Complete Guide to Installing and Using Snort on Linux for Network Intrusion Detection

Snort is an open-source, lightweight Network Intrusion Detection System (NIDS), written in C. It supports both Windows and Linux platforms. Personally, I prefer the Linux operating system, so I study and research Snort on Linux. Snort has three operation modes: sniffing, packet logging, and intrusion detection. However, it can also be configured to function in intrusion prevention mode, though this process is quite complex. As a lightweight intrusion detection system, Snort’s functionalities are somewhat focused, and its configuration can be intricate, which is beneficial for studying the system’s source code and writing rules. Snort has five types of rule actions, with the common ones being alert, ignore, and log, among others. More details will be explained later.

Environment: Ubuntu 15.10 + Snort 2.9.8.0 + DAQ 2.0.4. Snort can be installed using the command line, making it very convenient for setup and usage. Most people prefer to install it from source to facilitate studying and researching the source code, debugging Snort, writing Snort rules, and testing its functionalities. The various plugins for Snort are also not very user-friendly, and installing from source requires significant effort.

1. Install Dependent Software for Snort Linux

1.1 Install DAQ on Snort Linux

Download DAQ source code:

 wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Extract the DAQ source package. Installing DAQ directly at this point will result in errors due to missing dependencies, so install the required packages first: bison, flex, libpcap

1.2 Additional Dependencies for Snort Linux

First, install bison and flex by entering the following command:

 liang@ubuntu:~/snort/daq$ sudo apt-get install bison flex

Download the libpcap source code:

 liang@ubuntu:~/snort/libpcap$ wget http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz

Extract and install libpcap:

 liang@ubuntu:~/snort/libpcap$ tar -zxvf libpcap-1.7.4.tar.gz
liang@ubuntu:~/snort/libpcap/libpcap-1.7.4$ ./configure
liang@ubuntu:~/snort/libpcap/libpcap-1.7.4$ sudo make
liang@ubuntu:~/snort/libpcap/libpcap-1.7.4$ sudo make install
liang@ubuntu:~/snort/daq$ sudo cp /usr/local/lib/libpcap.* /usr/lib/

 

1.3 Compile and Install DAQ on Snort Linux

Configure DAQ again:

 liang@ubuntu:~/snort/daq$ ./configure

The following output indicates a successful configuration, and DAQ can be installed:

 Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no

Compile DAQ:

 liang@ubuntu:~/snort/daq$ sudo autoreconf -ivf
liang@ubuntu:~/snort/daq$ sudo make

Install DAQ:

liang@ubuntu:~/snort/daq$ sudo make install

At this point, DAQ installation is successful.

2. Install Snort

2.1 Download Snort Linux source code:

wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

Extracting and installing Snort reveals that various dependencies are missing. Therefore, first install the following software: libdumbnet-dev, zlib1g-dev

2.2 Additional Dependencies for Snort Linux:

Enter the following command line:

 liang@ubuntu:~/snort/snort$ sudo apt-get install libdumbnet-dev zlib1g-dev

 

2.3 Install Snort

Compile Snort:

liang@ubuntu:~/snort/snort$ ./configure –enable-sourcefire

Install Snort:

 liang@ubuntu:~/snort/snort$ sudo autoreconf -ivf 
liang@ubuntu:~/snort/snort$ sudo make
liang@ubuntu:~/snort/snort$ sudo make install

Snort will be installed in the following directories:

snort: /usr/local/bin/snort /usr/local/lib/snort

3. Start Snort

Enter the command to start Snort:

liang@ubuntu:~/snort/snort$ sudo snort

The following output indicates a successful start:

 Running in packet dump mode


        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eno16777736".
Decoding Ethernet


        --== Initialization Complete ==--


   ,,_     -*>  Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.35 2014-04-04
           Using ZLIB version: 1.2.8


Commencing packet processing (pid=47760)

To view Snort options, enter the command:

 liang@ubuntu:/etc/snort$ snort --help

The following output is displayed, and it is in English:

    ,,_     -*>  Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.35 2014-04-04
           Using ZLIB version: 1.2.8

USAGE: snort [-options]  
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B    Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c   Use Rules File  
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F     Read BPF filters from file  
        -g   Run snort gid as   group (or gid) after initialization
        -G <0xid>   Log Identifier (to uniquely id events for multiple snorts)
        -h      Set home network =  
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
        -H         Make hash tables deterministic.
        -i      Listen on interface  
        -I         Add Interface name to alert output
        -k    Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K    Logging mode (pcap[default],ascii,none)
        -l      Log to directory  
        -L    Log to this tcpdump file
        -M         Log messages to syslog (not alerts)
        -m 

Set umask =
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P Set explicit snap length of packet (default: 1514)
-q Quiet. Don’t show banner and status report
-Q Enable inline mode operation
-r Read and process tcpdump file
-R Include ‘id’ in snort_intf.pid file name
-s Log alert messages to syslog
-S <n=v> Set rules file variable n equal to value v
-t

Chroots process toafter initialization
-T Test and report on the current Snort configuration
-u Run Snort with UID as user (or UID) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-X Dump the raw packet data starting at the link layer
-x Exit if Snort configuration problems occur
-y Include year in timestamp in the alert and log files
-Z Set the performonitor preprocessor file path and name
-? Show this information
are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
–logid <0xid> Same as -G
–perfmon-file Same as -Z
–pid-pathSpecify the directory for the Snort PID file
–snaplen Same as -P
–help Same as -?
–version Same as -V
–alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,…
–treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup
–treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline.
–process-all-events Process all queued events (drop, alert,…), default stops after 1st action group
–enable-inline-test Enable Inline-Test Mode Operation
–dynamic-engine-lib Load a dynamic detection engine
–dynamic-engine-lib-dir Load all dynamic engines from directory
–dynamic-detection-lib Load a dynamic rules library
–dynamic-detection-lib-dir Load all dynamic rules libraries from directory
–dump-dynamic-rules Creates stub rule files of all loaded rules libraries
–dynamic-preprocessor-lib Load a dynamic preprocessor library
–dynamic-preprocessor-lib-dir Load all dynamic preprocessor libraries from directory
–dynamic-output-lib Load a dynamic output library
–dynamic-output-lib-dir Load all dynamic output libraries from directory
–create-pidfile Create PID file, even when not in Daemon mode
–nolock-pidfile Do not try to lock Snort PID file
–no-interface-pidfile Do not include the interface name in Snort PID file
–disable-attribute-reload-thread Do not create a thread to reload the attribute table
–pcap-single Same as -r
–pcap-file File that contains a list of pcaps to read – read mode is implied
–pcap-list ” ” A space-separated list of pcaps to read – read mode is implied
–pcap-dirA directory to recurse to look for pcaps – read mode is implied
–pcap-filter Filter to apply when getting pcaps from file or directory
–pcap-no-filter Reset to use no filter when getting pcaps from file or directory
–pcap-loop This option will read the pcaps specified on command line continuously for times. A value of 0 will read until Snort is terminated
–pcap-reset If reading multiple pcaps, reset Snort to post-configuration state before reading next pcap
–pcap-reload If reading multiple pcaps, reload Snort config between pcaps
–pcap-show Print a line saying what pcap is currently being read
–exit-check Signal termination after callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called
–conf-error-out Same as -x
–enable-mpls-multicast Allow multicast MPLS
–enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds
–max-mpls-labelchain-len Specify the max MPLS label chain
–mpls-payload-type Specify the protocol (IPv4, IPv6, Ethernet) that is encapsulated by MPLS
–require-rule-sid Require that all Snort rules have SID specified
–daq Select packet acquisition module (default is pcap)
–daq-mode Select the DAQ operating mode
–daq-var <name=value> Specify extra DAQ configuration variable
–daq-dirTell Snort where to find desired DAQ
–daq-list[=] List DAQs found in the specified directory (or default if no directory is specified) List packet acquisition modules available in dir. Default is static modules only.
–dirty-pig Don’t flush packets and release memory on shutdown.
–cs-dirDirectory to use for control socket.
–ha-peer Activate live high-availability state sharing with peer.
–ha-out Write high-availability events to this file.
–ha-in Read high-availability events from this file on startup (warm-start).
–suppress-config-log Suppress configuration information output.

4. Configure Snort

Snort’s configuration file is located at: snort/etc/snort.conf directory. You can refer to the official documentation for configuration, although there is a Chinese version, it is not comprehensive.

5. Snort Rules

Manually writing Snort rules:

 alert tcp any any -> 192.168.213.170 80 (msg:"Telnet Login";sid:26287)
alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)

Save these into a new rules file, and include this new rules file in the Snort startup configuration to activate these rules.

Snort rules are generally divided into two parts: the rule header and the rule options. The rule header contains protocol, port, address information, and the action to take on the packet. The protocol, port, address information is the basic information commonly seen on networks, including both source and destination. Actions include alerting, ignoring, logging, alerting and starting another dynamic rule chain, and calling by other rule packages.

Rule options are more detailed and complex.
The sid is necessary content, msg is the alert message, and content is the pattern to match in the packet. Other detailed items can be found in the official documentation. I have always wondered if content can be used to detect malicious code. If so, the malicious code could be detected and handled at the gateway, preventing its spread to the host.

6. Test Cases

6.1 Starting Snort on the Local Machine

 sudo snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort

6.2 Real-Time Monitoring of Snort Alert Logs:

 liang@ubuntu:~/snort/run/log$ tail -f /var/log/snort/alert 

6.3 Testing Rules

Ping the Snort host from another machine to trigger alerts:

 03/21-16:15:13.164956  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:14.164567  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:15.164590  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170
03/21-16:15:16.166108  [**] [1:8886288:0] "ICMP PING" [**] [Priority: 0] {ICMP} 192.168.213.162 -> 192.168.213.170

Scan the Snort host’s port 80 (with Apache server configured on Snort host) from another machine to trigger alerts:

 03/21-14:43:04.242200  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38250 -> 192.168.213.170:80
03/21-14:45:46.621115  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621268  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.621409  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38270 -> 192.168.213.170:80
03/21-14:45:46.629345  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.629466  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80
03/21-14:45:46.633859  [**] [1:26287:0] "Telnet Login" [**] [Priority: 0] {TCP} 192.168.213.162:38322 -> 192.168.213.170:80