CRC-Blogs

Compiling, Configuring and Running Snort 2.9.9.0 on Ubuntu

This document walks through the configuration and installation of DAQ-2.0.6 and Snort-2.9.9.0, calling out the items and steps the user should be aware of along the way.

Snort is an open source network intrusion detection and prevention system for both UNIX and Windows, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It has three primary uses: as a straight packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection/prevention system. You can download the latest Snort releases and Snort rules from https://www.snort.org/. Although Snort is capable of much more than network monitoring, this guide shows how to compile and run Snort 2.9.9.0 in NIDS mode on Ubuntu with a basic setup that you can later expand as needed.

* I prefer to use a Virtual Machine inside of VMware Workstation Pro when installing and/or upgrading Snort, so if something goes wrong, I can simply remove the virtual machine and reload the operating environment from scratch, without damaging any production systems that may be running Snort or other critical services.

Preparing your System

Before starting, ensure your system is up to date and all installed software is running the latest version. First, log in as root (or prefix each command with sudo, as the rest of this guide does) and update your system by running the following commands:

apt-get update -y

apt-get upgrade -y

Setting up a basic configuration of Snort on Ubuntu 19.04 is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your system for building Snort itself. Install the required packages with the following command. Note that on Ubuntu the libdnet library Snort links against is packaged as libdumbnet-dev (there is no package called libdnet), and make is needed for the build steps below:

sudo apt install -y gcc make libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex

With the prerequisites fulfilled, the next step is installing Snort itself on Ubuntu 19.04. Snort can be downloaded and built manually from source; below you will find instructions on how to do this.

Installing from the source code

Setting up Snort on Ubuntu from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.

Start by making a temporary download folder to your home directory and then changing into it with the command below.

mkdir ~/snort_src && cd ~/snort_src

Snort itself uses the Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command below, replacing the version number if a newer source package is available.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands.

* At the time of writing, DAQ 2.0.6 is the current release. If a newer version is available, replace the version number in the following commands.

tar -xvzf daq-2.0.6.tar.gz

cd daq-2.0.6

Run the configuration script using its default values, then compile the program with make and finally install DAQ.

./configure && make && sudo make install

With the DAQ installed you can get started with Snort, change back to the download folder.

cd ~/snort_src

Next, download the Snort source code with wget. You can find the latest version number on the Snort downloads page. Replace it in the following command if necessary.

wget https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz

Once the download is complete, extract the source and change into the new directory with these commands.

tar -xvzf snort-2.9.9.0.tar.gz

cd snort-2.9.9.0

Then configure the installation with sourcefire enabled, run make and make install.

./configure --enable-sourcefire && make && sudo make install
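The steps above download two tarballs and run make install as root without checking them. The helper below is an added example (it is not part of the original post or of the Snort project): it keeps each version in one place so the URL, tarball and extracted directory cannot drift apart (the text above mixes 2.9.9.0 and 2.9.12), and it verifies the tarball's SHA-256 against the sum published on the snort.org download page before anything is compiled. The hash values in the usage comment are placeholders you must fill in from snort.org, not real sums; nothing is downloaded or built unless you call fetch_verify_build yourself.

```shell
#!/bin/sh
# Added example (not from the original post): fetch, verify and build one of
# the DAQ / Snort tarballs used above, refusing to run ./configure && make
# install on a tarball whose SHA-256 does not match the published value.
# ASSUMPTION: SRC_DIR mirrors the ~/snort_src folder created in the text.

SRC_DIR="${HOME:-/tmp}/snort_src"

# pkg_dirname NAME VERSION -> directory the tarball unpacks into,
# e.g. "snort 2.9.9.0" -> "snort-2.9.9.0" (what the cd above must use).
pkg_dirname() {
    printf '%s-%s\n' "$1" "$2"
}

# pkg_url NAME VERSION -> download URL; DAQ lives under /downloads/snort/,
# the older Snort 2.9.9.0 tarball under the archive path used above.
pkg_url() {
    case "$1" in
        daq)   printf 'https://www.snort.org/downloads/snort/daq-%s.tar.gz\n' "$2" ;;
        snort) printf 'https://www.snort.org/downloads/archive/snort/snort-%s.tar.gz\n' "$2" ;;
        *)     echo "unknown package: $1" >&2; return 1 ;;
    esac
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches, 1 otherwise.
verify_sha256() {
    file="$1"; expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_verify_build NAME VERSION EXPECTED_SHA256 [CONFIGURE_FLAGS...]
# Downloads the tarball if it is not already present, verifies it, unpacks it
# and runs configure/make/make install. Only runs when invoked explicitly.
fetch_verify_build() {
    name="$1"; version="$2"; sha="$3"; shift 3
    dir=$(pkg_dirname "$name" "$version")
    tarball="${SRC_DIR}/${dir}.tar.gz"
    mkdir -p "$SRC_DIR"
    [ -f "$tarball" ] || wget -O "$tarball" "$(pkg_url "$name" "$version")"
    verify_sha256 "$tarball" "$sha" || return 1          # stop before building
    tar -xzf "$tarball" -C "$SRC_DIR"
    ( cd "${SRC_DIR}/${dir}" && ./configure "$@" && make && sudo make install ) || return 1
    sudo ldconfig
}

# Usage, mirroring the steps above (placeholders: take the real sums from
# the snort.org download page before running):
#   fetch_verify_build daq   2.0.6   <sha256 from snort.org>
#   fetch_verify_build snort 2.9.9.0 <sha256 from snort.org> --enable-sourcefire
```

Because verify_sha256 runs before tar and before make install, a tampered or truncated download never reaches the root-owned install step.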

With that done, continue below on how to set up the configuration files.

Configuring Snort to run in NIDS mode

Next, you will need to configure Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.

Start with updating the shared libraries using the command underneath.

sudo ldconfig

Snort is installed as /usr/local/bin/snort; it is good practice to create a symbolic link to it at /usr/sbin/snort so that it is found on root's default PATH.

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Setting up username and folder structure

To run Snort on Ubuntu safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.

sudo groupadd snort

sudo useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort

Then create the folder structure to house the Snort configuration, just copy over the commands below.

sudo mkdir -p /etc/snort/rules

sudo mkdir /var/log/snort

sudo mkdir /usr/local/lib/snort_dynamicrules

Set the permissions and ownership for the new directories accordingly. Mode 5775 leaves the directories group-writable for the snort group and sets the sticky bit (the setuid bit has no effect on directories on Linux); the snort user only needs write access to /var/log/snort, the rule and configuration directories can stay read-only for it.

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

sudo chown -R snort:snort /etc/snort

sudo chown -R snort:snort /var/log/snort

sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create the (initially empty) whitelist, blacklist and local rules files. snort.conf references white_list.rules and black_list.rules through the reputation preprocessor, so Snort refuses to start if they are missing, even though they may be empty.

* I prefer to use gedit since it has a simple interface.

sudo gedit /etc/snort/rules/white_list.rules

sudo gedit /etc/snort/rules/black_list.rules

sudo gedit /etc/snort/rules/local.rules

Then copy the configuration files from the download folder.

sudo cp ~/snort_src/snort-2.9.9.0/etc/*.conf* /etc/snort

sudo cp ~/snort_src/snort-2.9.9.0/etc/*.map /etc/snort

Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.

  • Community rules are freely available though slightly limited.
  • By registering for free on their website you get access to your Oink code, which lets you download the registered users rule sets.
  • Lastly, subscriber rules are just that, available to users with an active subscription to Snort services.

Below you will find instructions for downloading either the community rules or the registered user rule set.

Option 1: Using community rules

If you just want to quickly test out Snort, grab the community rules using wget with the command below.

wget https://www.snort.org/rules/community -O ~/community.tar.gz

Extract the rules and copy them to your configuration folder.

sudo tar -xvf ~/community.tar.gz -C ~/

sudo cp ~/community-rules/* /etc/snort/rules

By default, snort.conf includes a number of rule files that are not part of the community rule set, and Snort refuses to start when an included file is missing. Comment out all of the rule includes with the sed command below; you will re-enable local.rules (and add community.rules) when editing snort.conf further down.

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

Option 2: Obtaining registered user rules

You can also take a moment and register on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.

Replace <oinkcode> in the following command with your personal code. The snapshot number must match your Snort version (29090 for 2.9.9.0); a snapshot built for a different release may contain rule options your build does not understand. Quote the URL so the shell does not interpret the ? and =, and treat the oinkcode as a credential: do not leave it in scripts or shell history you share.

wget "https://www.snort.org/rules/snortrules-snapshot-29090.tar.gz?oinkcode=<oinkcode>" -O ~/registered.tar.gz

Once downloaded, extract the rules over to your configuration directory.

sudo tar -xvf ~/registered.tar.gz -C /etc/snort

The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf file.

Configuring the network and rule sets

With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file in your favourite text editor, for example using gedit with the command below.

sudo gedit /etc/snort/snort.conf

Find these sections shown below in the configuration file and change the parameters to reflect the examples here.

* Replace server_public_ip with the IP address of the interface Snort will listen on (in the example alert later in this guide that is 192.168.160.131). There is no space before the /32.

# Setup the network addresses you are protecting

ipvar HOME_NET server_public_ip/32

# Set up the external network addresses. Leave as "any" in most situations

ipvar EXTERNAL_NET !$HOME_NET

# Path to your rules files (this can be a relative path)

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

# Set the absolute path appropriately

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

In the same snort.conf file, scroll down to step 6 (output plugins) and configure the unified2 output to log under the filename snort.log as below.

# unified2

# Recommended for most installs

output unified2: filename snort.log, limit 128

Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules to allow Snort to load any custom rules.

include $RULE_PATH/local.rules

If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules line.

include $RULE_PATH/community.rules

Once you are done with the configuration file, save the changes and exit the editor.
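The sed one-liner in the community rules step and the hand edits in this section are easy to get wrong and awkward to repeat after a rules update. The script below is an added example (not part of the original post or of Snort) that applies the same changes in a re-runnable way: it sets HOME_NET, EXTERNAL_NET and the path variables, adds the unified2 output line, comments out every rule include and then re-enables only local.rules and community.rules, appending the latter if snort.conf does not mention it. It always works on a copy so a bad edit never leaves the live /etc/snort/snort.conf half-changed. Assumptions: GNU sed (for -i), HOME_NET supplied by the caller as a CIDR, and the configuration written by write_sample_conf is a constructed excerpt carrying the upstream defaults, not the full snort.conf.

```shell
#!/bin/sh
# Added example (not from the original post): scripted, idempotent version of
# the snort.conf edits described in the text. Assumes GNU sed.

# set_var CONF KEYWORD NAME VALUE: rewrite "KEYWORD NAME ..." in place, or add it.
set_var() {
    conf="$1"; kw="$2"; name="$3"; value="$4"
    if grep -q "^${kw} ${name} " "$conf"; then
        sed -i "s|^${kw} ${name} .*|${kw} ${name} ${value}|" "$conf"
    else
        printf '%s %s %s\n' "$kw" "$name" "$value" >> "$conf"
    fi
}

# enable_unified2 CONF: add the step-6 output line unless it is already there.
enable_unified2() {
    grep -q '^output unified2: filename snort.log' "$1" || \
        printf 'output unified2: filename snort.log, limit 128\n' >> "$1"
}

# disable_rule_includes CONF KEEP...: comment out every "include $RULE_PATH/..."
# line, then (re-)enable only the files named in KEEP, appending any the file
# does not mention (e.g. community.rules). Safe to run repeatedly.
disable_rule_includes() {
    conf="$1"; shift
    sed -i 's|^include \$RULE_PATH/|#include $RULE_PATH/|' "$conf"
    for keep in "$@"; do
        if grep -q "^#include \$RULE_PATH/${keep}\$" "$conf"; then
            sed -i "s|^#include \$RULE_PATH/${keep}\$|include \$RULE_PATH/${keep}|" "$conf"
        else
            printf 'include $RULE_PATH/%s\n' "$keep" >> "$conf"
        fi
    done
}

# count_active_includes CONF -> how many rule files snort.conf will actually load.
count_active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# configure_snort_conf SRC DST HOME_NET_CIDR: copy SRC to DST and apply all edits.
configure_snort_conf() {
    cp "$1" "$2"
    set_var "$2" ipvar HOME_NET "$3"
    set_var "$2" ipvar EXTERNAL_NET '!$HOME_NET'
    set_var "$2" var RULE_PATH /etc/snort/rules
    set_var "$2" var SO_RULE_PATH /etc/snort/so_rules
    set_var "$2" var PREPROC_RULE_PATH /etc/snort/preproc_rules
    set_var "$2" var WHITE_LIST_PATH /etc/snort/rules
    set_var "$2" var BLACK_LIST_PATH /etc/snort/rules
    enable_unified2 "$2"
    disable_rule_includes "$2" local.rules community.rules
}

# write_sample_conf FILE: constructed excerpt of an untouched snort.conf
# (upstream defaults, a handful of includes), used for the demo and tests.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
EOF
}

# Demo on the constructed excerpt: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    src=$(mktemp); dst=$(mktemp)
    write_sample_conf "$src"
    configure_snort_conf "$src" "$dst" 192.168.160.131/32
    cat "$dst"
    printf 'active rule includes: %s\n' "$(count_active_includes "$dst")"
    rm -f "$src" "$dst"
fi
```

On a real system you would call configure_snort_conf /etc/snort/snort.conf /tmp/snort.conf.new 192.168.160.131/32, run snort -T -c /tmp/snort.conf.new, and only then move the new file into place.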

Validating settings

Your Snort should now be ready to run. Test the configuration using the parameter -T to enable test mode.

sudo snort -T -c /etc/snort/snort.conf

After running the Snort configuration test, you should get a message like this example below.

       --== Initialization Complete ==--

   ,,_      -*> Snort! <*-

  o"  )~   Version 2.9.9.0 GRE (Build 56)

   ''''  By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.8.1

           Using PCRE version: 8.39 2016-06-14

           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0

           Preprocessor Object: SF_DNS  Version 1.1 

           Preprocessor Object: SF_SSH  Version 1.1 

           Preprocessor Object: SF_DNP3  Version 1.1 

           Preprocessor Object: SF_MODBUS  Version 1.1 

           Preprocessor Object: SF_GTP  Version 1.1 

           Preprocessor Object: SF_FTPTELNET  Version 1.2 

           Preprocessor Object: SF_SMTP  Version 1.1 

           Preprocessor Object: SF_REPUTATION  Version 1.1 

           Preprocessor Object: SF_IMAP  Version 1.0 

           Preprocessor Object: SF_SIP  Version 1.1 

           Preprocessor Object: SF_SSLPP  Version 1.1 

           Preprocessor Object: SF_DCERPC2  Version 1.0 

           Preprocessor Object: SF_SDF  Version 1.1 

           Preprocessor Object: SF_POP  Version 1.0   

Snort successfully validated the configuration!

Snort exiting

In case you get an error, the print out should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above, or by commenting out unnecessary inclusion lines in the snort.conf file. Check the configuration part and try again.

Testing the configuration

To test that Snort logs alerts as intended, add a custom rule to local.rules that alerts on incoming TCP packets. Open your local rules in a text editor.

sudo gedit /etc/snort/rules/local.rules

Then add the following line to the file. The sid and msg are what you will see in the alert output (the example alert below shows sid 2000000 and the message "GOT TCP PACKET!"); local rules must use sid values of 1000000 or higher, since lower numbers are reserved for the official rule sets. The content match is case-sensitive and only fires when the string appears in cleartext in the packet payload.

alert tcp any any -> $HOME_NET any (msg:"GOT TCP PACKET!"; content:"Bahria"; sid:2000000; rev:1;)

Save the local.rules and exit the editor.

Start Snort with the -A console option to print alerts to stdout, dropping privileges to the snort user and group with -u and -g. You will need to select the network interface that carries the address you configured as HOME_NET, for example ens33.

sudo snort -A console -i ens33 -u snort -g snort -c /etc/snort/snort.conf

If you are not sure which interface to use, you can use the following command on your server.

ip addr

The output lists all of your currently configured network interfaces. Use the one that carries the address you set as HOME_NET (ens33 in the example above; on other systems it may be named eth0 or enp0s3).

With Snort up and running, visit https://bahria.edu.pk/ on your system. You should see a notice for each alert call in the terminal running Snort.

09/12-14:58:46.472630  [**] [1:2000000:1] GOT TCP PACKET! [**] [Priority: 0] {TCP} 111.68.99.6:443 -> 192.168.160.131:53326

After the alerts show up you can stop Snort with ctrl+C.
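The one-line alert format printed by -A console (the same "fast" format Snort writes with -A fast) is what most people end up grepping or shipping to a SIEM, and the first thing to check is that the gid:sid:rev in the alert is the rule you think fired. The script below is an added example, not part of the original post or of Snort: it parses that format with plain POSIX parameter expansion, pulls the sid out of the local rule above to confirm the alert really came from it, and counts alerts per sid over a small sample. Assumptions: IPv4 addresses, the optional [Classification: ...] field may or may not be present, and apart from the first line (the alert shown above) the sample alerts are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): parse Snort's -A console /
# fast alert lines and cross-check them against the local rule.
# ASSUMPTIONS: IPv4 only; sample alerts other than the first are constructed.

# The local rule from the test above, kept here so the sid check is self-contained.
LOCAL_RULE='alert tcp any any -> $HOME_NET any (msg:"GOT TCP PACKET!"; content:"Bahria"; sid:2000000; rev:1;)'

# Constructed sample: the page's alert, a repeat of it, and a made-up ICMP
# alert that carries a Classification field and no ports.
SAMPLE_ALERTS='09/12-14:58:46.472630  [**] [1:2000000:1] GOT TCP PACKET! [**] [Priority: 0] {TCP} 111.68.99.6:443 -> 192.168.160.131:53326
09/12-14:58:47.101200  [**] [1:2000000:1] GOT TCP PACKET! [**] [Priority: 0] {TCP} 111.68.99.6:443 -> 192.168.160.131:53326
09/12-14:59:02.000001  [**] [1:1000002:1] CONSTRUCTED ICMP TEST [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.160.1 -> 192.168.160.131'

# parse_alert LINE -> "ts|gid|sid|rev|msg|priority|proto|src|dst" on stdout.
parse_alert() {
    line="$1"
    ts="${line%% *}"                              # 09/12-14:58:46.472630
    rest="${line#*\[\*\*\] \[}"                   # 1:2000000:1] GOT TCP PACKET! [**] ...
    ids="${rest%%]*}"                             # 1:2000000:1
    gid="${ids%%:*}"; tmp="${ids#*:}"; sid="${tmp%%:*}"; rev="${tmp#*:}"
    rest="${rest#*] }"                            # GOT TCP PACKET! [**] [Priority: 0] {TCP} ...
    msg="${rest%% \[\*\*\]*}"                     # text before the closing [**]
    prio="${rest#*\[Priority: }"; prio="${prio%%]*}"
    proto="${rest#*\{}"; proto="${proto%%\}*}"    # TCP / ICMP / UDP
    ep="${rest#*\} }"                             # 111.68.99.6:443 -> 192.168.160.131:53326
    src="${ep%% -> *}"; dst="${ep#* -> }"
    printf '%s|%s|%s|%s|%s|%s|%s|%s|%s\n' \
        "$ts" "$gid" "$sid" "$rev" "$msg" "$prio" "$proto" "$src" "$dst"
}

# endpoint_host / endpoint_port: split "ip:port"; ICMP endpoints have no port.
endpoint_host() { printf '%s\n' "${1%:*}"; }
endpoint_port() { case "$1" in *:*) printf '%s\n' "${1##*:}" ;; *) printf '\n' ;; esac; }

# rule_sid RULE_LINE -> the sid: value of a Snort rule.
rule_sid() { s="${1#*sid:}"; s="${s%%;*}"; printf '%s\n' "${s# }"; }

# alert_matches_rule LINE RULE -> 0 when the alert's sid is the rule's sid.
alert_matches_rule() {
    [ "$(parse_alert "$1" | cut -d'|' -f3)" = "$(rule_sid "$2")" ]
}

# count_sid FILE SID -> number of alert lines in FILE with that sid.
count_sid() {
    n=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        if [ "$(parse_alert "$l" | cut -d'|' -f3)" = "$2" ]; then n=$((n + 1)); fi
    done < "$1"
    printf '%s\n' "$n"
}

# Demo over the constructed sample: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE_ALERTS" > "$f"
    while IFS= read -r l; do parse_alert "$l"; done < "$f"
    want=$(rule_sid "$LOCAL_RULE")
    printf 'alerts from local rule sid %s: %s\n' "$want" "$(count_sid "$f" "$want")"
    rm -f "$f"
fi
```

To run it against a real alert file, replace the sample with /var/log/snort/alert (written when you use -A fast instead of -A console) and pipe the parsed lines into whatever you use for aggregation.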

Snort also records the alerts to a log under /var/log/snort/snort.log.<timestamp>, where the suffix is the Unix time at which Snort was started. You can read the log back with the command below. Since you have only run Snort once there is only one log file, so you can complete the filename by pressing TAB.

snort -r /var/log/snort/snort.log.xxxxxxxxx

WARNING: No preprocessors configured for policy 0.

09/12-14:58:46.472630 111.68.99.6:443 -> 192.168.160.131:53326

TCP TTL:128 TOS:0x0 ID:55861 IpLen:20 DgmLen:524

***AP*** Seq: 0x664E23FD  Ack: 0x5A473900  Win: 0xFAF0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Each entry shows the packet that triggered an alert, with source and destination IPs and ports, time and date, plus the IP and TCP header fields, as in the example above. The warning about preprocessors appears because no configuration file was given with -c, and is harmless here. Note that -r reads the file through libpcap, so this only works when the log is in pcap format; if the file was written in unified2 format (the output plugin configured in step 6), snort -r will reject it and you should dump it with u2spewfoo, which is built and installed together with Snort 2.9.