Snort is a free lightweight network intrusion detection system for both UNIX and Windows.
In this article, let us review how to install snort from source, write rules, and perform basic testing.
Sudo apt-get install cmake make gcc g flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev If your system uses Python 2.7, then you will also need to install the “python-ipaddress” package. Today you'll learn the Kali Linux live USB installation procedure and how boot Kali Linux from USB. By the end of this post, you'll have a USB drive with Kali Linux pre-installed that you can boot from any computer. You'll also learn the steps on how to boot your Windows or Mac computer from a USB.
1. Download and Extract Snort
Download the latest snort free version from snort website. Extract the snort source code to the /usr/src directory as shown below.
Note: We also discussed earlier about Tripwire (Linux host based intrusion detection system) and Fail2ban (Intrusion prevention framework)
2. Install Snort
Install Bison Kali Linux Update
Before installing snort, make sure you have dev packages of libpcap and libpcre.
Follow the steps below to install snort.
3. Verify the Snort Installation
Verify the installation as shown below.
4. Create the required files and directory
You have to create the configuration file, rule file and the log directory.
Create the following directories:
Create the following snort.conf and icmp.rules files:
The above basic rule does alerting when there is an ICMP packet (ping).
Following is the structure of the alert:
| Structure | Example |
|---|---|
| Rule Actions | alert |
| Protocol | icmp |
| Source IP Address | any |
| Source Port | any |
| Direction Operator | -> |
| Destination IP Address | any |
| Destination Port | any |
| (rule options) | (msg:”ICMP Packet”; sid:477; rev:3;) |
5. Execute snort
Execute snort from command line, as mentioned below.
Try pinging some IP from your machine, to check our ping rule. Following is the example of a snort alert for this ICMP rule.
Alert Explanation
A couple of lines are added for each alert, which includes the following:
- Message is printed in the first line.
- Source IP
- Destination IP
- Type of packet, and header information.
If you have a different interface for the network connection, then use -dev -i option. In this example my network interface is ppp0.
Execute snort as Daemon
Install Bison Kali Linux Free
Add -D option to run snort as a daemon.
Additional Snort information
- Default config file will be available at snort-2.8.6.1/etc/snort.conf
- Default rules can be downloaded from: http://www.snort.org/snort-rules
Install Kali Linux On Laptop
If you enjoyed this article, you might also like..
Next post: RAID 0, RAID 1, RAID 5, RAID 10 Explained with Diagrams
Previous post: How to Register RHEL/OEL Linux to Oracle Support (ULN) using up2date