Intrusion detection is an important part of network security. An Intrusion Detection System (IDS) inspects network traffic for malicious or illegal requests. Snort is a well-known open source intrusion detection system; its web interface (Snorby) makes the alerts easier to analyze. Together with an iptables/pf firewall Snort can also act as an intrusion prevention system. In this blog entry we install and configure the open source intrusion detection system Snort.
Snort uses the Data Acquisition library (DAQ) as an abstraction layer for calling the packet capture library, so DAQ has to be installed before Snort.
Extract the DAQ archive and run ./configure, make and make install to install it. DAQ depends on other tools, however, so the ./configure script fails with the following error.
flex and bison error
Therefore, install flex/bison and libpcap before installing DAQ.
Install the libpcap development libraries as shown below.
After installing the required tools, running the ./configure script again produces the following output.
The output of the make and make install commands is shown below.
After DAQ has been installed successfully we install Snort itself. Download it with wget as shown.
Use the following command to extract the installation package.
# tar -xvzf snort-220.127.116.11.tar.gz
Create an installation directory and pass it to the configure script with the --prefix parameter. The Snort package also recommends enabling the Sourcefire performance monitoring (PPM) flag.
# mkdir /usr/local/snort
# ./configure --prefix=/usr/local/snort/ --enable-sourcefire
The configure script fails because the libpcre-dev, libdumbnet-dev and zlib development libraries are missing.
Configure script error caused by the missing libpcre library.
Configure script error caused by the missing dnet (libdumbnet) library.
Configure script error caused by the missing zlib library.
Install all the required development libraries as shown below.
# aptitude install libpcre3-dev
# aptitude install libdumbnet-dev
# aptitude install zlib1g-dev
After installing the libraries Snort needs, running the configure script again completes without errors.
Run make and make install to complete the installation into the /usr/local/snort directory.
# make install
make install snort
Finally, run snort from /usr/local/snort/bin. Without further arguments it puts eth0 into promiscuous mode and dumps all traffic to the console (packet dump mode).
snort dump traffic.
Snort rules and configuration
When Snort is installed from source you also have to set up its rules and configuration, so these are copied to /etc/snort. We created a separate bash script for this. It performs the following steps:
Create a Linux user named snort for the Snort IDS service.
Create the Snort configuration files and folders under /etc.
Set permissions and copy the data from the etc directory of the source tree.
Comment out the include $RULE_PATH lines in snort.conf (the rule files that are really needed are re-enabled by hand below).
#!/bin/bash
# path to the snort source code
snort_src="/home/test/Downloads/snort-18.104.22.168"
echo "adding group and user for snort ..."
groupadd snort &> /dev/null
# system account without a login shell; home directory is the log directory
useradd snort -r -s /sbin/nologin -d /var/log/snort -c snort_idps -g snort &> /dev/null
# snort configuration directories
echo "Configuring snort ..."
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
mkdir -p /etc/snort/preproc_rules
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 775 /etc/snort
chmod -R 775 /var/log/snort
chmod -R 775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules
### copy configuration and rules from the etc directory of the snort source tree
echo "copying from snort source to /etc/snort ....."
echo "$snort_src"
cp "$snort_src"/etc/*.conf* /etc/snort
cp "$snort_src"/etc/*.map /etc/snort
## comment out every "include $RULE_PATH/..." line; the needed rule files are enabled by hand later
sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
echo "--- DONE ---"
Change the source directory path in the script and run it. A successful run prints the following output.
The script copies the following files and folders from the etc folder of the Snort source tree into /etc/snort.
The Snort configuration is quite complex; to get a working IDS the following changes to snort.conf are required.
ipvar HOME_NET 192.168.1.0/24 # LAN side
ipvar EXTERNAL_NET !$HOME_NET # WAN side
var RULE_PATH /etc/snort/rules # snort signature path
var SO_RULE_PATH /etc/snort/so_rules # rules in shared libraries
var PREPROC_RULE_PATH /etc/snort/preproc_rules # preprocessor rules path
var WHITE_LIST_PATH /etc/snort/rules # do not scan
var BLACK_LIST_PATH /etc/snort/rules # must scan
include $RULE_PATH/local.rules # file for custom rules
Remove the comment symbol (#) in front of the ftp.rules and exploit.rules include lines.
Now download the Community rules and unzip them into /etc/snort/rules. Enable the Community rules and the Emerging Threats rules in snort.conf.
After making the above changes, run the following command to validate the configuration file.
# snort -T -c /etc/snort/snort.conf
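The steps above (a custom rule in local.rules, re-enabling the include lines the setup script commented out, and the snort -T check) as a small added shell script; it is not code from the original post, and the paths, the rule text and the run_offline pcap test mentioned in the summary are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): manage local.rules and the
# "include $RULE_PATH/..." lines in snort.conf, then validate the config.
# Paths are passed as arguments so the functions can be tried on copies.

# Write a minimal custom rule to local.rules. SIDs from 1000000 upwards are
# reserved for local rules; this rule only alerts on inbound ICMP echo requests.
write_local_rules() {
    rules_file="$1"
    cat > "$rules_file" <<'EOF'
# Custom rules for this sensor (constructed example)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request from outside"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
EOF
}

# Turn "#include $RULE_PATH/<name>" back into "include $RULE_PATH/<name>",
# i.e. undo the setup script's sed for one rule file (ftp.rules, exploit.rules, ...).
enable_rule_file() {
    conf="$1"; name="$2"
    sed -i "s|^#include \$RULE_PATH/$name|include \$RULE_PATH/$name|" "$conf"
}

# Number of rule files snort.conf really includes (uncommented lines only).
count_enabled_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}

# Validate the configuration with snort -T; skip gracefully if snort is absent.
check_config() {
    conf="$1"
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$conf"
    else
        echo "snort not found; skipping snort -T for $conf"
    fi
}

# Offline test mode: replay a pcap through the rule set, alerts to the console.
run_offline() {
    conf="$1"; pcap="$2"
    snort -q -A console -c "$conf" -r "$pcap"
}

# Typical use on a live sensor (needs root):
#   write_local_rules /etc/snort/rules/local.rules
#   enable_rule_file /etc/snort/snort.conf ftp.rules
#   enable_rule_file /etc/snort/snort.conf exploit.rules
#   check_config /etc/snort/snort.conf
```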
Summary
In this blog entry we looked at installing and configuring the open source IDPS Snort on Ubuntu. It is usually used to monitor events, but it can also be configured in inline mode to protect the network. Snort rules can also be tested and analyzed against pcap capture files in offline mode.