~# apt-get install snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libprelude2 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
  snort-doc
The following NEW packages will be installed:
  libprelude2 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,688 kB of archives.
After this operation, 11.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Set your home network (HOME_NET) in CIDR notation on the ncurses screen and hit OK.
Hint: a machine with two IP addresses that does not route traffic or protect a multi-host network, i.e. a lonely dedicated server, would use as HOME_NET something like: 192.0.2.222/32, 192.0.2.223/32
Once installed, snort starts on the interface chosen during installation (eth0 by default), logging alerts to /var/log/snort/alert
and the packet captures corresponding to those alerts to the same directory, in tcpdump.log files suffixed with the UNIX timestamp at which Snort created them.
Basic settings such as the home network or the interface monitored by snort live in
/etc/snort/snort.debian.conf; change them there and then apply them with

~# dpkg-reconfigure snort
If some of your daemons listen on non-standard ports, change the corresponding port variables (HTTP_PORTS, SSH_PORTS and friends) in /etc/snort/snort.conf and restart snort; otherwise the rules that key on those ports will never see that traffic.
Let's test Snort:

ares:~# nmap -p 1000-1011 192.0.2.222

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-20 08:50 UTC
Interesting ports on archimedes.ipduh.com (192.0.2.222):
PORT     STATE  SERVICE
1000/tcp closed cadlock
1001/tcp closed unknown
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown
1005/tcp closed unknown
1006/tcp closed unknown
1007/tcp closed unknown
1008/tcp closed ufsd
1009/tcp closed unknown
1010/tcp closed unknown
1011/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
ares:~#

On the host running Snort:
# tail -f /var/log/snort/alert
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-08:52:29.521561 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33835 IpLen:20 DgmLen:28
Type:8  Code:0  ID:60029   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
05/20-08:52:29.846827 192.0.2.11 -> 192.0.2.222
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

OK, Snort works. The first alert is rule 1:469 matching nmap's ICMP host-discovery ping; the second comes from the sfPortscan preprocessor (generator 122), which noticed the burst of connection attempts to closed ports.
To look at the packet captures use tcpdump with the -r flag. For example:
# tcpdump -n -r /var/log/snort/tcpdump.log.1337458006 | grep 08:52:29
reading from file tcpdump.log.1337458006, link-type EN10MB (Ethernet)
08:52:29.521561 IP 192.0.2.11 > 192.0.2.222: ICMP echo request, id 60029, seq 0, length 8
08:52:29.846827 IP 192.0.2.11 > 192.0.2.222: ip-proto-255 141
08:52:29.846828 IP 192.0.2.11 > 192.0.2.222: ip-proto-255 15
08:52:29.846829 IP 192.0.2.11 > 192.0.2.222: ip-proto-255 14

The three ip-proto-255 records are not traffic from the scanner: they are the pseudo-packets the portscan preprocessor writes to carry its scan summary, which is why they appear at the portscan alert's timestamp.

To look at the contents of the packets (hex and ASCII) use:
# tcpdump -X -r /var/log/snort/tcpdump.log.1337458006

and if you do not need the timestamps use:

# tcpdump -t -X -r /var/log/snort/tcpdump.log.1337458006
To look up UNIX epoch timestamps such as the 1337458006 suffix above you could use
Do not worry about log rotation; the Debian package takes care of that.
To produce a statistics report from an alert file you could use snort-stat like:

# snort-stat < /var/log/snort/alert

Such a report is mailed daily to root, or to another user set during installation (or later with dpkg-reconfigure snort).
While reading /etc/snort/snort.conf and the rules files it includes you will most probably find that a lot of the rules shipped with snort do not apply to you.
Look at the alerts for a while, find the rules that only pollute your alert file, and disable them: either comment them out in the rules files, or add suppress entries for their generator and signature IDs to /etc/snort/threshold.conf, which is kept separate from the rules and so survives rule updates.
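As an added example that is not part of the original howto, the POSIX shell script below does by hand what the snort-stat report and the pruning advice above call for: it counts alerts per signature and per source address in a Snort 2 full-format alert file like the one shown earlier, and turns the signatures that fire more than a chosen number of times into suppress lines for /etc/snort/threshold.conf. The alert file it reads is constructed inline from the alerts shown above (with a few extra copies so there is something to count); the function names and the threshold of 3 are my choices, not anything the Debian package ships. The last helper maps a tcpdump.log.<epoch> file name back to a date and assumes GNU date (the -d @epoch form), which is an assumption about the platform.

```shell
#!/bin/sh
# Added example, not from the original howto: summarise a Snort 2 alert file and
# generate threshold.conf suppress lines for the noisiest signatures. It assumes
# the full alert format written to /var/log/snort/alert:
#   [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: N]
#   MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
set -eu

# Constructed sample alert file standing in for /var/log/snort/alert.
SAMPLE_ALERT=$(mktemp)
trap 'rm -f "$SAMPLE_ALERT"' EXIT
cat > "$SAMPLE_ALERT" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-08:52:29.521561 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:33835 IpLen:20 DgmLen:28
Type:8  Code:0  ID:60029   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
05/20-08:52:29.846827 192.0.2.11 -> 192.0.2.222
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-09:01:02.000001 192.0.2.12 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1   Seq:0  ECHO

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-09:05:10.000002 192.0.2.11 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:2 IpLen:20 DgmLen:28
Type:8  Code:0  ID:2   Seq:0  ECHO

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/20-09:07:44.000003 192.0.2.12 -> 192.0.2.222
ICMP TTL:31 TOS:0x0 ID:3 IpLen:20 DgmLen:28
Type:8  Code:0  ID:3   Seq:0  ECHO
EOF

# Alerts per signature: "<count> <gid:sid:rev> <message>", noisiest first.
snort_sig_counts() {
    awk '
        $1 == "[**]" && $2 ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/ {
            id = substr($2, 2, length($2) - 2)          # strip the [ ]
            msg = $3
            for (i = 4; i < NF; i++) msg = msg " " $i   # up to the closing [**]
            n[id " " msg]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Alerts per source address: "<count> <src>", noisiest first.
snort_src_counts() {
    awk '
        NF == 4 && $3 == "->" {          # the timestamp line: ts src -> dst
            sub(/:[0-9]+$/, "", $2)      # drop a :port suffix if present
            s[$2]++
        }
        END { for (k in s) print s[k], k }
    ' "$1" | sort -rn
}

# threshold.conf suppress lines for signatures that fired at least $2 times.
# Append them to /etc/snort/threshold.conf and restart snort.
snort_suppress_lines() {
    snort_sig_counts "$1" | awk -v min="$2" '
        $1 >= min {
            split($2, id, ":")
            msg = $3
            for (i = 4; i <= NF; i++) msg = msg " " $i
            printf "# %d alerts: %s\nsuppress gen_id %s, sig_id %s\n", $1, msg, id[1], id[2]
        }'
}

# When a tcpdump.log.<epoch> capture was opened (assumes GNU date).
snort_capture_date() {
    date -u -d "@${1##*.}" +%Y-%m-%dT%H:%M:%SZ
}

echo "== alerts per signature =="
snort_sig_counts "$SAMPLE_ALERT"
echo "== alerts per source =="
snort_src_counts "$SAMPLE_ALERT"
echo "== suppress lines for signatures seen 3+ times =="
snort_suppress_lines "$SAMPLE_ALERT" 3
echo "== tcpdump.log.1337458006 was opened at =="
snort_capture_date /var/log/snort/tcpdump.log.1337458006 || echo "(needs GNU date)"
```

Run against the real file with snort_sig_counts /var/log/snort/alert. A blanket suppress silences a signature for everyone; if only one source is noisy, Snort's threshold.conf also accepts a per-address form (suppress gen_id 1, sig_id 469, track by_src, ip 192.0.2.11), which keeps the rule active for every other host.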
If you register at snort.org you can get the Snort Vulnerability Research Team (VRT) certified rules free of charge 30 days after their initial release to paid subscribers; oinkmaster, installed alongside snort above, is the tool for fetching and merging such rule updates.
You could use MySQL or PostgreSQL to log alerts and packet data, and there are packages that provide a web interface to the alerts database. The one I am familiar with sucks, so I am not going to provide a setup HOWTO or even mention its name. At snort.org/docs you will find a comparison of popular Snort GUIs and more useful information.
Snort Basic Setup