How to install and use Snort in Ubuntu 15.04
     
  Add Date : 2017-01-08      
         
         
         
Intrusion detection is an important part of network security. An intrusion detection system (IDS) is used to detect malicious or unauthorized requests on the network. Snort is a well-known open source intrusion detection system; its web interface (Snorby) makes the alerts it generates easier to analyze. Snort can also work together with an iptables/pf firewall to act as an intrusion prevention system (inline mode). In this post we install and configure the open source intrusion detection system Snort.

Snort installation

Requirements

Snort uses the Data Acquisition library (DAQ) as an abstraction layer for calling the packet capture library, so DAQ has to be installed before Snort. Download it first.

Extract it and run ./configure, make and make install to install DAQ. However, DAQ depends on other tools, so the ./configure script fails with the following errors:

- flex and bison error (flex and bison are not installed)
- libpcap error (the libpcap development library is not installed)

Therefore, install flex, bison and the libpcap development package (libpcap-dev) with aptitude before installing DAQ.

After the necessary tools are installed, running the ./configure script again completes without errors, and make followed by make install finishes the DAQ installation.

After DAQ has been installed successfully, we install Snort itself. Download it with wget, then extract the package with the following command.

# tar -xvzf snort-2.9.7.3.tar.gz

Create an installation directory and pass it to the configure script as the --prefix parameter. The package also recommends the --enable-sourcefire flag, which enables the Sourcefire build options including performance monitoring (PPM).

# mkdir /usr/local/snort
# ./configure --prefix=/usr/local/snort/ --enable-sourcefire

The configure script fails because the libpcre-dev and libdumbnet-dev development libraries and zlib are missing:

- pcre error: the libpcre library is missing
- dnet error: the dnet (libdumbnet) library is missing
- zlib error: the zlib library is missing

Install all the required development libraries as shown below.

# aptitude install libpcre3-dev
# aptitude install libdumbnet-dev
# aptitude install zlib1g-dev

After the libraries Snort needs are installed, the configure script runs again without errors.

Run make and make install to complete the installation into the /usr/local/snort directory.

# make
# make install

Finally, run snort from /usr/local/snort/bin. At this point it puts eth0 into promiscuous mode and simply dumps all traffic on that interface (packet dump mode).

Snort rules and configuration

When Snort is installed from source, the rules and configuration still have to be set up, so we copy them to /etc/snort. We created a separate bash script for this; it performs the following steps:

- Create the Linux user and group snort for the Snort IDS service.
- Create the Snort configuration files and folders under /etc.
- Set permissions and copy the data from the etc directory of the source code.
- Comment out (prefix with #) the rule include lines in snort.conf.

#!/bin/bash
# Path of the snort source code
snort_src="/home/test/Downloads/snort-2.9.7.3"

echo "adding group and user for snort ..."
groupadd snort &> /dev/null
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &> /dev/null

# snort configuration
echo "Configuring snort ..."
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/local.rules
mkdir -p /etc/snort/preproc_rules
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules

### Copy configuration and rules from the etc directory of the snort source code
echo "copying from snort source to /etc/snort ....."
echo "$snort_src"
echo "-------------"
cp "$snort_src"/etc/*.conf* /etc/snort
cp "$snort_src"/etc/*.map /etc/snort

## Comment out every "include $RULE_PATH/..." line; the rule files you
## actually have are enabled again later by removing the # in snort.conf
sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
echo "--- DONE ---"

Change the source code path in the script to match your system and run it; a successful run ends with the DONE line.

The script copies the configuration files (*.conf*) and map files (*.map) from the etc folder of the Snort source to the /etc/snort configuration directory.

The Snort configuration is fairly complex; the following changes are necessary for it to work as an IDS.

Set the network variables (HOME_NET is the LAN side, EXTERNAL_NET the WAN side):

ipvar HOME_NET 192.168.1.0/24    # LAN side
ipvar EXTERNAL_NET !$HOME_NET    # WAN side

Set the main paths:

var RULE_PATH /etc/snort/rules                  # snort signature path
var SO_RULE_PATH /etc/snort/so_rules            # rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules  # preprocessor rules path
var WHITE_LIST_PATH /etc/snort/rules            # do not scan
var BLACK_LIST_PATH /etc/snort/rules            # must scan

Include the file for custom rules, and remove the comment symbol (#) in front of ftp.rules and exploit.rules:

include $RULE_PATH/local.rules   # file for custom rules

Now download the Community rules and extract them into /etc/snort/rules. Then enable the Community rules and the Emerging Threats rules in snort.conf.
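The setup script comments out every rule include, and the post then re-enables ftp.rules and exploit.rules by hand. As an added example (not part of the original post), the following bash function automates that step: it enables only the includes whose rule file exists in the rules directory and reports the missing ones, so snort -T does not fail on a file that is not there. enable_present_rules and the sample configuration are constructed here and run on a scratch copy, not on /etc/snort.

```shell
#!/bin/bash
# Added example, not from the original post: re-enable only those
# "include $RULE_PATH/<file>.rules" lines whose rule file really exists.

# usage: enable_present_rules <snort.conf> <rules directory>
# prints "enabled: <file>" / "missing: <file>" per include;
# return value = number of includes whose rule file is missing
enable_present_rules() {
    conf="$1"
    rules_dir="$2"
    missing=0
    # every $RULE_PATH include, commented out or not, file name only, deduplicated
    for rule_file in $(grep -oE '^#? *include \$RULE_PATH/[^[:space:]]+' "$conf" \
                       | sed -E 's#.*\$RULE_PATH/##' | sort -u); do
        if [ -f "$rules_dir/$rule_file" ]; then
            # drop the leading "#" from this one include line only
            sed -i -E "s|^# *(include \\\$RULE_PATH/$rule_file)\$|\1|" "$conf"
            echo "enabled: $rule_file"
        else
            echo "missing: $rule_file"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demonstration on constructed data in a scratch directory (not a real /etc/snort)
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
touch "$demo_dir/rules/local.rules" "$demo_dir/rules/ftp.rules"
printf '%s\n' 'var RULE_PATH /etc/snort/rules' \
    '#include $RULE_PATH/local.rules' \
    '#include $RULE_PATH/ftp.rules' \
    '#include $RULE_PATH/exploit.rules' > "$demo_dir/snort.conf"
enable_present_rules "$demo_dir/snort.conf" "$demo_dir/rules" && n=0 || n=$?
echo "missing rule files: $n"
grep 'RULE_PATH/' "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

Point it at /etc/snort/snort.conf and /etc/snort/rules after extracting the Community rules, then verify with snort -T as described below.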

After making the above changes, run the following command to verify the configuration file.

# snort -T -c /etc/snort/snort.conf

Summary

In this post we looked at installing and configuring the open source IDPS Snort on Ubuntu. It is usually used to monitor events, but it can also be configured in inline mode to protect the network. Snort rules can also be run against pcap capture files in offline mode for testing and analysis.
     
         
         
         