Snort 2.9.8.x on Ubuntu – Part 1: Installing Snort

UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.

I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. Installing Snort
  2. Configure Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort
  7. Creating systemD Scripts for Snort
  8. Installing Snorby on Ubuntu 12
  9. Installing Snorby on Ubuntu 14
  10. Installing Snorby on Ubuntu 15
  11. Conclusion

Overview

This detailed set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS), along with additional software that extends the functionality of your Snort system.  These articles are based on the Snort Installation guide I wrote, and which was posted in the documents section of the Snort website. If you are instead looking for a quick install guide for Snort on Ubuntu, please see my other standalone article: Snort 2.9.8.x on Ubuntu (quick install guide). If you want to test the new alpha version of Snort, please see my articles: Installing Snort++ (Version 3.0 Alpha 2) in Ubuntu 12 and Ubuntu 14.

These articles are designed to take you step-by-step through the installation, configuration, and testing of each component of a Snort system.  I will explain the design decisions and the purpose of specific commands throughout this guide, which will will help you understand how Snort is installed, configured, tested, executed, and how it interfaces with its supporting software.   You can follow the steps in this guide, but choose to skim the detailed explanations if you would like, and you will still end up with a working Snort system. However, if you take the effort to understand every step you will have a much deeper understanding of Snort, be better able to troubleshoot issues, and fully customize your Snort installation.

Supported Software Versions

This guide has been tested with Snort 2.9.8.0 on both the x86 and x64 architectures of Ubuntu 12, 14, and 15. This guide will probably work on other Ubuntu-derived distributions, and I have been told that it works fairly well (with some modifications) for Debian systems. This guide will note VMware specific configuration options, if you want to run Snort as a virtual machine.  At the time of this writing, the latest version of Snort is 2.9.8.0, and the instructions below are tailored for that version.  If you want to use more recent versions of any of the software installed below (updated versions released after the publication of this guide), it should work without significant changes, but obviously you may encounter issues I can’t foresee.

On its own, Snort runs in standalone mode as a packet sniffer and logger.  With a few additional applications and some configuration, a Snort system becomes much more useful as a NIDS.  The supporting software components we will install in this set of articles are:

  • Barnyard2 is a dedicated spooler for Snort’s unified2 binary output format. Packet processing is very resource intensive, so to reduce the load on the Snort process: we have Snort save suspicious packets to a directory in a native binary format without processing the packets. Barnyard2 then asynchronously processes those packets and saves them in a MySQL database.
  • PulledPork is a Perl script that automatically downloads the latest Snort rulesets. Since the threat landscape is constantly evolving, new rulesets are required by Snort to identify the latest types of suspicious traffic (rulesets are similar to antivirus signatures).
  • Snorby provides a web front-end to query and analyze the alerts coming from a Snort system.

Alternatives to This Guide

If you just want a Snort system installed and running without having to compile and install all the individual components, there are some alternatives:

  • Autosnort: a script that will install Snort and supporting software on your system.
  • Install Snort from the Ubuntu repository: This version of Snort tends to be out of date, and doesn’t give you the flexibility provided by compiling your own version of Snort.
  • Security Onion: A live CD based on Ubuntu with Snort already installed.

Recommendations for Running Snort in a Virtual Machine

If you are running Snort as a VMware ESXi virtual machine, it is recommended that you use the vmxnet 3 network adapter.

Onwards

So let’s get started. First we need to install all the prerequisites from the Ubuntu repositories:

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

Breakdown of the packages you are installing:

  • build-essential: provides the build tools (GCC and the like) to compile software.
  • bison, flex: parsers required by DAQ (DAQ is installed later below).
  • libpcap-dev: Library for network traffic capture required by Snort.
  • libpcre3-dev: Library of functions to support regular expressions required by Snort.
  • libdumbnet-dev: the libdnet library provides a simplified, portable interface to several low-level networking routines. Many guides for installing Snort install this library from source, although that is not necessary.
  • zlib1g-dev: A compression library required by Snort.
  • liblzma-dev: Provides decompression of swf files (adobe flash)
  • openssl and libssl-dev: Provides SHA and MD5 file signatures

Next, we need to ensure that the network card does not truncate over-sized packets.  From The Snort Manual:

Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.

Install ethtool if you are on Ubuntu 12:

sudo apt-get install -y ethtool

now edit /etc/network/interfaces as an admin:

sudo vi /etc/network/interfaces

Append the following two lines for each network interface you will have Snort listen on (See note below for Ubuntu 15):

post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off

Important note for people running Ubuntu 15.10: In Ubuntu 15.10, for new installations (not upgrades), network interfaces no longer follow the ethX standard (eth0, eth1, …). Instead, interfaces names are assigned as Predictable Network Interface Names. This means you need to check the names of your interfaces using ifconfig -a. In my case, what was originally eth0 is now ens160. If you are running Ubuntu 15.10, anywhere in this guide you see eth0, you will need to replace with your new interface name.

an example of how the /etc/network/interfaces file should look for a single interface:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

Snort uses the Data Acquisition library (DAQ) to abstract calls to packet capture libraries. DAQ is downloaded and installed from the Snort website:

cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

Now we are ready to install Snort from source. When we configure the build of Snort, we use the –enable-sourcefire flag, which enables Packet Performance Monitoring (PPM), and matches the way the sourcefire team builds Snort.

cd ~/snort_src
wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar -xvzf snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire
make
sudo make install

Run the following command to update shared libraries:

sudo ldconfig

Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is a good policy to create a symlink to /usr/sbin/snort:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to show the version number:

/usr/sbin/snort -V

and you should see output similar to the following:

user@snortserver:~$ /usr/sbin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

user@snortserver:~$

Congratulations, if you have output similar to the above then you have successful installed Snort. Continue to the next section to Configure Snort to Run as a NIDS.

Comments are Disabled