In this tutorial we’ll learn how to install Snort on Ubuntu 16.04, along with its prerequisites. Snort is a popular choice for running a network intrusion detection system, or NIDS. It monitors the packet data sent and received through a specific network interface. A NIDS can catch threats targeting your system's vulnerabilities by using signature-based detection and protocol analysis. When installed and configured appropriately, NIDS software can detect the latest attacks, malware infections, compromised systems, and network policy violations.
I recommend using a minimal Ubuntu server setup as the basis for this tutorial. That can be a virtual or root server image with an Ubuntu 16.04 minimal install from a web hosting company, or you can use our minimal server tutorial to install a server from scratch.
Install Snort on Ubuntu 16.04
Step 1. First, ensure your system and apt package lists are fully up to date by running the following:
apt-get update -y
apt-get upgrade -y
Step 2. Install the required dependencies.
Before installing Snort, you will need to install the required dependencies on your system:
apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
Step 3. Installing Snort.
First, install DAQ, the data acquisition library Snort uses for packet capture:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install
Next, download the Snort source code with wget, then build and install it:
wget https://www.snort.org/downloads/snort/snort-18.104.22.168.tar.gz
tar -xvzf snort-22.214.171.124.tar.gz
cd snort-126.96.36.199
./configure --enable-sourcefire && make && make install
Step 4. Configuring Snort to run in NIDS mode.
Next, you will need to configure Snort for your system. Start by updating the shared library cache so the freshly installed libraries are found:
ldconfig
Create a symlink to the Snort binary:
ln -s /usr/local/bin/snort /usr/sbin/snort
You can verify the installation with the following command, which prints the Snort version and build information:
snort -V
Step 5. Setting up the user and folder structure.
To run Snort on Ubuntu safely without root access, create a new unprivileged user and a new group for the daemon to run under:
groupadd snort
useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Create the folder structure to house the Snort configuration; just copy over the commands below:
mkdir -p /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
Set the permissions for the new directories:
chmod -R 5775 /etc/snort
chmod -R 5775 /var/log/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create new files for the white and black lists as well as the local rules:
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
Copy the configuration files and the dynamic preprocessors:
cp ~/snort_src/snort-188.8.131.52/etc/*.conf* /etc/snort
cp ~/snort_src/snort-184.108.40.206/etc/*.map /etc/snort
If you just want to quickly test out Snort, grab the community rules using wget with the command below:
wget https://www.snort.org/rules/community -O ~/community.tar.gz
tar -xvf ~/community.tar.gz -C ~/
cp ~/community-rules/* /etc/snort/rules
Snort on Ubuntu expects to find a number of different rule files which are not included in the community rules. You can easily comment out the unnecessary lines using the sed command underneath:
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
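The sed command above comments out every rule include in snort.conf, local.rules included, so the community rules you just copied and any rules you write yourself are not loaded until their include lines are switched back on. The script below is an added example and not part of the original tutorial: it applies the same substitution (anchored to the start of the line so it can be rerun safely) to a constructed excerpt of the rules section, then re-enables local.rules and adds community.rules. The CONF variable and the helper names are this example's own; CONF defaults to a temporary file so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original tutorial): shows what the sed step
# does to snort.conf and how to re-enable the rule files you actually ship.
# It works on a constructed sample config; set CONF=/etc/snort/snort.conf
# to run it against the real file on the box from the tutorial.

CONF="${CONF:-$(mktemp)}"

# Constructed excerpt of the rules section of a stock snort.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
EOF
}

# Same substitution as the tutorial, anchored to the start of the line so
# running it twice does not turn "#include" into "##include".
disable_rule_includes() {
    sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' "$1"
}

# Re-enable one rule file: uncomment its include if present, append it
# otherwise, and do nothing if it is already active.
enable_rule_include() {
    conf="$1"; rules="$2"
    if grep -q "^#include \$RULE_PATH/$rules\$" "$conf"; then
        sed -i "s|^#include \$RULE_PATH/$rules\$|include \$RULE_PATH/$rules|" "$conf"
    elif ! grep -q "^include \$RULE_PATH/$rules\$" "$conf"; then
        printf 'include $RULE_PATH/%s\n' "$rules" >> "$conf"
    fi
}

# Number of rule-file includes Snort will actually load (prints 0, not an
# error, when none are active).
count_active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

write_sample_conf "$CONF"
disable_rule_includes "$CONF"
enable_rule_include "$CONF" local.rules
enable_rule_include "$CONF" community.rules
echo "active rule includes in $CONF: $(count_active_includes "$CONF")"
```

On the server from the tutorial, run it with CONF=/etc/snort/snort.conf and confirm the outcome with grep '^include \$RULE_PATH' /etc/snort/snort.conf; only local.rules and community.rules should be listed.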
To run Snort on Ubuntu as a service in the background, you will need to add a systemd unit file for Snort. Open a new unit file in a text editor, enter the following, then save and exit the editor:
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
[Install]
WantedBy=multi-user.target
With the service defined, reload the systemd daemon so it picks up the new unit:
systemctl daemon-reload
Snort can then be run with the configuration you set up using the command below:
systemctl start snort
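With the daemon running, the next thing most people want is a first rule of their own in /etc/snort/rules/local.rules. The script below is an added example and not part of the original tutorial: it appends a constructed ICMP echo-request alert rule after checking that the rule carries a SID, that the SID is in the range used for local rules by convention (1000000 and up; lower values belong to the official rule sets) and that it is not already used in the file, since a duplicate SID makes Snort reject the rule set at start-up. The RULES variable, the helper function names and the sample rule are this example's own; RULES defaults to a temporary file so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the original tutorial): append a first custom rule
# to local.rules with the SID checks you would otherwise only hear about from
# Snort at start-up. Set RULES=/etc/snort/rules/local.rules on the box from
# the tutorial; by default it writes to a temporary file.

RULES="${RULES:-$(mktemp)}"

# Extract the numeric sid from a rule line; prints nothing if it has none.
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*[ (;]sid:[ ]*\([0-9][0-9]*\);.*/\1/p'
}

# Local SIDs must be numeric and 1000000 or above (lower values are the
# official rule sets' range by convention).
valid_local_sid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1000000 ]
}

# True if any rule in the file already carries this exact sid.
sid_in_use() {
    grep -q "[ (;]sid:[ ]*$2;" "$1" 2>/dev/null
}

# Append a rule after validating its sid; returns non-zero and writes nothing
# on a missing, out-of-range or duplicate sid.
add_local_rule() {
    file="$1"; rule="$2"
    sid=$(rule_sid "$rule")
    if ! valid_local_sid "$sid"; then
        echo "rejected: sid '$sid' missing or below 1000000" >&2
        return 1
    fi
    if sid_in_use "$file" "$sid"; then
        echo "rejected: sid $sid already present in $file" >&2
        return 1
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Number of rules in the file (comment and blank lines ignored; prints 0
# rather than an error for an empty file).
rule_count() {
    grep -c '^[a-z]' "$1" 2>/dev/null || true
}

# Constructed sample rule: alert on ICMP echo requests aimed at HOME_NET.
PING_RULE='alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000001; rev:1; classtype:misc-activity;)'

add_local_rule "$RULES" "$PING_RULE"
echo "rules in $RULES: $(rule_count "$RULES")"
```

After changing local.rules, have Snort parse the configuration and rules without starting the daemon using snort -T -c /etc/snort/snort.conf -i eth0, then restart the service with systemctl restart snort. Replace eth0 with the interface you actually monitor (list them with ip link; on Ubuntu 16.04 the name is often not eth0), and make sure the -i value in the unit file's ExecStart uses the same name.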
Congratulations! You have successfully installed and configured Snort on your Ubuntu 16.04 server. Thanks for using this tutorial to install the Snort network monitoring system on Ubuntu 16.04 LTS (Xenial Xerus).