Thursday, September 24, 2015

Installing Snort Intrusion Detection System in Linux

In the last articles, I explained:

What is a Firewall?
What is Intrusion Detection System?
How to configure Firewalls in Linux?

I also explained few attacks like:

What is ARP Spoofing?
How to detect ARP Spoofing attack in your system?

In this article, I will explain how to install an Intrusion Detection System in your system.
I am using a Linux system here. Linux has the advantage of being open source, which leaves plenty of room for experimentation.

An Intrusion Detection System inspects all inbound and outbound traffic in your system and detects suspected attacks. In this article, I will show how to install Snort Intrusion Detection System in your Linux machine.

So, let's start.

1. Install LAMP Server :

The LAMP stack is Linux, Apache, MySQL and PHP. We need it for the Snort IDS back end and its web front end. To install it, first install tasksel and then the lamp-server task.

# sudo apt-get install tasksel
# sudo tasksel install lamp-server

You will be prompted for the MySQL root password during the installation. Choose a password and remember it; you will need it again later.

2. Create Snort Database :

Follow the steps below to create the snort database:

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.5.44-0ubuntu0.12.04.1 (Ubuntu)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snort;
Query OK, 1 row affected (0.05 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
mysql> quit

3. Install Snort :

Now, install snort by typing:

# sudo apt-get -y install snort-mysql

During installation, provide the address range of your local network. Choose to configure the Snort database manually so that it connects to the database created above.

4. Configure Snort :

Load the Snort table structure into the database:

# pushd /usr/share/doc/snort-mysql
# sudo zcat create_mysql.gz | mysql -u snort -p snort
# popd

Modify the Snort configuration file to add the MySQL output settings (replace <password> with the password of the snort database user). The command comments out the tcpdump logger and adds the database output plugin in its place:

# sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=<password> dbname=snort host=localhost/" /etc/snort/snort.conf

Remove the pending-configuration file left behind by the package installer:

# sudo rm -rf /etc/snort/db-pending-config

On Debian or Ubuntu, also check /etc/snort/database.conf for the correct database, user, password and host values.

You might also have to change 'ipvar HOME_NET any' in /etc/snort/snort.conf to your home subnet, like:

ipvar HOME_NET in /etc/snort/snort.conf
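As an added example (not code from the original post), the following POSIX shell script makes the two step-4 edits in an idempotent way and then checks them. The sample snort.conf it writes is constructed; the subnet, the password and the awk-based editing are my assumptions, and because the database password ends up inside the config file the script also drops world-read permission on it.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies the two snort.conf edits
# from step 4 (HOME_NET scoping and the MySQL output plugin) idempotently, then
# verifies them. Assumes the stock lines "ipvar HOME_NET any" and
# "output log_tcpdump: tcpdump.log"; the sample config below is constructed.

# write_sample_conf PATH: constructed minimal stand-in for /etc/snort/snort.conf
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
output log_tcpdump: tcpdump.log
include $RULE_PATH/local.rules
EOF
}

# configure_snort_conf PATH HOME_NET DB_PASSWORD
configure_snort_conf() {
    conf=$1; tmp="$1.tmp"
    # awk -v interprets backslash escapes, so keep the password free of "\".
    awk -v net="$2" -v pw="$3" '
        # Scope HOME_NET to the local subnet so rules match the right traffic.
        $0 == "ipvar HOME_NET any" { print "ipvar HOME_NET " net; next }
        # Replace the tcpdump logger with the MySQL output plugin, once only.
        $0 == "output log_tcpdump: tcpdump.log" && !done {
            print "#" $0
            print "output database: log, mysql, user=snort password=" pw " dbname=snort host=localhost"
            done = 1; next
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # keeps owner/mode of the original
    rm -f "$tmp"
    chmod o-r "$conf"   # the DB password now lives in this file
}

# verify_snort_conf PATH: returns 0 if the step-4 edits are in place, 1 otherwise
verify_snort_conf() {
    conf=$1
    if grep -q '^ipvar HOME_NET any$' "$conf"; then
        echo "HOME_NET is still 'any'" >&2; return 1
    fi
    if ! grep -q '^output database: log, mysql, user=' "$conf"; then
        echo "MySQL output plugin not configured" >&2; return 1
    fi
    if grep -q '^output log_tcpdump:' "$conf"; then
        echo "tcpdump logger still active" >&2; return 1
    fi
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "config is world-readable but contains the DB password" >&2; return 1
    fi
    return 0
}
```

Run it against a copy of your real snort.conf first; the exact-line matching means a file that was already edited by hand is left untouched rather than edited twice.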

5. Start Snort service :

# sudo /etc/init.d/snort start
# sudo /etc/init.d/snort status
# tail /var/log/syslog

Snort should start successfully.
If it fails, run the following command in the foreground to find the actual cause of the error:

# sudo /usr/sbin/snort -c /etc/snort/snort.conf -i eth0

You may have to specify the proper network interface for your system instead of eth0.

6. Install ACID :

We need a web front end to monitor Snort's output. ACID (packaged on Ubuntu as acidbase, which ships its successor BASE) serves that purpose.
Follow these steps to install it.

# sudo apt-get -y install acidbase

During installation, select MySQL as the database and enter the MySQL administrator password.

7. Configure ACID :

Now we need to configure ACID so that its web interface is reachable from your machine.

# sudo sed -i "s#allow\ from\\ from\\" /etc/acidbase/apache.conf

You would need to give your IP instead of
This step will allow access to acidbase from your desktop.

Restart Apache server for the changes to take effect.

# sudo /etc/init.d/apache2 restart

8. Final Touch :

Finally, you would need to access acidbase web front-end and configure it.
Open your browser and type:


Select the button which says, “Create BASE AG” and return to main page.

9. Some Testing :

You can now do some basic testing.
Open your terminal and type:

# sudo nmap -p1-65535 -sV -sS -O

Now refresh the acidbase page. You should see the events generated by the port scan in the acidbase front end.

You may also want to install and configure Oinkmaster to automate rule updates and receive the latest rules for Snort. Visit the Snort website for instructions.

So, that was all about installation of Snort Intrusion Detection System in your Linux machine.
These are some simple steps to perform, but good enough for your system to stay protected!

So, stay safe, stay protected!
