Installing and Using Snort Intrusion Detection System to Protect Servers and Networks

Chưa phân loại

After setting up any server among the first usual steps linked to security are the firewall, updates and upgrades, ssh keys, hardware devices. But most sysadmins don’t scan their own servers to discover weak points as explained with OpenVas or Nessus, nor do they setup honeypots or an Intrusion Detection System (IDS) which is explained below.

There are several IDS in the market and the best are free, Snort is the most popular, I only know Snort and OSSEC and I prefer OSSEC over Snort because it eats less resources but I think Snort is still the universal one. Additional options are: Suricata , Bro IDS, Security Onion.

The most official research on IDS effectivity is pretty old, from 1998, the same year in which Snort was initially developed, and was carried out by DARPA, it concluded such systems were useless before  modern attacks. After 2 decades, IT evolved at geometric progression, security did too and everything is almost up to date, adopting IDS is helpful for every sysadmin.

Snort IDS

Snort IDS works in 3 different modes, as sniffer, as packet logger and network intrusion detection system.  The last one is the most versatile for which this article is focused.

Installing Snort

apt-get install libpcap-dev bison flex

Then we run:

apt-get install snort

In my case the software is already installed, but it wasn’t by default, that’s how it was installed on Kali (Debian).

Getting started with Snort’s sniffer mode

The sniffer mode reads the network’s traffic and displays the translation for a human viewer.
In order to test it type:

# snort -v

This option should not be used normally, displaying the traffic requires too much resources, and it is applied only to show the command’s output.

In the terminal we can see headers of traffic detected by Snort between the pc, the router and internet. Snort also reports the lack of policies to react to the detected traffic.
If we want Snort to show the data too type:

# snort -vd

To show the layer 2 headers run:

# snort -v -d -e

Just like the “v” parameter, “e” represents a waste of resources too, it’s usage should be avoided for production.

Getting started with Snort’s Packet Logger mode

In order to save Snort’s reports we need to specify to Snort a log directory, if we want Snort to show only headers and log the traffic on the disk type:

# mkdir snortlogs
# snort -d -l snortlogs

The log will be saved inside snortlogs directory.

If you want to read the log files type:

# snort -d -v -r logfilename.log.xxxxxxx

Getting started with Snort’s Network Intrusion Detection System (NIDS) mode

With the following command Snort reads the rules specified in the file /etc/snort/snort.conf to filter the traffic properly, avoiding reading the whole traffic and focusing on specific incidents
referred in the snort.conf through customizable rules.

The parameter “-A console” instructs snort to alert in the terminal.

# snort -d -l snortlog -h -A console -c snort.conf

Thank you for reading this introductory text to Snort’s usage.

ONET IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, ONET IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

Upgrade Ubuntu From Command Line

Ubuntu is a popular Linux distribution for home usage as well as enterprise users.  Many users of Ubuntu rely on the Graphical...

How to install Qmmp 1.1.9 – Winamp Like Music Player on Linux

Qmmp 1.1.9 recently released, is a audio media player that was written with the help of the Qt library hence making it...
Chưa phân loại

How to Install MyPaint 1.2.1 on Ubuntu, Linux Mint

MyPaint 1.2.1 latest release, is a fast and easy open-source graphics application for digital painters. It lets you focus...
Chưa phân loại