SNORT - Install On Ubuntu 24.4
Revision as of 15:24, 14 December 2025
Step 1: Update Your System
Start by ensuring your system's package list is up-to-date. Open a terminal and run the following commands:
sudo apt update
sudo apt upgrade -y
This will update all the existing packages on your system.
Step 2: Install Required Dependencies
Snort requires several dependencies to compile and run. Install them by running the following command:
sudo apt install -y build-essential cmake flex bison libpcap-dev libpcre3-dev libdumbnet-dev \
    libluajit-5.1-dev libssl-dev libmariadb-dev libmysqlclient-dev zlib1g-dev \
    liblzma-dev libgeoip-dev libpcap0.8-dev pkg-config
This installs development tools and libraries needed for compiling Snort from source.
Step 3: Download and Extract Snort Source Code
1. **Download Snort from the official website**. You can download the latest version of Snort from [Snort Downloads](https://www.snort.org/downloads) or use the following `wget` command to download Snort 3.x (latest version as of writing):
wget https://www.snort.org/downloads/snort/snort-3.1.0.0.tar.gz
2. **Extract the downloaded file**:
tar -xvzf snort-3.1.0.0.tar.gz
cd snort-3.1.0.0
This extracts the archive and changes into the Snort source directory.
Step 4: Compile and Install Snort
1. **Create a build directory**:
mkdir build
cd build
2. **Run `cmake` to configure the build environment**:
cmake ..
3. **Compile Snort**:
make -j$(nproc)
This command compiles Snort using all available CPU cores to speed up the process.
4. **Install Snort**:
sudo make install
This will install Snort on your system.
Step 5: Configure Snort
Now that Snort is installed, you need to configure it.
1. **Create the necessary directories**:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /var/log/snort
2. **Copy the default configuration files**:
sudo cp /usr/local/etc/snort/snort.conf /etc/snort/
sudo cp /usr/local/etc/snort/rules/* /etc/snort/rules/
3. **Edit the snort.conf file** to configure Snort for your environment. Open the file in a text editor:
sudo nano /etc/snort/snort.conf
Within this file, make sure to configure:
- The **interface** to monitor, e.g., `eth0` (replace with your network interface).
var interface eth0
- The **home network** (change this to match your network setup):
var HOME_NET [192.168.1.0/24]
Save and close the file (press `CTRL+X`, then `Y` to confirm).
Step 6: Test Snort Configuration
To ensure your configuration is correct, run Snort in **test mode** to check for any errors in the configuration file:
sudo snort -T -c /etc/snort/snort.conf
If everything is configured correctly, you should see a message like:
Snort successfully validated the configuration!
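As an added example (not part of the original page), the following bash script bundles the checks behind Steps 5 and 6: it confirms the monitoring interface exists on the host, validates the HOME_NET value (a single block or Snort's bracketed list form), and runs `snort -T`, treating the test as passed only when Snort exits 0 and prints the success message quoted above. The default paths are the ones this guide uses; the function names are my own.

```bash
#!/usr/bin/env bash
# check_snort_setup.sh (added example): pre-flight checks before starting Snort.
# Assumed defaults match this guide: /usr/local/bin/snort and /etc/snort/snort.conf.
set -u
# Return 0 if the interface exists (Linux lists each one under /sys/class/net).
iface_exists() { [ -d "/sys/class/net/$1" ]; }
# Return 0 for a syntactically valid IPv4 address or CIDR block, e.g. 192.168.1.0/24.
valid_cidr() {
    local cidr="$1" ip prefix octet
    case "$cidr" in
        */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
        *)   ip="$cidr"; prefix=32 ;;          # bare host address
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS=.
    set -- $ip                                  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# HOME_NET may be a single block or a bracketed list such as [192.168.1.0/24,10.0.0.0/8];
# every entry must pass valid_cidr (negated "!" entries are not handled here).
valid_home_net() {
    local list="$1" entry
    list="${list#\[}"; list="${list%\]}"
    [ -n "$list" ] || return 1
    local IFS=,
    for entry in $list; do valid_cidr "$entry" || return 1; done
    return 0
}
# Run Snort's configuration test (-T). Pass only if the exit status is 0 AND the
# success banner is present; on failure print Snort's output so the error is visible.
validate_snort_config() {
    local snort_bin="${1:-/usr/local/bin/snort}" conf="${2:-/etc/snort/snort.conf}" out
    if ! out="$("$snort_bin" -T -c "$conf" 2>&1)"; then printf '%s\n' "$out"; return 1; fi
    printf '%s\n' "$out" | grep -q 'successfully validated the configuration' \
        || { printf '%s\n' "$out"; return 1; }
}
# Usage: check_snort_setup IFACE HOME_NET [SNORT_BIN] [CONF]
check_snort_setup() {
    iface_exists "$1" || { echo "no such interface: $1" >&2; return 1; }
    valid_home_net "$2" || { echo "HOME_NET is not valid: $2" >&2; return 1; }
    validate_snort_config "${3:-}" "${4:-}"
}
```

The configuration path is a parameter, so the same check works if your Snort 3 build ships a Lua configuration (snort.lua) instead of snort.conf.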
Step 7: Run Snort in IDS Mode
To run Snort in **Intrusion Detection System (IDS)** mode and begin monitoring traffic, use the following command:
sudo snort -A console -c /etc/snort/snort.conf -i eth0
Where:
- `-A console`: Outputs alerts to the terminal.
- `-c /etc/snort/snort.conf`: Specifies the configuration file.
- `-i eth0`: Specifies the network interface to monitor (replace `eth0` with the correct interface).
Snort will now start analyzing network traffic and generating alerts for activity that matches its rules.
Step 8: (Optional) Set Up Snort as a System Service
To have Snort start automatically when your system boots, configure it as a systemd service.
1. **Create a systemd service file**:
sudo nano /etc/systemd/system/snort.service
2. **Add the following content**:
[Unit]
Description=Snort Intrusion Detection System
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -A console -c /etc/snort/snort.conf -i eth0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
3. **Reload systemd and enable the Snort service**:
sudo systemctl daemon-reload
sudo systemctl enable snort
sudo systemctl start snort
