How to Install Snort on Ubuntu 16.04

r00t October 31, 2017


In this tutorial we’ll learn how to install Snort on Ubuntu 16.04, together with its prerequisites. Snort is a popular choice for running a network intrusion detection system (NIDS). It monitors the packet data sent and received through a specific network interface. A NIDS can detect threats targeting your system’s vulnerabilities using signature-based detection and protocol analysis. NIDS software, when installed and configured appropriately, can identify the latest attacks, malware infections, compromised systems, and network policy violations.

I recommend using a minimal Ubuntu server setup as the basis for this tutorial. This can be a virtual or root server image with an Ubuntu 16.04 minimal install from a web hosting company, or you can use our minimal server tutorial to install a server from scratch.

Install Snort on Ubuntu 16.04

Step 1. First, ensure your system and apt package lists are fully up to date by running the following:

apt-get update -y
apt-get upgrade -y

Step 2. Install required dependencies.

Before installing Snort, you will need to install the required dependencies on your system:

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

Step 3. Installing Snort.

First, install DAQ, the data acquisition library Snort uses to read packets:

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install

Next, download the Snort source code with wget:

wget https://www.snort.org/downloads/snort/snort-2.9.8.3.tar.gz
tar -xvzf snort-2.9.8.3.tar.gz
cd snort-2.9.8.3
./configure --enable-sourcefire && make && make install

Step 4. Configuring Snort to run in NIDS mode.

Next, you will need to configure Snort for your system. Start by updating the shared library cache with the command below:

ldconfig

Create a symlink to the Snort binary:

ln -s /usr/local/bin/snort /usr/sbin/snort

You can verify the installation with the following command, which prints the Snort version and build information:

snort -V

Step 5. Setting up username and folder structure.

To run Snort on Ubuntu safely without root access, create a new unprivileged user and a new group for the daemon to run under:

groupadd snort
useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort

Create the folder structure to house the Snort configuration by running the commands below:

mkdir -p /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules

Set the permissions for the new directories:

chmod -R 5775 /etc/snort
chmod -R 5775 /var/log/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create new files for the white and black lists as well as the local rules:

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

Copy the configuration files and the classification and reference map files from the extracted Snort source directory (run these from inside the snort-2.9.8.3 directory, where the installation step left you):

cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort

If you just want to quickly test out Snort, grab the community rules using wget with the command below:

wget https://www.snort.org/rules/community -O ~/community.tar.gz
tar -xvf ~/community.tar.gz -C ~/
cp ~/community-rules/* /etc/snort/rules

Snort expects to find a number of rule files referenced from snort.conf which are not included in the community rules. You can comment out the unnecessary include lines with the sed command below:

sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
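The substitution above comments out every rule include, which also disables the local.rules file created earlier. The following script is an added example, not part of the original tutorial: it applies the same substitution (anchored to the start of the line, and without the unnecessary backslash before the underscore) and then re-enables only the include lines whose rule files actually exist under the rules directory, appending an include line when snort.conf has none for that file. The snort.conf fragment it builds in a temporary directory is constructed for the demonstration; on the real system call the helper functions with /etc/snort/snort.conf and /etc/snort/rules.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Trims snort.conf rule includes
# down to the rule files that are really present on disk.
set -eu

# Comment out every "include $RULE_PATH/..." line (same effect as the tutorial's sed).
disable_all_rule_includes() {
    conf="$1"
    sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' "$conf"
}

# Re-enable the include for one rule file, but only if that file exists in the
# rules directory. Uncomments an existing line, or appends one if none is present.
enable_include_if_present() {
    conf="$1"; rules_dir="$2"; rule_file="$3"
    [ -f "$rules_dir/$rule_file" ] || return 0
    if grep -q "^#include \$RULE_PATH/$rule_file\$" "$conf"; then
        sed -i "s|^#include \$RULE_PATH/$rule_file\$|include \$RULE_PATH/$rule_file|" "$conf"
    elif ! grep -q "^include \$RULE_PATH/$rule_file\$" "$conf"; then
        printf 'include $RULE_PATH/%s\n' "$rule_file" >> "$conf"
    fi
}

# Number of active (uncommented) rule includes left in the configuration.
count_active_includes() {
    grep -c '^include \$RULE_PATH' "$1" || true
}

# Self-check on a constructed snort.conf fragment in a scratch directory:
# three includes in the config, but only local.rules and community.rules exist.
# Expected result: local.rules uncommented, community.rules appended,
# app-detect.rules left commented, i.e. 2 active includes.
demo_on_sample() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/rules"
    printf 'ipvar HOME_NET any\nvar RULE_PATH ../rules\ninclude $RULE_PATH/local.rules\ninclude $RULE_PATH/app-detect.rules\ninclude $RULE_PATH/attack-responses.rules\n' > "$scratch/snort.conf"
    touch "$scratch/rules/local.rules" "$scratch/rules/community.rules"
    disable_all_rule_includes "$scratch/snort.conf"
    for f in local.rules community.rules app-detect.rules; do
        enable_include_if_present "$scratch/snort.conf" "$scratch/rules" "$f"
    done
    active=$(count_active_includes "$scratch/snort.conf")
    rm -rf "$scratch"
    echo "$active"
}
```

On the server, after copying the community rules into /etc/snort/rules, run disable_all_rule_includes on /etc/snort/snort.conf and then enable_include_if_present for local.rules and community.rules; every other include stays commented until you actually install the corresponding rule file.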

To run Snort on Ubuntu as a service in the background you will need to add a systemd unit file for Snort. Open a new file in a text editor, for example with the following command:

nano /lib/systemd/system/snort.service

Enter the following into the file, replacing eth0 with the name of the network interface Snort should monitor, then save and exit the editor:

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target

With the service defined, reload systemd so it picks up the new unit:

systemctl daemon-reload

Snort can then be started with the configuration you set up using the command below:

systemctl start snort
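Once the unit is running, the practical checks are whether the configuration parses and whether the daemon really runs as the unprivileged snort user created earlier. The script below is an added example, not from the original tutorial. verify_snort uses Snort's -T switch (test the configuration and exit) with the same user, group, config and interface arguments as the unit file, then reports the service state and the account the process runs under; run it as root with the interface name from your unit file. write_test_rule appends a constructed ICMP alert rule to a rules file (the sid 1000001 is an example value from the range Snort reserves for locally written rules), and duplicate_sids counts sids that appear more than once, the common copy-paste mistake Snort complains about at startup.

```shell
#!/bin/sh
# Added example, not from the original tutorial: post-install checks for Snort.
set -eu

# Append a simple, constructed test rule (standard Snort rule syntax) to a rules file.
# It alerts on any ICMP packet towards HOME_NET, which is easy to trigger with ping.
write_test_rule() {
    rules_file="$1"
    printf 'alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; sid:1000001; rev:1;)\n' >> "$rules_file"
}

# Count sids that occur more than once in a rules file (0 means no duplicates).
duplicate_sids() {
    grep -o 'sid:[0-9]*' "$1" | sort | uniq -d | awk 'END { print NR }'
}

# Validate the configuration without sniffing traffic, then confirm the service
# is active and that the snort process runs as the unprivileged user.
# Must be run as root; $1 is the interface name used in the unit file.
verify_snort() {
    iface="${1:-eth0}"
    snort -T -u snort -g snort -c /etc/snort/snort.conf -i "$iface"
    systemctl is-active snort
    ps -o user= -C snort
}
```

A typical sequence on the server is: write_test_rule /etc/snort/rules/local.rules, check that duplicate_sids /etc/snort/rules/local.rules prints 0, run verify_snort eth0, restart the service, and then ping the host from another machine and look for the "ICMP test detected" alert in /var/log/snort. If ps reports root instead of snort, the -u and -g options in the unit file did not take effect and the service is running with more privilege than intended.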

Congratulations! You have successfully installed and configured Snort on your Ubuntu 16.04 server. Thanks for using this tutorial for installing Snort network monitoring on Ubuntu 16.04 LTS (Xenial Xerus).
