Linux User & Developer, Apr 6

Protect your network with Snort

by Michael Reed

Whether meaning to be mischievous or malicious, hackers can wreak havoc on your network. Fortunately, Snort makes it easy to spot them and set up protection

Snort is an intrusion detection system (IDS). It works by monitoring network activity and raising an alert in the case of suspicious activity. What constitutes suspicious activity is definable by rules, and it comes with a massive selection. It can protect a single machine from attacks or even an entire network. This guide will show you how to set up and use Snort and also take you through some typical security scenarios in which Snort will prove useful.

As you get to know Snort, you might consider setting up a testing environment using virtual machines. A simple approach would be to use a virtual machine that has its network adaptor configured to be visible on your network (the setting is called ‘bridged adaptor’ in VirtualBox, for example). The techniques outlined here are not dangerous, but they can be considerably easier to get working within a controllable environment.

Snort runs on a single machine, but can monitor an entire network

Resources

Snort

The Snort manual

A second network card (optional)

Step by Step

Step 01

Install Snort

Install Snort with ‘sudo apt-get install snort’. If you need the very latest version, visit the website and fetch, build and install it.

Step 02

Set Up a ‘quiet’ network environment

When first setting up Snort, it helps to have as little activity on the network as possible. Disconnect other computers or even set up a VM with a bridged adaptor which you can operate upon from the host machine.

Step 03

Test Snort installation

Nearly all Snort operations need to be carried out by the root user. On Ubuntu, it’s probably worth using ‘sudo -i’ to avoid password prompts. Use ‘su’ on other distros. As root, type ‘snort -v’. This puts Snort into packet sniffer mode.

Step 04

Create network activity

Presuming that the network you are on is reasonably quiet, you can generate some network activity by pinging the server. Open another terminal and type ‘ping [IP address of server]’, and cancel after a couple of successful pings. Now, go back to the terminal with Snort running.

Step 05

Interpreting the data

In this example, the ping activity is reported in entries that end with lines ‘ECHO’ and ‘ECHO REPLY’. You may have to scroll back in the terminal to see these entries. Notice that the entries contain the time that the activity occurred and the source and destination of the traffic.

Step 06

Exiting Snort

Exit Snort by hitting Ctrl+C. When you exit Snort, it prints a statistical summary of the traffic that it observed. In this example, there should have been some ICMP traffic from the ping operation.
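As an added example (not part of the original article), the short shell script below reads the verbose output you watched in Steps 03 to 06 and lists only the ECHO and ECHO REPLY entries with their timestamp, source and destination, then checks that every request received a reply. The SAMPLE_SNORT_OUTPUT text is a constructed excerpt laid out like a Snort 2 verbose dump, not a real capture, and the function names ping_entries and ping_balance are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): pull the ping entries out of
# Snort's verbose (snort -v) packet dump so the time, source and destination of
# each ECHO / ECHO REPLY can be read without scrolling back through the terminal.
# The sample below is a constructed excerpt in the layout of Snort 2 verbose
# output, not a real capture.

SAMPLE_SNORT_OUTPUT='04/06-14:23:01.123456 192.168.0.10 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4321   Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/06-14:23:01.123789 192.168.0.1 -> 192.168.0.10
ICMP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:84
Type:0  Code:0  ID:4321   Seq:1  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/06-14:23:02.001000 192.168.0.10 -> 192.168.0.1
TCP TTL:64 TOS:0x0 ID:777 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x7210  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
'

# Print one line per ICMP echo packet: time, direction, src -> dst.
# Reads Snort verbose output on stdin; non-ICMP packets are ignored.
ping_entries() {
    awk '
        # A packet header line starts with MM/DD-HH:MM:SS.usec, then "src -> dst"
        /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
            ts = $1; src = $2; dst = $4; next
        }
        # The ICMP type line ends in ECHO (request) or ECHO REPLY (response)
        /^Type:/ && /ECHO REPLY$/ { printf "%s reply   %s -> %s\n", ts, src, dst; next }
        /^Type:/ && /ECHO$/       { printf "%s request %s -> %s\n", ts, src, dst; next }
    '
}

# Count echo requests and replies over the sample. Requests without matching
# replies mean a host is being probed but not answering, or replies are lost.
ping_balance() {
    req=$(printf '%s\n' "$SAMPLE_SNORT_OUTPUT" | ping_entries | grep -c ' request ' || true)
    rep=$(printf '%s\n' "$SAMPLE_SNORT_OUTPUT" | ping_entries | grep -c ' reply ' || true)
    printf '%s requests, %s replies\n' "$req" "$rep"
}

# Usage on a live system (as root, Ctrl+C to stop):  snort -v | ping_entries
printf '%s\n' "$SAMPLE_SNORT_OUTPUT" | ping_entries
ping_balance
```

Run against the sample it prints the two ping lines and "1 requests, 1 replies". On a real run the counts are the useful part: a burst of requests to many addresses on HOME_NET with few replies is the classic shape of a ping sweep, and this is exactly the kind of pattern the Snort rules you enable later will flag automatically.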


Step 07

More detail

Here’s a more extensive command line: ‘snort -vde’. This produces more output because of the -d flag (display packet data) and the -e flag (application layer). For example, if you fetch POP email without SSL selected, you’ll be able to see the username and password scroll past.

Step 08

Log packet data

Make a directory called ‘snort_logs’. Now run ‘snort -d -l ./snort_logs’ and Snort will log all recorded traffic into the log directory with a separate file for each interface. We’ll skip the verbose flag (-v), as all of the screen output eats into Snort’s throughput.

Step 09

Back up Snort configuration file

Snort comes with a default configuration file which we will back up. Type ‘locate snort.conf’ to find the file and then make a copy of it. ‘cp /etc/snort/snort.conf /etc/snort/snort.conf_old’ should work for Ubuntu, for example.

Step 10

Initial configuration

Open the config file in a text editor. For now, make sure that the variable ‘HOME_NET’ accurately describes your network. For example, if your computers have IP addresses that begin at 192.168.0.1, set it to 192.168.0.1/24.

Step 11

Create launch script

Make a startup script to save time. Create an empty file with ‘nano start_snort’, then add the line ‘snort -de -l [full path to script]/snort_logs -c /etc/snort/snort.conf’ to it, and then save. Now type ‘chmod +x start_snort’. This will launch Snort in IDS mode, with reasonable defaults.
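The launcher below is an added example, not the article's own start_snort script. It folds Steps 09 to 11 into one file: it backs up snort.conf, rewrites HOME_NET, and refuses to start unless the log path is an existing absolute directory, which is the cause of the ‘Not a directory’ error a reader reports in the comments. The function names (backup_conf, set_home_net, build_snort_cmd, start_snort), the SNORT_CONF and SNORT_LOGS defaults, and the use of ‘snort -T’ as a config dry run before launch are this example's own choices; paths are passed as arguments so the pieces can be tried on a scratch copy of snort.conf first.

```shell
#!/bin/sh
# Added example (not the article's own script): a start_snort launcher that
# performs the backup, HOME_NET edit and log-directory checks from Steps 09-11
# before starting Snort in IDS mode. The default paths below are assumptions;
# override them with environment variables if your layout differs.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOGS="${SNORT_LOGS:-/var/log/snort/snort_logs}"

# Step 09: keep a pristine copy of the config, but never overwrite an existing backup.
backup_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    if [ ! -e "${conf}_old" ]; then
        cp "$conf" "${conf}_old"
    fi
    echo "${conf}_old"
}

# Step 10: point HOME_NET at the local network. Snort 2.9 writes 'ipvar HOME_NET',
# older releases 'var HOME_NET'; both forms are rewritten. Edits a copy and then
# replaces the file, so a failed sed never leaves a half-written config behind.
set_home_net() {
    conf="$1"; cidr="$2"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    case "$cidr" in
        any|*/[0-9]|*/[0-9][0-9]) ;;
        *) echo "HOME_NET must be 'any' or CIDR notation, e.g. 192.168.0.0/24" >&2; return 1 ;;
    esac
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $cidr|" \
        -e "s|^var HOME_NET .*|var HOME_NET $cidr|" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    # Confirm the edit actually landed (fails if the file had no HOME_NET line)
    grep -E "^(ipvar|var) HOME_NET $cidr\$" "$conf" >/dev/null
}

# Step 11: build the IDS-mode command line. The log path must be an existing
# absolute directory: Snort opens <logdir>/snort.log itself and fails with
# "Not a directory" if a file, a relative path or a missing path is given.
build_snort_cmd() {
    logdir="$1"; conf="$2"
    case "$logdir" in
        /*) ;;
        *) echo "log directory must be an absolute path: $logdir" >&2; return 1 ;;
    esac
    [ -d "$logdir" ] || { echo "log directory does not exist: $logdir" >&2; return 1; }
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }
    printf 'snort -de -l %s -c %s\n' "$logdir" "$conf"
}

# Tie it together: must be root, validate paths, dry-run the config with
# 'snort -T' (test mode, exits non-zero on a broken config), then exec for real.
start_snort() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo -i)" >&2; return 1; }
    mkdir -p "$SNORT_LOGS"
    backup_conf "$SNORT_CONF" >/dev/null || return 1
    cmd=$(build_snort_cmd "$SNORT_LOGS" "$SNORT_CONF") || return 1
    snort -T -c "$SNORT_CONF" || { echo "config test failed, not starting" >&2; return 1; }
    exec $cmd
}

# Only launch when invoked as './start_snort start'; sourcing the file just
# loads the functions so they can be tried on a scratch copy of snort.conf.
if [ "${1:-}" = "start" ]; then
    start_snort
fi
```

Usage: ‘chmod +x start_snort’ once, then ‘sudo -i’ and ‘./start_snort start’. Having the launcher refuse a bad log path, rather than letting Snort discover it at startup, matters more than it looks: an IDS that silently fails to start is worse than none, because you believe you are being watched when you are not.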

    • cybernard

      1. Step 23: you need to use ipset; it is more efficient on the CPU than 2000 iptables block rules.
      2. Someone needs to write instructions on how to automate this process, as nobody has time to sit there and monitor log files all day.
      3. You need to log to a database.
      4. Without an automated response system, when you go to sleep at night nobody will be there, so hackers can generate all the alerts they want and not be blocked. Awesome!!!

    • Scotty Bones

      @Cybernard

      Checkout fail2ban for that kind of automation.

    • http://127.0.0.1 rooter

      check this out:
      http://securityonion.blogspot.cz/

      A full-blown, automated Snort/Suricata-based IDS as a ready-made distribution, running Ubuntu 12.

    • Lucas Rodrigues

      On Step 12, when I try to execute the startup script, I keep getting the following error:
      “ERROR: spo_unified2.c(320) Could not open /etc/snort/start_snort/var/log/snort/snort_logs/snort.log: Not a directory”

      My script is in /etc/snort/
      Log folder is: /var/log/snort/snort_logs/

      What am I doing wrong?

      Thanks, Lucas