Install and Configure Snort 3 Intrusion Detecting System on Ubuntu 22.04
Snort is an Open Source Intrusion Prevention and Detection System (IDS) to defend against DDoS attacks. It uses built-in rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. Snort can identify the latest attacks, malware infections, compromised systems, and network policy violations.
Features
- Real-time traffic monitor.
- Packet logging. Analysis of protocol.
- Content matching. OS fingerprinting.
- It can be installed in any network environment.
- Creates logs.
In this tutorial, we will show you how to install Snort on Ubuntu 22.04.
Prerequisites
- A server running Ubuntu 22.04.
- A root password is configured on the server.
Install Required Dependencies
Before starting, you will need to install some dependencies on your server. You can install all of them by running the following command:
apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y
Once all the dependencies are installed, you can proceed to the next step.
Install Snort DAQ
Next, you will need to install the Data Acquisition library on your system. By default, it is not available in the Ubuntu default repository. So you will need to compile it from the source.
First, download the Snort DAQ from Git with the following command:
git clone https://github.com/snort3/libdaq.git
Once the download is completed, navigate to the downloaded directory and configure it with the following command:
cd libdaq
./bootstrap
./configure
You should see the following output:
cc: gcc cppflags: am_cppflags: -fvisibility=hidden -Wall -Wmissing-declarations -Wpointer-arith -Wcast-align -Wcast-qual -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wwrite-strings -Wextra -Wsign-compare -Wno-unused-parameter -fno-strict-aliasing -fdiagnostics-show-option cflags: -g -O2 am_cflags: -Wstrict-prototypes -Wmissing-prototypes -Wold-style-definition -Wnested-externs ldflags: am_ldflags: libs: code_coverage_enabled: no code_coverage_cppflags: code_coverage_cflags: code_coverage_ldflags: Build AFPacket DAQ module.. : yes Build BPF DAQ module....... : yes Build Divert DAQ module.... : no Build Dump DAQ module...... : yes Build FST DAQ module....... : yes Build netmap DAQ module.... : no Build NFQ DAQ module....... : yes Build PCAP DAQ module...... : yes Build Savefile DAQ module.. : yes Build Trace DAQ module..... : yes Build GWLB DAQ module...... : yes
Next, install it with the following command:
make
make install
Install Gperftools
First, download the latest version of Gperftools with the following command:
cd
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar xzf gperftools-2.9.1.tar.gz
Next, navigate to the downloaded directory and compile it with the following command:
cd gperftools-2.9.1/
./configure
Next, install it with the following command:
make
make install
Install Snort
Next, download the latest version of Snort with the following command:
cd
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.43.0.tar.gz
Next, extract the downloaded file with the following command:
tar -xvzf 3.1.43.0.tar.gz
Next, navigate to the extracted directory and configure it with the following command:
cd snort3-3.1.43.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
You will get the following output:
snort version 3.1.43.0 Install options: prefix: /usr/local includes: /usr/local/include/snort plugins: /usr/local/lib/snort Compiler options: CC: /usr/bin/cc CXX: /usr/bin/c++ CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG EXE_LDFLAGS: MODULE_LDFLAGS: Feature options: DAQ Modules: Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace) libatomic: System-provided Hyperscan: OFF ICONV: ON Libunwind: ON LZMA: ON RPC DB: Built-in SafeC: OFF TCMalloc: ON JEMalloc: OFF UUID: ON ------------------------------------------------------- -- Configuring done -- Generating done -- Build files have been written to: /root/snort3-3.1.43.0/build
Next, change the directory to the build directory and install the Snort with the following command:
cd build
make
make install
ldconfig
You can now verify the Snort version using the following command:
snort -V
You will get the following output:
,,_ -*> Snort++ <*- o" )~ Version 3.1.43.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.9 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 3.0.2 15 Mar 2022 Using libpcap version 1.10.1 (with TPACKET_V3) Using PCRE version 8.39 2016-06-14 Using ZLIB version 1.2.11 Using LZMA version 5.2.5
Configure Snort
First, you will need to set your network interface on promiscuous mode so that it can be able to see all of the network traffic sent to it.
You can set it using the following command:
ip link set dev eth0 promisc on
You can now verify it with the following command:
ip add sh eth0
Next, you will also need to disable Interface Offloading. First, check whether this feature is enabled or not using the following command:
ethtool -k eth0 | grep receive-offload
You will get the following output:
generic-receive-offload: on large-receive-offload: off [fixed]
You can now disable it using the following command:
ethtool -K eth0 gro off lro off
Create a Systemd Service File for Snort NIC
Next, you will need to create a systemd service file for Snort NIC.
nano /etc/systemd/system/snort3-nic.service
Add the following lines:
[Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev eth0 promisc on ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target
Save and close the file, then reload the systemd daemon to apply the changes:
systemctl daemon-reload
Next, start and enable to Snort with the following command:
systemctl start snort3-nic.service
systemctl enable snort3-nic.service
You can check the status of the Snort with the following command:
systemctl status snort3-nic.service
You will get the following output:
? snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; disabled; vendor preset: enabled) Active: active (exited) since Tue 2022-10-11 16:24:15 UTC; 6s ago Process: 95745 ExecStart=/usr/sbin/ip link set dev eth0 promisc on (code=exited, status=0/SUCCESS) Process: 95746 ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off (code=exited, status=0/SUCCESS) Main PID: 95746 (code=exited, status=0/SUCCESS) CPU: 11ms Oct 11 16:24:15 ubuntu2204 systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot... Oct 11 16:24:15 ubuntu2204 systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.
Install Snort Rules
Rules are very important for the Snorts intrusion detection engine. First, create a directory to store all rules:
mkdir /usr/local/etc/rules
Next, download the community rules with the following command:
wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/rules/
Next, edit the Snort main configuration file:
nano /usr/local/etc/snort/snort.lua
Define your network as shown below:
HOME_NET = '192.168.56.124/32' EXTERNAL_NET = '!$HOME_NET'
Next, define your Snort rules path:
ips = { -- use this to enable decoder and inspector alerts --enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/rules/snort3-community-rules/snort3-community.rules ]] }
Save and close the file when you are finished.
Install Snort OpenAppID
OpenAppID is a plugin that allows Snort to detect various applications, Facebook, Netflix, Twitter, and Reddit, used in the network.
You can download it with the following command:
wget https://www.snort.org/downloads/openappid/26425 -O OpenAppId-26425.tgz
Once the download is completed, extract the downloaded file with the following command:
tar -xzvf OpenAppId-26425.tgz
Next, copy the OpenAppID binary file to the system directory:
cp -R odp /usr/local/lib/
Next, edit the Snort configuration file and define your OpenAppID location:
nano /usr/local/etc/snort/snort.lua
Change the following lines:
appid = { app_detector_dir = '/usr/local/lib', log_stats = true, }
Save and close the file, then create a Snort log directory:
mkdir /var/log/snort
Finally, verify the Snort configuration file with the following command:
snort -c /usr/local/etc/snort/snort.lua
If everything is fine, you will get the following output:
-------------------------------------------------- fast pattern groups src: 59 dst: 158 any: 4 to_server: 56 to_client: 39 -------------------------------------------------- search engine instances: 316 patterns: 10282 pattern chars: 166369 num states: 112212 num match states: 9885 memory scale: MB total memory: 3.42574 pattern memory: 0.550588 match list memory: 1.25256 transition memory: 1.58402 fast pattern only: 6822 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting
Create Snort Custom Rules
You can also create your own custom rules as per your requirement. Let's create a custom rules for incoming ICMP request:
nano /usr/local/etc/rules/local.rules
Add the following line:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
Next, verify the rules with the following command:
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
You will get the following output:
search engine instances: 316 patterns: 10282 pattern chars: 166369 num states: 112212 num match states: 9885 memory scale: MB total memory: 3.42574 pattern memory: 0.550588 match list memory: 1.25256 transition memory: 1.58402 fast pattern only: 6822 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting
Next, run the following command to start the Snort on your network interface using your custom rules:
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none
Next, open another terminal interface and ping your server. You should see the ICMP error on the first terminal:
10/11-16:45:23.848071 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 10/11-16:45:23.848071 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 10/11-16:45:24.323038 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 10/11-16:45:24.323038 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 10/11-16:45:24.323038 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 ^C** caught int signal == stopping 10/11-16:45:25.353007 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 10/11-16:45:25.353007 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18 10/11-16:45:25.353007 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
Create a Systemd Service File for Snort
Next, create a systemd service file to manage the Snort via systemd.
nano /etc/systemd/system/snort3.service
Add the following configurations:
[Unit] Description=Snort Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i eth0 -m 0x1b -u root -g root ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target
Save and close the file, then reload the systemd daemon with the following command:
systemctl daemon-reload
Next, start and enable the Snort service with the following command:
systemctl enable --now snort3
You can now verify the status of the Snort using the following command:
systemctl status snort3
You will get the following output:
? snort3.service - Snort Daemon Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2022-10-11 16:48:28 UTC; 17s ago Main PID: 95898 (snort) Tasks: 2 (limit: 4579) Memory: 233.6M CPU: 2.007s CGroup: /system.slice/snort3.service ??95898 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i eth0 -m 0x1b -u root -g > Oct 11 16:48:29 ubuntu2204 snort[95898]: num match states: 9885 Oct 11 16:48:29 ubuntu2204 snort[95898]: memory scale: MB Oct 11 16:48:29 ubuntu2204 snort[95898]: total memory: 3.42574 Oct 11 16:48:29 ubuntu2204 snort[95898]: pattern memory: 0.550588 Oct 11 16:48:29 ubuntu2204 snort[95898]: match list memory: 1.25256 Oct 11 16:48:29 ubuntu2204 snort[95898]: transition memory: 1.58402 Oct 11 16:48:29 ubuntu2204 snort[95898]: fast pattern only: 6822 Oct 11 16:48:29 ubuntu2204 snort[95898]: -------------------------------------------------- Oct 11 16:48:29 ubuntu2204 snort[95898]: pcap DAQ configured to passive. Oct 11 16:48:29 ubuntu2204 snort[95898]: Commencing packet processing
Conclusion
Congratulations! you have successfully installed and configured Snort 3 on Ubuntu 22.04. You can now implement Snort in your organization and protect it from DDoS attacks. Feel free to ask me if you have any questions.