Snort is a well-known open-source network intrusion detection and prevention system (IDS). Snort is very useful to monitor the package sent and received through a network interface. You can specify the network interface to monitor the traffic flow. Snort works on the basis of signature-based detection. Snort uses different types of rulesets to detect network intrusions such as community. Registered and subscription rules. Correctly installed and configured Snort can be very useful in detecting different kinds of attacks and threats like SMB probes, malware infections, compromised systems, etc. In this article, we will learn how to install and configure Snort on an Ubuntu 20.04 system.

Snort Rules

Snort uses rulesets to detect network intrusions which are as follows. There are three types of rule sets available:

Community rules

These are the rules created by the snort user community and available free of cost.

Registered rules

These are the rules provided by Talos and are only available for registered users. Registration takes only a moment and free of cost. After the registration, you will get a code that is needed to submit while sending the download request

Subscription rules

These rules are also the same as registered rules but are provided to registered users before the release. These rulesets are paid and costing is based on personal user or business user.

Snort Installation

Installation of snort in the Linux system would be a manual and lengthy process. Nowadays the installation is very simple and easier since most of the Linux distributions have made the Snort package available in the repositories. The package can be installed from the source as well as from the software repositories.

During the installation, you will be asked to provide some details regarding the network interface. Run the following command, and note the details for future use.

$ ip a

get network Interface

To install the Snort tool in Ubuntu, use the following command.

$ sudo apt install snort

In the above example, ens33 is the name of the network interface and 192.168.218.128 is the ip address. The /24 shows that the network is of subnet mask 255.255.255.0 . Take note of these things since we need to provide these details during the installation.

Now, press tab to navigate to the ok option and press enter.

Configure the network interface

Now provide the name of the network interface, navigate to the ok option using the tab key, and press enter.

Provide the network address with the subnet mask. Navigate to the ok option using the tab key and press enter.

local network IP address range

Once the installation is completed, run the command below the verify.

$ snort --version

Check Snort version

Configuring snort

Before using the Snort, there are some things to be made in the configuration file. Snort stores the configuration files under the directory /etc/snort/ as the file name snort.conf.

Edit the configuration file with any text editor and make the following changes.

$ sudo vi /etc/snort/snort.conf

Find the line ipvar HOME_NET any in the configuration file and replace any with your network address.

Configure Snort

In the above example, a network address 192.168.218.0 with subnet mask prefix 24 is used. Replace it with your network address and provide the prefix.

Save the file and exit

Download and Update Snort rules

Snort uses rulesets for intrusion detection. There are three types of rulesets that we have previously described at the start of the article. In this article, we will download and update community rules.

To install and update the rules, create a directory for the rules.

$ mkdir /usr/local/etc/rules

Download the community rules using the following command.

$ wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz

Or else, you can browse the link below and download the rules.

https://www.snort.org/downloads/#snort-3.0

Extract the downloaded files in the previously created directory.

$ tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/

Enable Promiscuous Mode

We need to make Snot computer’s network interface listen to all traffic. To make this happen, enable promiscuous mode . Run the following command with the interface name.

$ sudo ip link set ens33 promisc on

Where ens33 is the interface name

Set network interface to promisc mode

Running snort

Now we are good to start the Snort. Follow the syntax below and substitute the parameters accordingly.

$ sudo snort -d -l /var/log/snort/ -h 192.168.218.0/24 -A console -c /etc/snort/snort.conf

Where,

-d is used to filter application layer packets

-l is used to setup the logging directory

-h is used to specify the home network

-A is used to send the alert to the console windows

-c is used to specify the snort configuration

Once the Snort is started, you will get the following output in the terminal.

Using Snort on Ubuntu

You can check the log files to get information about intrusion detection.

Snort works on the basis of rulesets. So, always keep the rulesets up to date. You can set up a cronjob to download the rules and update them periodically.

Conclusion

In this tutorial, we learned how to use snort as a network intrusion prevention system in Linux. Also, I have covered how to install and use snort on an Ubuntu system and use it to monitor real-time traffic and do threat detection.

Snort – A Network Intrusion Detection System for Ubuntu

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn