A command-line network intrusion detection system
Command Line – Snort
![© Photo by Jack Seeds on Unsplash © Photo by Jack Seeds on Unsplash](/var/linux_magazin/storage/images/issues/2022/259/sniffing-out-intruders/photobyjackseedsonunsplash_cat-nose.png/804463-1-eng-US/PhotobyJackSeedsonUnsplash_Cat-Nose.png_medium.png)
© Photo by Jack Seeds on Unsplash
Snort lets you detect intrusion attempts against your network with a customizable ruleset.
Snort [1] is one of the oldest and most widely deployed network intrusion detection systems. Created in 1998 by Martin Roesch, who later founded Sourcefire to develop it commercially, Snort quickly became popular enough that in 2009 InfoWorld listed it among the top 36 pieces of free software [2]. Much like the signature definitions of an antivirus scanner, Snort relies on a set of rules to recognize known attack patterns in network traffic; it can only flag what a rule describes, so the currency and quality of the rules matter as much as the engine itself. Snort is not difficult to install, but it requires some preparation, and the more you customize it, the more time-consuming the installation becomes. What follows are instructions for a minimal installation on Debian-like distributions, which should be good enough for many users, especially on standalone machines.
To get the very latest version, install Snort from source [3]. For the 2.9 series this means the usual `./configure`, `make`, and `make install` sequence; the Snort 3 source tree builds with CMake instead (its `configure_cmake.sh` script wraps the same steps). Most distributions also offer a package, although the package is often older than the latest release. In a mature application such as Snort, however, the differences between versions are apt to be minor, and the rules you install matter more. Note that the Debian and Ubuntu packages are from the 2.9 series and use the `snort.conf` format described below, whereas Snort 3 is configured in Lua (`snort.lua`). Whichever version you use, create a dedicated `snort` user and group solely for running the daemon and start Snort with `-u snort -g snort`, so that the process drops root's privileges once it has opened the capture interface. In addition, before installation, gather the necessary information (Figure 1) by running:
ip a
You will need the name of the network interface (usually the second entry in the list, after the loopback device `lo`) and its IP address with prefix length (on the line starting with `inet`, for example `192.168.1.42/24`). Keep the terminal open so you can copy and paste as needed. If you use the Snort package from the Debian repository, the installation will offer you one or more choices, depending on the distribution and its version (Figure 2). As a beginner, you can simply select OK to continue and edit the configuration later if necessary.
![](/var/linux_magazin/storage/images/issues/2022/259/sniffing-out-intruders/figure-2/804469-1-eng-US/Figure-2_large.png)
Configuring Snort
When installation is complete, you need to edit `/etc/snort/snort.conf` as root (Figure 3). At a minimum, find the line that begins with `ipvar HOME_NET` and replace its placeholder value (`any`) with your network in CIDR notation, for example `ipvar HOME_NET 192.168.1.0/24`, and set `ipvar EXTERNAL_NET !$HOME_NET` so that rules can tell your side of a connection from the outside. With `HOME_NET` left at `any`, every rule scoped to `$HOME_NET` matches in both directions and real alerts drown in noise. The `snort.conf` file is heavily commented; eventually, you should go through its dozens of options with the Snort documentation and README files open, uncommenting and adding entries as needed for your circumstances, a process that can take hours to do completely. For now, all you need to know is that `snort.conf` is divided into nine steps, each containing dozens of fields:
- Set the network variables and addresses.
- Configure the decoder.
- Configure the base detection engine.
- Configure dynamically loaded libraries.
- Configure preprocessors.
- Configure output plugins.
- Customize your rulesets.
- Customize your preprocessor and decoder alerts.
- Customize your Shared Object Snort Rules.
Debian also adds a Step 0 for Debian-specific settings, kept in a separate file (`/etc/snort/snort.debian.conf`). Beginners can ignore the Debian-specific choices.
Probably the most important place to begin is with the steps that involve rules. Intrusion detection is only as good as the rules it uses, and some rules may be out of date by the time you install.
Downloading Rules
Snort has three types of rules (Figure 4) for detection:
- Community rules are written and maintained by the Snort community and are available for free (Figure 5). They can be useful, but they may go stale or cover a new intrusion technique only some time after it becomes known, and their quality depends on how conscientious the contributors are.
- Registered rules are also free, but only for registered users. To download them, you first need the personal key (the "oinkcode") shown in your snort.org account.
- Subscription rules are the same ruleset delivered to paying subscribers as soon as it is published; registered users receive the same rules only after a delay, so subscribers get the newest protection first. The price differs for personal and business users.
![](/var/linux_magazin/storage/images/issues/2022/259/sniffing-out-intruders/figure-5/804478-1-eng-US/Figure-5_large.png)
Other rules are available on developer sites such as GitHub. If none of the available rules meet your needs, you can write your own; diagrams that break a rule down into its header and option components are widely available [4].
For all rules, create the directory `/usr/local/etc/rules` and add a symbolic link to `/usr/sbin/snort`. If you are using a `snort` user or group, transfer ownership of these directories to them. Rules should be downloaded and uncompressed as root to `/usr/local/etc/rules` from https://www.snort.org/downloads/#snort-3.0. Two checks save trouble later: download the ruleset that matches your Snort version (the 2.9 and 3.0 rulesets are separate archives with different syntax, and a 2.9-series package will not load Snort 3 rules), and make sure the `var RULE_PATH` line in `snort.conf` points at the directory where you actually unpacked them, because every `include $RULE_PATH/...` line is resolved relative to it.
Final Touches
Usually, you want Snort to see every frame that reaches the interface, not only those addressed to the host, which requires the interface to be in promiscuous mode. Snort (through libpcap) enables promiscuous mode itself when it opens the interface, unless you pass `-p` to disable it, but you can also turn it on explicitly with:
ip link set NETWORK-INTERFACE promisc on
Promiscuous mode only makes the card accept what the switch delivers to its port, so on a switched network a standalone machine sees mostly its own traffic plus broadcasts; to watch other hosts, feed Snort from a SPAN (mirror) port or a network tap. At this point, you can run Snort in test mode to check that the configuration parses and the rules load. As root, run:
snort -T -c /etc/snort/snort.conf -i NETWORK-INTERFACE
If configuration is successful, a copyright notice displays, followed by build notices and the message that Snort successfully validated the configuration (Figure 6). If validation fails, the messages will most likely point at directories you need to create or rules that can be commented out before you try again. As a final test, add a rule of your own and run Snort against live traffic to see the results [5].
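The procedure from the Configuring Snort section through this final test, carried out end to end as an added example (this is not code from the original article or from the Snort project): a POSIX shell script that derives `HOME_NET` from the interface address, rewrites the `ipvar` lines in `snort.conf`, appends a local test rule, validates with `snort -T`, and then runs Snort with alerts on the console. It assumes a Debian-style Snort 2.9 package with `/etc/snort/snort.conf`, `RULE_PATH` set to `/etc/snort/rules`, and a `snort` user and group to drop privileges to; the interface name, the addresses in the comments, and the `sid:1000001` rule are illustrative.

```shell
#!/bin/sh
# Added example for this article (not from the original page or the Snort
# project). Assumptions: Snort 2.9 as packaged by Debian, snort.conf at
# /etc/snort/snort.conf, RULE_PATH = /etc/snort/rules, and a "snort"
# user/group present. Interface name is passed as $1 when run as root.

# Network address in CIDR form from a host address and prefix length,
# e.g. network_cidr 192.168.1.42 24 -> 192.168.1.0/24
network_cidr() {
    addr=$1; plen=$2
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Same, from one line of `ip -o -4 addr show dev IFACE`, whose 4th field is
# the address with prefix length (e.g. 192.168.1.42/24).
home_net_from_ip_line() {
    addr_plen=$(printf '%s\n' "$1" | awk '{print $4}')
    network_cidr "${addr_plen%/*}" "${addr_plen#*/}"
}

# Rewrite the HOME_NET/EXTERNAL_NET lines of a snort.conf in place (Step 1 of
# the file). Every rule scoped to $HOME_NET depends on these two values.
set_home_net() {   # set_home_net CONF CIDR
    sed -i -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $2|" \
           -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' "$1"
}

# Append (once) a minimal local rule that alerts on ICMP echo requests aimed
# at HOME_NET. SIDs from 1000000 upward are reserved for locally written rules.
write_test_rule() {   # write_test_rule RULEFILE
    grep -q 'sid:1000001;' "$1" 2>/dev/null && return 0
    cat >> "$1" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1;)
EOF
}

# Root-only part: patch the live config, install the rule, validate, run.
# Ping this host from another machine on the LAN to trigger sid:1000001.
validate_and_run() {   # validate_and_run IFACE
    conf=/etc/snort/snort.conf
    cidr=$(home_net_from_ip_line "$(ip -o -4 addr show dev "$1" | head -n 1)")
    set_home_net "$conf" "$cidr"
    write_test_rule /etc/snort/rules/local.rules
    grep -q '^include \$RULE_PATH/local.rules' "$conf" ||
        printf 'include $RULE_PATH/local.rules\n' >> "$conf"
    snort -T -c "$conf" -i "$1" || return 1     # parse config and load rules
    # -A console prints alerts to stdout, -q drops the banner, and -u/-g hand
    # the process to the unprivileged account once the interface is open.
    exec snort -A console -q -u snort -g snort -c "$conf" -i "$1"
}

# Entry point: run as root with the interface name, e.g. ./snort-quickstart.sh eth0.
# With no arguments nothing runs, so the helpers can be sourced or tested alone.
if [ $# -eq 1 ]; then validate_and_run "$1"; fi
```

The `-T` run only proves that the configuration parses and the rules compile; the live run with `-A console` is what shows whether a rule actually matches. A ping from another host on the LAN should print one alert line per echo request. If nothing appears on a switched network, check that traffic is really reaching the interface (mirror port or tap) before suspecting the rule.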