This howto explains how to install Snort on Ubuntu 12.04. We start from an Ubuntu server with two interfaces: eth0 is the management interface and eth1 is the dedicated sniffing interface. The sensor is not inline; it only sees a copy of the traffic, so it can alert on attacks but cannot block them. eth1 will be connected to a mirror port on the switch. I’m using a software switch called Open vSwitch. More info in this post. Of course you can also connect the interface to a physical port on a hardware switch. Just make sure to configure that port in mirror or SPAN mode.
Prepare the OS
By default, the unused interface eth1 will stay down. By adding the following stanza to /etc/network/interfaces, the interface will be brought up at boot time without an IP address, which is what you want for a sniffing interface.
auto eth1
iface eth1 inet manual
up ifconfig $IFACE up
After rebooting the machine, the interface should be enabled automatically. You can now use tcpdump to check that traffic is actually arriving on it. tcpdump should show a lot of traffic, including conversations between other hosts that are not addressed to the sensor itself. That is the proof that the mirror port is also working as expected; a link that is merely UP would only show broadcasts and the sensor’s own packets.
# tcpdump -ni eth1
Install Snort
The following command will download and install snort on your machine.
apt-get install snort
Proceed with answering all questions that pop up during the installation process.
Adapt the default installation
After the installation, edit /etc/snort/snort.conf. Make sure to comment out all lines that start with ‘output’, then copy and paste the following output setting into your configuration file. Barnyard2 reads the binary unified2 files and takes care of writing alerts to syslog or a database, so Snort itself should only write unified2. If you forget this, you’ll have problems with Barnyard2. The limit is the size in MB after which Snort rolls over to a new file.
output unified2: filename merged.log, limit 128
Also edit /etc/snort/snort.debian.conf and set the interface to eth1 instead of the default eth0, otherwise the init script will start Snort on the management interface.
DEBIAN_SNORT_INTERFACE="eth1"
Reboot
Now it’s best to reboot the machine to make sure that your machine boots fine and automatically starts Snort to do intrusion detection on the network.
# reboot
After logging in, have a look in /var/log/snort/. If all is well, Snort creates a file named merged.log followed by a timestamp (for example merged.log.1370000000) and logs suspicious traffic to it. The file is in the binary unified2 format, so don’t try to read it in an editor; check that it exists and grows with ls -l /var/log/snort/merged.log.*, and leave the decoding to Barnyard2.
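The steps above are done by hand in the post. The following script is an added example, not part of the original howto, that applies the same edits with small shell functions so they can be tested on copies of the files before touching the real ones. It assumes the Debian package paths used in this post (/etc/snort/snort.conf, /etc/snort/snort.debian.conf, /var/log/snort) and the merged.log.<timestamp> naming that unified2 uses; the functions take the file path as an argument, and the real files are only modified when SNORT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): automate the manual edits of
# this howto. All paths below are assumptions matching the Debian/Ubuntu
# snort package; override them through the environment if needed.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
DEBIAN_CONF=${DEBIAN_CONF:-/etc/snort/snort.debian.conf}
SNORT_LOGDIR=${SNORT_LOGDIR:-/var/log/snort}
SNIFF_IFACE=${SNIFF_IFACE:-eth1}

# Append the sniffing-interface stanza to /etc/network/interfaces (or a copy
# of it) unless an 'iface <name>' line is already present.  The literal
# $IFACE is what ifupdown expands at boot, so it is written unexpanded.
add_sniff_stanza() {
    file=$1; iface=$2
    grep -q "^iface $iface " "$file" && return 0
    printf '\nauto %s\niface %s inet manual\n\tup ifconfig $IFACE up\n' "$iface" "$iface" >> "$file"
}

# Comment out every active 'output' line and append the single unified2
# output that Barnyard2 consumes.  Running it twice still leaves exactly one
# active output line, because the earlier unified2 line gets commented out.
fix_snort_output() {
    conf=$1
    sed 's/^\([[:space:]]*\)output/\1# output/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    printf '%s\n' 'output unified2: filename merged.log, limit 128' >> "$conf"
}

# Number of active (uncommented) output lines; 1 is the expected value.
active_output_lines() {
    grep -c '^[[:space:]]*output' "$1" || true
}

# Point the Debian init script at the sniffing interface.
set_snort_interface() {
    conf=$1; iface=$2
    if grep -q '^DEBIAN_SNORT_INTERFACE=' "$conf"; then
        sed "s/^DEBIAN_SNORT_INTERFACE=.*/DEBIAN_SNORT_INTERFACE=\"$iface\"/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'DEBIAN_SNORT_INTERFACE="%s"\n' "$iface" >> "$conf"
    fi
}

# Read back the configured interface without the surrounding quotes.
get_snort_interface() {
    sed -n 's/^DEBIAN_SNORT_INTERFACE="\(.*\)"$/\1/p' "$1"
}

# unified2 files are binary, so "is Snort logging?" is answered by checking
# that at least one non-empty merged.log.<timestamp> exists in the log dir.
check_unified2_logs() {
    dir=$1
    for f in "$dir"/merged.log.*; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# Only touch the real system when explicitly asked (needs root).
if [ "${SNORT_APPLY:-0}" = 1 ]; then
    add_sniff_stanza /etc/network/interfaces "$SNIFF_IFACE"
    apt-get install -y snort
    fix_snort_output "$SNORT_CONF"
    set_snort_interface "$DEBIAN_CONF" "$SNIFF_IFACE"
    echo "Reboot, then run: check_unified2_logs $SNORT_LOGDIR && echo 'snort is logging'"
fi
```

Source the script (`. ./snort-setup.sh`) to get the functions in your shell, point them at copies of the configuration files, and inspect the result with diff before running it with SNORT_APPLY=1 on the sensor.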
Install up-to-date rules
We’ve done everything to install snort on our machine. In the next post, I’ll explain how to install some up-to-date rules. This is necessary to make sure Snort is able to detect the latest threats.
This page is part of a series about a complete installation and configuration of Snort.
Snort is a registered trademark of Sourcefire, Inc.
Is there any reason not to run snort on the main interface instead of having a port mirror? I have 2 places I want to run this – one at home on a home firewall with 2 interfaces one for the internet and one for the internal home network. I’d also like to run this on a DMZ web server at work where I only have 1 interface.
Well, I like to keep my management interface separate from the monitoring interface, because all my machines are set up with one leg on a separate, higher-security management network. The other interface is meant for the production traffic.
It all depends on your needs.
What is the proper “Ubuntu” way to run modern Snort on two interfaces, e.g. eth0 and eth1? For older Snort, one had to set DEBIAN_SNORT_INTERFACE="eth0 eth1" and that was all. Modern Snort needs Barnyard2 to output logs to e.g. a MySQL database or Prelude SIEM. Do I need to hack Snort’s init.d script to make Snort use a different .conf file for each interface, with two different unified2 log filename bases, so that every Barnyard2 daemon has its own log file (or rather set of files with timestamps)?
Hi man, can you send me a PDF of the Snort installation and configuration on Ubuntu 12.04 LTS 32-bit, please?
🙂