< Part 2 - Mirroring Network Traffic | Part 4 - Installing PulledPork >
This will cover installing Snort on Ubuntu 14.04 LTS specifically. You can find other guides for your OS / distribution on the official home page.
There is an excellent guide for installing Snort 2.9.6.2 on Ubuntu 12 LTS and 14 LTS. However while working through this guide myself, I have found there were several incorrect or extra required steps. Due to this, I decided to write this purely on my personal experience.
The guide on the official home page recommends disabling these two offload features on the ethernet interface.
# sudo apt-get install -y ethtool
# sudo ethtool -K eth0 gro off
# sudo ethtool -K eth0 lro off
Replace eth0 if that is not the ethernet interface.
At the time of writing, Snort 2.9.7.0 and DAQ 2.0.4 are the latest stable releases. When a new version is released, please adjust the commands below as required.
# sudo apt-get install -y build-essential
# sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
# sudo apt-get install -y bison flex
# sudo apt-get install -y zlib1g-dev
Create a workspace directory in which to compile the sources. We will use the same directory as the official guide, ~/snort_src.
# mkdir ~/snort_src
# cd ~/snort_src
At the time of writing, 2.0.4 is the latest version. Modify the wget link as required when a new version is released.
# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
# tar zxvf daq-2.0.4.tar.gz
# cd daq-2.0.4
# ./configure
# make
# sudo make install
At the time of writing, 2.9.7.0 is the latest version. Modify the wget link as required when a new version is released.
One tweak I have added is passing --enable-reload to the configure script.
With this enabled, Snort can reload its configuration on the fly, for example when the rules files have been updated.
This is especially valuable when combined with PulledPork (covered in part 4) on a cron schedule: Snort will automatically reload its rules whenever PulledPork updates them.
# cd ~/snort_src
# wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
# tar zxvf snort-2.9.7.0.tar.gz
# cd snort-2.9.7.0
# ./configure --enable-sourcefire --enable-reload
# make
# sudo make install
# sudo ldconfig
# sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Once Snort is built and installed properly, let's run it to make sure it starts.
# snort -V
You should see output similar to the following (adjust for newer versions).
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.8
We will now set up an initial configuration for Snort.
The commands below are copied directly from the guide on the official page. Run them one at a time and, if you run into errors, address them before continuing.
# sudo groupadd snort
# sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# sudo mkdir /etc/snort
# sudo mkdir /etc/snort/rules
# sudo mkdir /etc/snort/preproc_rules
# sudo mkdir /var/log/snort
# sudo mkdir /usr/local/lib/snort_dynamicrules
# sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
# sudo chmod -R 5775 /etc/snort
# sudo chmod -R 5775 /var/log/snort
# sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# sudo chown -R snort:snort /etc/snort
# sudo chown -R snort:snort /var/log/snort
# sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
# sudo cp ~/snort_src/snort-2.9.7.0/etc/*.conf* /etc/snort
# sudo cp ~/snort_src/snort-2.9.7.0/etc/*.map /etc/snort
Next, we will disable (comment out) all the default rule files included in snort.conf. This is because we will use PulledPork to update the rules.
# sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
Edit snort.conf and set your network configuration.
Note: the line numbers below may be off if future releases of Snort add and/or remove configuration values.
For example, if your home network is the 192.168.1.0/24 subnet, set:
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
From line 104 onwards, update the following variables.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
Uncomment line 541 to allow you to add your own custom rules to a local.rules file.
include $RULE_PATH/local.rules
Once the changes in section 2.4 have been made, let us make sure there are no errors.
It is good practice to verify your configuration after any change, no matter how small.
# sudo snort -T -c /etc/snort/snort.conf
If all goes well, a lot of text will scroll by and Snort should exit with the last 2 lines as follows.
Snort successfully validated the configuration!
Snort exiting
If Snort outputs an error message, please go over your snort.conf and double check for errors.
Add the following rule on a new line in /etc/snort/rules/local.rules (the file we included in snort.conf above).
alert icmp any any -> any any (msg:"ICMP packet from all, to all"; sid:10000001; rev:001;)
This rule simply raises an alert whenever Snort sees an ICMP packet sent from any IP and any port to any IP and any port; these four fields correspond to the four "any" keywords in the rule, in that order.
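To make the header fields and the msg/sid/rev options concrete, here is a small parser and lint check for one-line rules of the kind you would put in local.rules. This is an added example, not code from the post or from the Snort project; the function names are my own, and the only input is the rule from this page.

```python
import re

# Snort reserves sid values below 1,000,000 for the rules it ships; locally
# written rules (like the one above, sid:10000001) should use 1,000,000+.
LOCAL_SID_MIN = 1_000_000

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
# Options are 'key:value;' or bare 'key;'; values may be double-quoted.
OPTION_RE = re.compile(r'([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and option map."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = {k: v for k, v in m.groupdict().items() if k != "options"}
    options = {}
    for opt in OPTION_RE.finditer(m.group("options")):
        value = opt.group(2)
        # bare keywords such as 'nocase;' are stored as True
        options[opt.group(1)] = value.strip().strip('"') if value is not None else True
    rule["options"] = options
    return rule

def lint_local_rule(rule):
    """Return the problems a local.rules author should fix before 'snort -T'."""
    problems = []
    opts = rule["options"]
    if "msg" not in opts:
        problems.append("missing msg")
    sid = opts.get("sid")
    if not isinstance(sid, str) or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append("sid %s is in the range reserved for distributed rules" % sid)
    if "rev" not in opts:
        problems.append("missing rev")
    return problems

# The rule from this page, used as the worked input.
PAGE_RULE = ('alert icmp any any -> any any '
             '(msg:"ICMP packet from all, to all"; sid:10000001; rev:001;)')

if __name__ == "__main__":
    print(parse_rule(PAGE_RULE), lint_local_rule(parse_rule(PAGE_RULE)))
```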
Verify there are no errors with the snort.conf.
# sudo snort -T -c /etc/snort/snort.conf
If successful, let us run Snort in console mode.
# sudo /usr/local/bin/snort -A console -q -g snort -u snort -c /etc/snort/snort.conf -i eth0
Replace eth0 if that is not the ethernet interface.
Ping a machine on your home network.
To also test that the port mirroring set up in part 2 is working as intended, ping a machine on the network other than the one Snort is installed on.
You should see Snort displaying alerts for this.
Example (output will differ depending on logging format):
[**] [1:10000001:1] ICMP packet from all, to all [**]
[Priority: 0]
1/7-21:00:39.652451 192.168.1.2 -> 192.168.1.3
ICMP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
Type:8 Code:0 ID:13158 Seq:4508 ECHO
[**] [1:10000001:1] ICMP packet from all, to all [**]
[Priority: 0]
1/7-21:00:39.652604 192.168.1.3 -> 192.168.1.2
ICMP TTL:64 TOS:0x0 ID:54714 IpLen:20 DgmLen:32 DF
Type:0 Code:0 ID:13158 Seq:4508 ECHO REPLY
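Console output like the above is what you end up feeding into a log pipeline, so here is a parser that turns the multi-line alert layout shown above into structured records and counts them per sid and source/destination pair. This is an added example, not code from the post or from Snort; the sample text is constructed from the two alerts above, the function names are my own, and the address split assumes IPv4.

```python
import re
from collections import Counter

# Constructed sample in the multi-line alert layout shown above (two ICMP alerts).
SAMPLE_ALERTS = """\
[**] [1:10000001:1] ICMP packet from all, to all [**]
[Priority: 0]
1/7-21:00:39.652451 192.168.1.2 -> 192.168.1.3
ICMP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
Type:8 Code:0 ID:13158 Seq:4508 ECHO

[**] [1:10000001:1] ICMP packet from all, to all [**]
[Priority: 0]
1/7-21:00:39.652604 192.168.1.3 -> 192.168.1.2
ICMP TTL:64 TOS:0x0 ID:54714 IpLen:20 DgmLen:32 DF
Type:0 Code:0 ID:13158 Seq:4508 ECHO REPLY
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")  # [gid:sid:rev] msg
PRIORITY_RE = re.compile(r"^\[Priority: (\d+)\]")
# timestamp src[:port] -> dst[:port]; IPv4 only, IPv6 addresses would need a different split
PACKET_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(ICMP|TCP|UDP|IP) TTL:")
ICMP_RE = re.compile(r"^Type:(\d+) Code:(\d+)")

def parse_alerts(text):
    """Turn the alert text into a list of dicts, one per [**] header block."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first header is not part of an alert
        elif m := PRIORITY_RE.match(line):
            cur["priority"] = int(m[1])
        elif m := PACKET_RE.match(line):
            cur.update(timestamp=m[1], src=m[2], src_port=m[3], dst=m[4], dst_port=m[5])
        elif m := PROTO_RE.match(line):
            cur["proto"] = m[1]
        elif m := ICMP_RE.match(line):
            cur["icmp_type"], cur["icmp_code"] = int(m[1]), int(m[2])
    return alerts

def count_by_flow(alerts):
    """Alerts per (sid, src, dst): the same sid firing in both directions is
    the request/reply pair you expect from a ping, not two separate events."""
    return Counter((a["sid"], a["src"], a["dst"]) for a in alerts)
```

Running count_by_flow(parse_alerts(SAMPLE_ALERTS)) on the sample gives one alert for each direction of the ping.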
If you got this far, congratulations! You have a working Snort setup.
Just one more step! We don't want to run Snort manually like this; we want it to run in daemon mode and start with the OS, so that no manual intervention is needed.
Part 3a - Snort Startup Script
We are not done yet! All rules are currently disabled due to the operations in section 2.4.2.
The next part will cover setting up PulledPork, which will automatically update Snort rules.