Today, we’re here to find out how to install snort on Linux Mint and detect the irregularities within the system. So keep reading if you want to know more.
Intrusion detection systems identify anomalies on a particular host or network. They are the second line of defense in a networked system. In this article, we will discuss the installation of snort, an open-source and lightweight intrusion detection system.
The snort software detects suspicious threats and anomalies and reports them to the user as an alert message. It is configured via a set of rules to detect malware and alerts when something that matches the rules happens within the network. Additionally, the software is sometimes called the debugger for network traffic systems.
Introduction to the snort software
Snort is a libpcap-based packet sniffer/logger that is also used as an intrusion detection system. It is a network-based intrusion detection system and works on signature-based intrusion detection.
It comprises rule-based logging and content-based searching/matching and can detect attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes, etc. The alerts can also be sent to the system log, to a separate alert file, or to another computer via Samba.
How to Install Snort on Linux Mint
There are various approaches for the installation of a snort system on Linux. We will discuss the following three methods:
- Apt repository
- Through GUI
- Installation from source
Installation through the apt repository
The installation of snort using the apt repository is quite simple. First, open the Terminal from the system menu > Terminal. Then update the apt package list. Install the prerequisite software by using the following command:
$ sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet autoconf libtool
Type the following command for the installation of snort:
$ sudo apt install snort
You may receive a message during the installation asking you to confirm the address range of the network interface. Just press “Enter” to confirm. Snort will then be installed on your system.
Installation using a graphical user interface (GUI)
First, open the Software Manager and type snort in the search bar. You will see a list of software matching your search query. Choose the snort software and press the install button to start the installation. You might be asked for your sudo password, as the software requires sudo privileges for installation.
The software will begin installing and complete after a few minutes.
Manual installation via source
Now, we will discuss the manual installation, which starts by downloading the package. Download the latest snort version from the snort website and extract it in the current directory. On your Terminal, first change to the directory where you want to keep the source.
Then, download the snort software from its website using this command (replace <version> with the version you are downloading):
# wget -O snort-<version>.tar.gz http://www.snort.org/downloads/116
Extract the snort files in the current directory via the following command:
# tar xvzf snort-<version>.tar.gz
Now, you can install the snort software. First, make sure you have the development package of libpcap installed, which you can check with:
# apt-cache policy libpcap0.8-dev
Now, move to the snort folder by inputting this command:
# cd snort-<version>
Now, type the following commands to install the software:
# ./configure
# make
# make install
Verifying the installation
After installing the snort software, we need to verify the installation. You can verify that the installation is successful by using the following command on your Terminal:
$ snort -V
Configuring the software
To use the snort software, we need to create the configuration file, rule file, and log directory. First, create three directories as follows:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
Now create the snort.conf file and the icmp.rules file with the following contents (shown here with cat):
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules
# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:466; rev:3;)
With the rule above, an alert is generated whenever an ICMP packet (such as a ping) is sent to the host.
Running the snort software
You can run the snort software via the following command typed on the Terminal:
# snort -c /etc/snort/snort.conf -l /var/log/snort/
You can also run the snort software as a daemon in your system via the following command:
# snort -D -c /etc/snort/snort.conf -l /var/log/snort
With the rules in the previous section specified, when you ping the host, you will see an alert generated.
Structure of an alert
The basic structure of an alert is as follows:
<Rule Action> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)
We first specify the action taken for the rule, the protocol to which the rule applies, the source internet protocol (IP) address, the source port, the direction operator, the destination IP address, and the destination port. For each alert, the following information is printed: the message, source IP, destination IP, type of packet, and header information.
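As an added example (not code from the original article or from the Snort project), the following Python script checks that a rule line has the header and option structure described above and splits it into its fields. It is run on the ICMP rule from the configuration section and on a constructed rules file; the mis-punctuated variant it rejects is a constructed sample of the kind of typo that makes Snort refuse to load a rule file.

```python
import re

# Rule actions, protocols and direction operators accepted by Snort 2 rule headers.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# <action> <proto> <src ip> <src port> <direction> <dst ip> <dst port> (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)


def parse_rule(rule: str) -> dict:
    """Split one Snort rule into its header fields plus a dict of options.

    Raises ValueError for a malformed header, an unknown action or protocol,
    a malformed option (e.g. 'rev3' instead of 'rev:3'), or a missing sid.
    Limitation: option values containing ';' are not handled.
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed rule header: {rule!r}")
    hdr = m.groupdict()
    if hdr["action"] not in ACTIONS:
        raise ValueError(f"unknown action {hdr['action']!r}")
    if hdr["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {hdr['proto']!r}")
    options = {}
    # Options are "keyword:value;" pairs; a bare keyword (e.g. "nocase;") has no value.
    for opt in filter(None, (o.strip() for o in hdr.pop("options").split(";"))):
        key, sep, value = opt.partition(":")
        if not re.fullmatch(r"[a-z_]+", key):
            raise ValueError(f"malformed option {opt!r}")
        options[key] = value.strip().strip('"') if sep else True
    if "sid" not in options:
        raise ValueError("rule has no sid option")
    hdr["options"] = options
    return hdr


def load_rules(text: str) -> list:
    """Parse every non-blank, non-comment line of a rules file's contents."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


if __name__ == "__main__":
    # The ICMP rule from the configuration section, plus a constructed second rule.
    sample = '# constructed sample rules file\n' \
             'alert icmp any any -> any any (msg:"ICMP Packet"; sid:466; rev:3;)\n' \
             'alert tcp any any -> any 22 (msg:"SSH connection"; sid:1000001; rev:1;)\n'
    for r in load_rules(sample):
        print(r["action"], r["proto"], r["dst_port"], r["options"]["msg"])
```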
Removing snort from your system
If you want to uninstall or remove the snort software from your system, the uninstallation process is very simple. Run the following command to remove the software from your system:
$ sudo apt remove snort
And just like that, snort is uninstalled from your system.
In this guide, we have talked about the steps to install and remove the snort package. It is an open-source intrusion detection system and serves as the second line of defense in any networked system. We discussed three approaches for installation (i.e., using the apt repository, the graphical user interface, and building from source).
If you have any questions regarding snort, do not hesitate to leave a question in the comment section below.
If this guide helped you, please share it.