How To Install Snort NIDS In Ubuntu 15.04

networking1

Introduction

we have discussed about Snort NIDS in detail in our previous tutorial, In this article we have tried simplify the process of installing snort with Ubuntu.

Requirements

  • Ubuntu 14.04/15.04 OS
  • Latest DAQ Package available with https://www.snort.org/downloads
  • Latest Snort Package available with https://www.snort.org/downloads
  • PCAP package available with Ubuntu
  • Libdnet package available with Ubuntu
  • DCRE package available with Ubuntu
  • Our hosname is snort
  • Our ubuntu user is  snort
  • Snort Server IP ADDR 192.168.1.10

We will configure snort via remote PC using ssh

Installation Steps

  1. Update system
  2. Install ssh-server
  3. Install Snort requisites
  4. Install Snort DAQ requisites
  5. Create a new directory to download package download Snort DAQ and Install DAQ.
  6. Download and Install Snort in Same directory created in above step
  7. Configure Snort and test your installation
  8. Create Directories to configure snort to run in nids mode

Installation

First of all prepare Snort Desktop
# apt-get update
# apt-get install openssh-server
# reboot
Make sure ethtool is installed
# apt-get install ethtool
Make sure build-essential is installed
# apt-get install -y build-essential

Install Snort prerequisites

Install libpcap-dev, libpcre3-dev, zlib1g-dev and libdumbnet-dev packages
# apt-get install -y libpcap-dev
# apt-get install  libpcre3-dev
# apt-get install -y libdumbnet-dev
# apt-get install zlib1g-dev

Install Snort DAQ Prerequisites

bison and flex are the requirement for Snort DAQ installation
# apt-get install bison flex
Create a separate directory in which will will install tar packages of snort and Snort DAQ
# mkdir /home/snort/snort_src
Change working directory to newly created directory.
# cd /home/snort/snort_src/
 Download and install latest version of DAQ
# wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
Install the Package
# tar -xvf daq-2.0.6.tar.gz
# cd daq-2.0.6
# cd daq-2.0.6
# ./configure
# make root@snort:/home/snort/snort_src/daq-2.0.6# make install
Install Snort in same directory
# wget https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz
Extract and Install the snort package
# gunzip snort-2.9.7.5.tar.gz
# tar -xvf snort-2.9.7.5.tar
# cd snort-2.9.7.5
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
Create a Soft Link for Snort binary 
# ln -s /usr/local/bin/snort /usr/sbin/snort
Verify your Snort is installed correctly or not
# snort -V
 Selection_007

Configure Snort for NIDS Mode

Create following Directories
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/preproc_rules
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Create Log Directory for snort
# mkdir /var/log/snort
Create a Directory for snort Dynamics rules
# mkdir /usr/local/lib/snort_dynamicrules
Change permissions
# chmod -R 5775 /etc/snort/
# chmod -R 5775 /var/log/snort/
# chmod -R 5775 /usr/local/lib/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules/
Copy *.conf and *.map files from snort download directory to /etc/snort
# cp /home/snort/snort_src/snort-2.9.7.5/etc/*.conf* /etc/snort/
# cp -v /home/snort/snort_src/snort-2.9.7.5/etc/*.map* /etc/snort/
Configure /etc/snort/snort.conf
Before editing snort.conf get the backup of that file first
# cp /etc/snort/snort.conf /etc/snort/snort.conf_orig
Give following Command
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

Note:Above Command will comment all rulesets which we will edit line by line

Go to line 45 of /etc/snort/snort.conf, edit to make like below
ipvar HOME_NET 192.168.1.0/24

ipvar EXTERNAL_NET !$HOME_NET
(Note: replace above ip address with your ip address)
 Selection_008
Go to line  104 and put following entries
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

 Selection_009

To enable local rules go to line 551 and uncomment following line
##include $RULE_PATH/local.rules
 Selection_010
Save and Quit
Now Download Community rules from following link
Extract these rules and copy to /etc/snort/rules.
Run following Command (This time i am logged in directly to the Ubuntu VM, only to make sure that every thing is working properly)
# snort -T -c /etc/snort/snort.conf
Sample Out put:
 Selection_013
 Selection_012
Have Fun!!