Snort Basics

Introduction to Snort

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.
Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

Setup

I will be using a Proxmox container running Debian 11 for this guide, though I have set up Snort using Windows 10 before - there's just more steps to it.

Topology

This is a very simplified layout of my proxmox homelab that I'll be using for this chapter and the next. If you'd like to follow along then I'm using a Debian 11 container for the IDS and SIEM, then the rest are different OS's. You can create VLANs but for the sake of simplicity I won't be showing that here.

For Proxmox users: Use the Turnkey-Core template otherwise this will NOT work.

Installation

We can use this script to install Snort3 onto our Debian Container

#!/bin/bash
# Small script to install Snort on Debian 11. Run as sudo

# Optional Packages are not included
sudo apt install -y gcc build-essential libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet autoconf libtool pkg-config

# Installing LibDAQ

mkdir ~/snort_src
cd ~/snort_src
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure --prefix=/usr/local/lib/daq_s3
sudo make install
cat /etc/ld.so.conf.d/libdaq3.conf /usr/local/lib/daq_s3/lib/
sudo ldconfig

# Building Snort
cd ~/snort_src
git clone https://github.com/snort3/snort3.git
export my_path='/opt/snort'
export PKG_CONFIG='/opt/snort'
mkdir -p $my_path
cd snort3
./configure_cmake.sh --prefix=$my_path
cd build
make -j $(nproc) 
make install

# Check if install is correct
echo "If you see a piggy, hit Ctrl+C"
$mypath/snort/bin/snort -V
$mypath/snort/bin/snort --daq-listbas

Configuring Rules

Using Oinkcode and PulledPork to get the latest rules

Adding rules to snort.conf

PreviousSnort NextSecurity Information and Event Management (SIEM)

Last updated 1 year ago

Introduction to Snort

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.

Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

Setup

I will be using a Proxmox container running Debian 11 for this guide, though I have set up Snort using Windows 10 before - there's just more steps to it.

Topology

For Proxmox users: Use the Turnkey-Core template otherwise this will NOT work.

Installation

We can use this script to install Snort3 onto our Debian Container

#!/bin/bash
# Small script to install Snort on Debian 11. Run as sudo

# Optional Packages are not included
sudo apt install -y gcc build-essential libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet autoconf libtool pkg-config

# Installing LibDAQ

mkdir ~/snort_src
cd ~/snort_src
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure --prefix=/usr/local/lib/daq_s3
sudo make install
cat /etc/ld.so.conf.d/libdaq3.conf /usr/local/lib/daq_s3/lib/
sudo ldconfig

# Building Snort
cd ~/snort_src
git clone https://github.com/snort3/snort3.git
export my_path='/opt/snort'
export PKG_CONFIG='/opt/snort'
mkdir -p $my_path
cd snort3
./configure_cmake.sh --prefix=$my_path
cd build
make -j $(nproc) 
make install

# Check if install is correct
echo "If you see a piggy, hit Ctrl+C"
$mypath/snort/bin/snort -V
$mypath/snort/bin/snort --daq-listbas