Complete snort installation

What is snort?

From www.snort.org: Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

How to install snort?

I’ve written a series of posts that explain different steps of a Snort installation. If you know what all the tools are, follow these links. If you want an explanation of all the tools, keep on reading.

What are these tools

Open vSwitch

Website : http://openvswitch.org
By default, libvirt connects all guests to a regular Linux software bridge, which acts like a simple switch for the guests. Since a regular software bridge is very limited, I exchanged the bridge for an Open vSwitch. The full list of features is on the Open vSwitch website. The most important feature for us is the SPAN or mirror port: it copies the traffic of the other ports to the port the Snort sensor listens on, so Snort sees the guests' traffic without sitting in the path of that traffic.
I wrote 2 posts regarding Open vSwitch.
Switch your KVM from regular bridge to Open vSwitch
How to configure a mirror port on Open vSwitch
If you have a physical switch, like a Cisco Catalyst or any other switch that can mirror traffic to a chosen port (a SPAN port), you probably don't need Open vSwitch at all.

Snort

Snort is the IDS/IPS software that listens on an interface and logs any traffic that matches one of its rules. The alerts, together with the packets that triggered them, are written in Snort's binary log format, called unified2. Note that on a mirror port Snort only receives a copy of the traffic, so in this setup it runs as an IDS (alerting) rather than as an IPS (blocking).
This post describes how you can install snort.

Pulled Pork

In order for Snort to do a good job, it needs up-to-date rules. These are similar to the signature files of your desktop antivirus. Pulled Pork is a tool that downloads the rule sets and copies them to the right location, so that Snort always runs with current rules.
This post describes how to download, install and configure Pulled Pork.

Barnyard2

Barnyard2 is a tool that reads the unified2 log files generated by Snort, converts the events and sends them to a database, a syslog server and so on. Splitting the output off like this keeps Snort from stalling on slow database writes while it is busy capturing packets.
This post describes how to build Barnyard2 from source. The next post describes how to configure it.
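To make the unified2 hand-off between Snort and Barnyard2 concrete, here is a small reader I added for this page; it is my own example, not Snort's or Barnyard2's code. It walks a unified2 byte string record by record, decodes the two record types you meet most often (the legacy IDS event, type 7, and the packet record, type 2, whose field layouts follow Snort's unified2 headers; all integers are big-endian), turns each event into a syslog-style line much like Barnyard2's syslog output does, and stops cleanly at a truncated trailing record, which is what you get when the file is still being written. The sample bytes are constructed inline (the addresses, ports and sid 1000001 are made up), so it runs without a Snort installation.

```python
"""Minimal unified2 reader (added example; not Snort's or Barnyard2's own code).

Record layouts follow Snort's unified2 headers: Serial_Unified2_Header,
Unified2IDSEvent_legacy (type 7) and Unified2Packet (type 2). All integers
are big-endian (network byte order). Other record types (VLAN and IPv6
event variants, extra data) are passed through undecoded.
"""
import socket
import struct
from datetime import datetime, timezone

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Serial_Unified2_Header: uint32 type, uint32 length of the record body
HDR = struct.Struct("!II")

# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
EVENT = struct.Struct("!" + "I" * 11 + "HH" + "BBBB")
EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)

# Unified2Packet fixed part: 7 x uint32 = 28 bytes, then packet_length bytes of data
PACKET = struct.Struct("!" + "I" * 7)
PACKET_FIELDS = (
    "sensor_id", "event_id", "event_second", "packet_second",
    "packet_microsecond", "linktype", "packet_length",
)


def parse_unified2(data: bytes):
    """Yield (record_type, fields) for each complete record in a unified2 buffer.

    A partial record at the end is left alone rather than raising, because
    Snort may still be appending to the file when we read it.
    """
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        off += HDR.size
        if off + length > len(data):
            break  # truncated trailing record: re-read later
        body = data[off:off + length]
        off += length
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= EVENT.size:
            rec = dict(zip(EVENT_FIELDS, EVENT.unpack_from(body)))
            rec["src"] = socket.inet_ntoa(struct.pack("!I", rec["ip_source"]))
            rec["dst"] = socket.inet_ntoa(struct.pack("!I", rec["ip_destination"]))
            yield rtype, rec
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET.size:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet_data"] = body[PACKET.size:PACKET.size + rec["packet_length"]]
            yield rtype, rec
        else:
            yield rtype, {"raw": body}  # undecoded record type


def format_event(rec: dict) -> str:
    """Render one IDS event as a single syslog-style line ([gid:sid:rev] src -> dst)."""
    ts = datetime.fromtimestamp(rec["event_second"], tz=timezone.utc)
    return "%s [%d:%d:%d] %s:%d -> %s:%d proto=%d class=%d pri=%d" % (
        ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        rec["generator_id"], rec["signature_id"], rec["signature_revision"],
        rec["src"], rec["sport_itype"], rec["dst"], rec["dport_icode"],
        rec["protocol"], rec["classification_id"], rec["priority_id"])


def build_sample() -> bytes:
    """Constructed test data, not a real Snort capture: one alert plus its packet."""
    src = struct.unpack("!I", socket.inet_aton("192.168.1.10"))[0]
    dst = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    # sensor 1, event 42, 2023-11-14T22:13:20Z, gid 1 / sid 1000001 (local range) rev 1,
    # classification 30, priority 2, TCP 192.168.1.10:52345 -> 10.0.0.5:22, not blocked
    event = EVENT.pack(1, 42, 1700000000, 123456, 1000001, 1, 1, 30, 2,
                       src, dst, 52345, 22, 6, 0, 0, 0)
    payload = b"SSH-2.0-OpenSSH_8.9\r\n"
    packet = PACKET.pack(1, 42, 1700000000, 1700000000, 123456, 1, len(payload)) + payload
    return (HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    for rtype, rec in parse_unified2(build_sample()):
        if rtype == UNIFIED2_IDS_EVENT:
            print(format_event(rec))
        elif rtype == UNIFIED2_PACKET:
            print("  packet %d bytes: %r" % (rec["packet_length"], rec["packet_data"][:20]))
```

Barnyard2 keeps a bookmark (a "waldo" file) of how far it has read, so it resumes after the last complete record instead of re-reading everything; the truncation check above is the part of that behaviour that matters most when you read a file Snort is still writing.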

Snorby

We, as human beings, want a GUI to look at the events that Snort detects. Snorby is such a tool: it presents all events from the database and lets the administrator classify every detected event.
This post describes how to download and configure Snorby to your needs.
Snort is a registered trademark of Sourcefire, Inc.

2 thoughts on “Complete snort installation”

  1. Jim Jacob

    Hi Sir, I do enjoy reading your articles on Snort, but I want to write a project on a Snort ruleset. Can you guide me in a few lines on how to set up the lab in VirtualBox please.

