Command Line – Snort

Snort [1] is one of the oldest and most reliable network intrusion detection systems. Founded in 1998 by Martin Roesch, then the CTO of Sourcefire, Snort quickly became so popular that in 2009 InfoWorld declared it one of the top 36 pieces of free software [2]. Like the definitions in a virus detector, Snort relies on a series of rules to detect all known means of compromising a system. It is not difficult to install, but it requires preparation, and, the more customization, the more time-consuming your installation will be. What follows are instructions for a minimal installation for Debian-like distributions, which should be good enough for many users, especially on standalone machines.

To get the very latest protection, install Snort from source [3], using the usual ./configure, make, and install commands. Most distributions also offer a package, although the package is often older than the latest version. However, in a mature application such as Snort, the differences between versions are apt to be minimal, and the rules you install are probably more important. Whichever version you use, you might want to create a Snort group and user solely for running the app, just for added protection. In addition, before installation, gather the necessary information (Figure 1) by running:

ip a

Figure 1: Installing Snort requires the network interface's name and IP address.

You will need the name of the network interface (the second item on the list) and the IP address (on the line starting with inet). Keep the terminal open so you can copy and paste as needed. If you use the Snort package from the Debian repository, the installation will offer you one or more choices, depending on the distribution and its version (Figure 2). As a beginner, you can simply select OK to continue and edit the configuration later if necessary.

Figure 2: As part of the installation, Debian systems ask one or two questions about package configuration. Usually, users can accept the installer's defaults.

Configuring Snort

When installation is complete, you need to edit /etc/snort/snort.conf as root (Figure 3). At a minimum, you need to find the lines that begin with ipvar and replace the placeholder HOME_NET with your network address. The snort.conf file is heavily commented; eventually, you should go through its dozens of options with the Snort documentation and read.me files open, uncommenting and adding entries as needed for your circumstances – a process that can take hours to do completely. For now, however, all you should note is that snort.conf is divided into nine steps, each containing dozens of fields:

1. Set the network variables/addresses.
2. Configure the decoder.
3. Configure the basic detection engine.
4. Configure dynamic loaded libraries.
5. Configure preprocessors.
6. Configure output plugins.
7. Customize your rulesets.
8. Customize your preprocessor and decoder alerts.

9. Finally, customize your Shared Object Snort Rules.

   

   Figure 3: The snort.conf file is well-structured and heavily commented, making it easy to read.

Debian also has a Step 0 for a Debian-specific configuration as a separate configuration. Beginners, though, can ignore the Debian-specific choices.

Probably the most important place to begin is with the steps that involve rules. Intrusion detection is only as good as the rules it uses, and some rules may be out of date by the time you install.

Downloading Rules

Snort has three types of rules (Figure 4) for detection:

• Community rules are rules written by the community and available for free (Figure 5). These can be useful but may become obsolete, or may be developed some time after a new means of intrusion is known. Their quality depends on how conscientious the developers are.
• Registered rules are free rules, but they are only available to registered users. In order to download rules, you will need to first enter your personal code.
• Subscription rules are registered rules that are available only to paid subscribers. Subscribers can download them before a software release, which offers the very latest protection. The price differs for personal and business users.

Figure 4: Snort rules follow a concise structure of well-defined fields.

Figure 5: Community rules are freely available for the download. Other rulesets require registration and/or subscription.

Other rules are available on developer sites such as GitHub. If none of the available rules meet your needs, you can try writing your own. Online diagrams that parse the components of rules are widely available online [4].

For all rules, create the directory /usr/local/etc/rules, and add a symbolic link to /usr/sbin/snort. If you are using a Snort user or group, transfer ownership of these directories to them. Rules should be downloaded and uncompressed as root to /usr/local/etc/rules from https://www.snort.org/downloads/#snort-3.0.

Final Touches

Usually, you want Snort to listen to all traffic, which is known as promiscuous mode. To configure promiscuous mode, run the command:

ip link set NETWORK-INTERFACE promisc on

At this point, you can run Snort in test mode to check that it is ready. As root, run:

snort -T -c /etc/snort/snort.conf

If configuration is successful, a copyright notice displays, followed by build notices and a message that the installation has been validated (Figure 6). If validation fails, the messages will most likely involve directories you need to add or rules that can be commented out before trying to validate again. As a final test, you can add a rule and then run Snort to see the results [5].

Figure 6: Snort confirms that the configuration is valid.