
Snort as NIDS. Installation and configuration Step by Step.


Install Required Dependencies
#############################

apt-get update -y

apt-get upgrade -y

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

tar -zxvf daq-2.0.6.tar.gz

cd daq-2.0.6

./configure && make && make install


Install Snort from Source:
##########################


wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz

tar -xvzf snort-2.9.11.1.tar.gz

cd snort-2.9.11.1

./configure --enable-sourcefire && make && make install

ldconfig

ln -s /usr/local/bin/snort /usr/sbin/snort

snort -V


Configure Snort
###############
mkdir /etc/snort
mkdir /etc/snort/preproc_rules
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

chmod -R 5775 /etc/snort/
chmod -R 5775 /var/log/snort/
chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/

cd /usr/share/doc/snort-2.9.11.1/etc
cp -avr *.conf *.map *.dtd *.config /etc/snort/

cd ..

cp -avr src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

Comment out every bundled "include $RULE_PATH/..." line in snort.conf (this guide does not download the registered rule sets, so those files do not exist yet):

sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Then edit snort.conf so the path variables point at the directories created above and the local rules file is included:

vi /etc/snort/snort.conf

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/local.rules


Validate the configuration file with the following command:

snort -T -i eth0 -c /etc/snort/snort.conf


The output should end with:

Snort successfully validated the configuration!
Snort exiting

Testing Snort:
##############

vi /etc/snort/rules/local.rules

# Test rules: one alert per new FTP, ICMP and Telnet packet towards $HOME_NET.
# Custom rules use sids from 1000000 upwards so they never collide with the official rule sets.
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
# Telnet listens on port 23 (the original line used port 80, which is HTTP).
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

:wq!

Now start Snort in Network IDS mode from the terminal and tell it to output any alert to the console:

snort -A console -q -c /etc/snort/snort.conf -i eth0

Now, if we ping the IP of the server running Snort (192.168.11.59) from another host, the following alerts appear in the terminal:

04/19-16:59:44.826558  [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.10.117 -> 192.168.11.59
04/19-16:59:44.826631  [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.11.59 -> 192.168.10.117
04/19-16:59:45.831347  [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.10.117 -> 192.168.11.59
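The console alert format shown above is easy to triage with standard tools. The following script, an added example rather than code from the original post, parses "-A console" output into fields and summarises alerts per rule (sid) and per source address; the sample lines are constructed to match the format above (note that with the default HOME_NET of "any" the sensor's own echo reply also fires the ICMP rule, exactly as in the log above):

```shell
#!/bin/sh
# Added example (not from the original post): parse Snort "-A console" alert
# lines and summarise them per rule (sid) and per source, for quick triage.
#
# Constructed sample input modelled on the alert lines shown above; not real traffic.
# Line 2 is the sensor's own ICMP echo reply, which also matches because HOME_NET is "any".
SAMPLE_ALERTS='04/19-16:59:44.826558  [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.10.117 -> 192.168.11.59
04/19-16:59:44.826631  [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.11.59 -> 192.168.10.117
04/19-16:59:45.831347  [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 192.168.10.117 -> 192.168.11.59
04/19-17:01:02.100000  [**] [1:1000001:1] FTP connection attempt [**] [Priority: 0] {TCP} 192.168.10.117:51234 -> 192.168.11.59:21
this line is not a Snort alert and must be ignored'

# parse_alerts: stdin -> tab-separated "timestamp sid proto src dst msg".
# Lines that do not look like "<ts>  [**] [gid:sid:rev] <msg> [**] ..." are dropped.
parse_alerts() {
    awk '
    /^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ +\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
        ts = $1
        split($3, id, ":")                 # "[1:1000002:1]" -> "[1", "1000002", "1]"
        sid = id[2]
        msg = ""                           # message runs from field 4 up to the closing [**]
        for (i = 4; i <= NF && $i != "[**]"; i++)
            msg = (msg == "" ? $i : msg " " $i)
        proto = $(NF - 3); gsub(/[{}]/, "", proto)   # "{ICMP}" -> "ICMP"
        src = $(NF - 2); dst = $NF         # "... {PROTO} src -> dst"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", ts, sid, proto, src, dst, msg
    }'
}

# count_by_sid: stdin (raw alerts) -> "count sid msg", busiest rule first.
count_by_sid() {
    parse_alerts | awk -F '\t' '{ n[$2]++; m[$2] = $6 }
        END { for (s in n) printf "%d %s %s\n", n[s], s, m[s] }' | sort -rn
}

# sources_for_sid <sid>: stdin (raw alerts) -> distinct source addresses for that rule.
sources_for_sid() {
    parse_alerts | awk -F '\t' -v want="$1" '$2 == want { print $4 }' | sort -u
}

# Stand-alone demo over the constructed sample. On a real sensor, capture the
# console output first (snort -A console -q -c /etc/snort/snort.conf -i eth0 | tee alerts.log)
# and then run: count_by_sid < alerts.log
printf '%s\n' "$SAMPLE_ALERTS" | count_by_sid
printf '%s\n' "$SAMPLE_ALERTS" | sources_for_sid 1000002
```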


Finally, create the Snort startup script:
#########################################

vi /lib/systemd/system/snort.service

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target


Save and close the file (replace eth0 with the name of your sniffing interface; the status output below was captured on a host whose interface is enp3s0), then enable the service so it starts at boot:

systemctl enable snort

Finally, start Snort:

systemctl start snort

You can check the status of Snort by running the following command:

systemctl status snort

You should see the following output:

root@machinexx:~# systemctl status snort
● snort.service - Snort NIDS Daemon
   Loaded: loaded (/lib/systemd/system/snort.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-04-19 17:06:27 IST; 6s ago
 Main PID: 707 (snort)
   CGroup: /system.slice/snort.service
           └─707 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i enp3s0

Apr 19 17:06:27 machine01.ndzhome.com systemd[1]: Started Snort NIDS Daemon.



Thanks,
That is all.
