Install Snort on Linux
Contributed by Chad Brandt
Wednesday, 16 June 2004
Learn how to install and configure the Snort intrusion detection system on your Linux system.

1. Download the latest source from Snort's web site.


2. Unzip and untar the source file. This unpacks the archive into a snort source directory.

   [root]# tar -zxvf snort.tar


3. Compile the source.

    [root]# cd snort-
    [root]# ./configure
    [root]# make
    [root]# make install
    [root]# make clean

This installs snort to /usr/local/bin/snort by default.


  

4. Create the configuration directory and copy the configuration files over. This assumes you are still in the snort source directory.
 
   [root]# mkdir /etc/snort
   [root]# cp -rf etc/* /etc/snort
   [root]# cp -rf rules/* /etc/snort


5. Customize your snort.conf to meet your needs. This is a configuration I have found to be useful:

   [root]# cd /etc/snort
   [root]# vi snort.conf

- Set your rule path (RULE_PATH) to /etc/snort:
var RULE_PATH /etc/snort

- Uncomment the following line (this will cause snort to use much less resident memory):
config detection: search-method lowmem

- Make sure the flow preprocessor is NOT commented out:
preprocessor flow: stats_interval 0 hash 2

- Uncomment the flow-portscan preprocessor if you want to detect port scans (change server-watchnet to your own network; the trailing backslashes continue the directive across lines):
preprocessor flow-portscan: \
server-watchnet [172.16.0.0/16] \
unique-memcap 5000000 unique-rows 50000 \
tcp-penalties on \
server-scanner-limit 30 \
alert-mode all \
output-mode msg \
server-learning-time 3600

- Comment out or uncomment the rules files you want. This is my list:
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules


6. Create a snort user to run the process, and create your log directory.

    [root]# adduser snort
    [root]# mkdir /var/log/snort
    [root]# chown snort:snort /var/log/snort


7. Start up Snort. I just create a script that starts Snort with the following command:

    #!/bin/sh
    /usr/local/bin/snort -A fast -d -u snort -g snort -D -c /etc/snort/snort.conf

Your alerts will be logged to /var/log/snort/alert.
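A start-up script with pre-flight checks, added here as an example and not the article's own script. It uses the paths and user names from the steps above (overridable through environment variables); the snort_preflight and snort_start function names are my own, and the -T (test the configuration and exit) and -l (log directory) options are standard Snort 2.x options that the article's one-liner does not use. The point is to catch a broken snort.conf or a log directory the snort user cannot write to before the daemon detaches and its errors disappear from the terminal.

```shell
#!/bin/sh
# Added example (not the article's script): start Snort only after the
# prerequisites from steps 4-7 check out. Defaults follow the article.
SNORT=${SNORT:-/usr/local/bin/snort}
CONF=${CONF:-/etc/snort/snort.conf}
LOGDIR=${LOGDIR:-/var/log/snort}
RUNUSER=${RUNUSER:-snort}
RUNGROUP=${RUNGROUP:-snort}

# snort_preflight CONF LOGDIR USER
# Returns 0 when the config file is readable, the unprivileged user exists,
# and the log directory exists and is owned by that user (otherwise Snort
# cannot write alerts once it drops root with -u/-g). Each failing check
# is reported on stderr.
snort_preflight() {
    conf=$1 logdir=$2 user=$3 rc=0
    [ -r "$conf" ] || { echo "missing config: $conf" >&2; rc=1; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; rc=1; }
    if [ ! -d "$logdir" ]; then
        echo "missing log directory: $logdir" >&2; rc=1
    elif [ -z "$(find "$logdir" -prune -user "$user" 2>/dev/null)" ]; then
        echo "$logdir is not owned by $user (chown $user:$user $logdir)" >&2; rc=1
    fi
    return $rc
}

# snort_start: run the pre-flight checks, validate the configuration with
# -T (parse only, no sniffing), and only then launch the daemon with the same
# flags as the article's script.
snort_start() {
    snort_preflight "$CONF" "$LOGDIR" "$RUNUSER" || return 1
    "$SNORT" -T -c "$CONF" -u "$RUNUSER" -g "$RUNGROUP" -l "$LOGDIR" >/dev/null 2>&1 \
        || { echo "snort -T rejected $CONF; fix it before daemonizing" >&2; return 1; }
    exec "$SNORT" -A fast -d -u "$RUNUSER" -g "$RUNGROUP" -D -l "$LOGDIR" -c "$CONF"
}

# Only start when invoked as "start", so the file can also be sourced for testing.
if [ "${1:-}" = "start" ]; then
    snort_start
fi
```

Run it as `sh snort-start.sh start` from root's crontab or an rc script; a non-zero exit with a message on stderr means nothing was started, which is easier to notice than a daemon that exited silently right after forking.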

I have a snort log parser written in Perl that will parse the snort alerts and show today's alerts in an easy-to-read format. Example output:

04/06 08:06:57  TCP  24.163.219.104:80    ->   67.173.96.51:2763        ATTACK-RESPONSES 403 Forbidden           1201 
04/06 08:07:53  TCP  24.163.219.104:80    ->   211.40.66.207:2676      ATTACK-RESPONSES 403 Forbidden           1201 
04/06 08:13:51  TCP  24.163.219.104:80    ->   211.40.211.115:2604    ATTACK-RESPONSES 403 Forbidden           1201

Download the log parser script here.
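The same kind of daily summary, written as an added shell/awk example rather than the author's Perl script (which is not reproduced on this page). It assumes the Snort 2.x "fast" alert format that the -A fast option in the start-up script writes to /var/log/snort/alert; the sample lines embedded below are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the article's Perl parser): summarize one day's alerts
# from a Snort "-A fast" alert file in the same one-line-per-alert layout
# the article shows. Assumes the Snort 2.x fast format, e.g.
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] MSG [**] [Classification: ...] [Priority: N] {PROTO} SRC -> DST

# Constructed sample alerts (not a real capture); ICMP lines carry no ports.
SAMPLE_ALERTS='04/06-08:06:57.123456  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 67.173.96.51:2763
04/06-08:07:53.654321  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 211.40.66.207:2676
04/06-08:13:51.000001  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.20:1043 -> 192.168.1.1:161
04/07-00:02:11.222222  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1'

# fast_alert_fields FILE [MM/DD]
# Emits tab-separated: date, time, proto, src, dst, sid, msg for alerts on
# the given day (default: today, in Snort's MM/DD form).
fast_alert_fields() {
    awk -v day="${2:-$(date +%m/%d)}" '
        BEGIN { OFS = "\t" }
        $1 ~ ("^" day "-") {
            split($1, ts, "-")                       # "04/06-08:06:57.123456" -> date, time
            sub(/\.[0-9]+$/, "", ts[2])              # drop microseconds
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)    # "[gid:sid:rev]"
            split(substr($0, RSTART + 1, RLENGTH - 2), ids, ":")
            rest = substr($0, RSTART + RLENGTH + 1)  # text after "[gid:sid:rev] "
            msg = substr(rest, 1, index(rest, " [**]") - 1)
            match($0, /[{][A-Z]+[}]/)                # "{TCP}" etc.
            proto = substr($0, RSTART + 1, RLENGTH - 2)
            print ts[1], ts[2], proto, $(NF - 2), $NF, ids[2], msg
        }' "$1"
}

# parse_fast_alerts FILE [MM/DD]: one readable line per alert, like the article's output.
parse_fast_alerts() {
    fast_alert_fields "$1" "${2:-}" |
        awk -F'\t' '{ printf "%s %s  %-5s %-22s -> %-22s %s  %s\n", $1, $2, $3, $4, $5, $7, $6 }'
}

# top_signatures FILE [MM/DD]: alert count per signature, most frequent first,
# which is the quicker way to spot a noisy rule or a scan than reading every line.
top_signatures() {
    fast_alert_fields "$1" "${2:-}" |
        awk -F'\t' '{ print $6 "  " $7 }' | sort | uniq -c | sort -rn
}

# Demo: parse a real alert file given as $1, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    parse_fast_alerts "$1"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_ALERTS" > "$tmp"
    parse_fast_alerts "$tmp" 04/06; echo; top_signatures "$tmp" 04/06
    rm -f "$tmp"
fi
```

Run as `sh snort-today.sh /var/log/snort/alert` on the sensor; the date filter is matched against the alert's own timestamp, so an alert file that spans months still yields only the current day.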

If you use the Shorewall firewall script, you can download my program SnortShorewall to proactively prevent hackers from compromising your machine. SnortShorewall runs in the background, monitors your alerts from Snort, and blacklists the IP addresses that attempt to hack your system. Read more about SnortShorewall here.

Comments
Use SnortShorewall
Written by Guest on 2005-08-25 05:15:19
If I want to use your SnortShorewall, should I install Snort or not?
Written by Guest on 2005-08-25 19:01:26
Yes
thanx
Written by Guest on 2008-12-24 03:27:27
:grin
