE provides a web front-end to query and analyze the alerts coming from a Snort system.
Alternatives to This Guide
If you just want a Snort system installed and running without having to compile and install all the individual components, there are some alternatives:
- Autosnort: a script that will install Snort and supporting software on your system.
- Install Snort from the Ubuntu repository: This version of Snort tends to be out of date, and doesn’t give you the flexibility provided by compiling your own version of Snort.
- Security Onion: A live CD based on Ubuntu with Snort already installed.
Recommendations for Running Snort in a Virtual Machine
So let’s get started. First, we need to ensure that the network card does not truncate over-sized packets. From The Snort Manual:
Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.
Edit /etc/network/interfaces as an admin:
sudo vi /etc/network/interfaces
Append the following two lines for each network interface you will have Snort listen on, making sure to change eth0 to match your interface name (See note below for Ubuntu 16):
post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Important note for people running Ubuntu 16: Begining with Ubuntu 15.10, network interfaces no longer follow the ethX standard (eth0, eth1, …). Instead, interfaces names are assigned as Predictable Network Interface Names. This means you need to check the names of your interfaces using ifconfig -a. In my case, what was originally eth0 is now ens160. If you are running Ubuntu 15.10, anywhere in this guide you see eth0, you will need to replace with your new interface name.
an example of how the /etc/network/interfaces file should look for a single interface:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we need to install all the prerequisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
Breakdown of the packages you are installing:
- build-essential: provides the build tools (GCC and the like) to compile software.
- bison, flex: parsers required by DAQ (DAQ is installed later below).
- libpcap-dev: Library for network traffic capture required by Snort.
- libpcre3-dev: Library of functions to support regular expressions required by Snort.
- libdumbnet-dev: the libdnet library provides a simplified, portable interface to several low-level networking routines. Many guides for installing Snort install this library from source, although that is not necessary.
- zlib1g-dev: A compression library required by Snort.
- liblzma-dev: Provides decompression of swf files (adobe flash)
- openssl and libssl-dev: Provides SHA and MD5 file signatures
In Ubuntu 16 the install is easy:
# Ubuntu 16 only: sudo apt-get install -y libnghttp2-dev
for Ubuntu 14, we need to compile from source:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Snort uses the Data Acquisition library (DAQ) to abstract calls to packet capture libraries. DAQ is downloaded and installed from the Snort website:
cd ~/snort_src wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source. When we configure the build of Snort, we use the --enable-sourcefire flag, which enables Packet Performance Monitoring (PPM), and matches the way the sourcefire team builds Snort.
cd ~/snort_src wget https://snort.org/downloads/snort/snort-184.108.40.206.tar.gz tar -xvzf snort-220.127.116.11.tar.gz cd snort-18.104.22.168 ./configure --enable-sourcefire make sudo make install
Run the following command to update shared libraries:
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is a good policy to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to show the version number:
and you should see output similar to the following:
user@snortserver:~$ snort -V Version 22.214.171.124 GRE (Build 56) By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.7.4 Using PCRE version: 8.38 2015-11-23 Using ZLIB version: 1.2.8
Congratulations, if you have output similar to the above then you have successful installed Snort. Continue to the next section to Configure Snort to Run as a NIDS.