A network IDS (NIDS) does what its name suggests: it monitors the packet data sent and received on the network interface it is configured to watch. It aims to catch threats targeting vulnerabilities in your systems using signature-based detection and protocol analysis. When installed and configured properly, NIDS software can identify the latest attacks, malware infections, compromised systems and network policy violations.

Snort is one of the most commonly used network-based IDSs. It’s an open source system available for a multitude of platforms, lightweight, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand on.

Preparing your server

Setting up a basic Snort configuration is fairly simple but takes a few steps to complete. You’ll first need to install the prerequisite software to ready your cloud server for installing Snort itself. Install the following packages with this command.

sudo apt-get install build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev libdnet

With the prerequisites fulfilled, next download and install Snort directly from the source.

Installing from the source

Setting up Snort from the source code consists of a couple of steps: downloading the code, configuring it, compiling it and lastly installing it. First, make a temporary download folder in your home directory and then move into it with these commands.

mkdir ~/snort_src
cd ~/snort_src

Snort itself uses the Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command below, replacing the version number if a newer source is available.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

The download takes only a few seconds. When it completes, extract the source code and move into the new directory with the following commands.

tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6

Run the configuration script with the defaults, then use make to compile the program and finally install DAQ.

./configure
make
sudo make install

With DAQ installed you can get started with Snort itself. Change back to the download folder.

cd ~/snort_src

Then download the Snort source code with wget. Check the latest version number on the Snort website and replace it in the command if necessary.

wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

Once the download is complete, extract the source and change into the new directory with these commands

tar -xvzf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0

Then configure the installation with sourcefire mode enabled, run make and make install.

./configure --enable-sourcefire
make
sudo make install

With that done, continue below to set up the configuration files.

Configuring Snort to run as NIDS

Next you’ll need to set up Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow and taking Snort for a test run.

Start with updating the shared libraries using the command underneath.

sudo ldconfig

Snort is installed as /usr/local/bin/snort. It’s good practice to create a symbolic link at /usr/sbin/snort with

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

To run Snort safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Then create the folder structure to house the Snort configuration by running the commands below.

sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /var/log/snort

Create new files for the white and black lists as well as the local rules, and change the permissions for the new directories.

sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Then copy the configuration files from the source to your configuration directory.

sudo cp ~/snort_src/snort-2.9.8.0/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.8.0/etc/*.map /etc/snort

Next up you’ll need to download the detection rules Snort will use to identify potential threats. Snort provides three tiers of rule sets: community, registered and subscriber rules.

  • Community rules are freely available though somewhat limited.
  • By registering for free on the Snort website you get an Oink code, which lets you download the registered user rules.
  • Lastly, subscriber rules are just that: available to users with an active subscription to Snort services.

If you just want to quickly test out Snort, grab the community rules using wget with the commands below and extract them to your configuration folder. The community package does not contain the many rule files the default snort.conf expects, so the final sed command comments out every include $RULE_PATH line; the local and community rule files are enabled again when the configuration is edited further down.

wget https://www.snort.org/rules/community -O ~/community.tar.gz
sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules
sudo sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

You can also take a moment to register on the Snort website and then use the Oink code to download the registered user rules. Replace <oinkcode> with your personal code, which you can find in your Snort user account details.

wget "https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkcode=<oinkcode>" -O ~/registered.tar.gz

After the download is finished, extract the rules and copy them over to your configuration directory with

sudo tar -xvf ~/registered.tar.gz -C /etc/snort

With the configuration and rule files in place, edit snort.conf to modify a few parameters. Open the configuration file with the following.

sudo nano /etc/snort/snort.conf

Find the following sections in the configuration file and change the parameters to reflect the examples underneath.

# Setup the network addresses you are protecting
ipvar HOME_NET 10.0.0.0/8
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

In the same snort.conf file, scroll down to section 6 and set the unified2 output to log to a file named snort.log as shown below.

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Lastly scroll down to the bottom of the file to find the list of included rule sets. You’ll need to uncomment the local.rules include line to allow Snort to load any custom rules.

include $RULE_PATH/local.rules

If you are using the community rules, add the line underneath here to your rule set, for example just below your local.rules line.

include $RULE_PATH/community.rules

Once you are done with the configuration file, save the changes and exit the editor.

Snort should now be ready to run. Test the configuration using the -T parameter, which enables test mode.

sudo snort -T -c /etc/snort/snort.conf

After running the Snort configuration test, you should get a message like this example below.

Snort successfully validated the configuration!
Snort exiting

In case you get an error message, the printout should tell you what the problem was and where to fix it. The most likely problems are missing files or folders, which you can usually resolve either by adding any you might have missed in the setup above or by commenting out the offending include line in the snort.conf file. Check through the configuration part and try again.
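As an added example, not part of the original guide: a small Python script that performs the same check that makes snort -T fail most often, include lines in snort.conf that point at rule files which do not exist. It parses var/ipvar definitions, expands $VAR references in include lines, resolves relative paths against the directory of the configuration file (as snort -c does), and can comment out only the includes whose files are missing, a narrower version of the sed one-liner used earlier. The snort.conf excerpt below is constructed for the example, and the __main__ block assumes the /etc/snort/snort.conf path used in this guide.

```python
import os
import re
import sys

# Constructed excerpt of a snort.conf, mirroring the variables and includes set up in
# this guide; the exploit-kit.rules line stands in for a rule file never downloaded.
SAMPLE_CONF = """\
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/exploit-kit.rules
include $WHITE_LIST_PATH/white_list.rules
"""

VAR_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
REF_RE = re.compile(r'\$\{?(\w+)\}?')   # $VAR or ${VAR}


def parse_includes(conf_text):
    """Return (variables, includes); includes is a list of (line_index, expanded_path).
    Commented-out lines are skipped, and $VAR references use definitions seen so far."""
    variables = {}
    includes = []
    for idx, line in enumerate(conf_text.splitlines()):
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = REF_RE.sub(lambda r: variables.get(r.group(1), r.group(0)), m.group(1))
            includes.append((idx, path))
    return variables, includes


def find_missing_includes(conf_text, conf_dir, exists=os.path.exists):
    """Resolve relative includes against conf_dir, the directory of the -c file,
    and return (line_index, path) for each that does not exist. `exists` is
    injectable so the check can run against a constructed file set."""
    missing = []
    for idx, inc in parse_includes(conf_text)[1]:
        full = inc if os.path.isabs(inc) else os.path.join(conf_dir, inc)
        if not exists(os.path.normpath(full)):
            missing.append((idx, inc))
    return missing


def comment_out_missing(conf_text, conf_dir, exists=os.path.exists):
    """Return the config text with only the missing includes commented out.
    Unlike the blanket sed command, includes whose files exist stay active."""
    lines = conf_text.splitlines()
    for idx, _ in find_missing_includes(conf_text, conf_dir, exists):
        lines[idx] = "#" + lines[idx]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed default from this guide; pass another path as the first argument.
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/snort/snort.conf"
    with open(conf_path) as fh:
        text = fh.read()
    for idx, inc in find_missing_includes(text, os.path.dirname(conf_path)):
        print(f"{conf_path}:{idx + 1}: missing rule file {inc}")
```

Run it before snort -T to get a one-line-per-problem list instead of stopping at Snort's first fatal error; rules files you still intend to download are better left uncommented and fetched than silently disabled.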

Even on a successful test run you’ll notice a list of warnings about flowbits; this is normal and no cause for concern.

Now run Snort with the configuration you set up using the command below, replacing <interface> with the public network interface on your server, for example eth0.

sudo snort -i <interface> -u snort -g snort -c /etc/snort/snort.conf

If you are not sure which interface to use, check your UpCloud Control Panel for your server’s public IPv4 address in the Network settings, and then run the following on your server.

ip addr

The output lists all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network tab and use that.

Testing the configuration

To test that Snort logs alerts as intended, add a custom detection rule that alerts on incoming ICMP traffic to the local.rules file. Open your local rules with

sudo nano /etc/snort/rules/local.rules

Then add the following line to the file.

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

The rule consists of the following parts:

  • the action for traffic matching the rule, alert in this case
  • the traffic protocol, such as TCP, UDP or, as here, ICMP
  • source address and port, simply marked as any to include all addresses and ports
  • destination address and port, $HOME_NET as declared in the configuration and any for the port
  • some additional options
    • the log message (msg)
    • a unique rule identifier (sid), which for local rules needs to be 1000001 or higher
    • the rule revision number (rev).
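
As an added illustration (not code from the guide or from the Snort project), here is a small Python model of how this rule header is evaluated: it parses the rule into the parts listed above, resolves $HOME_NET and $EXTERNAL_NET from the ipvar values set earlier in snort.conf, and checks three constructed packets against it, showing why the rule fires on an inbound ping to HOME_NET but not on the reply leaving it. Snort's real matcher handles far more (port lists, IP lists with exclusions, escaped quotes in options), so treat this as a teaching model of the header semantics, not Snort's algorithm.

```python
import ipaddress
import re

# Variables from the snort.conf section of this guide.
IPVARS = {
    "HOME_NET": "10.0.0.0/8",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The ICMP test rule from local.rules.
TEST_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)'

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(rule):
    """Split a single-line Snort rule into its header fields and an options dict.
    Options are 'keyword:value;' pairs; ';' inside double quotes is preserved
    (escaped quotes inside values are not handled, a deliberate simplification)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', m.group("opts")):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return header, options


def resolve_addr(spec, ipvars=IPVARS):
    """Return (negated, networks) for an address spec; networks is None for 'any'.
    Handles a leading '!', $VAR references (recursively) and [a,b] lists."""
    negated = False
    spec = spec.strip()
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:].strip()
    if spec.startswith("$"):
        inner_negated, nets = resolve_addr(ipvars[spec[1:]], ipvars)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.strip("[]").split(",") if p.strip()]
    return negated, nets


def addr_matches(spec, ip, ipvars=IPVARS):
    negated, nets = resolve_addr(spec, ipvars)
    if nets is None:
        return not negated
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def port_matches(spec, port):
    """port is None for protocols without ports (ICMP); those only satisfy 'any'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return not negated
    if port is None:
        return False
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def rule_matches(rule, packet, ipvars=IPVARS):
    """Check the rule header against a packet dict {proto, src, sport, dst, dport}.
    '->' matches one direction, '<>' either; msg/sid/rev are metadata, not criteria."""
    header, _ = parse_rule(rule)
    if header["proto"] != "ip" and header["proto"] != packet["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(src, packet["src"], ipvars) and port_matches(sport, packet.get("sport"))
                and addr_matches(dst, packet["dst"], ipvars) and port_matches(dport, packet.get("dport")))

    forward = one_way(header["src"], header["sport"], header["dst"], header["dport"])
    if header["dir"] == "<>":
        return forward or one_way(header["dst"], header["dport"], header["src"], header["sport"])
    return forward


# Constructed sample traffic: an inbound ping, its reply, and an inbound SSH connection.
PING_IN = {"proto": "icmp", "src": "203.0.113.5", "dst": "10.1.2.3"}
PING_REPLY = {"proto": "icmp", "src": "10.1.2.3", "dst": "203.0.113.5"}
SSH_IN = {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "10.1.2.3", "dport": 22}

if __name__ == "__main__":
    print(parse_rule(TEST_RULE))
    for name, pkt in (("ping in", PING_IN), ("ping reply", PING_REPLY), ("ssh in", SSH_IN)):
        print(name, "->", "ALERT" if rule_matches(TEST_RULE, pkt) else "no match")
```

The reply packet not matching is the point to notice: with HOME_NET set correctly, this rule only counts traffic arriving at your own addresses, which is why getting the ipvar values right matters more than the rule text itself.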

Save local.rules and exit the editor. You then need to restart Snort, since you changed files it loads at start-up. Start Snort with the -A console -q options to print alerts to stdout while otherwise running in quiet mode.

sudo snort -A console -q -i <interface> -u snort -g snort -c /etc/snort/snort.conf

With Snort up and running you have successfully configured a network based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and IDS in general. To get more out of your installation, check out the deployment guides over at https://snort.org/documents.