This howto will explain how to install snort on Ubuntu 12.04. We start from an Ubuntu server with 2 interfaces. eth0 is the management interface. eth1 is the dedicated sniffing interface. The sensor is not inline: eth1 will be connected to a mirror port on the switch, so Snort only sees a copy of the traffic and can alert on it, not block it. I’m using a software switch called Open vSwitch. More info in this post. Of course you can also connect the interface to a physical port on a hardware switch. Just make sure to configure the port in mirror or SPAN mode.
Prepare the OS
By default, the unused interface eth1 will stay down. By adding the following to /etc/network/interfaces , the interface will be brought up at boot time. It gets no IP address (inet manual), so the sniffing interface itself is not reachable from the monitored network; management stays on eth0.
# /etc/network/interfaces: bring the sniffing interface up without an address
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE up
After rebooting the machine, the interface should come up automatically. You can now use tcpdump to test if the interface is UP. tcpdump should show a steady stream of packets that are not addressed to this machine. That means that the mirror port is also working as expected.
# tcpdump -ni eth1
The following command will download and install snort on your machine.
apt-get install snort
Proceed with answering all questions that pop up during the installation process.
Adapt the default installation
After the installation, edit /etc/snort/snort.conf . Make sure to comment out all lines that start with ‘output’, then copy and paste the following output setting into your configuration file. Barnyard2 only reads unified2 logs, so if you forget this step Barnyard2 will have nothing to process.
output unified2: filename merged.log, limit 128
Also edit /etc/snort/snort.debian.conf and change DEBIAN_SNORT_INTERFACE from the default eth0 to eth1, so that Snort listens on the mirror port and not on the management interface.
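To catch the two mistakes this section warns about before you reboot, here is a small check script. It is an added example written for this howto, not part of the Snort package; it assumes snort.debian.conf sets the interface through the DEBIAN_SNORT_INTERFACE variable (the variable the Debian package uses for this), and the configuration fragments it contains as defaults are constructed for illustration.

```python
"""Pre-reboot sanity check for the two edits above (added example, not Snort code).
snort.conf: every active 'output' line must be a unified2 one, because Barnyard2
reads nothing else.  snort.debian.conf: DEBIAN_SNORT_INTERFACE must name the
mirror port, not the management interface."""
import re
import sys


def active_output_lines(conf_text):
    """Return (line_no, directive) for every uncommented 'output' line."""
    found = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if re.match(r"output\s", stripped):
            found.append((n, stripped))
    return found


def check_snort_conf(conf_text):
    """Return a list of problems; an empty list means the output section is right."""
    problems = []
    outputs = active_output_lines(conf_text)
    if not any(re.match(r"output\s+unified2\s*:", l) for _, l in outputs):
        problems.append("no active 'output unified2:' line")
    for n, l in outputs:
        if not re.match(r"output\s+unified2\s*:", l):
            problems.append("line %d: output plugin still active: %s" % (n, l))
    return problems


def check_debian_conf(text):
    """Return the configured DEBIAN_SNORT_INTERFACE value, or None if it is missing."""
    m = re.search(r'^\s*DEBIAN_SNORT_INTERFACE\s*=\s*"?([^"\s#]*)"?', text, re.M)
    return m.group(1) if m else None


# Constructed samples: a half-edited snort.conf, a correct one, and the untouched
# Debian defaults (assumed file contents, for running this check offline).
BAD_SNORT_CONF = """\
# output alert_fast: alert
output log_tcpdump: tcpdump.log
output unified2: filename merged.log, limit 128
"""
GOOD_SNORT_CONF = """\
# output log_tcpdump: tcpdump.log
output unified2: filename merged.log, limit 128
"""
DEFAULT_DEBIAN_CONF = 'DEBIAN_SNORT_STARTUP="boot"\nDEBIAN_SNORT_INTERFACE="eth0"\n'

if __name__ == "__main__":
    # usage: check_snort.py /etc/snort/snort.conf /etc/snort/snort.debian.conf
    snort_conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_SNORT_CONF
    debian_conf = open(sys.argv[2]).read() if len(sys.argv) > 2 else DEFAULT_DEBIAN_CONF
    for p in check_snort_conf(snort_conf):
        print("snort.conf:", p)
    iface = check_debian_conf(debian_conf)
    if iface != "eth1":
        print("snort.debian.conf: DEBIAN_SNORT_INTERFACE is %r, expected 'eth1'" % iface)
```

Run it with the two real paths as arguments; no output means both files match what this howto expects. A leftover output plugin is flagged by line number so you can comment it out before the reboot instead of finding out through Barnyard2.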
Now it’s best to reboot the machine to make sure that your machine boots fine and automatically starts snort to do intrusion detection on the network.
After logging in, have a look in /var/log/snort/ . Snort appends a Unix timestamp to the unified2 filename, so you should see a file named merged.log followed by a timestamp, and it should grow as suspicious traffic is logged. Note that unified2 is a binary format, not text: to read it, use the u2spewfoo tool from the Snort distribution or Barnyard2.
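To see whether alerts are actually being written without waiting for Barnyard2, here is a small reader for the unified2 records in that file. It is an added example written for this howto, not code from Snort; the record layouts follow Snort's Unified2_common.h (IPv4 event records of type 7 and 104, packet records of type 2), and the sample bytes it parses by default are constructed inline so it runs offline. Run it against a real merged.log file to get a count of alerts per gid:sid.

```python
"""Minimal reader for Snort unified2 logs (the merged.log.<timestamp> files written
by 'output unified2').  Added example for this howto, not Snort code.  Layouts
follow Snort's Unified2_common.h; every field is big-endian."""
import struct
import sys

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event followed by mpls label and vlan id

# Unified2IDSEvent: 9 x uint32 ids/timestamps, src/dst IPv4, ports, proto, flags
_EVENT_FMT = ">9I4s4sHHBBBB"
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source",
                 "ip_destination", "sport_itype", "dport_icode", "protocol",
                 "impact_flag", "impact", "blocked")
# Unified2Packet header: sensor/event ids, event and packet timestamps, linktype, length
_PACKET_FMT = ">7I"


def _ipv4(b):
    return ".".join(str(x) for x in b)


def parse_unified2(data):
    """Yield (kind, dict) for each record in a unified2 byte string.
    A truncated trailing record (Snort still writing it) is reported, not crashed on."""
    offset = 0
    while offset + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, offset)
        body = data[offset + 8:offset + 8 + rlen]
        if len(body) < rlen:
            yield ("truncated", {"type": rtype, "expected": rlen, "got": len(body)})
            return
        offset += 8 + rlen
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            ev = dict(zip(_EVENT_FIELDS, struct.unpack_from(_EVENT_FMT, body)))
            ev["ip_source"] = _ipv4(ev["ip_source"])
            ev["ip_destination"] = _ipv4(ev["ip_destination"])
            if rtype == UNIFIED2_IDS_EVENT_VLAN:
                ev["mpls_label"], ev["vlan_id"] = struct.unpack_from(">IH", body, 52)
            yield ("event", ev)
        elif rtype == UNIFIED2_PACKET:
            hdr = struct.unpack_from(_PACKET_FMT, body)
            yield ("packet", {"event_id": hdr[1], "linktype": hdr[5],
                              "packet_length": hdr[6], "packet": body[28:28 + hdr[6]]})
        else:
            yield ("other", {"type": rtype, "length": rlen})


def summarize(data):
    """Count events per gid:sid, the quick 'is Snort alerting at all?' check."""
    counts = {}
    for kind, rec in parse_unified2(data):
        if kind == "event":
            key = "%d:%d" % (rec["generator_id"], rec["signature_id"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_event(sid, src, dst, sport, dport, event_id=1, second=1354900000):
    """Construct a synthetic type-7 event record, used only to test this reader offline."""
    body = struct.pack(_EVENT_FMT, 0, event_id, second, 0, sid, 1, 1, 0, 2,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split(".")),
                       sport, dport, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample: two complete events plus a third cut off mid-record
SAMPLE_LOG = (build_event(1000001, "10.0.0.5", "192.168.1.10", 44321, 80)
              + build_event(1000001, "10.0.0.5", "192.168.1.10", 44322, 80, event_id=2)
              + build_event(1000002, "192.168.1.10", "10.0.0.5", 80, 44321, event_id=3)[:30])

if __name__ == "__main__":
    # usage: read_unified2.py /var/log/snort/merged.log.<timestamp>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, rec in parse_unified2(data):
        print(kind, rec)
    print(summarize(data))
```

The reader stops cleanly on a short trailing record because Snort writes the file while you read it; a real log that ends in a "truncated" entry is normal, an empty summary after some minutes of mirrored traffic is not.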
Install up-to-date rules
That completes the installation of snort on our machine. In the next post, I’ll explain how to install some up-to-date rules. This is necessary to make sure Snort is able to detect the latest threats.
This page is part of a series about a complete installation and configuration of Snort.