Snort Tutorial for Beginners

What is Snort?

Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It can analyze network traffic in real time, log packets, and detect malicious activities using predefined rules.

Key features:

  • Packet sniffing: Captures and inspects network packets.
  • IDS mode: Detects suspicious activities.
  • IPS mode: Prevents attacks in real time.
  • Logging and alerting: Provides detailed logs and alerts for events.

Installing Snort

1. Prerequisites

  • A Linux-based operating system (Ubuntu/Debian is ideal for beginners).
  • Administrative privileges.

2. Update the System

$ sudo apt update && sudo apt upgrade -y

3. Install Dependencies

$ sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

4. Download and Install Snort

Download Snort from the official site:

$ wget https://www.snort.org/downloads/snort/snort-2.9.X.X.tar.gz

(Replace X.X with the latest version number.)

Extract and install Snort:

$ tar -xzvf snort-2.9.X.X.tar.gz

$ cd snort-2.9.X.X

$ ./configure

$ make

$ sudo make install

Snort Operating Modes

Snort operates in three modes:

  1. Sniffer Mode: Captures and displays network packets.
  2. Packet Logger Mode: Saves captured packets to a file.
  3. Network Intrusion Detection Mode: Analyzes traffic based on rules.

Snort Usage Examples

1. Sniffer Mode

To capture and display network packets in real-time:

$ sudo snort -v

-v: Verbose mode (shows packet headers).

2. Packet Logger Mode

To log packets to a directory:

$ sudo snort -dev -l /var/log/snort

  • -d: Logs application data.
  • -e: Displays link-layer headers.
  • -l: Specifies the log directory.

Captured logs can be viewed using:

$ ls /var/log/snort

3. Intrusion Detection Mode

Run Snort with a configuration file and rule set:

$ sudo snort -c /etc/snort/snort.conf

  • -c: Specifies the configuration file.

Creating Snort Rules

Snort uses rules to detect suspicious activities. Rules are written in the following format:

action protocol source_ip source_port -> destination_ip destination_port (options)

Example Rule

Detect ICMP (ping) traffic:

alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:1000001; rev:1;)

Steps to Add Rules

  1. Open the rules file:

$ sudo nano /etc/snort/rules/local.rules

  2. Add the custom rule:

alert tcp any any -> any 80 (msg:"HTTP traffic detected"; sid:1000002; rev:1;)

  • any any: Matches any IP and port.
  • ->: Indicates traffic direction.
  • msg: Description of the alert.
  • sid: Unique rule identifier.

  3. Save and exit.
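A rules file can be checked against the grammar above before Snort is asked to load it. The Python script below is an added example for this tutorial, not code from the original page and not part of Snort: it parses lines of the form "action protocol src_ip src_port -> dst_ip dst_port (options)", splits the options into key/value pairs, and flags the mistakes that most often break a reload or silently stop alerts: a line that does not fit the grammar, a rule without sid or msg, and two rules sharing one sid. The sample local.rules content is constructed inline, and the check that local sids start at 1000000 follows the common Snort convention (configurable through local_sid_floor).

```python
import re

# Rule grammar from the tutorial:
#   action protocol source_ip source_port -> destination_ip destination_port (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# key:value; pairs; values may be quoted strings that themselves contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(text):
    """Turn 'msg:"x"; sid:1; rev:1; nocase;' into a dict (bare keywords map to None)."""
    opts = {}
    for key, value in OPTION_RE.findall(text):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the quotes around msg-style values
        opts[key] = value if value != "" else None
    return opts


def parse_rule(line):
    """Parse one rule line into its header fields plus an options dict, or raise ValueError."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    rule = m.groupdict()
    rule["options"] = parse_options(rule["options"])
    return rule


def validate_rules(text, local_sid_floor=1000000):
    """Parse a rules file body and return (rules, problems).

    Flags: lines that do not match the grammar, rules without sid or msg,
    duplicate sids, and sids below the local-rule range (assumed convention:
    local rules use sid >= 1,000,000).
    """
    rules, problems, seen_sids = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        opts = rule["options"]
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            problems.append(f"line {lineno}: missing or non-numeric sid")
        else:
            if int(sid) < local_sid_floor:
                problems.append(f"line {lineno}: sid {sid} is below the local-rule range")
            if sid in seen_sids:
                problems.append(f"line {lineno}: duplicate sid {sid} (first seen on line {seen_sids[sid]})")
            else:
                seen_sids[sid] = lineno
        if "msg" not in opts:
            problems.append(f"line {lineno}: missing msg")
        rules.append(rule)
    return rules, problems


# Constructed sample local.rules: the tutorial's two rules plus two deliberate mistakes
SAMPLE_LOCAL_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP traffic detected"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"SSH traffic detected"; sid:1000002; rev:1;)
alert tcp any any -> any 443 msg:"missing parentheses"; sid:1000003; rev:1;
"""

if __name__ == "__main__":
    parsed, found = validate_rules(SAMPLE_LOCAL_RULES)
    print(f"{len(parsed)} rules parsed")
    for problem in found:
        print("PROBLEM:", problem)
```

Run it against a real file with validate_rules(open("/etc/snort/rules/local.rules").read()) before restarting Snort; a duplicate sid is the classic mistake when copying an existing rule as a template, and this catches it without a full reload.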

Test the Rule

Restart Snort:

$ sudo snort -c /etc/snort/snort.conf

Generate traffic to trigger the rule (e.g., visiting a website using HTTP). Check the logs in /var/log/snort.

Monitoring Snort Alerts

Alerts are stored in the directory configured in snort.conf. To view the alerts:

$ cat /var/log/snort/alert
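Reading the alert file with cat works for a handful of alerts, but triage is easier with a count per rule and per source host. The script below is an added example, not part of the original tutorial and not Snort's own tooling; it assumes the multi-line ("full") alert format, parses each record's gid:sid:rev header, priority and timestamp/address line, and counts alerts by rule and by source. The sample alert text is constructed to match the two rules defined above.

```python
import re
from collections import Counter

# Header line of each alert record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)
# Timestamp line of the full format: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
TS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
PRIO_RE = re.compile(r"\[Priority:\s*(?P<prio>\d+)\]")


def parse_alert_file(text):
    """Parse the multi-line 'full' alert format into a list of dicts, one per alert."""
    alerts, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:  # a header line starts a new record
            current = {"sid": int(h["sid"]), "rev": int(h["rev"]), "msg": h["msg"],
                       "priority": None, "ts": None, "src": None, "dst": None,
                       "sport": None, "dport": None}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        p = PRIO_RE.search(line)
        if p:
            current["priority"] = int(p["prio"])
            continue
        t = TS_RE.match(line)
        if t:
            current.update(ts=t["ts"], src=t["src"], dst=t["dst"],
                           sport=int(t["sport"]) if t["sport"] else None,
                           dport=int(t["dport"]) if t["dport"] else None)
    return alerts


def summarize(alerts):
    """Count alerts per (sid, msg) and per source host: the first view to use when triaging."""
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts if a["src"])
    return by_rule, by_source


# Constructed sample of /var/log/snort/alert for the tutorial's two rules
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] ICMP traffic detected [**]
[Priority: 0]
01/15-10:23:45.123456 192.168.1.10 -> 203.0.113.5
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:1000001:1] ICMP traffic detected [**]
[Priority: 0]
01/15-10:23:46.123456 192.168.1.10 -> 203.0.113.5
ICMP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:2  ECHO

[**] [1:1000002:1] HTTP traffic detected [**]
[Priority: 0]
01/15-10:24:01.000001 192.168.1.10:51234 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:2222 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFAF0  TcpLen: 40

[**] [1:1000002:1] HTTP traffic detected [**]
[Priority: 0]
01/15-10:24:05.000001 192.168.1.20:40001 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:2223 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5A5A5A5A  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
"""

if __name__ == "__main__":
    records = parse_alert_file(SAMPLE_ALERT_FILE)
    per_rule, per_source = summarize(records)
    for (sid, msg), n in per_rule.most_common():
        print(f"sid {sid} {msg!r}: {n}")
    for src, n in per_source.most_common():
        print(f"source {src}: {n}")
```

Point it at the real file with parse_alert_file(open("/var/log/snort/alert").read()). A rule that fires thousands of times from many sources is usually too broad (like the HTTP rule above, which matches all port-80 traffic) and should be tightened before it drowns out the alerts that matter.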

Troubleshooting Common Issues

  1. Error: Missing Dependencies. Ensure all libraries (e.g., libpcap-dev) are installed:

$ sudo apt install libpcap-dev

  2. Permission Denied. Run Snort with sudo.

  3. Configuration Errors. Check the Snort configuration file for syntax errors:

$ snort -T -c /etc/snort/snort.conf

  • -T: Tests the configuration and rules, then exits without processing traffic.
