Snort is a powerful open-source, cross-platform intrusion detection system that runs on Linux, AIX, Windows and other platforms. It captures and analyses packets on the network and responds to them according to defined rules, with alert response methods that include email and custom scripts. Typically Snort is deployed at the DMZ boundary, with sensors distributed across the different network areas, and it can be integrated with firewalls.
Installing Snort on Ubuntu 17.04 is very simple, because it can be installed from the official package repository (apt source).
1. Ensure that /etc/apt/sources.list contains a usable package source.
2. Update the package list:
root@compute-node:~# apt update
3. Install the Snort service:
root@compute-node:~# apt install snort
4. During the installation a window pops up asking for the network segment to listen on; configure it as needed.
5. Start the Snort service:
root@compute-node:~# service snort restart
6. Check that the configuration file is correct:
root@compute-node:~# snort -T -c /etc/snort/snort.conf
If the configuration file is correct, Snort reports that it validated the configuration successfully.
7. Print the packets Snort is listening to:
root@compute-node:~# snort
At this point every packet seen on the monitored interface is printed out.
8. Set a simple ICMP detection rule
Note: for Snort installed from the package repository, the default configuration file is /etc/snort/snort.conf, and the /etc/snort/rules directory holds the Snort detection rule templates.
root@compute-node:~# vim /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
root@compute-node:~# vim /etc/snort/snort.conf
include $RULE_PATH/local.rules
9. Start listening mode
root@compute-node:~# snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i <interface>
Note: <interface> is the network card to be monitored. After pressing Enter, Snort is in listening state; as long as no packet matches a rule, nothing is printed.
We have just defined an ICMP monitoring rule, so when we ping the Snort host, the listening window prints the ICMP alerts in real time.
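Before reloading Snort it is worth checking that every entry in local.rules has the pieces a local rule needs. The following is an added example, not code from the original page or from the Snort project: a small Python linter that parses Snort 2.x rule lines such as the ICMP rule above and flags missing msg/sid/rev options and sids below the 1,000,000 range reserved for local rules. The second sample line is constructed and deliberately incomplete so the checks have something to report.

```python
import re

# Constructed sample input: the local.rules entry from the tutorial, plus a
# deliberately incomplete second rule (no sid) so the linter has something to flag.
SAMPLE_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"ssh missing sid"; rev:1;)
"""

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options are "key:value;" pairs; a value may be a quoted string that contains ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(line):
    """Split one Snort rule into header fields plus an 'options' dict, or None if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["options"] = {k: v.strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    return rule

def lint_rule(line):
    """Return a list of problems for a local rule; an empty list means it looks fine."""
    rule = parse_rule(line)
    if rule is None:
        return ["unparseable header"]
    problems = [f"missing {opt}" for opt in ("msg", "sid", "rev") if opt not in rule["options"]]
    sid = rule["options"].get("sid")
    # sids below 1,000,000 are reserved for distributed rule sets; local rules use 1,000,000 and up.
    if sid is not None and (not sid.isdigit() or int(sid) < 1000000):
        problems.append("sid should be >= 1000000 for local rules")
    return problems

def lint_file(text):
    """Map line number -> problems for every non-comment, non-blank rule line."""
    return {n: lint_rule(l) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")}

if __name__ == "__main__":
    for n, problems in lint_file(SAMPLE_RULES).items():
        print(f"line {n}: {problems or 'ok'}")
```

Run it against /etc/snort/rules/local.rules before restarting Snort; a non-empty list for a line means `snort -T` is likely to reject the file or the rule will never fire as intended.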
Snort also ships with many detection templates for common protocols such as HTTP, FTP, SMB and PPTP. The template files live in the /etc/snort/rules directory and are worth exploring.