Installing Snort

This howto explains how to install Snort on Ubuntu 12.04. We start from an Ubuntu server with two interfaces: eth0 is the management interface and eth1 is the dedicated sniffing interface. The sensor is not inline; it only receives a copy of the traffic. eth1 will be connected to a mirror port on the switch. I'm using a software switch called Open vSwitch (more info in this post). Of course you can also connect the interface to a physical port on a hardware switch. Just make sure to configure that port in mirror or SPAN mode.

Prepare the OS

By default, the unused interface eth1 stays down. Adding the following to /etc/network/interfaces brings the interface up at boot time without assigning it an IP address (a passive sniffing interface does not need one, and not having one keeps the sensor invisible on the monitored segment).

auto eth1
iface eth1 inet manual
        up ifconfig $IFACE up

After rebooting the machine, the interface should come up automatically. Use tcpdump to verify that the interface is UP and that the mirror port is delivering traffic: tcpdump should show a lot of traffic, including packets that are not addressed to this host. That means the mirror port is also working as expected.

 # tcpdump -ni eth1

Install Snort

The following command downloads and installs snort from the Ubuntu repositories.

apt-get install snort

Answer the questions that pop up during the installation process (the interface to listen on can be changed afterwards in /etc/snort/snort.debian.conf, see below).

Adapt the default installation

After the installation, edit /etc/snort/snort.conf. Comment out every line that starts with 'output' and copy the following output setting into your configuration file instead. Snort should write only unified2 output here: Barnyard2 reads these unified2 files and takes care of alerting and logging. If you forget this, you'll have problems with Barnyard2.

output unified2: filename merged.log, limit 128

Also edit /etc/snort/snort.debian.conf and set the interface to eth1 (the sniffing interface) instead of the default eth0. This is the interface the init script passes to snort at boot.

DEBIAN_SNORT_INTERFACE="eth1"

Reboot

Now it's best to reboot the machine to make sure that your machine boots fine and automatically starts snort to do intrusion detection on the network.

# reboot

After logging in, have a look in /var/log/snort/. The unified2 plugin configured above writes files named merged.log.<timestamp> (a Unix timestamp is appended to the filename). If all is well, suspicious traffic gets logged there. Note that unified2 files are binary, so don't expect to read them with cat; u2spewfoo (shipped with Snort) dumps them in readable form, and Barnyard2 will process them for you once it is installed.

Install up-to-date rules

We’ve done everything to install snort on our machine. In the next post, I’ll explain how to install some up-to-date rules. This is necessary to make sure Snort is able to detect the latest threats.
This page is part of a series about a complete installation and configuration of Snort.

Snort is a registered trademark of Sourcefire, Inc.

10 thoughts on “Installing Snort”

  4. Alan McKay

    Is there any reason not to run snort on the main interface instead of having a port mirror? I have 2 places I want to run this – one at home on a home firewall with 2 interfaces one for the internet and one for the internal home network. I’d also like to run this on a DMZ web server at work where I only have 1 interface.

    1. Thomas Elsen Post author

      Well, I like to keep my management interface separate from the monitoring interface because all my machines are setup with 1 leg on separate higher security management network. The other interface is meant for the production traffic.

      It all depends on your needs.

  5. Marek

    What is the proper “ubuntu” way to run modern snort on two interfaces, e.g. eth0 and eth1? For older snort, one must set DEBIAN_SNORT_INTERFACE="eth0 eth1" and that's all. Modern snort needs barnyard2 to output logs to e.g. a mysql database or prelude SIEM. Do I need to hack snort's init.d script to make snort use a different .conf file for each interface, with two different unified2 log filename bases, so every barnyard2 daemon will have its own log file (or rather set of files with timestamps)?
