Ugacomp

How to configure Snort on Ubuntu for Intrusion Detection


Snort is a widely used open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) developed by Sourcefire, now owned by Cisco. It is designed to detect and prevent network-based attacks in real time. Snort is known for its flexibility, robustness, and ability to analyze network traffic for signs of malicious activity.

Key features of Snort

Snort offers a variety of features that strengthen the security configuration of your Linux systems. Some of these features include:

  • Packet Sniffing: Snort can capture and analyze network packets as they traverse a network.
  • Signature-Based Detection: It uses a rule-based system where administrators define specific patterns or signatures of known attacks. When Snort identifies a packet that matches a signature, it generates an alert or takes predefined actions.
  • Protocol Analysis: Snort can analyze network protocols to detect abnormalities or deviations from standard behavior.
  • Logging and Alerting: Snort can log detected events and generate alerts in real time, allowing administrators to respond promptly to potential security threats.
  • Flexibility: Snort is highly configurable, allowing administrators to customize rules and policies based on the specific needs of their network.
  • Active Responses: Snort can be configured to take active responses, such as blocking traffic from a specific IP address or resetting connections, acting as an Intrusion Prevention System (IPS).
  • Community and Rule Updates: The Snort community actively contributes to the development of rules, and regular updates are available to address emerging threats.

Snort is commonly used by network administrators and security professionals to enhance the security posture of networks by identifying and mitigating potential security threats. It is a valuable tool in network security, especially when used in conjunction with other security measures and best practices.

So, to install Snort on Ubuntu Linux, use the following steps:

Install necessary packages

Use the following commands to update the package index and then install Snort on your Linux system:

sudo apt-get update
sudo apt-get install snort

Download and configure rules

Snort rules are a set of instructions that define what network traffic or events should be considered as potentially malicious or suspicious. These rules are the core components of the Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Snort uses a rule-based language to match specific patterns or signatures in network traffic and generate alerts or take action when potential security threats are detected.

Now, you can download the latest rules from the Snort website:

sudo mkdir /etc/snort/rules
cd /etc/snort
sudo wget https://www.snort.org/rules/snortrules-snapshot-3.0.tar.gz
sudo tar -xvzf snortrules-snapshot-3.0.tar.gz -C /etc/snort/

Each Snort rule consists of various components, including:

Rule Header

  • Action: Specifies the action to be taken when a rule matches. Common actions include “alert” (generate an alert), “log” (log the event), and “drop” (block the traffic).
  • Protocol: Specifies the network protocol being monitored (e.g., TCP, UDP, ICMP).
  • Source/Destination IP Addresses and Ports: Defines the source and destination IP addresses and port numbers involved in the rule.

Rule Options

  • Content: Specifies the payload or pattern to match within the packet.
  • Threshold: Sets thresholds for triggering the rule based on the number of occurrences.
  • Flow: Defines specific flow conditions for the rule.
  • Reference: Provides references to external resources, such as CVE (Common Vulnerabilities and Exposures) identifiers.

Here is a simplified example of a Snort rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flow:to_server,established; content:"Failed password"; threshold: type threshold, track by_src, count 5, seconds 60; sid:1000001;)

Explanation of components:

  • Action: alert (generate an alert).
  • Protocol: tcp (TCP protocol).
  • Source/Destination IP Addresses and Ports: $EXTERNAL_NET any -> $HOME_NET 22 (from any external IP to the local network on port 22).
  • Options:
      • msg:"SSH Brute Force Attempt" (Alert message).
      • flow:to_server,established (Established TCP connection to the server).
      • content:"Failed password" (Matching content within the payload).
      • threshold: type threshold, track by_src, count 5, seconds 60 (Threshold condition).
      • sid:1000001 (Unique Snort ID for the rule).

These rules are stored in rule files, and Snort allows users to create custom rules or use predefined rule sets provided by the Snort community or organizations like Emerging Threats. Regularly updating and fine-tuning rules is essential for an effective intrusion detection system.
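To see how the header and options fit together, here is an added Python example (not part of the original article and not Snort's own parser) that splits a rule like the one above into its seven header fields and its option pairs, then flags common mistakes before you run a syntax check. The rule it parses is the page's example; the lint checks and helper names are this example's own assumptions.

```python
import re

# The page's example rule, embedded here as the sample input
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
               '(msg:"SSH Brute Force Attempt"; flow:to_server,established; '
               'content:"Failed password"; threshold: type threshold, track by_src, '
               'count 5, seconds 60; sid:1000001;)')

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")

def split_options(body):
    """Split 'key:value; key2; ...' into (key, value) pairs. A ';' inside
    double quotes (e.g. content:"a;b") is data, not an option terminator."""
    chunks, cur, quoted = [], "", False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            chunks.append(cur)
            cur = ""
        else:
            cur += ch
    chunks.append(cur)  # tolerate a missing final ';'
    return [tuple(s.strip() for s in c.strip().partition(":")[::2])
            for c in chunks if c.strip()]

def parse_rule(line):
    """Split a rule into its 7 header fields plus an 'options' list of pairs."""
    m = re.match(r"^\s*(\S+(?:\s+\S+){6})\s*\((.*)\)\s*$", line)
    if not m:
        raise ValueError("not a Snort rule: header must be 7 fields followed by (...)")
    rule = dict(zip(HEADER_FIELDS, m.group(1).split()))
    rule["options"] = split_options(m.group(2))
    return rule

def lint_rule(rule):
    """Problems worth fixing before 'snort -T' (checks are this example's own)."""
    problems, keys = [], dict(rule["options"])
    if rule["action"] not in {"alert", "log", "pass", "drop", "reject", "sdrop"}:
        problems.append("unknown action " + rule["action"])
    if rule["direction"] not in ("->", "<>"):
        problems.append("bad direction " + rule["direction"])
    for required in ("msg", "sid"):
        if required not in keys:
            problems.append("missing " + required)
    if keys.get("sid", "").isdigit() and int(keys["sid"]) < 1000000:
        problems.append("local rule sid must be >= 1000000")  # below that is reserved for vendor rules
    if "rev" not in keys:
        problems.append("no rev: add rev:1 so rule edits can be tracked")
    return problems
```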

Configure Snort

The main configuration file used to configure Snort is typically named snort.conf. This file contains various settings that define how Snort should behave, what rules it should use, and other parameters related to its operation.

The default location for the snort.conf file is often in the /etc/snort/ directory. Therefore, the full path to the configuration file is often /etc/snort/snort.conf. However, the exact location may vary depending on your installation and configuration.

You can use a text editor like nano or vi to edit the snort.conf file. For example:

sudo nano /etc/snort/snort.conf

Within the snort.conf file, you can configure various aspects of Snort, including network variables, rule paths, preprocessors, output options, and more. It’s important to review and customize the configuration based on your network environment and security requirements.

Here is a sample snort.conf file you can adapt to your needs:

# Setup the network variables
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

# Set the path to your rules
var RULE_PATH /etc/snort/rules

# Configure output plugin
output unified2: filename snort.log, limit 128

# Include rule sets
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
include $RULE_PATH/emerging-threats.rules

# Configure preprocessors
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor frag3_global: max_frags 65536

# Configure detection options
config detection: search-method lowmem
config detection: search-optimize
config detection: sticky-buffer-size 32

# Configure performance options
# tap = passive IDS; use inline when Snort enforces as an IPS
config policy_mode: tap
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config event_queue: max_queue 8 log 5 order_events content_length

# Configure output plugins
output alert_fast: alert.log

Let’s break down the basics of the snort.conf file:

Set the path to the rules

In the snort.conf file, you need to set the path to the Snort rules directory. By default, Snort rules are often stored in the /etc/snort/rules/ directory. However, depending on your installation or configuration, this path might differ.

Here’s how you can set the path to the Snort rules in the snort.conf file:

  • Open the snort.conf file for editing using a text editor like nano or vi. For example:
    sudo nano /etc/snort/snort.conf
  • Look for a line similar to the following, where the variable RULE_PATH is defined:
    var RULE_PATH /path/to/snort/rules
    If this line is not present, add it to specify the path to your Snort rules. Make sure to replace /path/to/snort/rules with the actual path where your Snort rules are stored.
  • Save the changes and exit the text editor.

Here’s an example with the default rules path:

var RULE_PATH /etc/snort/rules

If your Snort rules are stored in a different location, adjust the path accordingly. Setting the correct path is crucial for Snort to locate and apply the rules during its operation.

Configure Network Variables

Set the network variables to match your network environment. Adjust the following lines:

var HOME_NET any
var EXTERNAL_NET !$HOME_NET

In the context of Snort’s snort.conf file, network variables define specific network-related settings that Snort uses to determine the scope of its monitoring and detection. These variables help Snort identify what is considered the local network (HOME_NET) and what is considered external to it (EXTERNAL_NET). Adjusting these variables is crucial to tailoring Snort to the specifics of your network environment. Here are the key network variables:

  1. HOME_NET: var HOME_NET <IP_address>/<subnet_mask>
     This variable defines the IP range of your local network that Snort should consider as “home.” All traffic originating from or destined for this network is considered internal. It’s important to set this variable to match your specific network configuration. Example:
     var HOME_NET 192.168.1.0/24
  2. EXTERNAL_NET: var EXTERNAL_NET !$HOME_NET
     This variable defines the IP range of the external network or networks that Snort should consider as potential threats. The default setting (!$HOME_NET) means anything not in the local network is external. Example:
     var EXTERNAL_NET !$HOME_NET

In the examples above, 192.168.1.0/24 represents the local network, and !$HOME_NET means everything that is not in the local network. These settings are crucial for Snort to understand what traffic it should monitor and analyze.

Now, you can adjust these variables based on the specifics of your network configuration. If you have a more complex network, HOME_NET may need to cover several internal subnets. Ensure that these variables accurately reflect your network topology to avoid false positives or missed detections.

Configure Output Plugins

Choose how Snort should log events. For example, to log alerts to a unified2 binary file, uncomment or add the following lines:

output unified2: filename snort.log, limit 128

Enable Rule Sets

Include the appropriate rule sets based on your needs. Uncomment or add lines similar to the following:

include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
include $RULE_PATH/emerging-threats.rules

Configure Preprocessors

Preprocessors enhance Snort’s ability to detect and respond to certain types of attacks. Uncomment or configure preprocessor lines based on your needs. For example:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor frag3_global: max_frags 65536

Configure Detection Options

Adjust detection options based on your network environment and needs:

config detection: search-method lowmem
config detection: search-optimize
config detection: sticky-buffer-size 32

Configure Performance Options

Configure performance-related options according to your hardware and network characteristics:

config policy_mode: tap
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config event_queue: max_queue 8 log 5 order_events content_length

Test the Configuration

Run a syntax check to ensure there are no errors:

sudo snort -T -c /etc/snort/snort.conf


Start Snort

If the syntax check passes, start Snort in daemon mode (-D detaches it into the background):

sudo snort -D -A fast -b -q -c /etc/snort/snort.conf -i <your_network_interface>

Replace <your_network_interface> with the actual network interface you want Snort to monitor.

Test intrusion detection

Generate some network traffic to test if Snort is detecting intrusions. You can use tools like Nmap or Metasploit to simulate attacks.
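With alert_fast output configured (alert.log in the sample snort.conf above), the quickest way to confirm Snort saw the test traffic is to read that file. The following is an added example, not part of the original article: it parses lines in the alert_fast layout (the sample lines are constructed, not captured from a sensor), skips malformed lines instead of crashing, and summarises which rules fired and from which source addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the alert_fast layout (not captured from a real sensor);
# the last line is deliberately malformed to show that junk is skipped, not crashed on.
SAMPLE_ALERTS = """\
12/05-14:22:31.123456  [**] [1:1000001:1] SSH Brute Force Attempt [**] [Priority: 0] {TCP} 203.0.113.5:51234 -> 192.168.1.10:22
12/05-14:22:40.000001  [**] [1:1000001:1] SSH Brute Force Attempt [**] [Priority: 0] {TCP} 203.0.113.5:51301 -> 192.168.1.10:22
12/05-14:23:02.555000  [**] [1:1000002:2] Web server outbound to unexpected port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:443 -> 198.51.100.7:44120
12/05-14:23:09.000000  [**] [1:1000003:1] ICMP echo from outside [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.168.1.10
not an alert line
"""

# Timestamp, [gid:sid:rev], message, optional classification, priority, protocol, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$")

def parse_alert_fast(text):
    """Parse alert_fast lines into dicts (sid/pri as ints); returns (events, skipped_count)."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["sid"], ev["pri"] = int(ev["sid"]), int(ev["pri"])
        events.append(ev)
    return events, skipped

def summarize(events):
    """What fired (per sid) and who triggered it (per source IP)."""
    by_sid = Counter((e["sid"], e["msg"]) for e in events)
    by_src = Counter(e["src"] for e in events)
    return by_sid, by_src

def sources_over_threshold(events, sid, count):
    """Sources that tripped `sid` at least `count` times: a triage list for the analyst."""
    hits = Counter(e["src"] for e in events if e["sid"] == sid)
    return sorted(src for src, n in hits.items() if n >= count)

if __name__ == "__main__":
    evs, skipped = parse_alert_fast(SAMPLE_ALERTS)
    by_sid, by_src = summarize(evs)
    for (sid, msg), n in by_sid.most_common():
        print(f"sid {sid} ({msg}): {n} alert(s)")
    print("top sources:", by_src.most_common(3), "| skipped lines:", skipped)
```

Point parse_alert_fast at the contents of /var/log/snort/alert.log (or wherever your output plugin writes) to run it against a real sensor.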

Automatic startup (optional)

You can configure Snort to start automatically on system boot:

sudo systemctl enable snort


You can also consult the official documentation and consider the specific needs of your environment when configuring an IDS. IDS configuration can be complex, and it’s essential to regularly update rules and monitor the logs for any suspicious activity.

