How to use the Snort IDS
When the defense of your device against attack is at stake, antivirus software and IDSs are bound to come up.
An IDS, or intrusion detection system, tries to detect malicious activity on your computer and informs you about it.
Snort is one of the most well-known IDSs today. In this tutorial, I will show you how to use it to protect your system against intrusion.
Let’s forgo the disclaimer, because this is constructive.
Step 1: Installation
Snort is a Linux application. If you use Ubuntu, the repositories for installing Snort should already be added, but since most serious users use Kali, let’s see how you can add the Snort repository to your list.
First, open up a terminal and type:
leafpad /etc/apt/sources.list
Your repository list should open.
Below the existing lines that start with ‘deb’, add the following lines:
deb http://ch.archive.ubuntu.com/ubuntu/ saucy main restricted
deb-src http://ch.archive.ubuntu.com/ubuntu/ saucy main restricted
deb http://httpredir.debian.org/debian jessie main
deb-src http://httpredir.debian.org/debian jessie main
Save and close the text file.
Now, we need to update our package lists.
Type:
apt-get update
Wait for it to complete.
Now, let’s install.
Type:
apt-get install snort
Wait for completion.
Now to test if it has been installed properly, type:
snort -V
If all went well, Snort will show its version number. Now you’re all set!
Step 2: Basic configuration
Now, we will configure Snort. The configuration file for Snort can be found at /etc/snort/snort.conf.
Go to the terminal and type:
leafpad /etc/snort/snort.conf
Wait for the file to open.
Skip to line 39; everything before it is just help text.
In line 45 (ipvar HOME_NET any), change ‘any’ to the IP address of the subnet you’re protecting, in CIDR notation.
Scroll down to line 464. Lines 464-485 control Snort’s output settings. Line 481 starts out uncommented and line 471 commented. Reverse this, so that line 471 is uncommented and line 481 is commented. This will allow Snort to store logs to a file.
Go to line 504. This is where the rulesets for Snort are listed. Notice line 511. This is the path to your custom ruleset. We will use it later. The includes below it are the other rulesets. To use a ruleset, simply remove the ‘#’ in front of it, and to disable one, add a ‘#’ before it. When you’re done, save the file and close it.
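To double-check the edits from this step, the following added example (not part of the original tutorial or of Snort itself) reads a snort.conf and reports the HOME_NET value, the active output directives, and which rule includes are enabled or commented out. The sample config and the function name audit_snort_conf are constructed for illustration and assume Snort 2.x syntax.

```python
import ipaddress
import re
import sys

# Constructed sample in Snort 2.x syntax; not the contents of the page's snort.conf.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
# output unified2: filename snort.log, limit 128
output alert_fast: alert.log
include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/dns.rules
"""

def audit_snort_conf(text):
    """Summarise the Step 2 settings and collect warnings about likely mistakes."""
    rep = {"home_net": None, "outputs": [], "rules_on": [], "rules_off": [], "warnings": []}
    for line in (raw.strip() for raw in text.splitlines()):
        home = re.match(r"(?:ipvar|var)\s+HOME_NET\s+(\S+)", line)
        rule = re.match(r"(#?)\s*include\s+(\S+\.rules)$", line)
        if home:
            rep["home_net"] = home.group(1)
        elif line.startswith("output "):
            # "output alert_fast: alert.log" -> plugin name "alert_fast"
            rep["outputs"].append(line.split(":", 1)[0].split()[1])
        elif rule:
            rep["rules_off" if rule.group(1) else "rules_on"].append(rule.group(2))
    warn = rep["warnings"].append
    if rep["home_net"] is None:
        warn("HOME_NET is not defined")
    elif rep["home_net"] == "any":
        warn("HOME_NET is still 'any'; set it to the protected subnet in CIDR notation")
    else:
        # Accept a single network or a bracketed list such as [10.0.0.0/8,192.168.1.0/24]
        for item in rep["home_net"].strip("[]").split(","):
            try:
                ipaddress.ip_network(item.lstrip("!"), strict=False)
            except ValueError:
                warn(f"HOME_NET entry {item!r} is not a valid CIDR network")
    if not rep["outputs"]:
        warn("no active output directive")
    if not rep["rules_on"]:
        warn("no .rules include is enabled")
    return rep

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/snort/snort.conf"
    with open(path) as fh:
        print(audit_snort_conf(fh.read()))
```

Run it before Step 3; an empty warnings list means HOME_NET parses as CIDR and at least one output directive and one ruleset are active.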
Step 3: Testing!
Snort has a built-in function that can check your configuration. To use it, type:
snort -T -c /etc/snort/snort.conf
Wait for it to complete.
If the configuration is okay, the message displayed will be “Snort successfully validated the configuration”.
Now, let’s try running it. Snort can run in 3 modes: as an NIDS, as a sniffer, and as a packet logger. I will show you how to run it as a sniffer and as an NIDS in this tutorial.
To run it as a sniffer, type:
snort -vde
To run it as an IDS, you will need to give it the path to your configuration file, which in turn points to your rules. Type:
snort -vde -c /etc/snort/snort.conf
Finally, to get help, just type:
snort -?
or
snort --help
This concludes the first tutorial on Snort. In the following tutorials, I will move on to actual usage.