SNORT - Install On Ubuntu 24.4: Difference between revisions
Latest revision as of 08:36, 17 January 2026
Step 1: Update Your System
Start by ensuring your system's package list is up to date. Open a terminal and run the following commands:
sudo apt update
sudo apt upgrade -y
This will update all the existing packages on your system.
Step 2: Install Required Dependencies
Snort requires several dependencies to compile and run. Install them by running the following command:
sudo apt install -y build-essential cmake flex bison libpcap-dev libpcre3-dev libdumbnet-dev \
    libluajit-5.1-dev libssl-dev libmariadb-dev libmysqlclient-dev zlib1g-dev \
    liblzma-dev libgeoip-dev libpcap0.8-dev pkg-config
This installs development tools and libraries needed for compiling Snort from source.
Step 3: Download and Extract Snort Source Code
1. **Download Snort from the official website**. You can download the latest version of Snort from [Snort Downloads](https://www.snort.org/downloads) or use the following `wget` command to download Snort 3.x (latest version as of writing):
wget https://www.snort.org/downloads/snort/snort-3.1.0.0.tar.gz
2. **Extract the downloaded file**:
tar -xvzf snort-3.1.0.0.tar.gz
cd snort-3.1.0.0
This will extract the archive and change the directory to the Snort source folder.
Step 4: Compile and Install Snort
1. **Create a build directory**:
mkdir build
cd build
2. **Run `cmake` to configure the build environment**:
cmake ..
3. **Compile Snort**:
make -j$(nproc)
This command compiles Snort using all available CPU cores to speed up the process.
4. **Install Snort**:
sudo make install
This will install Snort on your system.
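Steps 1 to 4 as one fail-fast script, added here as an example and not part of the wiki page: it wraps the page's apt, wget, tar, cmake and make commands in functions and adds the one check a practitioner wants before compiling code downloaded from the internet, a SHA-256 comparison of the archive against the digest published on the snort.org download page. The `SNORT_EXPECTED_SHA256` variable is a placeholder to be filled in by the operator (the page gives no digest); `SNORT_RUN_INSTALL` is an assumed guard so the functions can be inspected or sourced without touching the system.

```bash
#!/usr/bin/env bash
# Added example: Steps 1-4 with an archive digest check before the build.
# Assumptions (not from the wiki page): SNORT_EXPECTED_SHA256 is a placeholder
# for the digest published by snort.org; SNORT_RUN_INSTALL=1 triggers the install.
set -eu

SNORT_VERSION="${SNORT_VERSION:-3.1.0.0}"
SNORT_URL="https://www.snort.org/downloads/snort/snort-${SNORT_VERSION}.tar.gz"
# PLACEHOLDER: paste the published SHA-256 here; an empty value aborts the install.
SNORT_EXPECTED_SHA256="${SNORT_EXPECTED_SHA256:-}"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# A mismatch means a corrupted or substituted archive: never build from it.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# archive_dir ARCHIVE -> the directory the tarball unpacks to,
# e.g. /tmp/snort-3.1.0.0.tar.gz -> snort-3.1.0.0
archive_dir() {
    local base="${1##*/}"
    printf '%s\n' "${base%.tar.gz}"
}

install_deps() {   # Steps 1 and 2, exactly the packages listed on the page
    sudo apt update
    sudo apt upgrade -y
    sudo apt install -y build-essential cmake flex bison libpcap-dev libpcre3-dev libdumbnet-dev \
        libluajit-5.1-dev libssl-dev libmariadb-dev libmysqlclient-dev zlib1g-dev \
        liblzma-dev libgeoip-dev libpcap0.8-dev pkg-config
}

fetch_and_verify() {   # Step 3, with the digest check inserted before extraction
    local archive="${SNORT_URL##*/}"
    [ -n "$SNORT_EXPECTED_SHA256" ] || { echo "set SNORT_EXPECTED_SHA256 first" >&2; return 1; }
    wget -O "$archive" "$SNORT_URL"
    verify_sha256 "$archive" "$SNORT_EXPECTED_SHA256"
    tar -xzf "$archive"
}

build_and_install() {   # Step 4
    local srcdir="$1"
    mkdir -p "$srcdir/build"
    (cd "$srcdir/build" && cmake .. && make -j"$(nproc)" && sudo make install)
}

main() {
    install_deps
    fetch_and_verify
    build_and_install "$(archive_dir "${SNORT_URL##*/}")"
}

# Only perform the real install when explicitly requested.
if [ "${SNORT_RUN_INSTALL:-0}" = "1" ]; then
    main
fi
```

Run it as `SNORT_EXPECTED_SHA256=<digest from snort.org> SNORT_RUN_INSTALL=1 bash install-snort.sh`. Because `verify_sha256` runs before `tar`, a tampered or truncated download never reaches the compiler.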
Step 5: Configure Snort
Now that Snort is installed, you need to configure it.
1. **Create the necessary directories**:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /var/log/snort
2. **Copy the default configuration files**:
sudo cp /usr/local/etc/snort/snort.conf /etc/snort/
sudo cp /usr/local/etc/snort/rules/* /etc/snort/rules/
3. **Edit the snort.conf file** to configure Snort for your environment. Open the file in a text editor:
sudo nano /etc/snort/snort.conf
Within this file, make sure to configure:
- The **interface** to monitor, e.g., `eth0` (replace with your network interface).
var interface eth0
- The **home network** (change this to match your network setup):
var HOME_NET [192.168.1.0/24]
Save and close the file (press `CTRL+X`, then `Y` to confirm).
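The two edits in Step 5 are easy to get wrong silently: a mistyped `HOME_NET` or a non-existent interface name produces a configuration that Snort may accept but that watches the wrong traffic. The following script is an added example, not from the wiki page, that validates both values and then rewrites the `var interface` and `var HOME_NET` lines in place. The function names, the `SNORT_APPLY` guard and the `SNORT_CONF` variable are assumptions for this example; the file format (`var NAME VALUE`) is the one shown on the page.

```bash
#!/usr/bin/env bash
# Added example: validate and apply the Step 5 settings instead of hand-editing.
# Assumptions (not from the wiki page): function names, SNORT_APPLY, SNORT_CONF.
set -eu

# valid_ipv4 A.B.C.D -> 0 if exactly four octets, each 0-255.
valid_ipv4() {
    local rest="$1." octet n=0
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"
        rest="${rest#*.}"
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# valid_cidr A.B.C.D/N -> 0 for a well-formed IPv4 prefix with 0 <= N <= 32.
valid_cidr() {
    local cidr="$1" ip prefix
    case "$cidr" in */*/*) return 1 ;; */*) ;; *) return 1 ;; esac
    ip="${cidr%/*}"; prefix="${cidr#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    valid_ipv4 "$ip"
}

# iface_exists NAME -> 0 if the kernel knows an interface by that name.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# set_conf_var CONF NAME VALUE -> rewrite "var NAME ..." in CONF, append if absent.
set_conf_var() {
    local conf="$1" name="$2" value="$3"
    if grep -q "^var $name " "$conf"; then
        sed -i "s|^var $name .*|var $name $value|" "$conf"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$conf"
    fi
}

# get_conf_var CONF NAME -> print the current value of "var NAME".
get_conf_var() { sed -n "s/^var $2 //p" "$1"; }

# set_home_net CONF CIDR -> refuse anything that is not a valid IPv4 prefix.
set_home_net() {
    valid_cidr "$2" || { echo "refusing invalid HOME_NET '$2'" >&2; return 1; }
    set_conf_var "$1" HOME_NET "[$2]"
}

# set_interface CONF IFACE -> refuse an interface the kernel does not have.
set_interface() {
    iface_exists "$2" || { echo "no such interface '$2' (check: ip link)" >&2; return 1; }
    set_conf_var "$1" interface "$2"
}

# Usage: SNORT_APPLY=1 HOME_NET=192.168.1.0/24 IFACE=eth0 bash snort-vars.sh
if [ "${SNORT_APPLY:-0}" = "1" ]; then
    conf="${SNORT_CONF:-/etc/snort/snort.conf}"
    set_interface "$conf" "${IFACE:?set IFACE}"
    set_home_net "$conf" "${HOME_NET:?set HOME_NET}"
fi
```

Run the Step 6 test (`snort -T`) after applying the values; this script only guarantees the lines are well-formed, not that the rest of the file is.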
Step 6: Test Snort Configuration
To ensure your configuration is correct, run Snort in **test mode** to check for any errors in the configuration file:
sudo snort -T -c /etc/snort/snort.conf
If everything is configured correctly, you should see a message like:
Snort successfully validated the configuration!
Step 7: Run Snort in IDS Mode
To run Snort in **Intrusion Detection System (IDS)** mode and begin monitoring traffic, use the following command:
sudo snort -A console -c /etc/snort/snort.conf -i eth0
Where:
- `-A console`: Outputs alerts to the terminal.
- `-c /etc/snort/snort.conf`: Specifies the configuration file.
- `-i eth0`: Specifies the network interface to monitor (replace `eth0` with the correct interface).
Snort will now start analyzing network traffic and generate alerts for traffic that matches its rules.
Step 8: (Optional) Set Up Snort as a System Service
To have Snort start automatically when your system boots, configure it as a systemd service.
1. **Create a systemd service file**:
sudo nano /etc/systemd/system/snort.service
2. **Add the following content**:
[Unit]
Description=Snort Intrusion Detection System
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -A console -c /etc/snort/snort.conf -i eth0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
3. **Reload systemd and enable the Snort service**:
sudo systemctl daemon-reload
sudo systemctl enable snort
sudo systemctl start snort
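Tying Step 6 and Step 8 together: a unit that runs the page's `snort -T` validation as `ExecStartPre=` refuses to start on a broken configuration instead of crash-looping under `Restart=on-failure`. The script below is an added example, not from the wiki page; it renders the page's unit with that pre-check plus a few systemd sandboxing directives (`NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `PrivateTmp`) that the page's unit does not have, and installs it only after checking the interface exists and the configuration validates. `SNORT_BIN`, `UNIT_PATH`, `SNORT_INSTALL_UNIT`, `IFACE` and `SNORT_CONF` are assumed variable names for this example.

```bash
#!/usr/bin/env bash
# Added example: render and install a Snort systemd unit that validates the
# configuration (Step 6) before starting. Sandboxing lines are additions of this
# example, not part of the page's unit. Variable names are assumptions.
set -eu

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/snort.service}"

# render_snort_unit IFACE CONF -> prints the unit file to stdout.
render_snort_unit() {
    local iface="$1" conf="$2"
    cat <<EOF
[Unit]
Description=Snort Intrusion Detection System
After=network.target

[Service]
Type=simple
# Same check as Step 6: a config that fails -T never reaches ExecStart.
ExecStartPre=$SNORT_BIN -T -c $conf
ExecStart=$SNORT_BIN -A console -c $conf -i $iface
ExecReload=/bin/kill -HUP \$MAINPID
Restart=on-failure
# Sandboxing added by this example (not in the wiki page's unit).
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# iface_exists NAME -> 0 if the kernel knows an interface by that name.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# install_snort_unit IFACE CONF -> write, reload, enable and start the unit,
# refusing up front if the interface is missing or the config does not validate.
install_snort_unit() {
    local iface="$1" conf="$2"
    iface_exists "$iface" || { echo "no such interface: $iface (check: ip link)" >&2; return 1; }
    sudo "$SNORT_BIN" -T -c "$conf"
    render_snort_unit "$iface" "$conf" | sudo tee "$UNIT_PATH" >/dev/null
    sudo systemctl daemon-reload
    sudo systemctl enable snort
    sudo systemctl start snort
}

# Usage: SNORT_INSTALL_UNIT=1 IFACE=eth0 bash snort-unit.sh
if [ "${SNORT_INSTALL_UNIT:-0}" = "1" ]; then
    install_snort_unit "${IFACE:?set IFACE}" "${SNORT_CONF:-/etc/snort/snort.conf}"
fi
```

After installation, `systemd-analyze verify /etc/systemd/system/snort.service` reports syntax problems in the unit, and `journalctl -u snort` shows the output of the `-T` pre-check when a start is refused.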
