Download Snort For Ubuntu


Alcmena Sadin

Jul 21, 2024, 10:00:22 PM

The rule sets for registered users include an extensive number of useful preconfigured detection rules. If you tried Snort with the community rules first, you can enable additional rule files by uncommenting their include lines towards the end of the snort.conf file.




With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file in your favourite text editor, for example using nano with the command below.

If you get an error, the printout should tell you what the problem was and where to fix it. The most likely problems are missing files or folders, which you can usually resolve either by adding any you might have missed in the setup above, or by commenting out unnecessary include lines in the snort.conf file. Check the configuration part and try again.

Snort records the alerts to a log under /var/log/snort/snort.log.timestamp, where the timestamp is the point in time when Snort was started, expressed as a Unix timestamp. You can read the logs with the command underneath. Since you have only run Snort once, there is only one log, so you can complete your command by pressing TAB.

Hi Abreu, thanks for reaching out. The snort -r command is for reading logs and needs a file as the last parameter instead of a directory. Try something like snort -r /var/log/snort/archived_logs/snort.log where snort.log is one of your archived log files.

Hi Ismael, thanks for the question. It seems your rule path in the /etc/snort/snort.conf is set relative to the working directory but uses the whole path. Check the snort.conf file and set the rule path exactly like this: var RULE_PATH /etc/snort/rules

thanks for the guide, really appreciate it.
However, I need to be able to send my logs to ArcSight SIEM. My connector is installed to read the /var/log/snort/snort.log.* files, but the files have permissions granted only to the snort user.
How can I make this possible, to send logs to my SIEM?

Hi there, thanks for the question. You need to enter a couple of command-line parameters to successfully run Snort. The -i switch refers to the network interface Snort should listen to such as eth0. For example: sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Hi Rory, thanks for the question. You would need to replace the server_public_ip in your /etc/snort/snort.conf with your own IP address to set the home network, for example, ipvar HOME_NET 94.123.234.214/32

Hello dear Ruostemaa,
Thank you for the documentation.
I did these configurations from beginning to end, but I cannot get any detection to happen.
Also, there is nothing in the log directory: /var/log/snort#
Please help me.

Hi there, thanks for the comment. I would first suggest checking that your rules are being included. Any local rules like the ping detection in the example need to be added manually, while the community rules have many useful detection rules. You can test your configuration with snort -T -c /etc/snort/snort.conf, but note that it exits the program after the test. Start Snort in the foreground, e.g. with snort -v -c /etc/snort/snort.conf, which will allow you to see any reports right away.

Hi Markus, thanks for the question. According to the error message, it seems your user name does not have permission to access the log files. You may wish to use sudo to run the snort log command or switch temporarily to the root user.

Hello, I followed this manual and it works fine, but when I run sudo systemctl status snort
I get "Unit snort.service could not be found."
I don't know why, since Snort is watching the traffic.

Hi Dion, thanks for the question. The problem likely occurred if you installed the latest version on top of an older installation. Check the dynamic preprocessors with ls -la /usr/local/lib/snort_dynamicpreprocessor and remove any libsf_sdf_preproc.* files older than the newest files in that directory.

Hi Martin, thanks for the question. Snort often gives this error when the log file is empty. Try to run Snort on the console to see if your rules trigger alerts sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf . If the alerts show, e.g. when pinging the server, you should also be able to read the logs.

Hi there, thanks for the question. You should be able to have Snort read captured network packet files in .pcap format by using the following command, as an example: snort -c /etc/snort/snort.conf -r /path/to/test/traffic.pcap. You may want to set a specific configuration for analysis. As for classifying the alert types you mentioned, presumably you would need to know the type of each network packet and compare e.g. timestamps with the recorded alerts in /var/log/snort/alert.log to figure out how Snort responded to the network event.
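The comparison described in the reply above, matching replayed traffic to the alerts it raised by rule ID and by timestamp, can be scripted. The following is an added example and is not part of the original tutorial or thread. It assumes the alert file is in Snort's "fast" alert format (the format of -A fast or the alert_fast output plugin: timestamp, [**], [gid:sid:rev] message [**], classification/priority, protocol and addresses); the sample lines embedded below are constructed for this example, not real captures.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise a Snort fast-format alert
# log by rule ID, and cut a time window out of it so each replayed attack can
# be matched to the alerts Snort raised while it ran.

# Constructed sample in fast-alert layout (not a real capture).
SAMPLE_ALERTS='07/21-22:00:22.100000  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
07/21-22:00:23.100000  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
07/21-22:05:10.200000  [**] [1:1000002:1] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51000 -> 10.0.0.1:22'

# summarize_alerts: read fast-alert lines on stdin and print
# "count<TAB>gid:sid:rev<TAB>message", most frequent rule first.
summarize_alerts() {
    awk '
        # Split on the " [**] " markers; the second field is "[gid:sid:rev] message".
        split($0, parts, / \[\*\*\] /) >= 2 {
            frag = parts[2]
            id = frag;  sub(/^\[/, "", id);  sub(/\].*$/, "", id)
            msg = frag; sub(/^\[[0-9:]*\] */, "", msg)
            count[id]++
            text[id] = msg
        }
        END {
            for (id in count) printf "%d\t%s\t%s\n", count[id], id, text[id]
        }' | sort -rn
}

# alerts_between START END: keep lines whose timestamp (MM/DD-HH:MM:SS, the
# first 14 characters of the line) lies in [START, END]. The fixed-width
# format makes plain string comparison correct within one calendar year.
alerts_between() {
    awk -v s="$1" -v e="$2" '{
        ts = substr($1, 1, 14)
        if (ts >= s && ts <= e) print
    }'
}

# Usage: ./alerts.sh demo   (or pipe a real file: summarize_alerts < /var/log/snort/alert)
case "${1:-}" in
    demo)
        echo "== alerts per rule =="
        printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts
        echo "== alerts during the ping test window =="
        printf '%s\n' "$SAMPLE_ALERTS" | alerts_between 07/21-22:00:00 07/21-22:01:00
        ;;
esac
```

When you replay each attack from the second machine, note the start and end time, then run alerts_between over the alert file for that window and feed the result to summarize_alerts; the rule IDs tell you which signatures each attack triggered, and a window with no output means Snort saw nothing it recognised.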

Should I run Snort as another nologin user using the following command?
snort -i eth0 -dev icmp and src xxxx -D -u snort -g snort
Does this mean Snort is running as another, non-root user?
thank you

You can also configure the service file to take a parameter to define which NIC you want to start.
Rename the snort.service to /lib/systemd/system/snort@.service and set the ExecStart as follows.
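A template unit of the kind the comment above describes, written out as an added example (it is not the commenter's unit file, which the page does not show). It assumes Snort was built from source and installed to /usr/local/bin/snort, that the snort user and group from the tutorial exist, and that snort.conf already selects the output plugin; systemd substitutes the instance name (the part after the @ when you start the unit) for %i, so the interface is passed in at start time.

```ini
# /lib/systemd/system/snort@.service  (added example; paths are assumptions)
[Unit]
Description=Snort NIDS on interface %i
After=network.target

[Service]
Type=simple
# -q keeps the banner out of the journal; -u/-g drop privileges after the
# interface is opened; %i becomes e.g. eth0 for snort@eth0.service.
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i %i
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Reload systemd and start one instance per NIC you want to watch, e.g. `sudo systemctl daemon-reload && sudo systemctl enable --now snort@eth0.service`; a second interface is just another instance, `snort@eth1.service`, sharing the same configuration.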

Hi sir, I understood the installation part. I have a basic doubt: if I mention a HOME_NET CIDR block, will my Snort server be able to detect packets flowing in the HOME_NET, or is it only a reference in the logs to print the appropriate timestamp with the local IP address?

Hi Yashaswi, thanks for the comment. The error at the end of the test indicates that Snort is using a relative path for the rules directory. You should remove the /etc/snort/ from your snort.conf file to make it look like the following:

Hi Alccy, thanks for the comment. The error would indicate that you have a formatting error in your local.rules file. It could be an issue of different typeface so try to copy and paste the test rule as is and try running the snort config test again.

Hi Alexandros, thanks for the comment. Your output settings might be slightly different to create this type of functionality. You might want to check your snort.conf and set the unified2 output to log the alerts instead of printing them to the command line.

I saw that you suggested going into the /etc/snort/snort.conf file and setting the rule path to var RULE_PATH /etc/snort/rules, which I did, and I even changed the site-specific rules to include /etc/snort/rules/community.rules, yet I am still running into the same error.

Hi Janne,
Thanks for this great tutorial, I have successfully installed Snort and the test ICMP ping is also detected.
I have registered and downloaded the rules with my code but about 90 percent of all the rule files have no rules, they only have the copyright text at the top of these files.
Any

It would seem that to set up Snort as an IPS, you need to install Snort on one computer and set it up as an IPS, then connect the other computers that you actually want to protect.
This would mean that you cannot set up Snort on a single cloud server as an IPS for the purpose of protecting that same single cloud server. Is this right?

Thanks for the reply Janne.
I understand that it can be used for monitoring on a single cloud server, triggering alerts when set up as a NIDS. What I am not sure about is, if Snort is set up as an IPS on a single cloud server, can it protect this single server, e.g. drop incoming packets?
If I only have one single cloud server, can I set up Snort as an IPS on this single server to protect it, such as by dropping packets?

Hi Radu, thanks for the question. Running snort in the background seems to cause some difference in logging. You should try disabling the unified2 output and enabling the log_tcpdump instead. Then restart your snort service and test if the ping rules trigger.

Hello Jaan, thank you for your effort. I have 2 questions, if you can help me as soon as possible:
1. I have a project at university and we want to send different attacks from another machine to the Snort machine, and I want to see all the alerts and events, i.e. how Snort reacts to each attack. Is the output configured like you did, just reading the log file, or is there another configuration with syslog or any graphical interface to show the alerts?
2. I have a problem when I try to run Snort in the background: the status of Snort is failed
when I try the command sudo systemctl status snort

Hi Mohamed, thanks for the question. Looking at the error output, it seems your process start command is incomplete. Check the /lib/systemd/system/snort.service file, it should have the following line:

Seems your Snort config is expecting to find /etc/snort/rules/app-detect.rules but the file does not exist. You can either download the community rules or disable the app-detect rules by commenting out the include line in your Snort config.

So you need to confirm that the path to that file (classification.config) is correct. Did you move that classification.config file to folder: /etc/snort/ ?
sudo cp /snort_src/snort-2.9.16/etc/*.conf* /etc/snort

Hi Ryo, thanks for the question. Snort gives this error when the log file is empty. Try to run Snort on the console to see if your rules trigger alerts sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf . If the alerts show, e.g. when pinging the server, you should also be able to read the logs.

Thank you for this great tutorial! But if I try to run snort:
sudo snort -A console -i venet0 -u snort -g snort -c /etc/snort/snort.conf
I receive this error: ERROR: Cannot decode data link type 113
Fatal Error, Quitting..
Do you have a solution?

I'm setting up a mass deployment image that includes snort. Since I don't know the network address range that each image will reside on I thought about using an environment variable to hold the network range and use this environment variable in the snort.conf file to set HOME_NET.

If you save that file as snort.sh, make it executable (chmod a+x snort.sh) and run it, it will update the /HOME_NET.conf file with the right IP range before launching snort so everything should work as you expect it to.
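A wrapper of the kind the two comments above describe, as an added example that is not the commenter's snort.sh (which the page does not show). It takes the network range from the HOME_NET environment variable, refuses to start if the value is not one or more IPv4 CIDR blocks, writes the ipvar line to a file that snort.conf is assumed to include (the path in HOME_NET_CONF is an assumption, as is the snort binary being on PATH and the interface name in SNORT_IFACE), runs the configuration test, and only then launches Snort. Validating the value before writing it matters on a mass-deployed image: a typo in an environment variable otherwise becomes a Snort that either fails to start or silently watches the wrong network.

```shell
#!/bin/sh
# Added example (not the commenter's snort.sh): render HOME_NET from the
# environment, validate it, test the configuration, then launch Snort.
# Assumptions: snort.conf contains "include HOME_NET.conf" in place of a
# hard-coded ipvar; snort is on PATH; the interface defaults to eth0.

HOME_NET_CONF="${HOME_NET_CONF:-/etc/snort/HOME_NET.conf}"

# is_cidr: succeed only for an IPv4 dotted quad followed by /0..32
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    n=0
    oldifs=$IFS
    IFS=.
    for o in $ip; do
        case "$o" in
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
        esac
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# render_home_net: print the ipvar line for a comma-separated list of CIDRs;
# several networks use Snort's bracketed list syntax, a single one is bare.
render_home_net() {
    list=$1
    oldifs=$IFS
    IFS=,
    for net in $list; do
        is_cidr "$net" || { IFS=$oldifs; echo "snort.sh: bad HOME_NET entry: $net" >&2; return 1; }
    done
    IFS=$oldifs
    case "$list" in
        *,*) printf 'ipvar HOME_NET [%s]\n' "$list" ;;
        *)   printf 'ipvar HOME_NET %s\n' "$list" ;;
    esac
}

main() {
    [ -n "${HOME_NET:-}" ] || { echo "snort.sh: HOME_NET is not set" >&2; exit 1; }
    render_home_net "$HOME_NET" > "$HOME_NET_CONF" || exit 1
    # Same check as the tutorial's snort -T: refuse to launch a broken config.
    snort -T -c /etc/snort/snort.conf || { echo "snort.sh: configuration test failed" >&2; exit 1; }
    exec snort -q -u snort -g snort -c /etc/snort/snort.conf -i "${SNORT_IFACE:-eth0}"
}

# Usage: HOME_NET=10.0.0.0/24 ./snort.sh run   (run as root; -u/-g drop privileges)
case "${1:-}" in
    run) main ;;
esac
```

If the image sets HOME_NET to something like 10.0.0.0/24,192.168.1.0/24 the rendered line is ipvar HOME_NET [10.0.0.0/24,192.168.1.0/24], which is the form snort.conf expects for multiple networks; a value of any or an out-of-range octet is rejected before anything is written.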
