1. Installing Snort
2. Configuring Snort to Run as a NIDS
3. Writing and Testing a Single Rule With Snort
4. Installing Barnyard2
5. Installing PulledPork
6. Creating Upstart Scripts for Snort on Ubuntu 14
7. Creating systemD Scripts for Snort on Ubuntu 16
8. Installing BASE
9. Conclusion

Configure Snort to Run as a NIDS

This is the second in a set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS). In the previous article we installed the Snort binary and verified that it correctly executed. In this section, we will configure Snort to run as a NIDS by creating the files and folders that Snort expects when running as a NIDS, and we will learn about the Snort configuration file: snort.conf.

Basic Configuration

First off, for security reasons we want Snort to run as an unprivileged user. We create a snort user and group for this purpose:

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Next, we need to create a number of files and folders that Snort expects when running in NIDS mode.  We will then change the ownership of those files to our new snort user. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules, /usr/local/lib/snort_dynamicrules, and stores its logs in /var/log/snort:

# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map

# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

We now need to move the following files from the extracted Snort tarball to the snort configuration folder:

• classification.config describes the types of attack classifications that Snort understands (grouping rules into these types of classifications), such as trojan-activity or system-call-detect. The list of classifications can be found in section 3.4.6 of the Snort Manual
• file_magic.conf describes rules for identifying file types.
• reference.config contains urls that are referenced in the rules that provide more information about alerts.
• snort.conf is the configuration file for Snort, it tells Snort where resources are located, and how to output alerts, among other things.
• threshold.conf allows you to control the number of events that are required to generate an alert, which can help suppress noisy alerts. More information here.
• attribute table.dtd lets Snort use outside information to determine protocols and policies. More information here.
• gen-msg.map tells Snort which pre-processor is used by which rule. More information here.
• unicode.map provides a mapping between Unicode languages and the identifier. This file is required by Snort in order to start.

Run the commands below to move the files listed above to the /etc/snort folder:

cd ~/snort_src/snort-2.9.9.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort

cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

The Snort configuration folder and file structure should now look like the following:

	user@snortserver:~$ tree /etc/snort
	/etc/snort
	├── attribute_table.dtd
	├── classification.config
	├── file_magic.conf
	├── gen-msg.map
	├── preproc_rules
	├── reference.config
	├── rules
	│.. ├── local.rules
	│.. ├── iplists
	│    .. ├── black_list.rules
	│    .. ├── white_list.rules
	├── sid-msg.map
	├── snort.conf
	├── so_rules
	├── threshold.conf
	└── unicode.map

Editing the Snort Configuration File

The Snort configuration file is stored at /etc/snort/snort.conf, and contains all the settings that Snort will use when it is run in NIDS mode. This is a large file (well over 500 lines), and contains a number of options for the configuration of Snort. We are interested in only a few settings at this time.

First, we need to comment out the lines that causes Snort to import the default set of rule files. We do this because we will be using PulledPork to manage our rulesets, which saves all the rules into a single file. The easy way to comment out all these lines is to use sed to append the “#” (hash) character to those lines.  This is accomplished by running the following command:

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

The result of this command is that lines 547 to 651 in snort.conf will now be commented out, which will prevent Snort from loading those rule files on start-up. These rule files do not exist, and will cause Snort to generate an error if it tries to load a file that doesn’t exist. If you were to manually download the rule files from the snort website and extract them to the /etc/snort/rules folder, then you would want those rules to be un-commented out. We will use PulledPork (configured later) to manage all our rules and save them into a single file, which is why we need all those rule files to be commented out.

Next, we need to manually edit a few lines in the snort.conf file. Use vi (or your favorite editor) to edit /etc/snort/snort.conf:

sudo vi /etc/snort/snort.conf

First, we need to let Snort know the network range of your home network (the assets you are trying to protect) and all other external networks.  We do this by editing lines 45 and 48 of snort.conf to tell it the IP ranges of these two networks. In the example below, our home network is 10.0.0.0 with a 24 bit subnet mask (255.255.255.0), and our external networks are all other networks.

ipvar HOME_NET 10.0.0.0/24 	# (line 45) make this match your internal (friendly) network

Note: it is not recommended to set EXTERNAL_NET to !$HOME NET as recommended in some guides, since it can cause Snort to miss alerts.

Next we need to tell Snort about the locations of all the folders we created earlier.  These settings are also part of the snort.conf file.  I have included the line numbers after the hash so you can more easily find the setting (do not write the line number, just change the path to match what is below):

var RULE_PATH /etc/snort/rules						# line 104
var SO_RULE_PATH /etc/snort/so_rules				# line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules		# line 106

var WHITE_LIST_PATH /etc/snort/rules/iplists		# line 113
var BLACK_LIST_PATH /etc/snort/rules/iplists		# line 114

Finally, we want to enable one included rule file: /etc/snort/rules/local.rules.  We will use this file to store our own rules, including one rule that we will write in the next article in this series that will allow us to easily check that Snort is correctly generating alerts.  Un-comment the following line (line 545) by deleting the hash from the beginning of the line:

include $RULE_PATH/local.rules

Testing Snort with our Configuration File

Snort has the ability to validate the configuration file, and you should do this whenever you make modifications to snort.conf. Run the following command to have Snort test the configuration file:

sudo snort -T -c /etc/snort/snort.conf -i eth0

The -T tells snort to test, and -c tells snort the path to the configuration file, and you are required to specify an interface you want to listen to with -i (this is a new requirement as of 2.9.8.x version of snort). Make sure to use the correct interface. You should see some output, with the following lines at the end:

    ...
	Snort successfully validated the configuration!
	Snort exiting

Congratulations, if you have output similar to the above then you have successfully Configured Snort to run as a NIDS. Continue to the next section: Writing and Testing a Single Rule With Snort.