Network IDS or NIDS performs as its name suggests, it monitors the package data sent and received through a specific network interface it was configured for. It aims to catch threats targeting your system vulnerabilities using signature-based detection and protocol analysis technologies. NIDS software when installed and configured properly can identify the latest attacks, malware infections, compromised systems, and network policy violations.
Snort is one of the most commonly used network based IDSs. It’s an open source system available for a multitude of platforms, light weight, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand on.
Preparing your server
Setting up a basic Snort configuration is fairly simple but takes a few steps to complete. You’ll first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the following packages with this command
sudo aptitude install flex bison make libpcap-dev libdnet-dev libdumbnet-dev libpcre3-dev libghc-zlib-dev
With the prerequisites fulfilled, next download and install Snort directly from the source.
Installing from the source
Setting up Snort from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code and lastly installing it. First up make a temporary download folder to your home directory and then move into it with the these commands
mkdir ~/snort_src cd ~/snort_src
Snort itself uses something called Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command below, replace the version number if there’s a newer source available
The download will only take a few seconds, when complete extract the source code and jump into the new directory with the following commands
tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6
Run the configuration script with defaults, then use make to compile the program and finally install it.
./configure make sudo make install
With the DAQ installed you can get started with Snort, change back to the download folder
Then download the Snort source code with wget, check the latest version number from Snort website and replace it in the command if necessary
Once the download is complete, extract the source and change into the new directory with these commands
tar -xvzf snort-184.108.40.206.tar.gz cd snort-220.127.116.11
Then configure the installation with sourcefire mode enabled, run make and make install.
./configure --enable-sourcefire make sudo make install
With that done, continue below on how to setup the configuration files.
Configuring Snort to run as NIDS
Next you’ll need to setup Snort for your system, this includes editing some configuration files, downloading rules that Snort will follow and taking Snort for a test run.
Start with updating the shared libraries using the command underneath.
Snort gets installed to /usr/local/bin/snort directory, it’s good practice to create a symbolic link to /usr/sbin/snort with
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
To run Snort safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.
sudo groupadd snort sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Then create the folder structure to house the snort configuration, just copy over the commands below.
sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /var/log/snort
Create new files for the white and black lists as well as the local rules, and change the permissions for the new directories.
sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules sudo chown -R snort:snort /etc/snort sudo chown -R snort:snort /var/log/snort sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Then copy the configuration files from the source to your configuration directory.
sudo cp ~/snort_src/snort-18.104.22.168/etc/*.conf* /etc/snort sudo cp ~/snort_src/snort-22.214.171.124/etc/*.map /etc/snort
Next up you’ll need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.
- Community rules are freely available though slightly limited.
- By registering for free to their website you’ll get access to your Oink code, which lets you download the registered users rules.
- Lastly subscriber rules are just that, available to users with active subscription to Snort services.
If you just want to quickly test out Snort, grab the community rules using wget with the command below, and extract the rules to your configuration folder.
wget https://www.snort.org/rules/community -O ~/community.tar.gz
sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
You can also take a moment and register on Snort website, then use the Oink code to download the registered user rules. Replace the <oinkcode> with your personal code, which you can find in the Snort user account details.
wget https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkcode=<oinkcode> -O ~/registered.tar.gz
After the download is finished, extract the rules and copy them over to your configuration directory with
sudo tar -xvf ~/registered.tar.gz -C /etc/snort
With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file to edit with the following
sudo nano /etc/snort/snort.conf
Find the following sections in the configuration file and change the parameters to reflect the examples underneath.
# Setup the network addresses you are protecting ipvar HOME_NET <server's public IP>/32
# Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path) var RULE_PATH rules var SO_RULE_PATH so_rules var PREPROC_RULE_PATH preproc_rules
# Set the absolute path appropriately var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules
In the same snort.conf file, scroll down to the section 6 and set the output for unified2 to log under filename of snort.log like below.
# unified2 # Recommended for most installs output unified2: filename snort.log, limit 128
Lastly scroll down to the bottom of the file to find the list of included rule sets. You’ll need to uncomment the local.rules include line to allow Snort to load any custom rules.
If you are using the community rules, add the line underneath here to your rule set, for example just below your local.rules line.
Once you are done with the configuration file, save the changes and exit the editor.
Your Snort should now be ready to run, test the configuration using the parameter -T to enable test mode.
sudo snort -T -c /etc/snort/snort.conf
After running the Snort configuration test, you should get a message like this example below.
Snort successfully validated the configuration! Snort exiting
In case you get an error message, the print out should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above, or by commenting out the inclusion line in the snort.conf -file. Check through the configuration part and try again.
Even on a successful test run you’ll notice a list of warnings about flowbits, this is normal and is no cause for concern.
Now to run Snort with the configuration you set up, use the command below by replacing the <interface> with the public network interface on your server, for example eth0.
sudo snort -i <interface> -u snort -g snort -c /etc/snort/snort.conf
If you are not sure which interface to use, check your UpCloud Control Panel for your server’s public IPv4 address in the Network settings, and then run the following on you server.
The output will list all of your currently configured network interfaces, find the one with the same public IP address as shown in the Network -tab and use that.
Testing the configuration
To test if Snort is logging alerts as intended, add a custom detection rule alert on incoming ICMP connections to the local.rules -file. Open your local rules with
sudo nano /etc/snort/rules/local.rules
Then add the following line to the file.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
The rule consist of the following parts:
- action for traffic matching the rule, alert in this case
- traffic protocol like TCP, UDP or ICMP like here
- source address and port, simply marked as any to include all addresses and ports
- destination address and port, $HOME_NET as declared in the configuration and any for port
- some additional bits
- log message
- unique rule identifier (sid) which for local rules needs to be 1000001 or higher
- rule version number.
Save the local.rules and exit the editor. You then need to restart Snort since you made changes to the files it loads. Start Snort with -A console -q options to print the alerts to stdout but otherwise runs in quiet mode.
sudo snort -A console -q -i <interface> -u snort -g snort -c /etc/snort/snort.conf
With Snort up and running ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort. After the alerts show up you can stop Snort with ctrl+C.
Snort records the alerts to a log under /var/log/snort/snort.log.<timestamp>, where the time stamp is the point in time when Snort was started marked in Unix time. You can read the logs with the command underneath. Since you’ve only ran Snort once, there’s only one log, complete your command by pressing TAB.
snort -r /var/log/snort/snort.log.1
The log shows a warning for each ICMP call with source and destination IPs, time and date, plus some additional info, check the example below.
WARNING: No preprocessors configured for policy 0. 12/08-16:52:54.418592 126.96.36.199 -> 188.8.131.52 ICMP TTL:117 TOS:0x0 ID:8792 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:17 ECHO
You have now successfully configured and tested a network based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and IDS in general. To get more out of your installation, check out the deployment guides over at https://snort.org/documents.