Introduction
We discussed Snort NIDS in detail in our previous tutorial. In this article we have tried to simplify the process of installing Snort on Ubuntu.
Requirements
- Ubuntu 14.04/15.04 OS
- Latest DAQ Package available with https://www.snort.org/downloads
- Latest Snort Package available with https://www.snort.org/downloads
- PCAP package available with Ubuntu
- Libdnet package available with Ubuntu
- PCRE package available with Ubuntu
- Our hostname is snort
- Our Ubuntu user is snort
- Snort Server IP ADDR 192.168.1.10
We will configure Snort from a remote PC using ssh.
Installation Steps
- Update system
- Install ssh-server
- Install Snort requisites
- Install Snort DAQ requisites
- Create a new directory for the downloaded packages, then download and install Snort DAQ there
- Download and install Snort in the same directory created in the step above
- Configure Snort and test your installation
- Create the directories needed to run Snort in NIDS mode
Installation
First of all, prepare the Snort host
# apt-get update
# apt-get install openssh-server
# reboot
Make sure ethtool is installed
# apt-get install ethtool
Make sure build-essential is installed
# apt-get install -y build-essential
Install Snort prerequisites
Install libpcap-dev, libpcre3-dev, zlib1g-dev and libdumbnet-dev packages
# apt-get install -y libpcap-dev
# apt-get install libpcre3-dev
# apt-get install -y libdumbnet-dev
# apt-get install zlib1g-dev
Install Snort DAQ Prerequisites
bison and flex are required to build Snort DAQ
# apt-get install bison flex
Create a separate directory in which we will install the tar packages of Snort and Snort DAQ
# mkdir /home/snort/snort_src
Change working directory to newly created directory.
# cd /home/snort/snort_src/
Download and install latest version of DAQ
# wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
Install the Package
# tar -xvf daq-2.0.6.tar.gz
# cd daq-2.0.6
# ./configure
# make
# make install
Install Snort in same directory
# wget https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz
Extract and Install the snort package
# gunzip snort-2.9.7.5.tar.gz
# tar -xvf snort-2.9.7.5.tar
# cd snort-2.9.7.5
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
Create a Soft Link for Snort binary
# ln -s /usr/local/bin/snort /usr/sbin/snort
Verify that Snort is installed correctly
# snort -V
Configure Snort for NIDS Mode
Create following Directories
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/preproc_rules
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Create Log Directory for snort
# mkdir /var/log/snort
Create a directory for Snort dynamic rules
# mkdir /usr/local/lib/snort_dynamicrules
Change permissions
# chmod -R 5775 /etc/snort/
# chmod -R 5775 /var/log/snort/
# chmod -R 5775 /usr/local/lib/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules/
Copy *.conf and *.map files from snort download directory to /etc/snort
# cp /home/snort/snort_src/snort-2.9.7.5/etc/*.conf* /etc/snort/
# cp -v /home/snort/snort_src/snort-2.9.7.5/etc/*.map* /etc/snort/
Configure /etc/snort/snort.conf
Before editing snort.conf, take a backup of the file first
# cp /etc/snort/snort.conf /etc/snort/snort.conf_orig
Run the following command
# sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
Note: the above command comments out every ruleset include; we will re-enable the ones we need line by line
Go to line 45 of /etc/snort/snort.conf and edit it to look like below
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
(Note: replace the above network address with your own)
Go to line 104 and put in the following entries
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
##include $RULE_PATH/local.rules
Save and Quit
Now download the Community rules from the following link
Extract these rules and copy to /etc/snort/rules.
Run the following command (this time I am logged in directly to the Ubuntu VM, only to make sure that everything is working properly)
# snort -T -c /etc/snort/snort.conf
Sample output: