# SNORT - Install on Ubuntu 24.04

## Step 1: Update Your System

Start by ensuring your system's package list is up to date. Open a terminal and run the following commands:

```bash
sudo apt update
sudo apt upgrade -y
```

This will update all the existing packages on your system.
## Step 2: Install Required Dependencies

Snort requires several dependencies to compile and run. Install them by running the following command:

```bash
sudo apt install -y build-essential cmake flex bison libpcap-dev libpcre3-dev libdumbnet-dev \
  libluajit-5.1-dev libssl-dev libmariadb-dev libmysqlclient-dev zlib1g-dev \
  liblzma-dev libgeoip-dev libpcap0.8-dev pkg-config
```

This installs the development tools and libraries needed for compiling Snort from source.
## Step 3: Download and Extract Snort Source Code

1. **Download Snort from the official website**. You can download the latest version of Snort from [Snort Downloads](https://www.snort.org/downloads) or use the following `wget` command to download Snort 3.x (latest version as of writing):

   ```bash
   wget https://www.snort.org/downloads/snort/snort-3.1.0.0.tar.gz
   ```

2. **Extract the downloaded file**:

   ```bash
   tar -xvzf snort-3.1.0.0.tar.gz
   cd snort-3.1.0.0
   ```

   This will extract the archive and change into the Snort source directory.
## Step 4: Compile and Install Snort

1. **Create a build directory**:

   ```bash
   mkdir build
   cd build
   ```

2. **Run `cmake` to configure the build environment**:

   ```bash
   cmake ..
   ```

3. **Compile Snort**:

   ```bash
   make -j$(nproc)
   ```

   This command compiles Snort using all available CPU cores to speed up the process.

4. **Install Snort**:

   ```bash
   sudo make install
   ```

   This will install Snort on your system.
## Step 5: Configure Snort

Now that Snort is installed, you need to configure it. Note that Snort 3.x installs a Lua configuration file, `snort.lua`, under `/usr/local/etc/snort/`; the `snort.conf` file name and `var` syntax used below are the Snort 2 format, so check which file your installed version actually provides before copying it.

1. **Create the necessary directories**:

   ```bash
   sudo mkdir -p /etc/snort /etc/snort/rules /var/log/snort
   ```

2. **Copy the default configuration files**:

   ```bash
   sudo cp /usr/local/etc/snort/snort.conf /etc/snort/
   sudo cp /usr/local/etc/snort/rules/* /etc/snort/rules/
   ```

3. **Edit the snort.conf file** to configure Snort for your environment. Open the file in a text editor:

   ```bash
   sudo nano /etc/snort/snort.conf
   ```

   Within this file, make sure to configure:

   - The **interface** to monitor, e.g., `eth0` (replace with your network interface):

     ```
     var interface eth0
     ```

   - The **home network** (change this to match your network setup):

     ```
     var HOME_NET [192.168.1.0/24]
     ```

   Save and close the file (press `CTRL+X`, then `Y` to confirm).
## Step 6: Test Snort Configuration

To ensure your configuration is correct, run Snort in **test mode** to check for any errors in the configuration file:

```bash
sudo snort -T -c /etc/snort/snort.conf
```

If everything is configured correctly, you should see a message like:

```
Snort successfully validated the configuration!
```
## Step 7: Run Snort in IDS Mode

To run Snort in **Intrusion Detection System (IDS)** mode and begin monitoring traffic, use the following command:

```bash
sudo snort -A console -c /etc/snort/snort.conf -i eth0
```
Where:
- `-A console`: Outputs alerts to the terminal.
- `-c /etc/snort/snort.conf`: Specifies the configuration file.
- `-i eth0`: Specifies the network interface to monitor (replace `eth0` with the correct interface).
Snort will now start analyzing network traffic and generate alerts based on suspicious activity.
## Step 8: (Optional) Set Up Snort as a System Service

To have Snort start automatically when your system boots, configure it as a systemd service.

1. **Create a systemd service file**:

   ```bash
   sudo nano /etc/systemd/system/snort.service
   ```

2. **Add the following content**:

   ```ini
   [Unit]
   Description=Snort Intrusion Detection System
   After=network.target

   [Service]
   Type=simple
   ExecStart=/usr/local/bin/snort -A console -c /etc/snort/snort.conf -i eth0
   ExecReload=/bin/kill -HUP $MAINPID
   Restart=on-failure

   [Install]
   WantedBy=multi-user.target
   ```

3. **Reload systemd and enable the Snort service**:

   ```bash
   sudo systemctl daemon-reload
   sudo systemctl enable snort
   sudo systemctl start snort
   ```
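Before enabling the service, it is worth running a pre-flight check that confirms everything Steps 4 to 7 set up is actually in place, and only then lets Snort validate the configuration with `-T` as in Step 6. The script below is an added example, not part of the original guide; the default paths, `eth0` and `192.168.1.0/24` are the values used above, and the `SNORT_*` environment variables are this script's own assumption so they can be overridden without editing it.

```shell
#!/bin/sh
# Pre-flight check to run before "systemctl enable snort" (added example, not from the guide).
# Defaults are the paths and values used in the steps above; the SNORT_* variables are this
# script's own assumption and let you override them for a different layout.

# Returns 0 if $1 is an IPv4 CIDR such as 192.168.1.0/24 (the HOME_NET value above).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 if network interface $1 exists on this host (sysfs lookup, no root needed).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Checks binary, config, interface, log directory and HOME_NET; prints each problem and
# returns the number of failures (0 means Snort itself also accepted the config via -T).
snort_preflight() {
    bin=${SNORT_BIN:-/usr/local/bin/snort}
    conf=${SNORT_CONF:-/etc/snort/snort.conf}
    iface=${SNORT_IFACE:-eth0}
    logdir=${SNORT_LOGDIR:-/var/log/snort}
    homenet=${SNORT_HOME_NET:-192.168.1.0/24}
    fails=0
    [ -x "$bin" ]         || { echo "missing snort binary: $bin";      fails=$((fails + 1)); }
    [ -r "$conf" ]        || { echo "unreadable config: $conf";        fails=$((fails + 1)); }
    iface_exists "$iface" || { echo "no such interface: $iface";       fails=$((fails + 1)); }
    [ -d "$logdir" ]      || { echo "missing log directory: $logdir";  fails=$((fails + 1)); }
    valid_cidr "$homenet" || { echo "bad HOME_NET: $homenet";          fails=$((fails + 1)); }
    # Only ask Snort to validate the configuration once the cheap checks pass (needs root).
    if [ "$fails" -eq 0 ]; then
        "$bin" -T -c "$conf" -i "$iface" >/dev/null 2>&1 \
            || { echo "snort -T rejected $conf"; fails=$((fails + 1)); }
    fi
    return "$fails"
}
```

Run `snort_preflight` as root (or with `sudo sh -c`) so the final `snort -T` can open the interface; a non-zero exit status is the number of problems found.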
