Setting Up and Configuring Snort IDS (Intrusion Detection System) on Linux Servers

Leave a comment on Setting Up and Configuring Snort IDS (Intrusion Detection System) on Linux Servers

Introduction

Cybersecurity threats are becoming increasingly sophisticated, making it crucial to implement a strong defense system on your Linux server. One effective tool for this is an Intrusion Detection System (IDS), and Snort is one of the most popular open-source options available. In this guide, we will walk you through the steps to install, configure, and set up Snort IDS to monitor and protect your Linux server.

What is Snort?

Snort is a popular open-source Network Intrusion Detection System (NIDS) that can analyze network traffic, log packets, and identify potential threats in real-time. It operates in three main modes:

  • Sniffer Mode: Captures and displays network traffic in real-time.
  • Packet Logger Mode: Records network packets for later analysis.
  • Network Intrusion Detection Mode: Monitors network traffic against a set of predefined rules and alerts on suspicious activity.

Installation

For this guide, we’ll use Ubuntu 22.04 as the base server operating system. Follow the steps below to get Snort up and running on your server.

Step 1: Update System Packages

Start by ensuring your system is up-to-date:

sudo apt update
sudo apt upgrade

Step 2: Install Required Packages

Snort requires several packages to function properly. Install the necessary dependencies:

sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

Next, we need to install Data Acquisition (DAQ), which Snort uses for packet capture. First, download the DAQ source file from Snort’s official website:

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar -xzvf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure
make
sudo make install

Step 3: Install Snort

Now, download and compile Snort. If you want the latest version, you can download the latest version of Snort from their website here.

wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar -xzvf snort-2.9.20.tar.gz
cd snort-2.9.20
./configure --enable-sourcefire
make
sudo make install

After installation, verify Snort is correctly installed by checking its version:

snort -V

Step 4: Configure Network Interfaces for Snort

Determine which network interface you want Snort to monitor. You can list all available interfaces with the following command:

sudo ifconfig

Alternatively, use:

ip a

Step 5: Configure Snort Rules

Snort works by using predefined rules to monitor network traffic. You can either use existing rule sets or create your own.

1. Create a Basic Rule

Navigate to the Snort rules directory and create a new rule file:

    sudo vi /etc/snort/rules/local.rules

    Add a sample rule to detect ICMP (ping) traffic:

    alert icmp any any -> any any (msg:"ICMP Packet Detected"; sid:1000001; rev:1;)

    2. Modify Snort Configuration

    Edit the main Snort configuration file to include your custom rules:

    sudo nano /etc/snort/snort.conf

    Find the line that includes the rule file and change it to point to your custom local.rules file:

    include /etc/snort/rules/local.rules

    Step 6: Run Snort in IDS Mode

    With Snort configured, you can now run it in IDS Mode to monitor network traffic:

    sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

    Replace eth0 with the network interface you wish to monitor. Snort will start monitoring traffic and alert you based on the configured rules.

    Step 7: Log Management and Analysis

    By default, Snort logs alerts in the /var/log/snort/ directory. You can view the logs using:

    sudo tail -f /var/log/snort/alert

    For easier log analysis and visualization, consider integrating Snort with tools like Snorby, BASE, or Splunk.

    Step 8: Automate Snort as a Service

    To ensure Snort starts automatically on boot, create a systemd service file:

    sudo vi /etc/systemd/system/snort.service

    Add the following content:

    [Unit]
Description=Snort IDS
After=network.target

[Service]
ExecStart=/usr/local/bin/snort -D -c /etc/snort/snort.conf -i eth0
ExecReload=/bin/kill -HUP $MAINPID
Restart=always

[Install]
WantedBy=multi-user.target

    Save the file, enable the service, and start Snort:

    sudo systemctl enable snort
sudo systemctl start snort

    Conclusion

    Setting up Snort on your Linux server significantly enhances its security by providing continuous monitoring of network traffic and alerting you to potential threats. While the initial configuration may require some attention to detail, the result is a powerful IDS that helps protect your infrastructure.

    To keep your Snort installation up-to-date, regularly update the rule sets and fine-tune your configuration. For even greater effectiveness, consider integrating Snort with visualization tools for better monitoring and analysis. Once configured, Snort provides peace of mind, knowing your server is safeguarded against potential cyber threats.

    Server Hosting Solutions by RackNerd:

    Shared Hosting
    cPanel Web Hosting in US, Europe, and Asia datacenters
    Logo
    SEE PLANS
    Reseller Hosting
    Create your new income stream today with a reseller account
    Logo
    SEE PLANS
    VPS (Virtual Private Server)
    Fast and Affordable VPS services - Instantly Deployed
    Logo
    LINUX VPS WINDOWS VPS
    Dedicated Servers
    Bare-metal servers, ideal for the performance-demanding use case.
    Logo
    SEE PLANS

    Leave a comment

    Your email address will not be published. Required fields are marked *