In today’s digital landscape, cybersecurity is of paramount importance for businesses. With the increasing prevalence of cyber threats, organizations need robust intrusion detection systems to protect their networks from potential attacks. Snort, an open-source Intrusion Detection and Prevention System (IDS/IPS), is a reliable choice to defend against DDoS attacks, malware infections, compromised systems, and network policy violations. In this comprehensive guide, we will walk you through the step-by-step process of installing and configuring Snort 3 on Ubuntu 22.04, empowering you to enhance the security of your network.

1. Introduction to Snort

Snort is an Open Source Intrusion Detection and Prevention System (IDS/IPS) that detects and defends against a wide range of network-based attacks. It analyzes network traffic in real-time, identifying malicious activity based on predefined rules, and generates alerts to notify users. With features like real-time traffic monitoring, packet logging, protocol analysis, and OS fingerprinting, Snort proves to be a versatile and effective security solution for any network environment.

2. Prerequisites

Before diving into the installation process, ensure that you have the following prerequisites in place:

• A server running Ubuntu 22.04
• A root password configured on the server

3. Installing Required Dependencies

To begin the installation process, you need to install several dependencies on your Ubuntu 22.04 server. Open a terminal and enter the following command to install all the necessary dependencies:

apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y

4. Installing Snort DAQ

Next, you need to install the Data Acquisition (DAQ) library, which is a prerequisite for Snort. By default, the DAQ library is not available in the Ubuntu default repository, so you will have to compile it from source. Follow the steps below to install Snort DAQ:

• Download the Snort DAQ source code from Git by running the following command:

git clone https://github.com/snort3/libdaq.git

• Once the download is complete, navigate to the downloaded directory and configure it using the following commands:

cd libdaq
./bootstrap
./configure

• Compile and install Snort DAQ by running the following commands:

make
make install

5. Installing Gperftools

Gperftools is a set of performance analysis tools that Snort uses. To install Gperftools, follow the steps below:

• Download the latest version of Gperftools by running the following command:

cd
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz

• Once the download is complete, extract the downloaded file using the following command:

tar xzf gperftools-2.9.1.tar.gz

• Navigate to the extracted directory and compile Gperftools by running the following commands:

cd gperftools-2.9.1/
./configure
make
make install

6. Installing Snort

Now it’s time to install Snort itself. Follow the steps below:

• Download the latest version of Snort by running the following command:

cd
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.43.0.tar.gz

• Extract the downloaded file using the following command:

tar -xvzf 3.1.43.0.tar.gz

• Navigate to the extracted directory and configure Snort by running the following commands:

cd snort 3-3.1.43.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
make
make install
ldconfig

• Verify the Snort version by running the following command:

snort -V

7. Configuring Snort

Before you can start using Snort, you need to configure it. Follow the steps below:

• Set your network interface to promiscuous mode so that Snort can analyze all network traffic by running the following command:

ip linkset dev eth0 promisc on

• Verify that the interface is set to promiscuous mode by running the following command:

ip add sh eth0

• Disable Interface Offloading to ensure accurate packet analysis. Check if this feature is enabled by running the following command:

ethtool -k eth0 | grep receive-offload

• Disable Interface Offloading by running the following command:

ethtool -K eth0 gro off lro off

8. Creating a Systemd Service File for Snort NIC

To start Snort automatically on boot, you can create a systemd service file for Snort NIC. Follow the steps below:

• Open the systemd service file for Snort NIC using the following command:

nano /etc/systemd/system/snort3-nic.service

• Add the following lines to the file:

[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev eth0 promisc on
ExecStart=/usr/sbin/ethtool -K eth0 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target

• Save and close the file.
• Reload the systemd daemon to apply the changes by running the following command:

systemctl daemon-reload

• Start and enable the Snort NIC service by running the following commands:

systemctl start snort3-nic.service
systemctl enable snort3-nic.service

• Check the status of the Snort NIC service by running the following command:

systemctl status snort3-nic.service

9. Installing Snort Rules

Snort relies on rules to detect and respond to network-based attacks. Follow the steps below to install Snort rules:

• Create a directory to store all the rules by running the following command:

mkdir /usr/local/etc/rules

• Download the community rules using the following command:

wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz-C /usr/local/etc/rules/

• Edit the Snort main configuration file using the following command:

nano /usr/local/etc/snort/snort.lua

• Define your network by modifying the HOME_NET variable. For example:

HOME_NET = '192.168.0.0/16'
EXTERNAL_NET = '!$HOME_NET'

• Define the Snort rules path by modifying the rules variable. For example:

rules = [[ include/usr/local/etc/rules/snort3-community-rules/snort3-community.rules ]]

• Save and close the file.

10. Installing Snort OpenAppID

Snort OpenAppID is a plugin that allows Snort to detect various applications, such as Facebook, Netflix, Twitter, and Reddit, within network traffic. Follow the steps below to install Snort OpenAppID:

• Download Snort OpenAppID using the following command:

wget https://www.snort.org/downloads/openappid/26425 -O OpenAppId-26425.tgz

• Extract the downloaded file using the following command:

tar -xzvf OpenAppId-26425.tgz

• Copy the OpenAppID binary file to the system directory using the following command:

cp -R odp /usr/local/lib/

• Edit the Snort configuration file and specify the location of OpenAppID by running the following command:

nano /usr/local/etc/snort/snort.lua

• Modify the appid variable as follows:

appid = {
app_detector_dir = '/usr/local/lib',
log_stats = true,
}

• Save and close the file.
• Create a Snort log directory using the following command:

mkdir /var/log/snort

• Verify the Snort configuration by running the following command:

snort -c /usr/local/etc/snort/snort.lua

11. Creating Snort Custom Rules

In addition to the pre-defined rules, you can create your own custom rules in Snort. Let’s create a custom rule for detecting incoming ICMP requests:

• Open the local rules file using the following command:

nano /usr/local/etc/rules/local.rules

• Add the following line to the file:

alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)

• Verify the rules by running the following command:

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

12. Creating a Systemd Service File for Snort

To manage Snort as a service using systemd, you can create a systemd service file. Follow the steps below:

• Create the systemd service file using the following command:

nano /etc/systemd/system/snort3.service

• Add the following configurations to the file:

Save and close the file.

• Reload the systemd daemon with the following command:

systemctl daemon-reload

• Start and enable the Snort service by running the following commands:

systemctl enable hw --now snort3

• Check the status of the Snort service by running the following command:

systemctl status snort3

13. Conclusion

Congratulations! You have successfully installed and configured Snort 3, a powerful Intrusion Detection System, on your Ubuntu 22.04 server. With Snort in place, you can now proactively monitor your network for potential threats and mitigate them effectively. Remember to regularly update your Snort rules and customize them to suit your specific security needs. By employing Snort as part of your cybersecurity arsenal, you can enhance the protection of your network and ensure the integrity and confidentiality of your data.

Shape.host, a leading Cloud VPS provider, offers scalable and secure hosting solutions to businesses of all sizes. With our reliable and high-performance infrastructure, you can deploy Snort and other essential security tools with ease. Safeguard your network and achieve peace of mind by choosing Shape.host as your trusted hosting partner. Visit us at Shape.host to explore our services and take your cybersecurity to the next level.