
Snort Setup and Install

snort https://www.snort.org/#get-started

A minimum of 4 GB RAM and a multicore CPU are recommended for better performance.

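# Refresh the package index, then upgrade what is installed.  These are two
# separate commands; run on one line as in the original, "apt-get upgrade -y"
# would be passed as extra arguments to "apt-get update".
apt-get update -y
apt-get upgrade -y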

# Build toolchain and development libraries needed to compile DAQ and Snort
# from source (one package per line for readability; same single apt-get call).
apt-get install \
  openssh-server \
  ethtool \
  build-essential \
  libpcap-dev \
  libpcre3-dev \
  libdumbnet-dev \
  bison \
  flex \
  zlib1g-dev \
  liblzma-dev \
  openssl \
  libssl-dev

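# Download, unpack and build DAQ (Snort's packet acquisition library).
# The steps are chained with && so a failed download or build does not fall
# through to the next command, and the build runs in a subshell so the caller's
# working directory is unchanged afterwards.
# NOTE(review): the download alone does not authenticate the archive; check it
# against the checksum/signature published for this release before building.
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz \
  && tar -zxvf daq-2.0.6.tar.gz \
  && ( cd daq-2.0.6 && ./configure && make && make install )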

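# Download, unpack and build Snort itself.  The configure option is
# --enable-sourcefire with two ASCII hyphens; the en dash in the original is a
# copy/paste artefact that configure rejects as an unknown argument.
# The build runs in a subshell so the working directory is unchanged afterwards.
# NOTE(review): verify the archive against the checksum/signature published for
# this release before building.
wget https://www.snort.org/downloads/snort/snort-2.9.15.tar.gz \
  && tar xvzf snort-2.9.15.tar.gz \
  && ( cd snort-2.9.15 && ./configure --enable-sourcefire && make && make install )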

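# Refresh the shared-library cache so the freshly installed DAQ/Snort libraries
# resolve, expose the binary on the usual sbin path, and confirm it starts.
# (Three commands; run on one line as in the original they become arguments
# to ldconfig.)
ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V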

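# Create the configuration, rule, log and dynamic-rule directories and the
# empty rule files snort.conf will reference.  -p creates parents and makes the
# step safe to re-run.
mkdir -p \
  /etc/snort/preproc_rules \
  /etc/snort/rules \
  /var/log/snort \
  /usr/local/lib/snort_dynamicrules
touch \
  /etc/snort/rules/white_list.rules \
  /etc/snort/rules/black_list.rules \
  /etc/snort/rules/local.rules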

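# Set permissions on the configuration, rule, log and library trees.
# The original "chmod -R 5775" set the setuid and sticky bits on every file and
# directory and made all of them group-writable, so any member of the owning
# group could alter the rules and shared objects the IDS loads.  Use the least
# privilege that still works: directories 755, files 644 (X adds execute only
# where it already makes sense), writable by root only.  /var/log/snort stays
# root-writable because the service unit in this guide runs snort as root.
chmod -R u=rwX,go=rX \
  /etc/snort/ \
  /var/log/snort/ \
  /usr/local/lib/snort \
  /usr/local/lib/snort_dynamicrules/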

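# Install the stock configuration files and the compiled dynamic preprocessors.
# The directory must be the one unpacked above from snort-2.9.15.tar.gz; the
# original changed into snort-2.9.8.3, which this guide never downloads.
cd snort-2.9.15
# snort.conf, the *.map files and the *.dtd file ship under etc/ in the source
# tree, not at its top level; the preprocessor path below is likewise relative
# to the top of the tree.  (-a already implies recursion, so -r is redundant.)
cp -av etc/*.conf etc/*.map etc/*.dtd /etc/snort/
cp -av src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/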

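# Comment out every rule file that snort.conf pulls in via $RULE_PATH; the
# guide re-enables only local.rules further down.
# Single quotes keep $RULE_PATH out of shell expansion (inside double quotes it
# would expand to an empty string and the pattern would match every "include "
# line in the file), the backslash keeps it literal to sed, and the ^ anchor
# leaves already-commented lines alone instead of producing "##include".
sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
# Open the configuration to set the variables shown below.
nano /etc/snort/snort.conf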

Set up the network addresses you are protecting:

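# Network you are protecting (example range from the guide; adjust to yours).
ipvar HOME_NET 192.168.15.0/24

# External network addresses. Leave as "any" in most situations.
ipvar EXTERNAL_NET any

# Rule directories created earlier in this guide.
var RULE_PATH /etc/snort/rules
# NOTE(review): /etc/snort/so_rules is not created by the mkdir step in this
# guide; create it or expect a warning when the path is referenced.
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# Load only the locally written rules; the stock includes were commented out
# with sed earlier in this guide.
include $RULE_PATH/local.rules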

# Self-test only (-T): parse the configuration against the capture interface
# and exit without sniffing, so configuration errors surface before the
# service is started.
snort -c /etc/snort/snort.conf -i eth0 -T

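# /etc/snort/rules/local.rules  (open with: nano /etc/snort/rules/local.rules)
# Quotes must be plain ASCII double quotes; the typographic quotes in the
# original are a copy/paste artefact and the rule parser will not accept them.
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
# Telnet listens on TCP 23; the original rule matched port 80 (HTTP) while
# labelling the alert as TELNET, so the message and the port disagreed.
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)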

Start Snort in Network IDS mode from the terminal and tell it to print every alert to the console:

# Run in the foreground, quietly (-q suppresses the banner and statistics),
# printing alerts to the console (-A console) for the interface given.
snort -q -A console -i eth0 -c /etc/snort/snort.conf

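# /lib/systemd/system/snort.service  (open with: nano /lib/systemd/system/snort.service)
[Unit]
Description=Snort NIDS Daemon
# syslog.target is no longer provided by current systemd releases; an ordering
# dependency on a missing unit is ignored, so only network.target takes effect.
After=syslog.target network.target

[Service]
Type=simple
# NOTE(review): this runs snort as root for its whole lifetime with no
# privilege drop.  Snort's -u/-g options switch to an unprivileged user and
# group once the capture interface is open, but this guide creates no such
# account, so they are not added here.
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target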

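# Reload systemd so it sees the unit file just created, then enable it at boot,
# start it and show its state.  Without daemon-reload "enable" cannot find a
# unit that was written after systemd last scanned its unit directories.
systemctl daemon-reload
systemctl enable snort
systemctl start snort
systemctl status snort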

Oinkcode

Get the latest Snort Rules:

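# Fetch and unpack the free community rule set.  The extract step must name the
# file that was just saved (community-rules.tar.gz); the original extracted
# "community.tar.gz", which does not exist.
wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz \
  && tar -xvzf community-rules.tar.gz -C /etc/snort/rules
# NOTE(review): the archive unpacks into its own community-rules/ subdirectory,
# so the include line added to snort.conf must use that path; confirm the
# layout after extracting.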

https://github.com/shirkdog/pulledpork