Snort is a widely used open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) developed by Sourcefire, now owned by Cisco. It is designed to detect and prevent network-based attacks in real time. Snort is known for its flexibility, robustness, and ability to analyze network traffic for signs of malicious activity.
Key features of Snort
Snort offers a variety of features that help strengthen the security posture of your Linux systems. Some of these features include:
- Packet Sniffing: Snort can capture and analyze network packets as they traverse a network.
- Signature-Based Detection: It uses a rule-based system where administrators define specific patterns or signatures of known attacks. When Snort identifies a packet that matches a signature, it generates an alert or takes predefined actions.
- Protocol Analysis: Snort can analyze network protocols to detect abnormalities or deviations from standard behavior.
- Logging and Alerting: Snort can log detected events and generate alerts in real time, allowing administrators to respond promptly to potential security threats.
- Flexibility: Snort is highly configurable, allowing administrators to customize rules and policies based on the specific needs of their network.
- Active Responses: Snort can be configured to take active responses, such as blocking traffic from a specific IP address or resetting connections, acting as an Intrusion Prevention System (IPS).
- Community and Rule Updates: The Snort community actively contributes to the development of rules, and regular updates are available to address emerging threats.
Snort is commonly used by network administrators and security professionals to enhance the security posture of networks by identifying and mitigating potential security threats. It is a valuable tool in network security, especially when used in conjunction with other security measures and best practices.
To install Snort on Ubuntu Linux, use the following steps:
Install necessary packages
Use the following commands to update the system and then install Snort on your Linux system:
sudo apt-get update
sudo apt-get install snort
Download and configure rules
Snort rules are a set of instructions that define what network traffic or events should be considered as potentially malicious or suspicious. These rules are the core components of the Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Snort uses a rule-based language to match specific patterns or signatures in network traffic and generate alerts or take action when potential security threats are detected.
Now, you can download the latest rules from the Snort website:
sudo mkdir -p /etc/snort/rules
cd /etc/snort
sudo wget https://www.snort.org/rules/snortrules-snapshot-3.0.tar.gz
sudo tar -xvzf snortrules-snapshot-3.0.tar.gz -C /etc/snort/
Each Snort rule consists of various components, including:
Rule Header
- Action: Specifies the action to be taken when a rule matches. Common actions include “alert” (generate an alert), “log” (log the event), and “drop” (block the traffic).
- Protocol: Specifies the network protocol being monitored (e.g., TCP, UDP, ICMP).
- Source/Destination IP Addresses and Ports: Defines the source and destination IP addresses and port numbers involved in the rule.
Rule Options
- Content: Specifies the payload or pattern to match within the packet.
- Threshold: Sets thresholds for triggering the rule based on the number of occurrences.
- Flow: Defines specific flow conditions for the rule.
- Reference: Provides references to external resources, such as CVE (Common Vulnerabilities and Exposures) identifiers.
Here is a simplified example of a Snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flow:to_server,established; content:"Failed password"; threshold: type threshold, track by_src, count 5, seconds 60; sid:1000001;)
Explanation of components:
- Action: alert (generate an alert).
- Protocol: tcp (TCP protocol).
- Source/Destination IP Addresses and Ports: $EXTERNAL_NET any -> $HOME_NET 22 (from any external IP to the local network on port 22).
- Options: msg:"SSH Brute Force Attempt" (alert message); flow:to_server,established (established TCP connection to the server); content:"Failed password" (matching content within the payload); threshold: type threshold, track by_src, count 5, seconds 60 (threshold condition); sid:1000001 (unique Snort ID for the rule).
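As an added illustration (not code from the article or from Snort itself), the following Python splits the rule above into the header fields and options just described, and then emulates how its threshold option gates alerts for a constructed series of content matches. The window handling is a simplified model of Snort's "type threshold" behaviour, and the event list is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: the SSH brute-force rule shown in the article.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; '
        'flow:to_server,established; content:"Failed password"; '
        'threshold: type threshold, track by_src, count 5, seconds 60; sid:1000001;)')
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")

def parse_rule(rule):
    """Split a one-line Snort rule into its seven header fields plus an options dict."""
    header, _, body = rule.partition("(")
    fields = header.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed rule header: %r" % header)
    parsed = dict(zip(HEADER_FIELDS, fields))
    # Options are 'key:value;' pairs; a quoted value may itself contain ';'.
    # Flag-style options without a value (e.g. 'nocase;') are not handled here.
    pairs = re.findall(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', body.rstrip(")"))
    parsed["options"] = {k: v.strip().strip('"') for k, v in pairs}
    return parsed

def parse_threshold(spec):
    """'type threshold, track by_src, count 5, seconds 60' -> {'type': 'threshold', ...}."""
    out = {}
    for item in spec.split(","):
        key, value = item.split()
        out[key] = int(value) if value.isdigit() else value
    return out

class ThresholdTracker:
    """Simplified 'type threshold': alert on every count-th match from the same tracked
    key inside a window of 'seconds' that starts at that key's first match."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])   # key -> [window_start, matches]
    def should_alert(self, key, ts):
        start, n = self.state[key]
        if start is None or ts - start > self.seconds:  # window expired: start over
            start, n = ts, 0
        n += 1
        fired = n >= self.count
        self.state[key] = [start, 0 if fired else n]   # after firing, count again
        return fired

def simulate(rule, events):
    """Timestamps at which the rule's threshold lets an alert through, given
    (src_ip, timestamp) content matches."""
    opts = parse_threshold(parse_rule(rule)["options"]["threshold"])
    tracker = ThresholdTracker(opts["count"], opts["seconds"])
    return [ts for src, ts in events if tracker.should_alert(src, ts)]
```

Note that tracking is by_src here, so matches from different source addresses are counted independently.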
These rules are stored in rule files, and Snort allows users to create custom rules or use predefined rule sets provided by the Snort community or organizations like Emerging Threats. Regularly updating and fine-tuning rules is essential for an effective intrusion detection system.
Configure Snort
The main configuration file used to configure Snort is typically named snort.conf. This file contains various settings that define how Snort should behave, what rules it should use, and other parameters related to its operation.
The default location for the snort.conf file is often the /etc/snort/ directory, so the full path to the configuration file is usually /etc/snort/snort.conf. However, the exact location may vary depending on your installation and configuration.
You can use a text editor like nano or vi to edit the snort.conf file. For example:
sudo nano /etc/snort/snort.conf
Within the snort.conf file, you can configure various aspects of Snort, including network variables, rule paths, preprocessors, output options, and more. It’s important to review and customize the configuration based on your network environment and security requirements.
Here is a sample snort.conf file that you can adapt to your needs:
# Setup the network variables
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
# Set the path to your rules
var RULE_PATH /etc/snort/rules
# Configure output plugin
output unified2: filename snort.log, limit 128
# Include rule sets
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
include $RULE_PATH/emerging-threats.rules
# Configure preprocessors
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor frag3_global: max_frags 65536
# Configure detection options
config detection: search-method lowmem
config detection: search-optimize
config detection: sticky-buffer-size 32
# Configure performance options
config policy_mode: permissive
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config event_queue: max_queue 8 log 5 order_events content_length
# Configure output plugins
output alert_fast: alert.log
Let’s break down the basics of the snort.conf file:
Set the path to the rules
In the snort.conf file, you need to set the path to the Snort rules directory. By default, Snort rules are often stored in the /etc/snort/rules/ directory. However, depending on your installation or configuration, this path might differ.
Here’s how you can set the path to the Snort rules in the snort.conf file:
- Open the snort.conf file for editing using a text editor like nano or vi. For example:
sudo nano /etc/snort/snort.conf
- Look for a line similar to the following, where the variable RULE_PATH is defined:
var RULE_PATH /path/to/snort/rules
If this line is not present, you can add it to specify the path to your Snort rules. Make sure to replace /path/to/snort/rules with the actual path where your Snort rules are stored.
- Save the changes and exit the text editor.
Here’s an example with the default rules path:
var RULE_PATH /etc/snort/rules
If your Snort rules are stored in a different location, adjust the path accordingly. Setting the correct path is crucial for Snort to locate and apply the rules during its operation.
Configure Network Variables
Set the network variables to match your network environment. Adjust the following lines:
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
In the context of Snort’s snort.conf file, network variables define specific network-related settings that Snort uses to determine the scope of its monitoring and detection. These variables help Snort identify what is considered the local network (HOME_NET) and what is considered external to it (EXTERNAL_NET). Adjusting these variables is crucial to tailoring Snort to the specifics of your network environment. Here are the key network variables:
- HOME_NET:
var HOME_NET <IP_address>/<subnet_mask>
This variable defines the IP range of your local network that Snort should consider as “home.” All traffic originating from or destined for this network is considered internal. It’s important to set this variable to match your specific network configuration. Example:
var HOME_NET 192.168.1.0/24
- EXTERNAL_NET:
var EXTERNAL_NET !$HOME_NET
This variable defines the IP range of the external network or networks that Snort should consider as potential threats. The default setting (!$HOME_NET) means anything not in the local network is external. Example:
var EXTERNAL_NET !$HOME_NET
In the examples above, 192.168.1.0/24 represents the local network, and !$HOME_NET means everything that is not in the local network. These settings are crucial for Snort to understand what traffic it should monitor and analyze.
Now, you can adjust these variables based on the specifics of your network configuration. If you have a more complex network, you may need to define multiple HOME_NET variables to cover different internal subnets. Ensure that these variables accurately reflect your network topology to avoid false positives or misses in intrusion detection.
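To make the HOME_NET and EXTERNAL_NET semantics above concrete, here is an added Python example (not from the article or from Snort) that resolves these variable expressions, including the ! negation and Snort's bracketed list form, and checks a rule header such as $EXTERNAL_NET any -> $HOME_NET 22 against a constructed packet. The variable table and packet values are constructed sample data.

```python
import ipaddress

# Constructed variable table mirroring the snort.conf fragments above; Snort also
# accepts bracketed lists such as [192.168.1.0/24,10.0.0.0/8] as a variable value.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def resolve(expr, variables):
    """Expand an address expression ('any', $VAR, !..., [a,b]) into (negated, networks)."""
    expr = expr.strip()
    negated = False
    while expr.startswith("!"):           # '!' inverts the match; '!!' cancels out
        negated = not negated
        expr = expr[1:].strip()
    if expr.startswith("$"):
        inner_negated, nets = resolve(variables[expr[1:]], variables)
        return negated ^ inner_negated, nets
    if expr == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    # Negations nested inside a list (e.g. [10.0.0.0/8,!10.1.1.1]) are not modelled here.
    items = expr.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def ip_matches(expr, ip, variables=VARS):
    negated, nets = resolve(expr, variables)
    hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negated

def port_matches(expr, port):
    """Snort port syntax: 'any', a single port, or a range such as '1024:' or '20:21'."""
    if expr == "any":
        return True
    if ":" in expr:
        low, high = expr.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return int(expr) == port

def header_matches(header, pkt, variables=VARS):
    """Check 'proto src sport <dir> dst dport' against a packet dict with keys
    proto, src, sport, dst, dport. '->' is one-way; '<>' matches either direction."""
    proto, src, sport, direction, dst, dport = header.split()
    if proto != "ip" and pkt["proto"] != proto:
        return False
    def one_way(a, ap, b, bp):
        return (ip_matches(src, a, variables) and port_matches(sport, ap)
                and ip_matches(dst, b, variables) and port_matches(dport, bp))
    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if direction == "<>":
        return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return forward
```

Setting HOME_NET to any, as in the snippet above, makes EXTERNAL_NET (!$HOME_NET) match nothing, which is why the article stresses setting HOME_NET to your real subnet.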
Configure Output Plugins
Choose how Snort should log events. For example, to log alerts to a unified2 binary file, uncomment or add the following lines:
output unified2: filename snort.log, limit 128
Enable Rule Sets
Include the appropriate rule sets based on your needs. Uncomment or add lines similar to the following:
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
include $RULE_PATH/emerging-threats.rules
Configure Preprocessors
Preprocessors enhance Snort’s ability to detect and respond to certain types of attacks. Uncomment or configure preprocessor lines based on your needs. For example:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor frag3_global: max_frags 65536
Configure Detection Options
Adjust detection options based on your network environment and needs:
config detection: search-method lowmem
config detection: search-optimize
config detection: sticky-buffer-size 32
Configure Performance Options
Configure performance-related options according to your hardware and network characteristics:
config policy_mode: permissive
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config event_queue: max_queue 8 log 5 order_events content_length
Test the Configuration
Run a syntax check to ensure there are no errors:
sudo snort -T -c /etc/snort/snort.conf
Start Snort
Start Snort in daemon mode:
sudo snort -D -A fast -b -q -c /etc/snort/snort.conf -i <your_network_interface>
Replace <your_network_interface> with the actual network interface you want Snort to monitor.
Test intrusion detection
Generate some network traffic to test if Snort is detecting intrusions. You can use tools like Nmap or Metasploit to simulate attacks.
Automatic startup (Optional):
You can configure Snort to start automatically on system boot:
sudo systemctl enable snort
You can also consult the official documentation and consider the specific needs of your environment when configuring an IDS. IDS configuration can be complex, and it’s essential to regularly update rules and monitor the logs for any suspicious activity.