
Snort Setup and Install

Snort: https://www.snort.org/#get-started

A minimum of 4 GB RAM and a multicore CPU are recommended for better performance.


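# Build DAQ and Snort 2.9.x from source on Debian/Ubuntu; every step here runs as root.
apt-get update -y
apt-get upgrade -y

# -y was missing on this line alone, so an unattended run stalled at the prompt
# while the two apt-get calls above did not.
apt-get install -y openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

# Keep each version in one variable: the page later did `cd snort-2.9.8.3`
# after unpacking 2.9.15, which fails when the numbers are typed twice.
# These are older 2.x releases; check https://www.snort.org/downloads for the
# current ones and compare each archive with the checksum listed on the
# download page before building it.
DAQ_VER=2.0.6
SNORT_VER=2.9.15

# DAQ is built in a subshell so the Snort tarball is not unpacked inside the
# DAQ tree (the original cd'd in and never came back out).
wget "https://www.snort.org/downloads/snort/daq-${DAQ_VER}.tar.gz"
tar -xzf "daq-${DAQ_VER}.tar.gz"
( cd "daq-${DAQ_VER}" && ./configure && make && make install )

wget "https://www.snort.org/downloads/snort/snort-${SNORT_VER}.tar.gz"
tar -xzf "snort-${SNORT_VER}.tar.gz"
# Stay inside the source tree afterwards: the next step copies its etc/ files.
cd "snort-${SNORT_VER}"
./configure --enable-sourcefire && make && make install

ldconfig
# -f: do not fail if the link already exists from an earlier run.
ln -sf /usr/local/bin/snort /usr/sbin/snort
snort -V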

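# Directory layout snort.conf expects. -p makes the step safe to re-run.
mkdir -p /etc/snort/preproc_rules /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules

# Permissions. The widely copied `chmod -R 5775` sets the setuid bit on every
# file in these trees and leaves the rule and config directories group-writable,
# which lets any member of the owning group change what Snort alerts on.
# Snort runs as root on this page, so root-owned and read-only for others is
# enough (capital X keeps execute only on directories and already-executable files).
chmod -R u=rwX,go=rX /etc/snort /usr/local/lib/snort /usr/local/lib/snort_dynamicrules
# Alert logs and packet captures hold captured traffic: keep them away from "other".
chmod -R u=rwX,g=rX,o= /var/log/snort

# Copy the config templates and the prebuilt dynamic preprocessors out of the
# Snort source tree. The page did `cd snort-2.9.8.3` here, a release it never
# downloaded (2.9.15 was unpacked above), and the build step already left us
# inside that tree; the templates are in its etc/ subdirectory, not the root.
[ -f etc/snort.conf ] || echo "run this from the snort-2.9.15 source directory" >&2
# *.conf* also picks up classification.config and reference.config, which
# snort.conf includes and the original *.conf glob missed.
cp -av etc/*.conf* etc/*.map etc/*.dtd /etc/snort/
cp -av src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

# Comment out every stock "include $RULE_PATH/..." line so only the rule files
# listed explicitly in the edited config are loaded. ^ anchors the match so a
# re-run does not produce "##include"; -i.orig keeps a copy of the shipped file.
sed -i.orig 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf

# Edit the remaining settings by hand; the values to set are listed below.
vi /etc/snort/snort.conf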

# Set up the network addresses you are protecting.
# Example subnet; replace it with the network(s) this sensor watches. The
# local rules below use $HOME_NET as their destination, so alerts only fire
# for traffic headed into it.
ipvar HOME_NET 192.168.15.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# Rule and list locations. WHITE_LIST_PATH and BLACK_LIST_PATH point at the
# directory where white_list.rules and black_list.rules were created above.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# The sed step commented out every stock "include $RULE_PATH/..." line, so
# this is the only $RULE_PATH rule file loaded until more are added here.
include $RULE_PATH/local.rules

# -T: parse snort.conf and every file it includes, report errors and exit
# without capturing. Run this after each config or rule change. Replace eth0
# with the real capture interface (`ip link` lists them; newer distributions
# use names such as ens33 or enp0s3 rather than eth0).
snort -T -i eth0 -c /etc/snort/snort.conf

# Local rules live in the file created (empty) above; example content follows.
vi /etc/snort/rules/local.rules
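# Example local rules. sid values from 1000000 upward are the range reserved
# for locally written rules; keep each one unique and bump rev when a rule changes.
# Each rule alerts on any packet sent to $HOME_NET on the given port/protocol.
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
# The page had port 80 here with a TELNET message; telnet is tcp/23, so the
# port and the alert text disagreed. The port now matches the message.
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)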

Start Snort in Network IDS mode from the terminal and have it print every alert to the console:


# -A console: write alerts to stdout; -q: suppress the startup banner and
# statistics. Foreground run for checking the rules; Ctrl-C stops it.
snort -A console -q -c /etc/snort/snort.conf -i eth0

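# Write the systemd unit. Locally written units belong in /etc/systemd/system;
# /lib/systemd/system is reserved for units shipped by packages and a package
# upgrade can overwrite files placed there.
cat > /etc/systemd/system/snort.service <<'EOF'
[Unit]
Description=Snort NIDS Daemon
# syslog.target is obsolete on journald-based systems and was dropped here.
After=network.target

[Service]
Type=simple
# Same flags as the interactive run above, minus -A console. This runs Snort
# as root; the page does not create a dedicated unprivileged user for it.
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF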

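# Reload unit files first so systemd picks up the newly written snort.service.
systemctl daemon-reload
# --now enables the unit for boot and starts it in one step.
systemctl enable --now snort
systemctl status snort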

Oinkcode

Get the latest Snort Rules:


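# The community rule set needs no oinkcode. Download and extract under one
# name: the page saved community-rules.tar.gz but then extracted
# community.tar.gz, a file that was never downloaded.
wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
tar -xzf community-rules.tar.gz -C /etc/snort/rules
# The archive unpacks into its own subdirectory (list it with `tar -tzf`),
# so the include line added to snort.conf must use the unpacked file's path.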

PulledPork (automates rule updates): https://github.com/shirkdog/pulledpork