Snort IPS Quickstart (2024)

Ally Petitt

Kali Linux

For my Kali friends, you might get the message that you’re unable to locate the snort package when trying to install it. This happens because the repositories that your distribution looks into when searching for apt packages doesn’t contain snort. To fix this, you can try to append the following repos to your /etc/apt/sources.list.

deb http://http.kali.org/kali kali-rolling main non-free contrib
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
deb http://old.kali.org/kali moto main non-free contrib

Let the changes take effect and install Snort.

$ sudo apt-get update
$ sudo apt-get install snort

If you’re crazy enough to build Snort from the source code, this section is for you.

Installing Dependencies

Before you can build Snort, you must first install its dependencies. These are listed in their README.md on GitHub, but for the sake of brevity, I’ll put some of them here. Keep in mind that some of the dependencies have more dependencies which is why some appear below and not in the documentation.

sudo apt update && apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev 
libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev 
bison flex libdnet autoconf libtool cmake

DAQ

Snort has another depenency called DAQ that needs to be installed. I’ll be downloading their latest release form GitHub and extracting it in a folder called daq.

$ wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.11.zip
$ unzip v3.0.11.zip -d daq && cd daq/libdaq-3.0.11

After downloading and extracting it, I’ll run bootstrap to generate the configuration script and then proceed to install it.

$ ./bootstrap
$ ./configure && make && sudo make install

hwloc

Another dependency is hwloc. You can find additional methods of installation on their GitHub and website. This is the way that I did it:

$ git clone https://github.com/open-mpi/hwloc.git
$ cd hwloc && ./autogen.sh
$ ./configure && make && sudo make install

OpenSSL

If you don’t already have openssl installed on your system, you could install it from source:

$ git clone https://github.com/openssl/openssl.git && cd openssl
$ ./Configure && make && make test

It is also possible to install it through apt. You may still need to install some additional headers for Snort to work. For this, you can try

$ sudo apt install libssl-dev openssl

Snort Install

Finally, we can start building Snort. I’ll be building directly from their source code on GitHub. Following the instructions on their README.md in GitHub, I clone their GitHub repository and run these commands:

$ git clone https://github.com/snort3/snort3.git
$ cd snort3

Then, I’ll build the program. You’ll need cmake among other packages in order to do this, so I’ve included the install command for those packages.

$ sudo apt install -y gcc cmake libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex autoconf libtool
$ ./configure_cmake.sh --prefix=$(pwd) --with-daq-libraries=/path/to/libdaq-3.0.11
$ cd build
$ make -j $(nproc) install

Capturing all Network Traffic

To start, we’ll set our network adapter to run in promiscuous mode. This means that it will capture all packets on the network rather than only the ones that were assigned to be captured by it. This can be done through WiFi settings or through the command line.

$ sudo ip link set wlan0 promisc on

Modifying the Configuration File

Most configurations will go within /etc/snort/snort.conf.

$ sudo vim /etc/snort/snort.conf

There’s many configuration options within this file that are broken up into 9 sections. Most of our changes will be in section 1.

On line 45 of the configuration file, we’ll change the value of HOME_NET from any to be the network that you would like to monitor. In my case, it is 192.168.1.0/24.

I would encourage you to go through the other variables in the configuration file to include the ports and hosts that are running various services so that Snort can detect them and apply the rules to them.

Rules are included in step #7. The syntax for rule files is include /path/to/rule.rules. In this case, $RULE_PATH refers to /etc/snort. You can include multiple rule files and add your own under /etc/snort/local.rules or whichever file name that you configure for you own rules. This structure allows you to compartmentalize various rule sets and keep them organized.

As a side note, if you would like to download the latest community rules, you can find them at the official website. You would extract the tarball and add the rule files to your /etc/snort/snort.conf.

$ wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
$ tar -xf snort3-community-rules.tar.gz

Once you have your configuration file created, you can test that everything works with the following command:

$ sudo snort -T -i wlan0 -c /etc/snort/snort.conf

You will get a lot of output. The most important pieces of information to be aware of in this output are the Snort rules. Here, you will be able to see how many were loaded in.

To actually run Snort as a daemon, you would change the -T option to -D.

$ sudo snort -D -i eth0 -c /etc/snort/snort.conf
Spawning daemon child...
My daemon child 197993 lives...
Daemon parent exiting (0)

To verify that it is working, you can use ps aux.

$ ps aux | grep snort
root 196973 0.0 0.3 450316 118644 ? Ssl 10:25 0:00 snort -D -i wlan0 -c /etc/snort/snort.conf

All alerts from Snort will be sent to /var/log/snort/alert unless otherwise specified in a command line argument.

For those who are interested in learning Snort on a deeper level, one recommendation is learning how to create your own rules and learning what the other configuration options are. It may be worth it to read their man page as well to be aware of options available on the CLI. You can also combine Snort with a SIEM such as Splunk and other solutions like pfSense.