
Understanding and Installing Snort


by Chris Hurley - 9/3/00

Snort is a passive Intrusion Detection System (IDS) that is freely available to personal users. Snort is available at www.snort.org for pretty much every operating system. This article covers installation under Linux, specifically Slackware 7.1. Snort is an extremely powerful tool: the end user can customize the alert ruleset to the individual system on which Snort is installed.

After downloading snort.1.6.3.tar.gz, simply execute the following commands:

$ gunzip snort.1.6.3.tar.gz
$ tar -xvf snort.1.6.3.tar

This will create the snort.1.6.3 directory; cd into it. Snort requires that libpcap be installed on your system. If libpcap is not installed, you can download it from the Snort website. If you don't know whether libpcap is installed, execute the following command:

$ find / -name pcap.h -print

If pcap.h is not found, you must install libpcap before continuing.

After verifying or installing libpcap, su to root. Ensure that you are in the Snort directory by typing pwd. For all of its advantages, Snort is not very good at finding where you have libpcap installed. I have consistently had to point Snort toward libpcap. To do this, execute the following:

# ./configure --with-libpcap-includes=/where/pcap.h/is/located
# make
# make install

Snort is now installed on your system. Using Snort is easy, but you MUST be root. Type snort -dev at the prompt to see all of the packet traffic coming across your NIC. If you are on a high traffic network, this will scroll so fast that you will really not be able to read or understand anything.

You can create your own ruleset or use the ruleset creator that is located at snort.org. This way you are able to customize snort to log only the activity that you want logged. Snort can also be placed into a background daemon mode by issuing the command:

# snort -D -ev -l ./log -h 192.168.1.0/24

Here log is the directory where you want the log files to be stored and 192.168.1.0/24 is your network's address range.

The Usage file that is included in the download outlines the multitude of switches and configuration options that are available to the user. One further note. If you just want to log the traffic on one specific machine, the command is:

# snort -dev -l ./log -h 192.168.1.52/32
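The steps above, gathered into a small POSIX shell helper as an added example (this is not code from the article or from the Snort project): it locates pcap.h so the directory can be handed to --with-libpcap-includes, checks that the -h home-network argument is in CIDR form like the article's 192.168.1.0/24 and 192.168.1.52/32, and assembles the daemon-mode command while creating a root-only log directory. The function names, the search-root parameter and the chmod 700 on the log directory are my assumptions; the snort switches are the ones the article uses (-D daemon, -d application-layer data, -e link-layer headers, -v verbose, -l log directory, -h home network).

```shell
#!/bin/sh
# Added example, not the article's own commands. Function names, the
# search-root parameter and the log-directory permissions are assumptions.

# Locate the directory holding pcap.h so it can be passed to
# ./configure --with-libpcap-includes=... ; the search root is a parameter
# so the function can be pointed at / on a real system.
find_pcap_include_dir() {
    search_root="${1:-/}"
    hit=$(find "$search_root" -name pcap.h -print 2>/dev/null | head -n 1)
    [ -n "$hit" ] || return 1
    dirname "$hit"
}

# Check that a home-network argument for -h is a.b.c.d/prefix with each
# octet in 0-255 and the prefix in 0-32; a bare address without /prefix
# is rejected so a typo does not silently watch the wrong range.
valid_home_net() {
    cidr="$1"
    case "$cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    addr="${cidr%/*}"
    prefix="${cidr#*/}"
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    for o in $(printf '%s' "$addr" | tr '.' ' '); do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Build the daemon-mode command line from the article (-D daemon, -e
# link-layer headers, -v verbose, -l log directory, -h home network).
# The log directory is created root-only because Snort runs as root and
# writes captured packet contents into it (chmod 700 is my choice).
snort_daemon_cmd() {
    log_dir="$1"
    home_net="$2"
    valid_home_net "$home_net" || { echo "bad home net: $home_net" >&2; return 1; }
    { mkdir -p "$log_dir" && chmod 700 "$log_dir"; } || return 1
    printf 'snort -D -ev -l %s -h %s\n' "$log_dir" "$home_net"
}

# Configure, build and install, pointing configure at the located libpcap
# headers. Run as root from inside the unpacked snort.1.6.3 directory;
# this is not exercised by the checks below.
build_snort() {
    inc_dir=$(find_pcap_include_dir /) || {
        echo "pcap.h not found; install libpcap first" >&2
        return 1
    }
    ./configure --with-libpcap-includes="$inc_dir" && make && make install
}
```

Pass the unpacked source directory's parent, or simply /, as the first argument to find_pcap_include_dir; on a real system the find over / takes a while, exactly as the article's one-liner does. snort_daemon_cmd only prints the command, so you can review it before running it as root.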

Snort is a very powerful and easily customizable tool that will help you determine if and when an attack is attempted on your network. The rule creator that is on the snort website will help even a novice quickly begin securing their system. Advanced users will find that rulesets can be created quickly and are very effective.