How to Install Snort on Ubuntu 20.04 LTS (Focal Fossa) | CyberITHub (2024)


In this article, we will see how to install Snort on Ubuntu 20.04 LTS (Focal Fossa). Snort is a free and open source network intrusion detection system (IDS) that identifies emerging threats on Windows and Linux based systems using a set of defined rules. Snort uses those rules to detect malicious packets and generate alerts for users in real time. Snort can therefore be used not just as a packet sniffer but also as a network debugger and a full-blown network intrusion prevention system. It can be used for both personal and business purposes. Here we will see how to install and use Snort on Ubuntu 20.04 LTS based systems.


Step 1: Prerequisites

a) You should have a running Ubuntu 20.04 LTS Server.

b) You should have sudo or root access to run privileged commands.


c) You should have the apt or apt-get utility available on your server.

d) You should also have the make, wget and tar utilities available on your server if you plan to install Snort from source code.


Step 2: Update Your Server

Before installing the snort package, check for all available updates from the default Ubuntu repositories and install them by running the sudo apt update && sudo apt upgrade command as shown below.

cyberithub@ubuntu:~$ sudo apt update && sudo apt upgrade
Hit:1 https://d3nt0h4h6pmmc4.cloudfront.net/ubuntu focal InRelease
Hit:2 http://in.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:5 http://ppa.launchpad.net/flatpak/stable/ubuntu focal InRelease
Hit:6 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:7 https://dl.winehq.org/wine-builds/ubuntu focal InRelease
Get:8 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Hit:9 http://ppa.launchpad.net/gencfsm/ppa/ubuntu focal InRelease
Hit:10 http://ppa.launchpad.net/juju/stable/ubuntu focal InRelease
Hit:11 https://download.sublimetext.com apt/stable/ InRelease
Hit:12 https://ngrok-agent.s3.amazonaws.com buster InRelease
Hit:13 http://ppa.launchpad.net/libreoffice/ppa/ubuntu focal InRelease
Hit:14 https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/focal pgadmin4 InRelease
Hit:15 http://ppa.launchpad.net/mojo-maintainers/ppa/ubuntu focal InRelease
Hit:16 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease
Fetched 108 kB in 23s (4,722 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
  node-hosted-git-info python2.7-minimal python2.7 node-tar libgsasl7
  libopusfile0 libjs-jquery-ui libsdl2-2.0-0 libsdl2-2.0-0
  libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following packages have been kept back:
  xdg-desktop-portal xdg-desktop-portal-gtk
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

Step 3: Install Snort

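There are multiple ways to install Snort on your Ubuntu 20.04 LTS server. You can use either of the methods below depending on your requirements. The two methods install different versions: the APT package shown below is 2.9.7.0, while the source tarball downloaded below is 2.9.20.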


a) Using APT

You can install Snort from the default Ubuntu repositories by using the sudo apt install snort command as shown below. This will download and install the package along with all its dependencies.

cyberithub@ubuntu:~$ sudo apt install snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libdaq2 libdumbnet1 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
  snort-doc
The following NEW packages will be installed:
  libdaq2 libdumbnet1 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 7 newly installed, 0 to remove and 2 not upgraded.
Need to get 1,424 kB of archives.
After this operation, 7,338 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort-common-libraries amd64 2.9.7.0-5build1 [413 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort-rules-default all 2.9.7.0-5build1 [140 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort-common all 2.9.7.0-5build1 [39.8 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 libdaq2 amd64 2.0.4-3build2 [65.2 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 libdumbnet1 amd64 1.12-9build1 [25.4 kB]
Get:6 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort amd64 2.9.7.0-5build1 [656 kB]
Get:7 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 oinkmaster all 2.0-4 [84.0 kB]
Fetched 1,424 kB in 2s (611 kB/s)
.........................................................

If you are installing Snort for the first time on your system, the installer will ask you for the interface Snort should listen on. The default is eth0, but you have to provide the correct interface name for your system. For example, I want Snort to listen on the enp0s8 interface, so I entered that name and pressed Tab to select Ok and continue with the installation.


The installer will then ask for the address range of the local network. The default is 192.168.0.0/16. If this does not match your network, change it; otherwise keep the default. Then press Tab to select Ok and continue with the installation. After a short while, the installation will complete successfully.
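A way to confirm the interface and address range entered at these two prompts, as an added example that is not part of the original article. It assumes the Ubuntu/Debian package records the answers in /etc/snort/snort.debian.conf as DEBIAN_SNORT_INTERFACE and DEBIAN_SNORT_HOME_NET; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): check the two answers given
# to the installer prompts. Assumption: the Ubuntu/Debian package keeps them
# in /etc/snort/snort.debian.conf as DEBIAN_SNORT_INTERFACE / _HOME_NET.

# conf_value FILE KEY: print the value of a KEY="value" line, quotes removed.
conf_value() {
    sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# valid_cidr4 ADDR/LEN: succeed only for a well-formed IPv4 CIDR block.
valid_cidr4() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# check_snort_prompts CONF [NETDIR]: print each problem found and return the
# number of problems. NETDIR defaults to /sys/class/net, where Linux lists
# the host's network interfaces. Snort also accepts "any" for HOME_NET.
check_snort_prompts() {
    conf=$1; netdir=${2:-/sys/class/net}; problems=0
    ifaces=$(conf_value "$conf" DEBIAN_SNORT_INTERFACE)
    nets=$(conf_value "$conf" DEBIAN_SNORT_HOME_NET)
    [ -n "$ifaces" ] || { echo "no listening interface set"; problems=$((problems + 1)); }
    for i in $ifaces; do
        [ -e "$netdir/$i" ] ||
            { echo "interface '$i' not found on this host"; problems=$((problems + 1)); }
    done
    [ -n "$nets" ] || { echo "no HOME_NET set"; problems=$((problems + 1)); }
    for n in $(printf '%s' "$nets" | tr ',' ' '); do
        [ "$n" = any ] || valid_cidr4 "$n" ||
            { echo "HOME_NET entry '$n' is not a valid IPv4 CIDR"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Run the check only when the packaged file is present (APT installs).
if [ -r /etc/snort/snort.debian.conf ]; then
    check_snort_prompts /etc/snort/snort.debian.conf || echo "review the settings above"
fi
```

A wrong interface name is the failure worth catching here: Snort then watches an interface that carries no traffic and raises no alerts.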


b) Using Source Code

Visit the official website and download the latest source code using the wget utility as shown below.

cyberithub@ubuntu:~$ wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
--2023-09-06 00:19:19-- https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
Resolving www.snort.org (www.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, ...
Connecting to www.snort.org (www.snort.org)|104.18.138.9|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/025/687/original/snort-2.9.20.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAU7AK5ITMJQBJPARJ%2F20230905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230905T184920Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18c602ab4c2657111175379056f0f514f6e234b13b57b7e660aa75396c451fd2 [following]
--2023-09-06 00:19:20-- https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/025/687/original/snort-2.9.20.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAU7AK5ITMJQBJPARJ%2F20230905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230905T184920Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18c602ab4c2657111175379056f0f514f6e234b13b57b7e660aa75396c451fd2
Resolving snort-org-site.s3.amazonaws.com (snort-org-site.s3.amazonaws.com)... 54.231.160.153, 52.217.175.9, 52.216.38.177, ...
Connecting to snort-org-site.s3.amazonaws.com (snort-org-site.s3.amazonaws.com)|54.231.160.153|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7009894 (6.7M) [binary/octet-stream]
Saving to: ‘snort-2.9.20.tar.gz’

snort-2.9.20.tar.gz 100%[============================================================================>] 6.68M 1.53MB/s in 4.6s

2023-09-06 00:19:25 (1.45 MB/s) - ‘snort-2.9.20.tar.gz’ saved [7009894/7009894]

Extract the archive using the tar -xzf snort-2.9.20.tar.gz command as shown below.

cyberithub@ubuntu:~$ tar -xzf snort-2.9.20.tar.gz

Then switch to the extracted snort directory using the cd snort-2.9.20 command.

cyberithub@ubuntu:~$ cd snort-2.9.20

Now configure the build for your local system architecture by running the ./configure script as shown below.

cyberithub@ubuntu:~/snort-2.9.20$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports the include directive... yes (GNU style)
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
................................................................

Then compile the source code by using the make command as shown below.

cyberithub@ubuntu:~/snort-2.9.20$ make
...................................................
libtool: link: gcc -g -O2 -DSF_VISIBILITY -fvisibility=hidden -Wall -g -O2 -DSF_VISIBILITY -fvisibility=hidden -Wall -o u2streamer u2streamer-u2streamer.o u2streamer-SpoolFileIterator.o u2streamer-Unified2.o u2streamer-Unified2File.o u2streamer-TimestampedFile.o u2streamer-UnifiedLog.o u2streamer-sf_error.o -ldaq_static /usr/lib/x86_64-linux-gnu/libdumbnet.so -lpcre -lnsl -luuid -lm -lcrypto -ldl -L/usr/lib -ldaq_static_modules -lsfbpf -lpcap -lz -lpthread
make[3]: Leaving directory '/home/cyberithub/snort-2.9.20/tools/u2streamer'
make[3]: Entering directory '/home/cyberithub/snort-2.9.20/tools'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[2]: Entering directory '/home/cyberithub/snort-2.9.20'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20'
make[1]: Leaving directory '/home/cyberithub/snort-2.9.20'

Finally, install the compiled files by using the make install command as shown below.

cyberithub@ubuntu:~/snort-2.9.20$ make install
......................................................
make[3]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[1]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[1]: Entering directory '/home/cyberithub/snort-2.9.20'
make[2]: Entering directory '/home/cyberithub/snort-2.9.20'
make[2]: Nothing to be done for 'install-exec-am'.
 /usr/bin/mkdir -p '/usr/local/share/man/man8'
 /usr/bin/install -c -m 644 snort.8 '/usr/local/share/man/man8'
 /usr/bin/mkdir -p '/usr/local/lib/pkgconfig'
 /usr/bin/install -c -m 644 snort.pc '/usr/local/lib/pkgconfig'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20'
make[1]: Leaving directory '/home/cyberithub/snort-2.9.20'

Step 4: Verify Installation

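After a successful installation, you can list the paths of the files installed by the package using the dpkg -L snort command as shown below. This applies to the APT installation; files installed from source are not tracked by dpkg.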

cyberithub@ubuntu:~$ dpkg -L snort
/.
/etc
/etc/cron.daily
/etc/default
/etc/default/snort
/etc/init.d
/etc/init.d/snort
/etc/logrotate.d
/etc/logrotate.d/snort
/etc/ppp
/etc/ppp/ip-down.d
/etc/ppp/ip-down.d/snort
/etc/ppp/ip-up.d
/etc/ppp/ip-up.d/snort
/etc/snort
/usr
/usr/bin
/usr/bin/u2boat
/usr/bin/u2spewfoo
/usr/sbin
/usr/sbin/snort
/usr/share
/usr/share/doc
..................................................

Step 5: Check Version

You can also check the currently installed version by using the snort --version command as shown below.

cyberithub@ubuntu:~$ snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

Step 6: Uninstall Snort

Once you are done using Snort, you can uninstall it from your system by running the sudo apt remove snort command as shown below. If you want to remove all the dependencies along with the snort package, use the sudo apt remove snort --auto-remove command instead. Be careful when removing dependencies, as this can sometimes cause problems for other running applications that use those packages.

cyberithub@ubuntu:~$ sudo apt remove snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libdaq2 libdumbnet1 oinkmaster snort-common snort-common-libraries snort-rules-default
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  snort
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,987 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 258556 files and directories currently installed.)
Removing snort (2.9.7.0-5build1) ...
Stopping snort (via systemctl): snort.service.
Processing triggers for man-db (2.9.1-1) ...
Article information

Author: Greg O'Connell
