Snort can be downloaded in rpm format from a variety of sites. It has a long list of dependencies unless you get a version 1.8.2 or newer, which only requires libpcap. On my system, I had to install with the --no-deps flag because it didn't recognize that libpcap.so.0 was already installed.

Installation provides the Snort binary in /usr/sbin and the configuration files in /etc/snort.

Configuration

The configuration consists of two major files, /etc/snort/snort.conf and /etc/snort/classification.config, and a large number of rulesets files named /etc/snort/*.rules. The rule files are included by snort.conf, as is the classification.config file.

You would begin by configuring snort.conf by providing information about system variables. The format is:

var VAR_NAME value

Here are the changes you need to make:

1. Change the HOME_NET to something that represents your local network address and subnet mask:
   var HOME_NET 192.68.1/24

2. Change external net to be anything else:
   var EXTERNAL_NET !$HOME_NET

3. Change DNS_SERVERS to reflect you configuration:
   var DNS_SERVERS [192.68.1.10/32,192.68.1.250/32]

4. Uncomment the line:
   

      #preprocessor portscan-ignorehosts: $DNS_SERVERS. 
         

5. In the Output-Plugin section find the line for classification.config and change the path to:
   

    
      include /etc/snort/classification.config
      

6. In the rules sections, change the rule include paths to reflect the actual path, which should be /etc/snort/. Remove the comment indicator on any other rulesets you want to include.

The comments in the file will lead you through the majority of the configuration.

The classification.config file is a list of problem classifications in the form:

config classification:shortname,description,priority

where the priority is a numeric value. For now, you shouldn't have to worry about this.

The rules in the ruleset files have the form:

Running Snort

Snort has a lengthy list of options that control its operation, but you might start with the command:

snort -l /var/log/snort -c /etc/snort/snort.conf -o -b -A fast -z est

Option		Meaning
-l /var/log/snort		Where to write the output; /var/log/snort is the default.
-c /etc/snort/snort.conf		Where to find the configuration file.
-o		Set the order of the rule application to Pass -> Alert -> Log.
-b		Log packets in tcpdump format.
-A fast		Set the alert mode to fast which limits the amount of information provided.
-z est		Use stateful inspection which makes it harder to spoof Snort.

Snort Reports

Snort can report a huge amount of information, but it does so in a very organized fashion. If you look in /var/log/snort you will see several files and directories. It nicely writes a directory for every new IP address that is involved in communication with your system for any reason. For example, you might see a directory named 192.68.1.14. In these directories, you will see files that are named as:

protocol:sourceport-destport

For example, if host 192.68.1.10 connected using TCP from port 16785 to your telnet port, you would see:

TCP:16785-23

This makes it much easier to identify hosts or particular activity.

The reports provide much of the packet sniffer information and a short comment from Snort. For example,

[**] RPC portmap request rstatd [**]
11/21-12:22:25.700000 153.90.199.47:752 -> 153.90.199.29:111
UDP TTL:30 TOS:0x0 ID:55866 IpLen:20 DgmLen:84
Len: 64
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
   

/var/log/snort also contains a file named alert that has potential problems as idenfied by Snort. For example,

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.68.1.18    (THRESHOLD 4
connections exceeded in 0 seconds) [**]
11/21-11:53:29.000562
   

[**] [1:1325:1] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected] [Priority: 1]
11/21-12:00:00.820000 153.90.199.77:48648 -> 153.90.199.78:22
TCP TTL:64 TOS:0x0 ID:38171 IpLen:20 DgmLen:684 DF
***AP*** Seq: 0x578717D9  Ack: 0x5A0E1D22  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 53183252 51411677
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?na
   

Updating Rulesets

There are groups that update the rulesets for Snort on a regular basis. These rulesets can be downloaded from:

• http://www.snort.org/snort-files.htm#Rules
• http://dev.whitehats.com/ids/vision.conf

The latter site updates their rulesets hourly to reflect the latest information.

You can download and install a script to automatically update your rules via a cron job from

http://www.linuxsecurity.com/programs/snort-update