Install and Configure Snort 3 Intrusion Detecting System on Ubuntu 22.04

Snort is an Open Source Intrusion Prevention and Detection System (IDS) to defend against DDoS attacks. It uses built-in rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. Snort can identify the latest attacks, malware infections, compromised systems, and network policy violations.

Features

  • Real-time traffic monitor.
  • Packet logging. Analysis of protocol.
  • Content matching. OS fingerprinting.
  • It can be installed in any network environment.
  • Creates logs.

In this tutorial, we will show you how to install Snort on Ubuntu 22.04.

Prerequisites

  • A server running Ubuntu 22.04.
  • A root password is configured on the server.

Install Required Dependencies

Before starting, you will need to install some dependencies on your server. You can install all of them by running the following command:

apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y

Once all the dependencies are installed, you can proceed to the next step.

Install Snort DAQ

Next, you will need to install the Data Acquisition library on your system. By default, it is not available in the Ubuntu default repository. So you will need to compile it from the source.

First, download the Snort DAQ from Git with the following command:

git clone https://github.com/snort3/libdaq.git

Once the download is completed, navigate to the downloaded directory and configure it with the following command:

cd libdaq
./bootstrap
./configure

You should see the following output:

    cc:             gcc
    cppflags:       
    am_cppflags:     -fvisibility=hidden -Wall -Wmissing-declarations -Wpointer-arith -Wcast-align -Wcast-qual -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wwrite-strings -Wextra -Wsign-compare -Wno-unused-parameter -fno-strict-aliasing -fdiagnostics-show-option
    cflags:         -g -O2
    am_cflags:       -Wstrict-prototypes -Wmissing-prototypes -Wold-style-definition -Wnested-externs
    ldflags:        
    am_ldflags:     
    libs:           

    code_coverage_enabled:  no
    code_coverage_cppflags: 
    code_coverage_cflags:   
    code_coverage_ldflags:  

    Build AFPacket DAQ module.. : yes
    Build BPF DAQ module....... : yes
    Build Divert DAQ module.... : no
    Build Dump DAQ module...... : yes
    Build FST DAQ module....... : yes
    Build netmap DAQ module.... : no
    Build NFQ DAQ module....... : yes
    Build PCAP DAQ module...... : yes
    Build Savefile DAQ module.. : yes
    Build Trace DAQ module..... : yes
    Build GWLB DAQ module...... : yes

Next, install it with the following command:

make
make install

Install Gperftools

First, download the latest version of Gperftools with the following command:

cd
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar xzf gperftools-2.9.1.tar.gz

Next, navigate to the downloaded directory and compile it with the following command:

cd gperftools-2.9.1/
./configure

Next, install it with the following command:

make
make install

Install Snort

Next, download the latest version of Snort with the following command:

cd
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.43.0.tar.gz

Next, extract the downloaded file with the following command:

tar -xvzf 3.1.43.0.tar.gz

Next, navigate to the extracted directory and configure it with the following command:

cd snort3-3.1.43.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc

You will get the following output:

snort version 3.1.43.0

Install options:
    prefix:     /usr/local
    includes:   /usr/local/include/snort
    plugins:    /usr/local/lib/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free  -O2 -g -DNDEBUG
    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free  -O2 -g -DNDEBUG
    EXE_LDFLAGS:        
    MODULE_LDFLAGS:     

Feature options:
    DAQ Modules:    Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
    libatomic:      System-provided
    Hyperscan:      OFF
    ICONV:          ON
    Libunwind:      ON
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
-------------------------------------------------------

-- Configuring done
-- Generating done
-- Build files have been written to: /root/snort3-3.1.43.0/build

Next, change the directory to the build directory and install the Snort with the following command:

cd build
make
make install
ldconfig

You can now verify the Snort version using the following command:

snort -V

You will get the following output:

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.43.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.9
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.2 15 Mar 2022
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.11
           Using LZMA version 5.2.5

Configure Snort

First, you will need to set your network interface on promiscuous mode so that it can be able to see all of the network traffic sent to it.

You can set it using the following command:

ip link set dev eth0 promisc on

You can now verify it with the following command:

ip add sh eth0

Next, you will also need to disable Interface Offloading. First, check whether this feature is enabled or not using the following command:

ethtool -k eth0 | grep receive-offload

You will get the following output:

generic-receive-offload: on
large-receive-offload: off [fixed]

You can now disable it using the following command:

ethtool -K eth0 gro off lro off

Create a Systemd Service File for Snort NIC

Next, you will need to create a systemd service file for Snort NIC.

nano /etc/systemd/system/snort3-nic.service

Add the following lines:

[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev eth0 promisc on
ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target

Save and close the file, then reload the systemd daemon to apply the changes:

systemctl daemon-reload

Next, start and enable to Snort with the following command:

systemctl start snort3-nic.service
systemctl enable snort3-nic.service

You can check the status of the Snort with the following command:

systemctl status snort3-nic.service

You will get the following output:

? snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
     Loaded: loaded (/etc/systemd/system/snort3-nic.service; disabled; vendor preset: enabled)
     Active: active (exited) since Tue 2022-10-11 16:24:15 UTC; 6s ago
    Process: 95745 ExecStart=/usr/sbin/ip link set dev eth0 promisc on (code=exited, status=0/SUCCESS)
    Process: 95746 ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off (code=exited, status=0/SUCCESS)
   Main PID: 95746 (code=exited, status=0/SUCCESS)
        CPU: 11ms

Oct 11 16:24:15 ubuntu2204 systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Oct 11 16:24:15 ubuntu2204 systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.

Install Snort Rules

Rules are very important for the Snorts intrusion detection engine. First, create a directory to store all rules:

mkdir /usr/local/etc/rules

Next, download the community rules with the following command:

wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/rules/

Next, edit the Snort main configuration file:

nano /usr/local/etc/snort/snort.lua

Define your network as shown below:

HOME_NET = '192.168.56.124/32'
EXTERNAL_NET = '!$HOME_NET'

Next, define your Snort rules path:

ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables,
    rules = [[
    include /usr/local/etc/rules/snort3-community-rules/snort3-community.rules
    ]]

}

Save and close the file when you are finished.

Install Snort OpenAppID

OpenAppID is a plugin that allows Snort to detect various applications, Facebook, Netflix, Twitter, and Reddit, used in the network.

You can download it with the following command:

wget https://www.snort.org/downloads/openappid/26425 -O OpenAppId-26425.tgz

Once the download is completed, extract the downloaded file with the following command:

tar -xzvf OpenAppId-26425.tgz

Next, copy the OpenAppID binary file to the system directory:

cp -R odp /usr/local/lib/

Next, edit the Snort configuration file and define your OpenAppID location:

nano /usr/local/etc/snort/snort.lua

Change the following lines:

appid =
{
    app_detector_dir = '/usr/local/lib',
    log_stats = true,

}

Save and close the file, then create a Snort log directory:

mkdir /var/log/snort

Finally, verify the Snort configuration file with the following command:

snort -c /usr/local/etc/snort/snort.lua

If everything is fine, you will get the following output:

--------------------------------------------------
fast pattern groups
                      src: 59
                      dst: 158
                      any: 4
                to_server: 56
                to_client: 39
--------------------------------------------------
search engine
                instances: 316
                 patterns: 10282
            pattern chars: 166369
               num states: 112212
         num match states: 9885
             memory scale: MB
             total memory: 3.42574
           pattern memory: 0.550588
        match list memory: 1.25256
        transition memory: 1.58402
        fast pattern only: 6822
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Create Snort Custom Rules

You can also create your own custom rules as per your requirement. Let's create a custom rules for incoming ICMP request:

nano /usr/local/etc/rules/local.rules

Add the following line:

alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)

Next, verify the rules with the following command:

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

You will get the following output:

search engine
                instances: 316
                 patterns: 10282
            pattern chars: 166369
               num states: 112212
         num match states: 9885
             memory scale: MB
             total memory: 3.42574
           pattern memory: 0.550588
        match list memory: 1.25256
        transition memory: 1.58402
        fast pattern only: 6822
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Next, run the following command to start the Snort on your network interface using your custom rules:

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none

Next, open another terminal interface and ping your server. You should see the ICMP error on the first terminal:

10/11-16:45:23.848071 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:23.848071 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:24.323038 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:24.323038 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:24.323038 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
^C** caught int signal
== stopping
10/11-16:45:25.353007 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:25.353007 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18
10/11-16:45:25.353007 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 157.32.34.228 -> 209.23.11.18

Create a Systemd Service File for Snort

Next, create a systemd service file to manage the Snort via systemd.

nano /etc/systemd/system/snort3.service

Add the following configurations:

[Unit]
Description=Snort Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i eth0 -m 0x1b -u root -g root
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target

Save and close the file, then reload the systemd daemon with the following command:

systemctl daemon-reload

Next, start and enable the Snort service with the following command:

systemctl enable --now snort3

You can now verify the status of the Snort using the following command:

systemctl status snort3

You will get the following output:

? snort3.service - Snort Daemon
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-10-11 16:48:28 UTC; 17s ago
   Main PID: 95898 (snort)
      Tasks: 2 (limit: 4579)
     Memory: 233.6M
        CPU: 2.007s
     CGroup: /system.slice/snort3.service
             ??95898 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i eth0 -m 0x1b -u root -g >

Oct 11 16:48:29 ubuntu2204 snort[95898]:          num match states: 9885
Oct 11 16:48:29 ubuntu2204 snort[95898]:              memory scale: MB
Oct 11 16:48:29 ubuntu2204 snort[95898]:              total memory: 3.42574
Oct 11 16:48:29 ubuntu2204 snort[95898]:            pattern memory: 0.550588
Oct 11 16:48:29 ubuntu2204 snort[95898]:         match list memory: 1.25256
Oct 11 16:48:29 ubuntu2204 snort[95898]:         transition memory: 1.58402
Oct 11 16:48:29 ubuntu2204 snort[95898]:         fast pattern only: 6822
Oct 11 16:48:29 ubuntu2204 snort[95898]: --------------------------------------------------
Oct 11 16:48:29 ubuntu2204 snort[95898]: pcap DAQ configured to passive.
Oct 11 16:48:29 ubuntu2204 snort[95898]: Commencing packet processing

Conclusion

Congratulations! you have successfully installed and configured Snort 3 on Ubuntu 22.04. You can now implement Snort in your organization and protect it from DDoS attacks. Feel free to ask me if you have any questions.

Share this page:

5 Comment(s)