In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update. In this article, we will finalize the configuration of our Snort service by creating systemD scripts for the Snort and Barnyard2 daemons. If you are running Ubuntu 14, you should go see my Upstart article instead of this article.
Ubuntu 16 has moved to systemD for services / daemons. For more information about creating and managing systemD servcies, please see this excellent article.
To create the Snort systemD service, use an editor to create a service file:
sudo vi /lib/systemd/system/snort.service
with the following content (change ens160 if different on your system):
[Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160 [Install] WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable snort
And start the Snort service:
sudo systemctl start snort
Verify the service is running
systemctl status snort
Next, create the Barnyard2 systemd service. We will add two flags here: -D to run as a daemon, and -a /var/log/snort/archived logs, this will move logs that Barnyard2 has processed to the /var/log/snort/archived/ folder. Use an editor to create a service file:
sudo vi /lib/systemd/system/barnyard2.service
With the following content:
[Unit] Description=Barnyard2 Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs [Install] WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable barnyard2
And start the barnyard2 service:
sudo systemctl start barnyard2
Verify the service is running
systemctl status barnyard2
Reboot the computer and check that both services are started
user@snortserver:~$ service snort status snort start/running, process 1116 user@snortserver:~$ service barnyard2 status barnyard2 start/running, process 1109 user@snortserver:~$
If both services are running, you are ready to move to the next section, where you will install BASE, a web-based GUI to view and profile alert data: Installing BASE
In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update. In this article, we will finalize the configuration of our Snort service by creating Upstart scripts for the Snort and Barnyard2 daemons. If you are running Ubuntu 16, you should go see my systemD article instead of this article.
First create the Snort Upstart script:
sudo vi /etc/init/snort.conf
We will insert the below content into this Upstart script. Note that we are using the same flags that we used in earlier articles, so if Snort ran correctly for you earlier, then you shouldn’t need to change any of these flags:
description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
end script
Now make the script executable, and tell Upstart that the script exists:
sudo chmod +x /etc/init/snort.conf initctl list | grep snort snort stop/waiting
do the same for our Barnyard2 script:
sudo vi /etc/init/barnyard2.conf
with the following content:
description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs
end script
Note that we have added a new flag here that we didn’t use before: -a /var/log/snort/archived_logs, this will move logs that Barnyard2 has processed to the /var/log/snort/archived_logs/ folder.
Now make the script executable, and tell Upstart that the script exists:
sudo chmod +x /etc/init/barnyard2.conf initctl list | grep barnyard barnyard2 stop/waiting
Reboot the computer and check that both services are started:
user@snortserver:~$ service snort status snort start/running, process 1116 user@snortserver:~$ service barnyard2 status barnyard2 start/running, process 1109 user@snortserver:~$
If both services are running, you are ready to move to the next section, where you will install BASE, a web-based GUI to view and profile alert data: Installing BASE
In the previous two sections of this article, we installed Snort and configured it to work as a NIDS with Barnyard2 processing packets that generated alerts based on a rule. In this article, we are going to install a Perl script called PulledPork, which will automatically download the latest rulesets from the Snort website.
To download the main free ruleset from Snort, you need an oinkcode. Register on the Snort website and save your oinkcode before continuing, as the oinkcode is required for the most popular free ruleset.
Install the PulledPork pre-requisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
Download the latest PulledPork and install. Here we copy the actual perl file to /usr/local/bin and the needed configuration files to /etc/snort:
cd ~/snort_src wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz tar xzvf pulledpork-master.tar.gz cd pulledpork-master/ sudo cp pulledpork.pl /usr/local/bin sudo chmod +x /usr/local/bin/pulledpork.pl sudo cp etc/*.conf /etc/snort
Test that PulledPork runs by running the following command, looking for the output below:
user@snortserver:~$ /usr/local/bin/pulledpork.pl -V PulledPork v0.7.3 - Making signature updates great again! user@snortserver:~$
Now that we are sure that PulledPork works, we need to configure it:
sudo vi /etc/snort/pulledpork.conf
Make the following changes to the pulledpork.conf file. Anywhere you see ‹oinkcode› enter your oinkcode from the Snort website. I have included line numbers to help you identify the location of these lines in the configuration file.
Line 19: enter your oinkcode where appropriate (or comment out if no oinkcode) Line 29: Un-comment for Emerging threats ruleset (not tested with this guide) Line 74: change to: rule_path=/etc/snort/rules/snort.rules Line 89: change to: local_rules=/etc/snort/rules/local.rules Line 92: change to: sid_msg=/etc/snort/sid-msg.map Line 96: change to: sid_msg_version=2 Line 119: change to: config_path=/etc/snort/snort.conf Line 133: change to: distro=Ubuntu-12-04 Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules Line 150: change to: IPRVersion=/etc/snort/rules/iplists
We want to run PulledPork once manually to make sure it works. We use the following flags:
-c /etc/snort/pulledpork.conf the location of the snort.conf file -l Write detailed logs to /var/log
Run the following command:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
After this command runs (it takes some time), you should now see snort.rules in /etc/snort/rules, and .so rules in /usr/local/lib/snort_dynamicrules. Pulled Pork combines all the rulesets that it downloads into these two files. You need to make sure to add the line: include $RULE_PATH/snort.rules to the snort.conf file, or the pulled pork rules will never be read into memory when Snort starts:
sudo vi /etc/snort/snort.conf
Add the following line to enable snort to use the rules that PulledPork downloaded (line 547), after the line for local.rules:
include $RULE_PATH/snort.rules
Since we have modified snort.conf, we should test that Snort loads correctly in NIDS mode with the PulledPork rules included:
sudo snort -T -c /etc/snort/snort.conf -i eth0
Once that is successful, we want to test that Snort and Barnyard2 load correctly when run manually as daemons:
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
As before, ping the IP address of the Snort eth0 interface, and then check the database for more events (remember to use the MYSQLSNORTPASSWORD):
mysql -u snort -p -D snort -e "select count(*) from event"
The number of events reported should be greater than what you saw the last time you ran this command. Now that we are sure that PulledPork runs correctly, we want to add PulledPork to root’s crontab to run daily:
sudo crontab -e
Choose any editor if prompted
The Snort team has asked you to randomize when PulledPork connects to their server to help with load balancing. In the example below, we have PulledPork checking at 04:01 every day. Change the minutes value (the 01 below) to a value between 0 and 59, and the hours value (the 04 below) to a value between 00 and 23. For more info on crontab layout, check here:
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
Stop the running daemons from earlier testing:
user@snortserver:~$ ps aux | grep snort snort 1296 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D user 1314 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto snort user@snortserver:~$ sudo kill 1296 user@snortserver:~$ ps aux | grep barnyard2 snort 1298 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D user 1316 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto barnyard2 user@snortserver:~$ sudo kill 1298
Note: Snort needs to be reloaded to see the new rules. This can be done with kill -SIGHUP snort-pid, or you can restart the snort service (once that’s created in a later part of this guide).
Additional note about shared object rules: In addition to regular rules, The above section will download Shared object rules. Shared object rules are also known as ”Shared Object rules”, ”SO rules”, ”pre-compiled rules”, or ”Shared Objects”. These are detection rules that are written in the Shared Object rule language, which is similar to C.
These rules are pre-compiled by the provider of the rules, and allow for more complicated rules, and allow for obfuscation of rules (say to detect attacks that haven’t been patched yet, but the vendor wants to allow detection without revealing the vulnerability). These rules are compiled by the vendor for specific systems. One of these systems is Ubuntu 12, and luckily these rules also work on Ubuntu 14 and 15.
Congratulations, if you have output similar to the above then you have successfully Configured PulledPork. Continue to the next section to install startup scripts for Snort and Barnyard2. Choose one of the two following links, depending on your version of Ubuntu. You will create an Upstart scripts for Ubuntu 12 and 14, and a systemD scripts for Ubuntu 15.
Choose One of the following to continue:
Ubuntu 14: Creating Upstart Scripts for Snort and Barnyard2
Ubuntu 16: Creating systemD Scripts for Snort
In the previous two articles in this series, we installed Snort an configured it to run as a NIDS. In this article, we are going to create a rule which causes Snort to generate an alert whenever it sees an ICMP message. If you want, you can skip this section, as it is not required to get a Snort NIDS up and running, but it will help you to gain a much better understanding of how Snort rules are created and loaded.
In the previous article, we created the /etc/snort/rules/local.rules file and left it empty. We also edited the snort.conf file to tell Snort to load this local.rules file (when we un-commented the line: include $RULE_PATH/local.rules in snort.conf). When Snort starts, it will use the include directive in snort.conf to load all rules in local.rules. The local.rules file is a place where we can place rules that are specific to our environment, and is great for testing.
First, we need to edit the local.rules file:
sudo vi /etc/snort/rules/local.rules
input the following text and save the file:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
What this rule says is that for any ICMP packets it sees from any network to our HOME_NET, generate an alert with the text ICMP test. The other information here (GID, REV, classtype) are used group the rule, and will be helpful when you install BASE.
Barnyard2 doesn’t read meta-information about alerts from the local.rules file. Without this information, Barnyard2 won’t know any details about the rule that triggered the alert, and will generate non-fatal errors when adding new rules with PulledPork (done in a later step). To make sure that barnyard2 knows that the rule we created with unique identifier 10000001 has the message ”ICMP Test Detected”, as well as some other information (please see this blog post for more information). We add the following two lines to the /etc/snort/sid-msg.map file:
#v2 1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
(the #v2 tells barnyard2 that the next line is the version 2 format, rather than v1)
Since we have made changes to the file that snort loads (local.rules), it is a good idea to test the configuration file again:
sudo snort -T -c /etc/snort/snort.conf -i eth0
If successful, you should be able to scroll up through the output and see that Snort has loaded our rule:
+++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 1 Snort rules read 1 detection rules 0 decoder rules 0 preprocessor rules 1 Option Chains linked into 1 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 0 0 0 0 | dst 0 0 0 0 | any 0 0 1 0 | nc 0 0 1 0 | s+d 0 0 0 0 +----------------------------------------------------------------------------
Now to test the rule. We need to verify that Snort generates an alert when it processes an ICMP packet. We will launch Snort with the following options:
-A console the console option prints fast mode alerts to stdout -q Quiet. Don't show banner and status report. -u snort run snort as the following user after startup -g snort run snort as the following group after startup -c /etc/snort/snort.conf the path to our snort.conf file -i eth0 the interface to listen on
Run Snort with the command below, modifying the parameters as required specific for your configuration:
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Note: If you are running Ubuntu 16, remember that your interface name is not eth0.
Once you have started Snort with the above command, you need use another computer or another terminal window to ping the interface that you directed Snort to listen on. You should see output similar to the below on the terminal of the Snort machine:
10/31-02:27:19.663643 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:19.663675 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:20.658378 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:20.658404 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:21.766521 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:21.766551 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:22.766167 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:22.766197 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
^C*** Caught Int-Signal
You have to use ctrl-c to stop snort from running after the above output. What the above example shows is the 4 ICMP Echo Request and Reply messages between our Snort server (IP 10.0.0.64) and our other machine (10.0.0.74). If you look in /var/log/snort, you will also see a file with the name snort.log.nnnnnnnnnn (the n’s are replaced by numbers), which contains the same information that Snort printed to the screen.
Congratulations, if you have output similar to the above then you have successfully created a rule for Snort to alert on. Continue to the next section to Install Barnyard2.
This is the second in a set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS). In the previous article we installed the Snort binary and verified that it correctly executed. In this section, we will configure Snort to run as a NIDS by creating the files and folders that Snort expects when running as a NIDS, and we will learn about the Snort configuration file: snort.conf.
First off, for security reasons we want Snort to run as an unprivileged user. We create a snort user and group for this purpose:
sudo groupadd snort sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Next, we need to create a number of files and folders that Snort expects when running in NIDS mode. We will then change the ownership of those files to our new snort user. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules, /usr/local/lib/snort_dynamicrules, and stores its logs in /var/log/snort:
# Create the Snort directories: sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /etc/snort/rules/iplists sudo mkdir /etc/snort/preproc_rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /etc/snort/so_rules # Create some files that stores rules and ip lists sudo touch /etc/snort/rules/iplists/black_list.rules sudo touch /etc/snort/rules/iplists/white_list.rules sudo touch /etc/snort/rules/local.rules sudo touch /etc/snort/sid-msg.map # Create our logging directories: sudo mkdir /var/log/snort sudo mkdir /var/log/snort/archived_logs # Adjust permissions: sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort/so_rules sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules # Change Ownership on folders: sudo chown -R snort:snort /etc/snort sudo chown -R snort:snort /var/log/snort sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
We now need to move the following files from the extracted Snort tarball to the snort configuration folder:
Run the commands below to move the files listed above to the /etc/snort folder:
cd ~/snort_src/snort-2.9.9.0/etc/ sudo cp *.conf* /etc/snort sudo cp *.map /etc/snort sudo cp *.dtd /etc/snort cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
The Snort configuration folder and file structure should now look like the following:
user@snortserver:~$ tree /etc/snort /etc/snort ├── attribute_table.dtd ├── classification.config ├── file_magic.conf ├── gen-msg.map ├── preproc_rules ├── reference.config ├── rules │.. ├── local.rules │.. ├── iplists │ .. ├── black_list.rules │ .. ├── white_list.rules ├── sid-msg.map ├── snort.conf ├── so_rules ├── threshold.conf └── unicode.map
The Snort configuration file is stored at /etc/snort/snort.conf, and contains all the settings that Snort will use when it is run in NIDS mode. This is a large file (well over 500 lines), and contains a number of options for the configuration of Snort. We are interested in only a few settings at this time.
First, we need to comment out the lines that causes Snort to import the default set of rule files. We do this because we will be using PulledPork to manage our rulesets, which saves all the rules into a single file. The easy way to comment out all these lines is to use sed to append the “#” (hash) character to those lines. This is accomplished by running the following command:
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
The result of this command is that lines 547 to 651 in snort.conf will now be commented out, which will prevent Snort from loading those rule files on start-up. These rule files do not exist, and will cause Snort to generate an error if it tries to load a file that doesn’t exist. If you were to manually download the rule files from the snort website and extract them to the /etc/snort/rules folder, then you would want those rules to be un-commented out. We will use PulledPork (configured later) to manage all our rules and save them into a single file, which is why we need all those rule files to be commented out.
Next, we need to manually edit a few lines in the snort.conf file. Use vi (or your favorite editor) to edit /etc/snort/snort.conf:
sudo vi /etc/snort/snort.conf
First, we need to let Snort know the network range of your home network (the assets you are trying to protect) and all other external networks. We do this by editing lines 45 and 48 of snort.conf to tell it the IP ranges of these two networks. In the example below, our home network is 10.0.0.0 with a 24 bit subnet mask (255.255.255.0), and our external networks are all other networks.
ipvar HOME_NET 10.0.0.0/24 # (line 45) make this match your internal (friendly) network
Note: it is not recommended to set EXTERNAL_NET to !$HOME NET as recommended in some guides, since it can cause Snort to miss alerts.
Next we need to tell Snort about the locations of all the folders we created earlier. These settings are also part of the snort.conf file. I have included the line numbers after the hash so you can more easily find the setting (do not write the line number, just change the path to match what is below):
var RULE_PATH /etc/snort/rules # line 104 var SO_RULE_PATH /etc/snort/so_rules # line 105 var PREPROC_RULE_PATH /etc/snort/preproc_rules # line 106 var WHITE_LIST_PATH /etc/snort/rules/iplists # line 113 var BLACK_LIST_PATH /etc/snort/rules/iplists # line 114
Finally, we want to enable one included rule file: /etc/snort/rules/local.rules. We will use this file to store our own rules, including one rule that we will write in the next article in this series that will allow us to easily check that Snort is correctly generating alerts. Un-comment the following line (line 545) by deleting the hash from the beginning of the line:
include $RULE_PATH/local.rules
Snort has the ability to validate the configuration file, and you should do this whenever you make modifications to snort.conf. Run the following command to have Snort test the configuration file:
sudo snort -T -c /etc/snort/snort.conf -i eth0
The -T tells snort to test, and -c tells snort the path to the configuration file, and you are required to specify an interface you want to listen to with -i (this is a new requirement as of 2.9.8.x version of snort). Make sure to use the correct interface. You should see some output, with the following lines at the end:
...
Snort successfully validated the configuration!
Snort exiting
Congratulations, if you have output similar to the above then you have successfully Configured Snort to run as a NIDS. Continue to the next section: Writing and Testing a Single Rule With Snort.
This detailed set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS), along with additional software that extends the functionality of your Snort system. These articles are based on the Snort Installation guide I wrote, and which was posted in the documents section of the Snort website. If you are instead looking for a quick install guide for Snort on Ubuntu, please see my other standalone article: Snort 2.9.9.x on Ubuntu (quick install guide). If you want to test the new alpha version of Snort, please see my articles: Installing Snort++ (Version 3.0 Alpha 4) in Ubuntu.
These articles are designed to take you step-by-step through the installation, configuration, and testing of each component of a Snort system. I will explain the design decisions and the purpose of specific commands throughout this guide, which will will help you understand how Snort is installed, configured, tested, executed, and how it interfaces with its supporting software. You can follow the steps in this guide, but choose to skim the detailed explanations if you would like, and you will still end up with a working Snort system. However, if you take the effort to understand every step you will have a much deeper understanding of Snort, be better able to troubleshoot issues, and fully customize your Snort installation.
This guide has been tested with Snort 2.9.9.0 on both the x86 and x64 architectures of Ubuntu 14, and 16. This guide will probably work on other Ubuntu-derived distributions, and I have been told that it works fairly well (with some modifications) for Debian systems including the Raspberry Pi. This guide will note VMware specific configuration options, if you want to run Snort as a virtual machine. At the time of this writing, the latest version of Snort is 2.9.9.0, and the instructions below are tailored for that version. If you want to use more recent versions of any of the software installed below (updated versions released after the publication of this guide), it should work without significant changes, but obviously you may encounter issues I can’t foresee.
On its own, Snort runs in standalone mode as a packet sniffer and logger. With a few additional applications and some configuration, a Snort system becomes much more useful as a NIDS. The supporting software components we will install in this set of articles are:
If you just want a Snort system installed and running without having to compile and install all the individual components, there are some alternatives:
If you are running Snort as a VMware ESXi virtual machine, it is recommended that you use the vmxnet 3 network adapter.
So let’s get started. First, we need to ensure that the network card does not truncate over-sized packets. From The Snort Manual:
Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.
Edit /etc/network/interfaces as an admin:
sudo vi /etc/network/interfaces
Append the following two lines for each network interface you will have Snort listen on, making sure to change eth0 to match your interface name (See note below for Ubuntu 16):
post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Important note for people running Ubuntu 16: Begining with Ubuntu 15.10, network interfaces no longer follow the ethX standard (eth0, eth1, …). Instead, interfaces names are assigned as Predictable Network Interface Names. This means you need to check the names of your interfaces using ifconfig -a. In my case, what was originally eth0 is now ens160. If you are running Ubuntu 15.10, anywhere in this guide you see eth0, you will need to replace with your new interface name.
an example of how the /etc/network/interfaces file should look for a single interface:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we need to install all the prerequisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
Breakdown of the packages you are installing:
The final library that Snort requires is the development library for Nghttp2: a HTTP/2 C Library which implements the HPAC header compression algorithm.
In Ubuntu 16 the install is easy:
# Ubuntu 16 only: sudo apt-get install -y libnghttp2-dev
for Ubuntu 14, we need to compile from source:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Snort uses the Data Acquisition library (DAQ) to abstract calls to packet capture libraries. DAQ is downloaded and installed from the Snort website:
cd ~/snort_src wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source. When we configure the build of Snort, we use the --enable-sourcefire flag, which enables Packet Performance Monitoring (PPM), and matches the way the sourcefire team builds Snort.
cd ~/snort_src wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz tar -xvzf snort-2.9.9.0.tar.gz cd snort-2.9.9.0 ./configure --enable-sourcefire make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is a good policy to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to show the version number:
/usr/sbin/snort -V
and you should see output similar to the following:
user@snortserver:~$ snort -V
Version 2.9.9.0 GRE (Build 56)
By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8
Congratulations, if you have output similar to the above then you have successful installed Snort. Continue to the next section to Configure Snort to Run as a NIDS.
The instructions below show how to install OpenAppId in Snort 2.9.9.x on Ubuntu 14 and Ubuntu 16.
If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality, see my in-depth series for installing Snort on Ubuntu, or my Quick Install Guide for Snort 2.9.9.x on Ubuntu. If you want to test the new alpha version of Snort (Version 3.0 Alpha 4), please see my article: Installing Snort 3 Alpha in Ubuntu.
So let’s get started. First we need tocreate a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev
Snort 2.9.9.x needs the development libraries for Nghttp2. On Ubuntu 16 this is simple:
# Ubuntu 16 only (not Ubuntu 14) sudo apt-get install -y libnghttp2-dev
On Ubuntu 14, we do this from scratch:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Next we want to install the pre-requisites that are specific to OpenAppID:
sudo apt-get install -y libluajit-5.1-dev pkg-config openssl libssl-dev
Download and install Data Acquisition library (DAQ) from the Snort website:
cd ~/snort_src wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source. We use the ‑‑enable-open-appid option, which prepares Snort to be built with OpenAppID support. We also use the ‑‑enable-sourcefire option, which enables the Sourcefire-specific build options:
Now we are ready to install Snort from source:
cd ~/snort_src wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz tar -xvzf snort-2.9.9.0.tar.gz cd snort-2.9.9.0 ./configure --enable-sourcefire --enable-open-appid make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
We need to a few configuration things to prepare Snort for use. More detailed information on the steps below can be found here .
Create the needed directories and empty files:
# Create the Snort directories: sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /etc/snort/rules/iplists sudo mkdir /etc/snort/preproc_rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /etc/snort/so_rules # Create some files that stores rules and ip lists sudo touch /etc/snort/rules/iplists/black_list.rules sudo touch /etc/snort/rules/iplists/white_list.rules sudo touch /etc/snort/rules/local.rules sudo touch /etc/snort/sid-msg.map # Create our logging directories: sudo mkdir /var/log/snort sudo mkdir /var/log/snort/archived_logs # Adjust permissions: sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort/so_rules sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
Finally copy some files:
cd ~/snort_src/snort-2.9.9.0/etc/ sudo cp *.conf* /etc/snort sudo cp *.map /etc/snort sudo cp *.dtd /etc/snort cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
Comment out the rule files that are automatically loaded by Snort in snort.conf (since we don’t have any rule files downloaded at this time) by running the following command:
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
Next we need to edit the /etc/snort/snort.conf Snort configuration file as root.
sudo vi /etc/snort/snort.conf
Line 45 of /etc/snort/snort.conf: the variable HOME_NET should match your internal (defended) network. In the below example our HOME NET is 10.0.0.0 with a 24-bit subnet mask (255.255.255.0):
ipvar HOME_NET 10.0.0.0/24
Still editing snort.conf, next we need to modify some file paths to match the lines below, beginning at line 104:
var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules var WHITE_LIST_PATH /etc/snort/rules/iplists var BLACK_LIST_PATH /etc/snort/rules/iplists
Still editing snort.conf, next we need to enable the local.rules file by un-commenting (remove the hash symbol from the beginning) line 546 so it looks like the following:
include $RULE_PATH/local.rules
Once you have saved your edits to snort.conf, you should test that snort can load this configuration file without any errors. You do this by running snort with the -T flag to tell snort to test the file, the -c flag to identify the path of the snort.conf file, and the -i flag for a network interface that Snort will listen on (Note that Ubuntu 16 can have different interface names, which you can check with the ifconfig command). This is shown below. Output has been truncated to the final few lines to show success:
user@snortserver:~$ sudo snort -T -i eth0 -c /etc/snort/snort.conf (...) Snort successfully validated the configuration! Snort exiting user@snortserver:~$
Now we need to download the Application Detector Package, which contains the rules for detecting types of traffic. You can find this file on the Snort.org download page, listed as snort-openappid.tar.gz. You should download the latest version of this package, the version below is the latest as of writing, but will probably have changed, as the Snort team is updating regularly:
cd ~/snort_src wget https://snort.org/downloads/openappid/4602 -O snort-openappid.tar.gz tar -xvzf snort-openappid.tar.gz
The result of the above command will create a odp directory which holds all the application detector files. We want to move that folder under our Snort rules folder:
sudo cp -r ~/snort_src/odp/ /etc/snort/rules/
and create one folder for third-party developed application detectors:
sudo mkdir /usr/local/lib/thirdparty
We need to enable the OpenAppID pre-processor, then we need to have Snort output the AppID data. The 2.9.9.0 release of snort doesn’t seem to create the default snort.conf correctly (which would include the necessary OpenAppID settings), so rather than enabling them by uncommeting them, we will need to add these lines manually. To enable the pre-processor, edit the snort.conf file (located at /etc/snort/snort.conf) as root, and add the following lines before the commented-out section 6 (line 513 for me):
preprocessor appid: app_stats_filename appstats-u2.log, \ app_stats_period 60, \ app_detector_dir /etc/snort/rules
This tells Snort the file name of the log to output statistics to (appstats-u2-log), how often to write to the log (every 60 seconds), and where to find the odf folder we downloaded earlier.
While still in the /etc/snort/snort.conf file, add the following lower down (below the commented-out section 6, around line 526 ):
output unified2: filename snort.u2, limit 128, appid_event_types
this directive tells Snort to output alerts in the unified2 binary format to the snort.log, the size of the log, and also to output AppID data to the same location.
Now test the Snort configuration file to verify there are no errors:
sudo /usr/local/bin/snort -T -c /etc/snort/snort.conf -i eth0
as above, you should see the text: Snort successfully validated the configuration! If not, fix the errors that are reported.
Use the below command to start collecting packets (change the interface as needed), and use ctrl-c to stop the collection:
sudo /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 ctrl-c
To generate OpenAppID data while Snort is running as above, try browsing to a website, making sure the data is visible to the interface that snort is listening on, either by passing that data directly through the Snort interface, or by ensuring that your network infrastructure copies network traffic to the Snort server (span port, port mirroring, or promiscuous mode, for example).
Once you have collected data (remember that we are writing data out every 60 seconds, so wait longer than a minute before cancelling the collection), you should see file(s) in /var/log/snort/ with the name: appstats-u2.log.nnnnnnnnnn (where the n’s are numbers). these are the OpenAppID data files. We can process them with u2openappid, which is located in /usr/local/bin.
A simple example of this processing:
noah@snort:~$ sudo u2openappid /var/log/snort/appstats-u2.log.1483841898 statTime="1449426240",appName="HTTP",txBytes="0",rxBytes="8152" statTime="1449426300",appName="HTTP",txBytes="0",rxBytes="9542" statTime="1449426240",appName="DNS",txBytes="301",rxBytes="0" statTime="1449426240",appName="__unknown",txBytes="12376",rxBytes="1118" statTime="1449426300",appName="DNS",txBytes="761",rxBytes="0"
In the above example, I used curl over the same interface snort was listening on to request www.xkcd.com. The various application detectors show the amount of traffic for each detector, DNS, HTTP, and the like.
An more complex example of this processing (from an older version of OpenAppID, but still valid):
noah@snort:~$ sudo /usr/local/bin/u2openappid /var/log/snort/appstats-u2.log.1428300780 statTime="1428300720",appName="curl",txBytes="740",rxBytes="6894" statTime="1428300720",appName="http",txBytes="1306",rxBytes="7384" statTime="1428300720",appName="ubuntu",txBytes="566",rxBytes="490" statTime="1428300720",appName="python_urllib",txBytes="566",rxBytes="490" statTime="1428300780",appName="https",txBytes="777",rxBytes="1444" statTime="1428300780",appName="https",txBytes="1040",rxBytes="2116" statTime="1428300840",appName="google",txBytes="3001",rxBytes="4684" statTime="1428300840",appName="facebook",txBytes="66705",rxBytes="1841294" statTime="1428300840",appName="firefox",txBytes="9080",rxBytes="29282" statTime="1428300840",appName="google_analytic",txBytes="2441",rxBytes="17912" statTime="1428300840",appName="http",txBytes="10591",rxBytes="49907" statTime="1428300840",appName="https",txBytes="68049",rxBytes="1846327" statTime="1428300840",appName="ssl_client",txBytes="66013",rxBytes="1840694" statTime="1428300840",appName="linux_mint",txBytes="955",rxBytes="2912" statTime="1428300840",appName="python_urllib",txBytes="1511",rxBytes="20625" statTime="1428300720",appName="dns",txBytes="380",rxBytes="538" statTime="1428300720",appName="ssh",txBytes="10487",rxBytes="24943" statTime="1428300720",appName="rtp",txBytes="592",rxBytes="0" statTime="1428300780",appName="dhcp",txBytes="1368",rxBytes="0" statTime="1428300780",appName="dns",txBytes="482",rxBytes="936" statTime="1428300780",appName="vnc",txBytes="219685",rxBytes="5131591" statTime="1428300780",appName="https",txBytes="210284",rxBytes="1373974" statTime="1428300780",appName="mdns",txBytes="8316",rxBytes="0" statTime="1428300840",appName="dns",txBytes="1754",rxBytes="5372" statTime="1428300840",appName="facebook",txBytes="3109",rxBytes="11074" statTime="1428300840",appName="https",txBytes="3109",rxBytes="11074" statTime="1428300840",appName="ssl_client",txBytes="3109",rxBytes="11074"
If you have output similar to the above, then Snort is installed and works. To generate the above output, I browsed to xkcd.com with curl on one computer, and to facebook with firefox on another computer. Looking through the output, the applications listed with the same statTime are from the same request. When I used curl to request xkcd.com, snort detected the various types of traffic defined by the various detectors.
If you want to learn more about how to run Snort, and how to install additional software to enhance a Snort system, see my in-depth series on installing Snort on Ubuntu. If you have any feedback (recommendations or corrections), please let me know here.
The instructions below show how to install Snort 2.9.9.x on both the x86 and x64 architectures for Ubuntu 14 and 16. If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality, see my in-depth series for installing Snort on Ubuntu.
If you want to test the new alpha version of Snort (Version 3.0 Alpha 4), please see my article: Installing Snort 3 Alpha in Ubuntu
If you want to work with OpenAppID, please see my guide for OpenAppID for Snort 2.9.9.x on Ubuntu.
So let’s get started. First we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we need to install all the pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
We need the development libraries for Nghttp2. On Ubuntu 16 this is simple:
# Ubuntu 16 only (not Ubuntu 14) sudo apt-get install -y libnghttp2-dev
On Ubuntu 14, we do this from scratch:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Disable LRO and GRO for all interfaces Snort will listen on under /etc/network/interfaces. using ethtool. An explanation of LRO and GRO are in the The Snort Manual. Use an editor to edit the network interfaces file:
sudo vi /etc/network/interfaces
and for every interface that Snort will listen on (one interface for simple setups, multiple interfaces for more complex setups), add the following two lines, changing eth0 to match the interface:
post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
for example, my /etc/network/interfaces file looks like this:
source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Reboot the system and verify that LRO and GRO are off:
user@snortserver:~$ ethtool -k eth0 | grep receive-offload generic-receive-offload: off large-receive-offload: off
Download and install Data Acquisition library (DAQ) from the Snort website:
cd ~/snort_src wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source:
cd ~/snort_src wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz tar -xvzf snort-2.9.9.0.tar.gz cd snort-2.9.9.0 ./configure --enable-sourcefire make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snortserver:~$ snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.9.0 GRE (Build 56)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8
user@snortserver:~$
If you have output similar to the above, then Snort is installed and works. If you want to learn more about how to run Snort, and how to install additional software to enhance a Snort system, see my in-depth series for installing Snort on Ubuntu.
If you have any questions or recommendations, please contact me. I can’t always answer questions right away, but I will do my best to get back to you. I welcome all recommendations and corrections.
NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 239) in Ubuntu.
The instructions below show how to install Snort 3 alpha 4 build 223 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).
Snort 3 Alpha 4 Build 233 was released on December 22, 2016, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.
If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.
So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake
Install the optional (recommended) software:
sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest cmake
Install tools required for compiling the source from github:
sudo apt-get install -y libtool git autoconf
Install the DAQ pre-requisites:
sudo apt-get install -y bison flex
If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):
sudo apt-get install -y asciidoc dblatex source-highlight
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):
cd ~/snort_src wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz tar -xzvf libsafec-10052013.tar.gz cd libsafec-10052013 ./configure make sudo make install
One of the Snort recommended prerequisites is Hyperscan 4.2.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.
Install Ragel 6.9 from source:
cd ~/snort_src wget http://www.colm.net/files/ragel/ragel-6.9.tar.gz tar -xzvf ragel-6.9.tar.gz cd ragel-6.9 ./configure make sudo make install
Download the Boost 1.63 libraries, but do not install:
cd ~/snort_src wget http://downloads.sourceforge.net/project/boost/boost/1.63.0/boost_1_63_0.tar.gz tar -xvzf boost_1_63_0.tar.gz
Install Hyperscan 4.2.0 from source, referencing the location of the Boost source directory:
cd ~/snort_src wget https://github.com/01org/hyperscan/archive/v4.2.0.tar.gz tar -xvzf v4.2.0.tar.gz mkdir ~/snort_src/hyperscan-4.2.0-build cd hyperscan-4.2.0-build/ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_63_0/ ../hyperscan-4.2.0 make sudo make install
If you want to test that Hyperscan works, from the build directory, run:
cd ~/snort_src/hyperscan-4.2.0-build/ ./bin/unit-hyperscan
The unit tests will run (this takes a few minutes).
Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):
cd ~/snort_src wget https://www.snort.org/downloads/snortplus/daq-2.2.1.tar.gz tar -xvzf daq-2.2.1.tar.gz cd daq-2.2.1 ./configure make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 223). If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:
cd ~/snort_src wget https://github.com/snortadmin/snort3/archive/master.tar.gz tar -xvzf master.tar.gz cd snort3-master/ autoreconf -isvf ./configure --prefix=/opt/snort make sudo make install
Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /opt/snort/bin/snort /usr/sbin/snort
Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):
export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=/opt/snort/etc/snort sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc" sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"
to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:
sudo visudo
in the editor, add the following to to the bottom of the file:
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snort3:~$ snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.0.0-a4 (Build 223) from 2.9.8-383
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 2.2.1
Using libpcap version 1.5.3
Using LuaJIT version 2.0.2
Using PCRE version 8.31 2012-07-06
Using ZLIB version 1.2.8
Using LZMA version 5.1.0alpha
Using OpenSSL 1.0.1f 6 Jan 2014
Using Hyperscan version 4.2.0 2017-01-07
user@snort3:~$
Now let’s test snort with the default configuration file and ruleset:
user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~ Snort++ 3.0.0-a4-223
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
ssh
rpc_decode
pop
stream_user
stream_tcp
smtp
ssl
gtp_inspect
stream_ip
appid
stream_icmp
reputation
stream_udp
file_id
back_orifice
classifications
port_scan
dnp3
ftp_data
ftp_server
telnet
ftp_client
http_inspect
stream
references
arp_spoof
sip
wizard
dns
imap
stream_file
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
total rules loaded: 3974
text rules: 3974
option chains: 3974
chain headers: 187
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 119 31 29 26
src 1685 4 0 0
dst 1927 232 0 0
both 0 1 0 0
total 3731 268 29 26
--------------------------------------------------
flowbits
defined: 124
not checked: 9
not set: 2
--------------------------------------------------
service rule counts - tcp to-srv to-cli
dcerpc: 3 0
drda: 3 0
ftp: 8 2
http: 1161 1553
ident: 1 0
imap: 29 1044
ircd: 1 1
ldap: 5 0
mysql: 29 1
netbios-ns: 4 0
netbios-ssn: 25 7
pop3: 12 1043
rtsp: 2 0
smtp: 550 3
ssl: 5 1
sunrpc: 9 0
telnet: 5 1
vnc-server: 1 3
total: 1853 3659
--------------------------------------------------
service rule counts - udp to-srv to-cli
dcerpc: 2 0
dns: 170 2
kerberos: 4 4
netbios-dgm: 7 7
netbios-ns: 1 1
netbios-ssn: 1 1
ntp: 1 0
snmp: 1 1
ssdp: 8 0
sunrpc: 7 3
tftp: 1 0
total: 203 19
--------------------------------------------------
fast pattern port groups src dst any
packet: 27 125 4
key: 23 107 1
header: 23 107 1
body: 0 2 0
file: 23 107 1
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 29 17
key: 3 0
header: 1 3
body: 1 0
file: 1 4
--------------------------------------------------
search engine
instances: 566
patterns: 24676
pattern chars: 515657
num states: 409159
num match states: 23816
memory scale: MB
total memory: 8.27426
pattern memory: 1.05602
match list memory: 1.96014
transition memory: 5.20412
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration.
o")~ Snort exiting
user@snort3:~$
If you have output similar to the above, then Snort 3.0.0 Alpha 4 is installed and works.
When you install snort to /opt/snort, you get the following folder structure:
user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│ ├── snort
│ ├── snort2lua
│ ├── u2boat
│ └── u2spewfoo
├── etc
│ └── snort
│ ├── file_magic.lua
│ ├── sample.rules
│ ├── snort_defaults.lua
│ └── snort.lua
├── include
│ └── snort
│ ├── actions
│ ├── codecs
│ ├── daqs
│ ├── decompress
│ ├── detection
│ ├── events
│ ├── file_api
│ ├── filters
│ ├── flow
│ ├── framework
│ ├── hash
│ ├── latency
│ ├── log
│ ├── lua
│ ├── main
│ ├── managers
│ ├── mime
│ ├── profiler
│ ├── protocols
│ ├── search_engines
│ ├── sfip
│ ├── sfrt
│ ├── stream
│ ├── time
│ └── utils
├── lib
│ ├── pkgconfig
│ │ └── snort.pc
│ └── snort
│ └── daqs
└── share
└── doc
└── snort
37 directories, 9 files
The /opt/snort/bin folder contains the following Snort binaries:
Additionally, the following folders are created / used:
If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.
If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to work with protocol (layer 7) detection, please see my article on OpenAppID.
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.