A command-line network intrusion detection system
Command Line – Snort
Snort lets you protect your network from intruders with a customizable ruleset.
Snort [1] is one of the oldest and most reliable network intrusion detection systems. Founded in 1998 by Martin Roesch, then the CTO of Sourcefire, Snort quickly became so popular that in 2009 InfoWorld declared it one of the top 36 pieces of free software [2]. Like the definitions in a virus detector, Snort relies on a series of rules to detect all known means of compromising a system. It is not difficult to install, but it requires preparation, and, the more customization, the more time-consuming your installation will be. What follows are instructions for a minimal installation for Debian-like distributions, which should be good enough for many users, especially on standalone machines.
To get the very latest protection, install Snort from source [3], using the usual ./configure
, make
, and install
commands. Most distributions also offer a package, although the package is often older than the latest version. However, in a mature application such as Snort, the differences between versions are apt to be minimal, and the rules you install are probably more important. Whichever version you use, you might want to create a Snort group and user solely for running the app, just for added protection. In addition, before installation, gather the necessary information (Figure 1) by running:
ip a
You will need the name of the network interface (the second item on the list) and the IP address (on the line starting with inet
). Keep the terminal open so you can copy and paste as needed. If you use the Snort package from the Debian repository, the installation will offer you one or more choices, depending on the distribution and its version (Figure 2). As a beginner, you can simply select OK to continue and edit the configuration later if necessary.
Configuring Snort
When installation is complete, you need to edit /etc/snort/snort.conf
as root (Figure 3). At a minimum, you need to find the lines that begin with ipvar
and replace the placeholder HOME_NET
with your network address. The snort.conf
file is heavily commented; eventually, you should go through its dozens of options with the Snort documentation and read.me
files open, uncommenting and adding entries as needed for your circumstances – a process that can take hours to do completely. For now, however, all you should note is that snort.conf
is divided into nine steps, each containing dozens of fields:
- Set the network variables/addresses.
- Configure the decoder.
- Configure the basic detection engine.
- Configure dynamic loaded libraries.
- Configure preprocessors.
- Configure output plugins.
- Customize your rulesets.
- Customize your preprocessor and decoder alerts.
Finally, customize your Shared Object Snort Rules.
Debian also has a Step 0 for a Debian-specific configuration as a separate configuration. Beginners, though, can ignore the Debian-specific choices.
Probably the most important place to begin is with the steps that involve rules. Intrusion detection is only as good as the rules it uses, and some rules may be out of date by the time you install.
Downloading Rules
Snort has three types of rules (Figure 4) for detection:
- Community rules are rules written by the community and available for free (Figure 5). These can be useful but may become obsolete, or may be developed some time after a new means of intrusion is known. Their quality depends on how conscientious the developers are.
- Registered rules are free rules, but they are only available to registered users. In order to download rules, you will need to first enter your personal code.
- Subscription rules are registered rules that are available only to paid subscribers. Subscribers can download them before a software release, which offers the very latest protection. The price differs for personal and business users.
Other rules are available on developer sites such as GitHub. If none of the available rules meet your needs, you can try writing your own. Online diagrams that parse the components of rules are widely available online [4].
For all rules, create the directory /usr/local/etc/rules
, and add a symbolic link to /usr/sbin/snort
. If you are using a Snort user or group, transfer ownership of these directories to them. Rules should be downloaded and uncompressed as root to /usr/local/etc/rules
from https://www.snort.org/downloads/#snort-3.0.
Final Touches
Usually, you want Snort to listen to all traffic, which is known as promiscuous mode. To configure promiscuous mode, run the command:
ip link set NETWORK-INTERFACE promisc on
At this point, you can run Snort in test mode to check that it is ready. As root, run:
snort -T -c /etc/snort/snort.conf
If configuration is successful, a copyright notice displays, followed by build notices and a message that the installation has been validated (Figure 6). If validation fails, the messages will most likely involve directories you need to add or rules that can be commented out before trying to validate again. As a final test, you can add a rule and then run Snort to see the results [5].
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.