A command-line network intrusion detection system
Command Line – Snort
Snort lets you protect your network from intruders with a customizable ruleset.
Snort [1] is one of the oldest and most reliable network intrusion detection systems. Founded in 1998 by Martin Roesch, then the CTO of Sourcefire, Snort quickly became so popular that in 2009 InfoWorld declared it one of the top 36 pieces of free software [2]. Like the definitions in a virus detector, Snort relies on a series of rules to detect all known means of compromising a system. It is not difficult to install, but it requires preparation, and, the more customization, the more time-consuming your installation will be. What follows are instructions for a minimal installation for Debian-like distributions, which should be good enough for many users, especially on standalone machines.
To get the very latest protection, install Snort from source [3], using the usual ./configure
, make
, and install
commands. Most distributions also offer a package, although the package is often older than the latest version. However, in a mature application such as Snort, the differences between versions are apt to be minimal, and the rules you install are probably more important. Whichever version you use, you might want to create a Snort group and user solely for running the app, just for added protection. In addition, before installation, gather the necessary information (Figure 1) by running:
ip a
You will need the name of the network interface (the second item on the list) and the IP address (on the line starting with inet
). Keep the terminal open so you can copy and paste as needed. If you use the Snort package from the Debian repository, the installation will offer you one or more choices, depending on the distribution and its version (Figure 2). As a beginner, you can simply select OK to continue and edit the configuration later if necessary.
Configuring Snort
When installation is complete, you need to edit /etc/snort/snort.conf
as root (Figure 3). At a minimum, you need to find the lines that begin with ipvar
and replace the placeholder HOME_NET
with your network address. The snort.conf
file is heavily commented; eventually, you should go through its dozens of options with the Snort documentation and read.me
files open, uncommenting and adding entries as needed for your circumstances – a process that can take hours to do completely. For now, however, all you should note is that snort.conf
is divided into nine steps, each containing dozens of fields:
- Set the network variables/addresses.
- Configure the decoder.
- Configure the basic detection engine.
- Configure dynamic loaded libraries.
- Configure preprocessors.
- Configure output plugins.
- Customize your rulesets.
- Customize your preprocessor and decoder alerts.
Finally, customize your Shared Object Snort Rules.
Figure 3: The snort.conf file is well-structured and heavily commented, making it easy to read.
Debian also has a Step 0 for a Debian-specific configuration as a separate configuration. Beginners, though, can ignore the Debian-specific choices.
Probably the most important place to begin is with the steps that involve rules. Intrusion detection is only as good as the rules it uses, and some rules may be out of date by the time you install.
Downloading Rules
Snort has three types of rules (Figure 4) for detection:
- Community rules are rules written by the community and available for free (Figure 5). These can be useful but may become obsolete, or may be developed some time after a new means of intrusion is known. Their quality depends on how conscientious the developers are.
- Registered rules are free rules, but they are only available to registered users. In order to download rules, you will need to first enter your personal code.
- Subscription rules are registered rules that are available only to paid subscribers. Subscribers can download them before a software release, which offers the very latest protection. The price differs for personal and business users.
Other rules are available on developer sites such as GitHub. If none of the available rules meet your needs, you can try writing your own. Online diagrams that parse the components of rules are widely available online [4].
For all rules, create the directory /usr/local/etc/rules
, and add a symbolic link to /usr/sbin/snort
. If you are using a Snort user or group, transfer ownership of these directories to them. Rules should be downloaded and uncompressed as root to /usr/local/etc/rules
from https://www.snort.org/downloads/#snort-3.0.
Final Touches
Usually, you want Snort to listen to all traffic, which is known as promiscuous mode. To configure promiscuous mode, run the command:
ip link set NETWORK-INTERFACE promisc on
At this point, you can run Snort in test mode to check that it is ready. As root, run:
snort -T -c /etc/snort/snort.conf
If configuration is successful, a copyright notice displays, followed by build notices and a message that the installation has been validated (Figure 6). If validation fails, the messages will most likely involve directories you need to add or rules that can be commented out before trying to validate again. As a final test, you can add a rule and then run Snort to see the results [5].
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.
-
Linux Market Share Hits New High
For the first time, the Linux market share has reached a new high for desktops, and the trend looks like it will continue.
-
LibreOffice 24.8 Delivers New Features
LibreOffice is often considered the de facto standard office suite for the Linux operating system.
-
Deepin 23 Offers Wayland Support and New AI Tool
Deepin has been considered one of the most beautiful desktop operating systems for a long time and the arrival of version 23 has bolstered that reputation.
-
CachyOS Adds Support for System76's COSMIC Desktop
The August 2024 release of CachyOS includes support for the COSMIC desktop as well as some important bits for video.