SNORT - Install On Ubuntu 24.04

From IT-Arts.net

Latest revision as of 08:36, 17 January 2026


Step 1: Update Your System

Start by ensuring your system's package list is up-to-date. Open a terminal and run the following commands:

sudo apt update
sudo apt upgrade -y

This will update all the existing packages on your system.

Step 2: Install Required Dependencies

Snort 3 is written in C++ and needs a compiler, CMake, and the development headers of the libraries it links against. Install them by running the following command:

sudo apt install -y build-essential cmake pkg-config git autoconf automake libtool flex bison \
libpcap-dev libpcre3-dev libdumbnet-dev libhwloc-dev libluajit-5.1-dev libssl-dev \
zlib1g-dev liblzma-dev

This installs the development tools and libraries needed for compiling Snort from source (autoconf, automake and libtool are for libdaq, which is built in the next step). Database client libraries (MySQL, MariaDB) and GeoIP are not needed: Snort 3 has no database or GeoIP output module. Recent Snort 3 releases build against PCRE2 (`libpcre2-dev`) rather than the older `libpcre3-dev`; check the release notes of the version you download.

Step 3: Download and Extract Snort Source Code

1. **Download Snort from the official sources**. Snort 3 is developed on GitHub and release tarballs are published at https://github.com/snort3/snort3/releases (also linked from [Snort Downloads](https://www.snort.org/downloads)). Snort 3 also depends on the DAQ library, libdaq 3.x (https://github.com/snort3/libdaq), which must be built and installed before Snort itself with the usual bootstrap, configure, make and make install sequence; the libdaq packaged by Ubuntu is the 2.x line for Snort 2 and will not do. This guide uses Snort 3.1.0.0, which is no longer the current release, so substitute the version number you see on the releases page and verify the archive's checksum against the value published with it before building:

wget https://github.com/snort3/snort3/archive/refs/tags/3.1.0.0.tar.gz -O snort3-3.1.0.0.tar.gz

2. **Extract the downloaded file**:

tar -xvzf snort3-3.1.0.0.tar.gz
cd snort3-3.1.0.0

This extracts the archive and changes into the Snort source directory.

Step 4: Compile and Install Snort

1. **Create a build directory**:

mkdir build
cd build

2. **Run `cmake` to configure the build environment**:

cmake ..

CMake looks for libdaq, hwloc, LuaJIT, PCRE, dnet and the other libraries from Step 2 and stops with an error naming the missing one if any is absent; with libdaq installed under `/usr/local` it is found without extra options. (The source tree also ships `configure_cmake.sh`, a wrapper that runs the same configuration and accepts a `--prefix` option.)

3. **Compile Snort**:

make -j$(nproc)

This command compiles Snort using all available CPU cores to speed up the process.

4. **Install Snort**:

sudo make install

This installs the `snort` binary in `/usr/local/bin` and the default Lua configuration (`snort.lua`, `snort_defaults.lua` and the other `*.lua` files) in `/usr/local/etc/snort`. Confirm the install with `snort -V`, which prints the version.
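The build from Steps 2 to 4 as one script, with the libdaq step included and the Snort archive checked against a pinned SHA-256 before it is unpacked. This is an added example and is not from the original page or from the Snort project. SNORT_VER defaults to the version this page uses, PREFIX is the install location, and SNORT_SHA256 has no default because the digest is not on this page: copy it from the release you actually download.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Snort project): build libdaq
# and Snort 3 from source, verifying the Snort archive against a pinned SHA-256
# before it is unpacked. SNORT_VER defaults to the version this page uses;
# SNORT_SHA256 has no default because the checksum is not on the page and must
# be copied from the release you download. PREFIX is the install location.
set -eu

SNORT_VER="${SNORT_VER:-3.1.0.0}"
SNORT_URL="https://github.com/snort3/snort3/archive/refs/tags/${SNORT_VER}.tar.gz"
LIBDAQ_REPO="https://github.com/snort3/libdaq.git"
PREFIX="${PREFIX:-/usr/local}"

# Compare a file's SHA-256 with the expected hex digest. Returns 1 on mismatch,
# so under `set -e` the build aborts before an unverified archive is extracted.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual="$(sha256sum "$file" | awk '{print $1}')"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# libdaq 3.x is required by Snort 3 and is not packaged by Ubuntu, so it is
# built first; autoconf, automake and libtool from Step 2 are needed here.
build_libdaq() {
    git clone --depth 1 "$LIBDAQ_REPO" libdaq
    (
        cd libdaq
        ./bootstrap
        ./configure --prefix="$PREFIX"
        make -j"$(nproc)"
        sudo make install
    )
    sudo ldconfig   # refresh the loader cache so cmake and snort find libdaq in $PREFIX/lib
}

# Download, verify, unpack and build Snort itself, then print the version.
build_snort() {
    local tarball="snort3-${SNORT_VER}.tar.gz"
    wget -q "$SNORT_URL" -O "$tarball"
    verify_sha256 "$tarball" "${SNORT_SHA256:?set SNORT_SHA256 to the published digest for $SNORT_VER}"
    tar -xzf "$tarball"
    (
        cd "snort3-${SNORT_VER}"
        mkdir -p build
        cd build
        cmake -DCMAKE_INSTALL_PREFIX="$PREFIX" ..
        make -j"$(nproc)"
        sudo make install
    )
    "$PREFIX/bin/snort" -V
}

run_build() {
    local work
    work="$(mktemp -d)"
    cd "$work"
    build_libdaq
    build_snort
}

# Only build when invoked as `./build-snort.sh build`; otherwise just define the functions.
if [ "${1:-}" = "build" ]; then
    run_build
fi
```

Run it as `SNORT_SHA256=<digest> ./build-snort.sh build`. The download is verified before `tar` ever sees it, so a tampered or truncated archive stops the build instead of being compiled and installed as root.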

Step 5: Configure Snort

Now that Snort is installed, you need to configure it. Snort 3 is configured with Lua files (`snort.lua`, which includes `snort_defaults.lua`), not the `snort.conf` used by Snort 2. `make install` placed the defaults in `/usr/local/etc/snort/`; this guide copies them to `/etc/snort/` so that local edits survive a rebuild.

1. **Create the necessary directories**:

sudo mkdir -p /etc/snort/rules /var/log/snort

2. **Copy the default configuration files**:

sudo cp /usr/local/etc/snort/*.lua /etc/snort/

The source tarball ships no detection rules. Download the free Snort 3 community ruleset from snort.org and place it in the rules directory:

wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
tar -xzf snort3-community-rules.tar.gz
sudo cp snort3-community-rules/*.rules /etc/snort/rules/

3. **Edit the snort.lua file** to configure Snort for your environment. Open the file in a text editor:

sudo nano /etc/snort/snort.lua

Within this file, make sure to configure:

  • The **home network** (change this to match your network setup; it is a Lua string, so quote it):
HOME_NET = '192.168.1.0/24'

  • The **rules to load**: add this line inside the `ips = { ... }` block near the bottom of the file, next to the existing `variables = default_variables` entry:
include = '/etc/snort/rules/snort3-community.rules',

The interface to monitor is not set in the configuration file; it is given on the command line with `-i` (see Step 7).

Save and close the file (press `CTRL+X`, then `Y` to confirm).

Step 6: Test Snort Configuration

To ensure your configuration is correct, run Snort in **test mode** (`-T`) to check for any errors in the configuration file:

sudo snort -c /etc/snort/snort.lua -T

If everything is configured correctly, you should see a message like:

Snort successfully validated the configuration (with 0 warnings).

A syntax error in `snort.lua` is reported with the file and line number; fix it before going further.

Step 7: Run Snort in IDS Mode

To run Snort in **Intrusion Detection System (IDS)** mode and begin monitoring traffic, use the following command (replace `eth0` with the interface you want to watch; Ubuntu 24.04 uses predictable names such as `enp0s3`, so check with `ip link`):

sudo snort -c /etc/snort/snort.lua -i eth0 -A alert_fast

Where:

  • `-c /etc/snort/snort.lua`: Specifies the configuration file.
  • `-i eth0`: Specifies the network interface to monitor.
  • `-A alert_fast`: Prints one line per alert to the terminal. Snort 3 accepts `none`, `cmg` or an `alert_*` logger such as `alert_fast` or `alert_json` here; Snort 2's `-A console` is not a valid mode.

Snort will now start analyzing network traffic and generate alerts based on the rules it loaded; without rules loaded (see Step 5) it inspects traffic but has nothing to alert on.
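A local test rule, a replay of a capture file through the configuration from Step 5, and a summary of the resulting alert_fast output, as an added example that is not part of the original page or of Snort. The paths are the ones assumed from Step 5, and the three alert lines embedded at the bottom are constructed samples in alert_fast format so that the summary runs offline; replaying a real pcap requires Snort to be installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: add a local test rule, run Snort 3
# against a capture file, and summarise the alert_fast output by signature.
# Assumptions (not on the page): config at /etc/snort/snort.lua and rules in
# /etc/snort/rules; the alert lines embedded below are constructed samples in
# alert_fast format, not real captured output.
set -eu

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.lua}"
LOCAL_RULES="${LOCAL_RULES:-/etc/snort/rules/local.rules}"

# A Snort 3 rule that fires on every ICMP echo request into HOME_NET.
# Local rules use sid >= 1000000 so they never collide with vendor rules.
write_test_rule() {
    cat <<'EOF'
alert icmp any any -> $HOME_NET any ( msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1; )
EOF
}

# Collapse alert_fast lines into "count<TAB>[gid:sid:rev] "msg"" rows, busiest first.
# alert_fast prints one line per alert: timestamp [**] [gid:sid:rev] "msg" [**] ... {proto} src -> dst
summarise_alerts() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\] "[^"]*"/) {
            sig = substr($0, RSTART, RLENGTH)
            count[sig]++
        }
        END { for (s in count) printf "%d\t%s\n", count[s], s }
    ' | sort -rn
}

# Validate the configuration with the local rule included (-R), then replay a
# pcap through it (-r) instead of sniffing an interface, and summarise what fired.
replay_pcap() {
    local pcap="$1"
    write_test_rule | sudo tee "$LOCAL_RULES" >/dev/null
    sudo snort -c "$SNORT_CONF" -R "$LOCAL_RULES" -T
    sudo snort -c "$SNORT_CONF" -R "$LOCAL_RULES" -r "$pcap" -A alert_fast -q | summarise_alerts
}

# Constructed sample output, in the shape alert_fast produces, for offline use.
SAMPLE_ALERTS='01/17-08:36:01.000001 [**] [1:1000001:1] "LOCAL ICMP echo request" [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
01/17-08:36:02.000002 [**] [1:1000001:1] "LOCAL ICMP echo request" [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
01/17-08:36:03.000003 [**] [1:1000002:1] "LOCAL TCP test" [**] [Priority: 0] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234'

# `./snort-check.sh replay capture.pcap` runs the real thing; with no arguments
# the script summarises the constructed sample instead.
if [ "${1:-}" = "replay" ]; then
    replay_pcap "$2"
else
    printf '%s\n' "$SAMPLE_ALERTS" | summarise_alerts
fi
```

Replaying a pcap with `-r` is the safest way to prove a new rule or a new configuration fires before pointing Snort at a live interface: the same bytes go through the same detection path, but nothing depends on traffic happening to arrive while you watch.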

Step 8: (Optional) Set Up Snort as a System Service

To have Snort start automatically when your system boots, configure it as a systemd service. The unit below starts Snort as root, which it needs to open the interface, and hands off to an unprivileged `snort` account with `-u`/`-g` once initialization is done; create that account first with `sudo useradd -r -s /usr/sbin/nologin snort` and give it the log directory with `sudo chown -R snort:snort /var/log/snort`.

1. **Create a systemd service file**:

sudo nano /etc/systemd/system/snort.service

2. **Add the following content** (replace `eth0` with your interface, as in Step 7):

[Unit]
Description=Snort 3 Intrusion Detection System
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /etc/snort/snort.lua -i eth0 -A alert_fast -u snort -g snort
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

3. **Reload systemd and enable the Snort service**:

sudo systemctl daemon-reload
sudo systemctl enable snort
sudo systemctl start snort

Because the unit runs Snort in the foreground with `-A alert_fast`, alerts go to the journal: check the service with `systemctl status snort` and follow alerts with `journalctl -u snort -f`.