Introduction
Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It is a lightweight network intrusion detection system that uses libpcap and runs on a "sensor" host to monitor network traffic. By matching network traffic against predefined rule sets, Snort can detect potential intrusion attempts. Additionally, it can use the SPADE plugin to perform anomaly detection on the network data by applying statistical methods. This article walks through installing Snort on Ubuntu and running a first detection rule.
This experiment is demonstrated on Ubuntu. If you need to perform it on another Linux distribution, you can refer to this article and use large language models to adapt the commands to that operating system.
Installing Snort
1. Update the apt sources
sudo apt update
2. Install related dependencies. In Linux systems, especially when using Debian-based distributions (like Ubuntu), you can use the apt install command to install multiple software packages at once. These packages are separated by spaces.
Installing multiple packages this way can save time, as there is no need to execute a command for each package individually. Additionally, it ensures all related dependencies are updated to compatible versions simultaneously, preventing potential version conflicts.
sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev
This command includes quite a few dependency packages. Below is a brief explanation of the related dependencies:
build-essential: A basic compilation environment package containing compilers (like gcc), build tools (like make), and the necessary library files. It is required for compiling most source packages.
libpcap-dev: libpcap (Packet Capture) is a library for capturing network traffic. Snort needs it to read network packets.
libpcre3-dev: PCRE (Perl Compatible Regular Expressions) is a regular-expression library. Snort uses PCRE to match patterns in rules.
libnet1-dev: libnet is a library for constructing and sending network packets. Although Snort itself does not normally send packets, it may rely on this library to handle or parse network data.
zlib1g-dev: zlib is a compression library. Snort may use zlib to compress or decompress log data.
luajit: LuaJIT is a high-performance Lua interpreter. Snort may use Lua scripts to extend its functionality or to process rules.
hwloc, libhwloc-dev: hwloc (Hardware Locality) is a library for detecting and using hardware topology information. Snort may use hwloc to optimize its performance or resource allocation.
libdnet-dev, libdumbnet-dev: These libraries provide functions and interfaces for network programming. Snort may use them to handle network packets or perform network operations.
bison, flex: Bison is a parser generator and Flex is a lexical analyzer generator. They are typically used in compiler development but may also be used by Snort for parsing configuration files or rules.
liblzma-dev: LZMA is a compression algorithm, and liblzma provides the library interface for it. Snort may use it to compress data.
openssl, libssl-dev: OpenSSL is a widely used cryptography library providing implementations of the SSL and TLS protocols. Snort may use OpenSSL to encrypt or decrypt network data.
pkg-config: pkg-config is a tool that helps compilers and linkers find library files. It simplifies dependency management.
cmake: CMake is a cross-platform build system. The Snort 3 build used below (configure_cmake.sh) is driven by CMake, and some dependencies use it as well.
cpputest: CppUTest is a C/C++ unit testing framework. While it is included in the install command, Snort itself may not use it directly; it may be needed for developing or testing other components related to Snort.
libsqlite3-dev: SQLite is a lightweight embedded relational database. Snort may use SQLite to store log data or configuration information.
uuid-dev: The UUID (Universally Unique Identifier) library generates globally unique identifiers. Snort may use UUIDs to identify log entries or sessions.
libcmocka-dev: cmocka is a lightweight unit testing framework for C. Like CppUTest, it may be used to test components related to Snort.
libnetfilter-queue-dev, libmnl-dev: These libraries provide interfaces to the Linux kernel's netfilter framework. Snort may use them to implement certain advanced network filtering or processing features, such as inline operation.
autotools-dev: A collection of tools and libraries for automating building and testing. They may be needed to build some of Snort's dependencies.
libluajit-5.1-dev: The development headers and library for LuaJIT (Lua 5.1 API). Together with luajit, it supports the execution of Lua scripts.
libunwind-dev: libunwind is a library for stack unwinding and debugging. Snort may use it to produce error reports or debugging information.
3. Install Snort DAQ (Data Acquisition Library)
When installing Snort on Ubuntu, installing the DAQ (Data Acquisition Library) is an important step.
DAQ is a component of Snort that provides an abstraction layer for calling various packet capture libraries.
This abstraction layer allows Snort to flexibly handle packets from different network interfaces.
# Create a directory for the source files
mkdir snortSourceFiles
cd snortSourceFiles
# Download the daq source code from GitHub
git clone https://github.com/snort3/libdaq.git
![Ubuntu Snort installation](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-f2e26cefc08b4a0da3ad456f523229ec.png)
The libdaq folder now appears in the current directory (snortSourceFiles).
# Move into the libdaq directory
cd libdaq/
# Compile and install
./bootstrap
./configure
make
sudo make install
Enter the libdaq folder to compile and install
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-a068947674db4585a1a24b7eeb9c69dd.png)
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-66a08b19499f4b4782922a87a21cae4f.png)
Next is sudo make install. Since many experiments use make and make install, here is a simple explanation of both:
The make command compiles the source code, while the make install command copies the compiled software to its installation location (the prefix chosen when configuring). The two commands are normally used in sequence during software build and deployment: first make to compile, then make install to install.
Note that before running make and make install, a configuration script (such as ./configure) is usually run to generate a Makefile, which sets the parameters and options for compilation and installation. Also, make install typically requires root privileges because it writes files into system directories, which is why make install sometimes fails without sudo.
4. Install Google's Thread-Caching Malloc (TCMalloc), which provides an efficient multi-threaded memory management implementation used to replace the operating system's memory allocation functions, offering reduced memory fragmentation, suitability for multi-core systems, and better concurrency support. Additionally, TCMalloc caches small memory allocations in thread-local storage (TLS), reducing lock contention and improving memory allocation performance in multi-threaded environments.
cd snortSourceFiles
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz
tar xzf gperftools-2.8.tar.gz
cd gperftools-2.8/
./configure
make
sudo make install
If you cannot download the related installation package on Ubuntu using the wget command (e.g., showing request timeout), you can enter the following URL in a browser, directly upload the downloaded gperftools archive to the Ubuntu snortSourceFiles folder, and proceed with the related extraction. GPerftools Download Site
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-bd5e705eef0447238017f0175becd6c0.png)
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-a874f886f4b546dc80c62be6e0039ba2.png)
You can view the files in the gperftools directory.
Compile and install in the gperftools directory.
Next, run make to compile, which can take quite a while. After a successful compilation, use sudo make install to install.
5. Compile Snort from source
cd snortSourceFiles
git clone https://github.com/snort3/snort3.git
cd snort3/
sudo ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build/
# The compilation and installation time is relatively long
make
sudo make install
6. Update shared libraries. Shared libraries typically contain many commonly used functions and code, which can be shared by multiple programs to reduce memory usage and improve system performance.
sudo ldconfig
7. Check the Snort version
snort -V
The version compiled from source is generally the latest Snort version. Below is the version installed directly via apt: if the dependencies mentioned above are installed, you can install it directly with sudo apt install snort.
If the snort command is reported as not installed, follow the system prompt to install it. During installation a configuration dialog may appear; confirm with Enter (I just hit Enter to accept the defaults. One item asks for the network interface name and defaults to eth0, which I accepted even though my interface is ens33, and it did not affect anything. If it matters, replace it with your own interface name, which you can find with ifconfig).
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-e9929fe2bbfd4c9a8f1c2ba0eba668f7.png)
Now use snort -V to check whether the installation succeeded; if the version number appears, the installation is complete. Next we introduce a simple experiment: using Snort on Ubuntu to detect, and defend against, external hosts pinging the server with packets larger than 800 bytes.
Simple Experiment
1. Configure rules. Snort's rule files are usually stored in /etc/snort/rules. Go to that directory to view the rule files. Enter the command
vi /etc/snort/rules
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-b792a9081d294bf2a05c0fec7816d228.png)
Since we are going to set an icmp rule, find the icmp rules file within the rules directory, open it, and add the following rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499;)
A brief introduction to the meaning of this rule:
alert: This field specifies the action of the rule. Here, alert means that when the rule matches traffic, Snort generates an alert.
icmp: This field specifies the protocol to check. Here, icmp is the Internet Control Message Protocol (ICMP), a protocol used for sending control messages on an IP network, commonly used for ping, error reporting, etc.
$EXTERNAL_NET any -> $HOME_NET any:
This part defines the scope and direction of the rule. $EXTERNAL_NET is a variable usually representing the IP address range of an external network. any represents any port. -> indicates the direction of traffic, from the left to the right. $HOME_NET is another variable usually representing the IP address range of the protected network. The second any also represents any port. Overall, this part specifies any ICMP traffic from the external network to the protected network.
(msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499;):
This part is the rule’s detection conditions and additional information.
msg:"ICMP Large ICMP Packet": A descriptive message. When the rule triggers, Snort includes this message in the alert.
dsize:>800: The payload size condition to match. Here it requires a packet data size greater than 800 bytes. ICMP packets are typically small, so ICMP packets larger than 800 bytes may be anomalous and warrant further investigation.
reference:arachnids,246: A reference field giving an additional source of information about the rule or the detected activity. Here it points to a security database entry explaining why this type of ICMP packet is considered suspicious.
classtype:bad-unknown: The classification of the rule. bad-unknown means the detected activity is considered bad but unknown: it does not match known good behaviour, yet there is not enough information to identify it as a specific attack.
sid:499: The unique signature ID of the rule. Every Snort rule has a unique SID, used to identify the rule in alerts.
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-af5696982ebc4d398f0181b0f016c373.png)
Save and exit
It’s important to note that when you first enter the icmp.rules file, you will actually find many rules already inside. Here’s a brief explanation of the difference between the added rule and the existing rules:
In Snort, SID (Signature ID) is a number that uniquely identifies each rule; when Snort processes rules, it distinguishes them by SID. REV (Revision) indicates the version of a rule, so a rule can be updated while keeping the same SID.
If you add a new rule without specifying a REV field, Snort treats it as revision 0 (depending on Snort's version and configuration another default may be used, but usually 0). This will not conflict with an existing rule of the same SID that specifies rev:1, because the combination of SID and REV is the unique identifier.
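To make the rule breakdown above concrete, here is an added example (not part of the original tutorial and not Snort's own code) that parses a rule of this form into its header and option fields and evaluates it against a few constructed packet summaries, the way the detection engine would. It assumes the classic snort.conf-style variables, with $HOME_NET taken as 192.168.1.0/24 and $EXTERNAL_NET as its negation (both assumed values); ports and the dsize range form (a<>b) are deliberately not handled.

```python
import ipaddress
import re

# Constructed stand-ins for the HOME_NET / EXTERNAL_NET variables that
# snort.conf normally defines; the addresses are assumptions for this demo.
VARS = {
    "$HOME_NET": ["192.168.1.0/24"],
    "$EXTERNAL_NET": ["!$HOME_NET"],
}

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split one Snort rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    options = {}
    # Options are "key:value;" pairs; a msg containing ';' is not handled here.
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    rule["sid"] = int(options.get("sid", 0))
    rule["rev"] = int(options.get("rev", 0))  # a missing rev reads as revision 0
    return rule


def addr_matches(spec, ip):
    """Resolve 'any', '!' negation, $VARIABLES and CIDR literals recursively."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return any(addr_matches(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def dsize_matches(spec, payload_len):
    """dsize is compared with the payload length: '>N', '<N' or exactly 'N'."""
    if spec.startswith(">"):
        return payload_len > int(spec[1:])
    if spec.startswith("<"):
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def rule_matches(rule, pkt):
    """Check protocol, source/destination address and dsize; ports are ignored."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    dsize = rule["options"].get("dsize")
    return dsize is None or dsize_matches(dsize, pkt["payload_len"])


def evaluate(rules, packets):
    """Return (sid, msg, src, dst) for every alert rule that fires on a packet."""
    return [
        (r["sid"], r["options"]["msg"], p["src"], p["dst"])
        for p in packets
        for r in rules
        if r["action"] == "alert" and rule_matches(r, p)
    ]


# The rule from the tutorial, followed by constructed packet summaries.
LARGE_ICMP_RULE = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; '
    'dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499;)'
)
PACKETS = [
    {"proto": "icmp", "src": "203.0.113.5", "dst": "192.168.1.10", "payload_len": 1000},   # fires
    {"proto": "icmp", "src": "203.0.113.5", "dst": "192.168.1.10", "payload_len": 56},     # normal ping
    {"proto": "icmp", "src": "192.168.1.20", "dst": "192.168.1.10", "payload_len": 1000},  # internal source
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "payload_len": 1000},    # wrong protocol
]

if __name__ == "__main__":
    for sid, msg, src, dst in evaluate([parse_rule(LARGE_ICMP_RULE)], PACKETS):
        print("[1:%d] %s %s -> %s" % (sid, msg, src, dst))
```

dsize is compared against the payload length, so a ping only trips sid 499 when its data size, not the whole frame, exceeds 800 bytes. Note also that with EXTERNAL_NET defined as the negation of HOME_NET, as assumed here, a ping from another host on the same LAN does not match; a LAN-side test only works if your snort.conf leaves EXTERNAL_NET as any or keeps the test host outside HOME_NET.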
2. Create a snort log detection storage file
sudo mkdir /var/log/snort
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-9b1ef0eec74e4ee293a51f50b9d259f3.png)
Normally, when Snort is installed, the log detection file is created by default. If a related file is already present, no need to create it.
3. Set the snort rule path to point to the snort rules directory
If, on opening the snort.conf file, RULE_PATH is already set to the desired Snort rules path (pointing to the rules folder in the snort directory), Snort is configured to load rule files from that path and no changes are needed; just exit.
4. Use snort rules to detect traffic and log the results into the corresponding log file (replace ens33 with your network interface, which can be checked using ifconfig) Enter the command
sudo snort -i ens33 -c /etc/snort/snort.conf -A fast -l /var/log/snort/
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-c2d148a5eb75490889f1c71515854356.png)
At this point, on Ubuntu, you can use snort for detection; you can proceed to step 5.
If you want to test the rules, you can follow the commands below for testing.
(Optional) Use the following command to check if the related snort configurations are correct
sudo snort -T -c /etc/snort/snort.conf
(Optional) Rule test (output like that shown below indicates the rules were loaded successfully)
sudo snort -T -c /etc/snort/snort.conf -i ens33
It's noted that using ens0 also successfully worked
sudo snort -T -c /etc/snort/snort.conf -i ens0
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-e3b19ff5fc50452f81ab50d554b7f2d4.png)
5. Start detection with the command from step 4
sudo snort -i ens33 -c /etc/snort/snort.conf -A fast -l /var/log/snort/
Now, leave Ubuntu alone and, from another machine in the local network, ping Ubuntu with a packet size > 800 bytes.
Then, on Ubuntu, use ctrl+z to leave the detection screen; the detection results can then be viewed.
6. View detection logs. Open the log directory we created earlier (or the default one); it contains a file called alert. Open it to view the alert records.
cd /var/log/snort
vi alert
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-0758776c7f65425e8738ccfacbc265ec.png)
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-d36a94e256a84ad4aaa0c90380313534.png)
![Insert image description here](https://www.ids-sax2.com/wp-content/uploads/picture/i-blog-csdnimg-cn-09ea579ad1a44ea7b58fa923f25f4753.png)
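The alert file written by -A fast holds one line per alert. As an added example (not from the original post and not a Snort tool), the following script parses such lines, drops anything it cannot parse, and counts alerts per signature and per source host, so that a burst of sid 499 hits from one address stands out when you review the log. The sample lines are constructed to look like fast-alert output; the addresses, timestamps and the second signature's revision number are invented, and only IPv4 addresses are handled.

```python
import re
from collections import Counter

# One "-A fast" alert per line. Constructed sample shaped like Snort's fast
# alert output; addresses, timestamps and the trailing junk line are made up.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:499:0] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.10
01/15-10:23:46.124001  [**] [1:499:0] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.10
01/15-10:23:47.125990  [**] [1:499:0] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.10
01/15-10:24:01.000321  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.33 -> 192.168.1.10
this line is not an alert and must be skipped
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_alerts(text):
    """Turn fast-alert lines into dicts; unparseable lines are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "timestamp": d["ts"],
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"],
            "classification": d["cls"],
            "priority": int(d["prio"]) if d["prio"] else None,
            "proto": d["proto"],
            # TCP/UDP entries carry "ip:port"; ICMP entries carry a bare IPv4 address.
            "src": d["src"].rsplit(":", 1)[0],
            "dst": d["dst"].rsplit(":", 1)[0],
        })
    return alerts


def summarize(alerts):
    """Counts per (sid, msg) and per source address."""
    return {
        "by_sid": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
    }


def noisy_sources(alerts, sid, threshold):
    """Source addresses that triggered `sid` at least `threshold` times."""
    counts = Counter(a["src"] for a in alerts if a["sid"] == sid)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in summarize(parsed)["by_sid"].most_common():
        print("sid %-5d %-28s %d" % (sid, msg, n))
    print("sources with >= 3 large ICMP alerts:", noisy_sources(parsed, 499, 3))
```

Run it against the real file with parse_fast_alerts(open("/var/log/snort/alert").read()); because the fast format has no payload, anything beyond counting (for example confirming the actual ICMP data size) needs the packet log Snort writes alongside the alert file.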