snort basic setup debian

This is a basic Snort HOWTO for debian based systems. I have tested this procedure on debian 6.* and ubuntu 10.04.

~# apt-get install snort
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libprelude2 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
  snort-doc
The following NEW packages will be installed:
  libprelude2 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,688 kB of archives.
After this operation, 11.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y


Set your home network (HOME_NET) in CIDR notation on the ncurses screen and hit OK.

Hint: A machine with two IP addresses that does not route traffic or protect a multi-host network (i.e. a lone dedicated server) would use as HOME_NET something like: 192.0.2.222/32 , 192.0.2.223/32

Once installed, Snort starts on the most obvious interface, logging alerts to /var/log/snort/alert
and the packet captures corresponding to those alerts to
/var/log/snort/tcpdump.log.epoch, where epoch is the UNIX timestamp at which Snort opened that capture file.

Basic settings like the home network or the network interface monitored by Snort should be changed in
/etc/snort/snort.debian.config and then applied with
~# dpkg-reconfigure snort


If some of your daemons are listening on non-standard ports, change the corresponding port settings in /etc/snort.conf.

Let's test Snort by scanning the sensor from another host (ares):
ares:~# nmap -p 1000-1011 192.0.2.222

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-20 08:50 UTC
Interesting ports on archimedes.ipduh.com (192.0.2.222):
PORT     STATE  SERVICE
1000/tcp closed cadlock
1001/tcp closed unknown
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown
1005/tcp closed unknown
1006/tcp closed unknown
1007/tcp closed unknown
1008/tcp closed ufsd
1009/tcp closed unknown
1010/tcp closed unknown
1011/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
ares:~#

On the host running Snort:
# tail -f /var/log/snort/alert
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/20-08:52:29.521561 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33835 IpLen:20 DgmLen:28
Type:8  Code:0  ID:60029   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 
05/20-08:52:29.846827 192.0.2.11 -> 192.0.2.222
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

OK, Snort works.

To look at the packet captures use tcpdump with the -r flag. For example, to see the packets behind the 08:52:29 alerts above:
# tcpdump -n -r /var/log/snort/tcpdump.log.1337458006 | grep 08:52:29
reading from file tcpdump.log.1337458006, link-type EN10MB (Ethernet)
08:52:29.521561 IP 192.0.2.11 -> 192.0.2.222: ICMP echo request, id 60029, seq 0, length 8
08:52:29.846827 IP 192.0.2.11 -> 192.0.2.222:  ip-proto-255 141
08:52:29.846828 IP 192.0.2.11 -> 192.0.2.222:  ip-proto-255 15
08:52:29.846829 IP 192.0.2.11 -> 192.0.2.222:  ip-proto-255 14

To look at the contents of the packets use:
# tcpdump -X -r /var/log/snort/tcpdump.log.1337458006
and if you do not need the timestamps use:
# tcpdump -t -X -r /var/log/snort/tcpdump.log.1337458006


To look up UNIX epoch timestamps you could use
http://ipduh.com/epoch/?1337458006
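As an added example (not part of this HOWTO and not Snort's or tcpdump's own code), the following Python script does the same alert-to-packet correlation without tcpdump: it reads the classic pcap format that /var/log/snort/tcpdump.log.epoch is written in, converts the epoch suffix of the file name to a date, and picks out the packets captured within a small window of an alert timestamp taken from /var/log/snort/alert. The pcap bytes are constructed inline so it runs offline; the year is an assumption (the default alert stamp carries none) and the sensor clock is assumed to be UTC, as in the session above.

```python
"""Correlate a Snort alert timestamp with packets in tcpdump.log.<epoch>.

Added example, not part of the original HOWTO. The pcap bytes are
constructed below so the script runs offline; on a real sensor pass the
log file and the alert timestamp as arguments:
    python3 correlate.py /var/log/snort/tcpdump.log.1337458006 05/20-08:52:29.521561
"""
import struct
import sys
from datetime import datetime, timezone

PCAP_MAGIC = 0xa1b2c3d4          # classic pcap, microsecond timestamps
PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def build_sample_pcap():
    """Construct a little-endian pcap with link type 1 (EN10MB) and three
    packets; the timestamps are assumed values chosen to match the 08:52:29
    alerts from the HOWTO, and the packet bodies are zero filler."""
    header = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = b''
    for sec, usec, length in [(1337503949, 521561, 42),    # ICMP echo request
                              (1337503949, 846827, 175),   # first portscan packet
                              (1337503951, 100, 60)]:      # unrelated, 1.5 s later
        body = b'\x00' * length
        records += struct.pack('<IIII', sec, usec, length, length) + body
    return header + records


def iter_packets(blob):
    """Yield (capture_time_as_epoch_float, packet_bytes) for each pcap record."""
    magic, = struct.unpack_from('<I', blob, 0)
    if magic == PCAP_MAGIC:
        endian = '<'
    elif magic == 0xd4c3b2a1:      # same magic read with the other byte order
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (magic 0x%08x)' % magic)
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset + PCAP_RECORD_HEADER_LEN <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + 'IIII', blob, offset)
        offset += PCAP_RECORD_HEADER_LEN
        yield sec + usec / 1e6, blob[offset:offset + incl_len]
        offset += incl_len


def log_start_time(path):
    """The numeric suffix of tcpdump.log.<epoch> is the UNIX time at which
    Snort opened that log file; return it as an aware UTC datetime."""
    epoch = int(path.rsplit('.', 1)[1])
    return datetime.fromtimestamp(epoch, timezone.utc)


def alert_stamp_to_epoch(stamp, year):
    """Convert a default-format alert stamp such as '05/20-08:52:29.521561'
    to an epoch float. The stamp carries no year, so the caller supplies
    one (assumption); the sensor clock is assumed to be UTC."""
    dt = datetime.strptime('%d/%s' % (year, stamp), '%Y/%m/%d-%H:%M:%S.%f')
    return dt.replace(tzinfo=timezone.utc).timestamp()


def packets_near(blob, stamp, year, window=0.5):
    """Return the (time, bytes) records captured within `window` seconds of
    the alert stamp. Snort stamps the alert and the logged packet with the
    same time, so a small window is enough."""
    target = alert_stamp_to_epoch(stamp, year)
    return [(ts, pkt) for ts, pkt in iter_packets(blob) if abs(ts - target) <= window]


if __name__ == '__main__':
    if len(sys.argv) == 3:
        path, stamp = sys.argv[1], sys.argv[2]
        blob = open(path, 'rb').read()
        year = log_start_time(path).year   # wrong only if the log spans New Year
    else:
        path, stamp, year = 'tcpdump.log.1337458006', '05/20-08:52:29.521561', 2012
        blob = build_sample_pcap()
        print('using constructed sample pcap')
    print('%s opened at %s' % (path, log_start_time(path).isoformat()))
    for ts, pkt in packets_near(blob, stamp, year):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print('%s  %d bytes captured' % (when, len(pkt)))
```

Only the pcap headers are interpreted here; decoding the Ethernet and IP payloads is what tcpdump -X does for you. The 0.5 s default window is generous on purpose, so that the packets of a multi-packet event such as the portscan above are returned together with the packet that triggered the alert.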

Do not worry about log rotation. The debian package takes care of that.

To produce a statistics report from an alert file you could use snort-stat, e.g.
# snort-stat < /var/log/snort/alert
Such a report is mailed daily to root or to another user set in
/etc/snort/snort.debian.config

While reading /etc/snort.conf you will most probably find that many of the rules shipped with Snort do not apply to your hosts.

Watch the alerts for a while, then find and remove the rules that pollute them.
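To see which rules are polluting the alert file you need a count per signature, which snort-stat gives you; as an added example (not snort-stat and not Snort code) here is a small Python parser for the "full" alert format shown in the tail -f output above. It splits the file into records, pulls out the generator/signature ids, message, classification, priority, timestamp and addresses, and counts alerts per signature and per source. The sample text is constructed from the two alerts above plus one more.

```python
"""Parse a Snort 'full' format alert file and summarise it by signature.

Added example, not part of the original HOWTO. Run it on a real file with
    python3 alertstats.py /var/log/snort/alert
or with no argument to use the constructed sample below.
"""
import re
import sys
from collections import Counter

# Constructed sample in the same layout as /var/log/snort/alert: the two
# alerts from the HOWTO plus a second NMAP ping from another address.
SAMPLE_ALERTS = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-08:52:29.521561 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33835 IpLen:20 DgmLen:28
Type:8  Code:0  ID:60029   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
05/20-08:52:29.846827 192.0.2.11 -> 192.0.2.222
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-09:10:02.000001 198.51.100.7 -> 192.0.2.222
ICMP TTL:40 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1   Seq:0  ECHO
"""

# Record header: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
PRIO_RE = re.compile(r'\[Priority: (\d+)\]')
CLASS_RE = re.compile(r'\[Classification: ([^\]]+)\]')
# Timestamp line: MM/DD-HH:MM:SS.uuuuuu src -> dst (addresses may carry :port)
ADDR_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$')


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue                      # not a record header, skip it
        gid, sid, rev, msg = m.groups()
        rec = {'gid': int(gid), 'sid': int(sid), 'rev': int(rev), 'msg': msg,
               'priority': None, 'classification': None,   # portscan alerts carry no classification
               'timestamp': None, 'src': None, 'dst': None}
        for line in lines[1:]:
            p = PRIO_RE.search(line)
            if p:
                rec['priority'] = int(p.group(1))
            c = CLASS_RE.search(line)
            if c:
                rec['classification'] = c.group(1)
            a = ADDR_RE.match(line)
            if a:
                rec['timestamp'], rec['src'], rec['dst'] = a.groups()
        records.append(rec)
    return records


def summarise(records):
    """Count alerts per 'gid:sid message' and per source address (IPv4
    assumed, so a trailing :port is stripped), most frequent first."""
    by_sig = Counter('%d:%d %s' % (r['gid'], r['sid'], r['msg']) for r in records)
    by_src = Counter(r['src'].rsplit(':', 1)[0] for r in records if r['src'])
    return by_sig, by_src


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    recs = parse_alerts(text)
    by_sig, by_src = summarise(recs)
    print('%d alerts' % len(recs))
    for sig, n in by_sig.most_common():
        print('%6d  %s' % (n, sig))
    for src, n in by_src.most_common():
        print('%6d  from %s' % (n, src))
```

The gid:sid pair printed next to each count is the key you need to find the rule in the files under /etc/snort/rules (sid is unique within a generator), so the top of the per-signature list is the short list of rules to review. The per-source list tells you whether a noisy signature is one scanner or genuinely broad traffic.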

If you register at snort.org you could get the Snort Vulnerability Research Team Certified Rules free of charge 30 days after their initial release to paid subscribers.

You could use MySQL or PostgreSQL to log alerts and packet captures, and there are packages that provide a web interface to the alerts database. The one I am familiar with sucks so I am not going to provide a setup HOWTO or even mention its name. At snort.org/docs you will find a comparison of popular Snort GUIs and more useful information.
