# Snort Basics

## Introduction to Snort

> Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.
>
> Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

## Setup

I will be using a Proxmox container running Debian 11 for this guide, though I have set up Snort on Windows 10 before - there are just more steps to it.

### Topology

<figure><img src="https://1797977785-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjrIJ5xrJuOVgeeYdKNB5%2Fuploads%2FqY1SZFC2I8qYa51RBjl9%2Fimage.png?alt=media&#x26;token=da2c71c3-a1c6-4e6e-bcbc-5a2772952bed" alt=""><figcaption></figcaption></figure>

This is a very simplified layout of the Proxmox homelab I'll be using for this chapter and the next. If you'd like to follow along, I'm using a **Debian 11** container for the IDS and SIEM; the rest are different OSes. You can create VLANs, but for the sake of simplicity I won't be showing that here.

{% hint style="info" %}
For Proxmox users: use the Turnkey-Core template, otherwise this will NOT work.
{% endhint %}

{% embed url="<https://youtu.be/79KiCBNbsbg>" %}

## Installation

{% embed url="<https://docs.snort.org/start/installation>" %}

We can use this script to install Snort 3 onto our Debian container.

```bash
#!/bin/bash
# Small script to install Snort 3 on Debian 11. Run as sudo.
set -e

# Build dependencies (optional packages are not included).
# cmake and git are needed by the steps below; libhwloc-dev is a Snort 3 requirement.
# Debian's libdnet package is the DECnet library, not the dumbnet library Snort wants,
# so only libdumbnet-dev is installed here.
sudo apt install -y gcc build-essential cmake git libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev libhwloc-dev bison flex autoconf libtool pkg-config

# Installing LibDAQ
mkdir -p ~/snort_src
cd ~/snort_src
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure --prefix=/usr/local/lib/daq_s3
make
sudo make install
# Tell the dynamic linker where the DAQ libraries live, then reload the cache.
echo "/usr/local/lib/daq_s3/lib/" | sudo tee /etc/ld.so.conf.d/libdaq3.conf
sudo ldconfig

# Building Snort
cd ~/snort_src
git clone https://github.com/snort3/snort3.git
export my_path='/opt/snort'
# Let the Snort build find the libdaq installed above via pkg-config.
export PKG_CONFIG_PATH="/usr/local/lib/daq_s3/lib/pkgconfig:$PKG_CONFIG_PATH"
sudo mkdir -p "$my_path"
cd snort3
./configure_cmake.sh --prefix="$my_path"
cd build
make -j "$(nproc)"
sudo make install

# Check if the install is correct: -V prints the piggy banner and version, then exits.
echo "If you see a piggy, the install worked"
"$my_path/bin/snort" -V
# List the DAQ modules from the libdaq prefix installed above.
"$my_path/bin/snort" --daq-dir /usr/local/lib/daq_s3/lib/daq --daq-list
```

## Configuring Rules

### Using Oinkcode and PulledPork to get the latest rules

### Adding rules to snort.conf
