[[Category:Wiki]]

== Step 1: Update Your System ==
Start by ensuring your system's package list is up to date. Open a terminal and run the following commands:

<nowiki>
sudo apt update
sudo apt upgrade -y
</nowiki>

This will update all the existing packages on your system.

== Step 2: Install Required Dependencies ==

Snort requires several dependencies to compile and run. Install them by running the following command:

<nowiki>
sudo apt install -y build-essential cmake flex bison libpcap-dev libpcre3-dev libdumbnet-dev \
libluajit-5.1-dev libssl-dev libmariadb-dev libmysqlclient-dev zlib1g-dev \
liblzma-dev libgeoip-dev libpcap0.8-dev pkg-config
</nowiki>

This installs the development tools and libraries needed to compile Snort from source.

== Step 3: Download and Extract Snort Source Code ==

1. **Download Snort from the official website**. You can download the latest version of Snort from [https://www.snort.org/downloads Snort Downloads] or use the following `wget` command to download Snort 3.x (latest version as of writing):

<nowiki>
wget https://www.snort.org/downloads/snort/snort-3.1.0.0.tar.gz
</nowiki>

2. **Extract the downloaded file**:

<nowiki>
tar -xvzf snort-3.1.0.0.tar.gz
cd snort-3.1.0.0
</nowiki>

This extracts the archive and changes into the Snort source directory.

== Step 4: Compile and Install Snort ==

1. **Create a build directory**:

<nowiki>
mkdir build
cd build
</nowiki>

2. **Run `cmake` to configure the build environment**:

<nowiki>
cmake ..
</nowiki>

3. **Compile Snort**:

<nowiki>
make -j$(nproc)
</nowiki>

This command compiles Snort using all available CPU cores to speed up the process.

4. **Install Snort**:

<nowiki>
sudo make install
</nowiki>

This will install Snort on your system.

== Step 5: Configure Snort ==

Now that Snort is installed, you need to configure it.

1. **Create the necessary directories**:

<nowiki>
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /var/log/snort
</nowiki>

2. **Copy the default configuration files**:

<nowiki>
sudo cp /usr/local/etc/snort/snort.conf /etc/snort/
sudo cp /usr/local/etc/snort/rules/* /etc/snort/rules/
</nowiki>

3. **Edit the snort.conf file** to configure Snort for your environment. Open the file in a text editor:

<nowiki>
sudo nano /etc/snort/snort.conf
</nowiki>

Within this file, make sure to configure:

* The **interface** to monitor, e.g., `eth0` (replace with your network interface).

<nowiki>
var interface eth0
</nowiki>

* The **home network** (change this to the address range you are protecting; rules use `$HOME_NET` to tell inbound from outbound traffic):

<nowiki>
var HOME_NET [192.168.1.0/24]
</nowiki>

Save and close the file (press `CTRL+X`, then `Y` to confirm).

== Step 6: Test Snort Configuration ==

To ensure your configuration is correct, run Snort in **test mode** to check for any errors in the configuration file:

<nowiki>
sudo snort -T -c /etc/snort/snort.conf
</nowiki>

If everything is configured correctly, you should see a message like:

<nowiki>
Snort successfully validated the configuration!
</nowiki>

== Step 7: Run Snort in IDS Mode ==

To run Snort in **Intrusion Detection System (IDS)** mode and begin monitoring traffic, use the following command:

<nowiki>
sudo snort -A console -c /etc/snort/snort.conf -i eth0
</nowiki>

Where:
* `-A console`: Outputs alerts to the terminal.
* `-c /etc/snort/snort.conf`: Specifies the configuration file.
* `-i eth0`: Specifies the network interface to monitor (replace `eth0` with the correct interface).

Snort will now analyze traffic on that interface and print an alert whenever a packet matches one of the loaded rules.

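Two things commonly go wrong between Steps 5 and 7: `HOME_NET` is left as `any` (so rules can no longer tell your hosts from the outside), and the interface given to `-i` does not exist. The script below, added here as an example and not part of the original page, checks both before running the same `snort -T` validation as Step 6; the sample config is constructed inline, and `home_net_of`, `home_net_ok`, `iface_exists` and `snort_preflight` are names chosen for this example.

```shell
# Added example, not part of the wiki page. Pre-flight checks for the
# Snort 2-style snort.conf used in Step 5, run before Step 6/7.

# Print the HOME_NET value (brackets and spaces removed); exit 1 if unset.
home_net_of() {
    val=$(sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*HOME_NET[[:space:]][[:space:]]*//p' "$1" \
          | head -n 1 | tr -d '[] ')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Exit 0 only if HOME_NET is a comma-separated list of IPv4 CIDRs.
# Leaving it as "any" (or unset) makes the $HOME_NET/$EXTERNAL_NET
# direction in rules meaningless, so that is treated as a failure.
home_net_ok() {
    net=$(home_net_of "$1") || return 1
    [ "$net" != "any" ] || return 1
    for item in $(printf '%s' "$net" | tr ',' ' '); do
        printf '%s' "$item" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' || return 1
    done
}

# The interface passed with -i must exist, otherwise Snort exits at start.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Run the checks, then the same "-T" validation as Step 6.
snort_preflight() {
    conf=$1; iface=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    home_net_ok "$conf" || { echo "HOME_NET unset, 'any' or malformed in $conf" >&2; return 1; }
    iface_exists "$iface" || { echo "interface $iface not found" >&2; return 1; }
    sudo snort -T -c "$conf" -i "$iface"
}

# Constructed sample excerpt (not a real snort.conf) for demonstration.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
EOF
home_net_ok "$SAMPLE_CONF" && echo "HOME_NET looks sane: $(home_net_of "$SAMPLE_CONF")"
```

On a real host, call `snort_preflight /etc/snort/snort.conf eth0` and only proceed to Step 7 when it exits 0.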
== Step 8: (Optional) Set Up Snort as a System Service ==

To have Snort start automatically when your system boots, configure it as a systemd service.

1. **Create a systemd service file**:

<nowiki>
sudo nano /etc/systemd/system/snort.service
</nowiki>

2. **Add the following content**:

<nowiki>
[Unit]
Description=Snort Intrusion Detection System
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -A console -c /etc/snort/snort.conf -i eth0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
</nowiki>

3. **Reload systemd and enable the Snort service**:

<nowiki>
sudo systemctl daemon-reload
sudo systemctl enable snort
sudo systemctl start snort
</nowiki>
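The unit above runs Snort as root and will start even when the configuration is broken. The function below, added here as an example and not from the original page, writes a unit that runs the Step 6 configuration test as `ExecStartPre` and drops to a dedicated user holding only the two capabilities packet capture needs; the `snort` user and group and the name `write_snort_unit` are assumptions of this example.

```shell
# Added example, not part of the wiki page. Writes a systemd unit like the
# one in Step 8, but with a config test before every start and the daemon
# confined. Assumes the paths from the steps above and a dedicated "snort"
# system user (assumption; e.g. "sudo useradd -r -s /usr/sbin/nologin snort"
# and "sudo chown snort:snort /var/log/snort" before enabling the service).

# write_snort_unit <unit-path> <interface> [snort.conf path]
write_snort_unit() {
    unit=$1; iface=$2; conf=${3:-/etc/snort/snort.conf}
    cat > "$unit" <<EOF
[Unit]
Description=Snort Intrusion Detection System
After=network.target

[Service]
Type=simple
# Refuse to start on a broken config: the same check as "snort -T" in Step 6.
ExecStartPre=/usr/local/bin/snort -T -c $conf
ExecStart=/usr/local/bin/snort -A console -c $conf -i $iface
ExecReload=/bin/kill -HUP \$MAINPID
Restart=on-failure
# Run unprivileged; opening a raw socket and setting promiscuous mode need
# only these two capabilities, so nothing else is granted to the process.
User=snort
Group=snort
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/log/snort

[Install]
WantedBy=multi-user.target
EOF
}

# As root on the target host, then daemon-reload and enable as in Step 8:
#   write_snort_unit /etc/systemd/system/snort.service eth0
```

If Snort is configured to write anywhere other than `/var/log/snort`, add that path to `ReadWritePaths`, or the `ProtectSystem=strict` sandbox will refuse the write.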