Installing and Using Snort Intrusion Detection System to Protect Servers and Networks

28/12/2020
Chưa phân loại

After setting up any server among the first usual steps linked to security are the firewall, updates and upgrades, ssh keys, hardware devices. But most sysadmins don’t scan their own servers to discover weak points as explained with OpenVas or Nessus, nor do they setup honeypots or an Intrusion Detection System (IDS) which is explained below.

There are several IDS in the market and the best are free, Snort is the most popular, I only know Snort and OSSEC and I prefer OSSEC over Snort because it eats less resources but I think Snort is still the universal one. Additional options are: Suricata , Bro IDS, Security Onion.

The most official research on IDS effectivity is pretty old, from 1998, the same year in which Snort was initially developed, and was carried out by DARPA, it concluded such systems were useless before  modern attacks. After 2 decades, IT evolved at geometric progression, security did too and everything is almost up to date, adopting IDS is helpful for every sysadmin.

Snort IDS

Snort IDS works in 3 different modes, as sniffer, as packet logger and network intrusion detection system.  The last one is the most versatile for which this article is focused.

Installing Snort

apt-get install libpcap-dev bison flex

Then we run:

apt-get install snort

In my case the software is already installed, but it wasn’t by default, that’s how it was installed on Kali (Debian).


Getting started with Snort’s sniffer mode

The sniffer mode reads the network’s traffic and displays the translation for a human viewer.
In order to test it type:

# snort -v

This option should not be used normally, displaying the traffic requires too much resources, and it is applied only to show the command’s output.


In the terminal we can see headers of traffic detected by Snort between the pc, the router and internet. Snort also reports the lack of policies to react to the detected traffic.
If we want Snort to show the data too type:

# snort -vd

To show the layer 2 headers run:

# snort -v -d -e

Just like the “v” parameter, “e” represents a waste of resources too, it’s usage should be avoided for production.


Getting started with Snort’s Packet Logger mode

In order to save Snort’s reports we need to specify to Snort a log directory, if we want Snort to show only headers and log the traffic on the disk type:

# mkdir snortlogs
# snort -d -l snortlogs

The log will be saved inside snortlogs directory.

If you want to read the log files type:

# snort -d -v -r logfilename.log.xxxxxxx


Getting started with Snort’s Network Intrusion Detection System (NIDS) mode

With the following command Snort reads the rules specified in the file /etc/snort/snort.conf to filter the traffic properly, avoiding reading the whole traffic and focusing on specific incidents
referred in the snort.conf through customizable rules.

The parameter “-A console” instructs snort to alert in the terminal.

# snort -d -l snortlog -h 10.0.0.0/24 -A console -c snort.conf

Thank you for reading this introductory text to Snort’s usage.

ONET IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, ONET IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

How to Setup Docker Machine with VMware Workstation

Docker Machine is a tool to manage multiple Docker hosts/machines remotely from a single computer. You can also create...
29/12/2020

Logrotate Ubuntu Tutorial

How to use Logrotate on Ubuntu Logrotate is a a system utility tool that is used to manage log files on Ubuntu. When a...
28/12/2020

How to install Qt 5.9.1 (Qt Creator 4.3.1 included) on Ubuntu 17.04

Qt 5.9.1 the most recent release, is a cross-platform application framework that is widely used for developing apps with...
28/12/2020
Bài Viết

Bài Viết Mới Cập Nhật

Hướng dẫn fake ip bằng phần mềm SStap
10/06/2025

VPS treo game là gì? Thuê VPS treo game giá rẻ, không lo giật lag
02/06/2025

 BitBrowser – Best Anti-Detect Browser!
26/05/2025

Dịch Vụ Xây Dựng Hệ Thống Peering Với Internet Exchange (IXP)
04/04/2025

Dịch Vụ Triển Khai VPN Site-to-Site & Remote Access
04/04/2025