Building a Network IDS/IPS in Ubuntu Server Using Snort

Nowadays, cyber attack has been increasing rapidly. All refferences had told us about the magnification. Thus, by protecting conventionally only is not enough, it needs more sophisticated actions for detecting the attack. One of the action is by implementing Network IDS/IPS within the infrastructure.

At this article, we will share one of the most usage network IDS/IPS. It is Snort. Snort is the most widely-used Network IDS/IPS that detects and prevent attacks by searching protocol, content analysis, and another pre-processors. Snort provides a bulk of features, such as buffer overflow, stealth port scans, and CGI attacks. Snort works to detect malicious activity, denial of service attacks, and port scans by monitoring network traffic. Generally, It’s divided into five major parts such as Packet decoder, Preprocessor, Detection engine, Logging and Alerting system, and Output modules.

Install Required Dependencies

Beforehand installing Snort, we have to install several packets which is required like:

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

Also, in order to facilitate operation on a variety of hardware and software interfaces without requiring changes to Snort, we need install Data Acquisition Library or DAQ.

tar -zxvf daq-2.0.6.tar.gz

Next, we change to daq-2.0.6 directory and compile it for installing daq like below:

$ sudo su
# ./configure && make && make install

Install Snort

After we installed the prerequisite packages, now we can install snort either downloads manually or install through the ubuntu packages. Nevertheless, I choose to install it by downloading manually from the source page.

wget https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz

After the download has been completed, extract the file like below:

tar -xvzf snort-2.9.12.tar.gz

Then go to the Directory snort-2.9.12 and compile the package for installing Snort like below:

sudo ./configure --disable-open-appid --enable-sourcefire && make && make install

According to the Rapid7’s Post , next we need to update the shared libraries, in order to prevent getting an error when we run Snort with command like below:

ldconfig

Then, instead of having two copies of the same files/directories of Snort, we create a symlink to the folder on one location so both paths refer to the same batch of files and we only have to update one set with command like below:

ln -s /usr/local/bin/snort /usr/sbin/snort

Finally, we can verify the installation and configuration with the following command:

snort -V


Configure Snort

Beforehand, we need to create a user and group “snort”, who will run and create files required by a snort.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
After we created the user, next we create some directories which will contain snort configuration and other important related files like below:
mkdir /etc/snort
 mkdir /etc/snort/preproc_rules
 mkdir /etc/snort/rules
 mkdir /var/log/snort
 mkdir /usr/local/lib/snort_dynamicrules
 touch /etc/snort/rules/white_list.rules
 touch /etc/snort/rules/black_list.rules
 touch /etc/snort/rules/local.rules

Next we set proper permission for the following directories like below:

chmod -R 5775 /etc/snort/
chmod -R 5775 /var/log/snort/
chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/

Next, we have to copy the configuration files from snort source directory we have extracted before like below:

cd snort-2.9.12/etc
cp
-avr *.conf* *.map *.dtd /etc/snort

We also need to copy the dynamic preprocessors files with following command:

cd snort-2.9.12/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Thus, our Snort has been ready, the only way should we do in the next is configure the configuration files by defining the rules we need for inspecting our network traffic. For the first time, we can comment out the configuration within the file snort.conf, then we can adjust manually for each rules.

sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Then we adjust the configuration snort.conf like below:

#Configure the network address interface which will want to intercept :

ipvar HOME_NET 192.168.100.0/24

#Define the path rules which will be reffered to:

var RULE_PATH /etc/snort/rules 
 var SO_RULE_PATH /etc/snort/so_rules 
 var PREPROC_RULE_PATH /etc/snort/preproc_rules 
 var WHITE_LIST_PATH /etc/snort/rules 
 var BLACK_LIST_PATH /etc/snort/rules 
 include $RULE_PATH/local.rules

Finally, nect we validate the configuration file with the following command:

snort -T -i eth0 -c /etc/snort/snort.conf

Next step is how to setup the snort in order starting up automatically when the server is booting up. So, we create a startup script to run Snort at boot time which is “snort.service” like below:

nano /lib/systemd/system/snort.service

write in the file with the following script:

[Unit]
   Description=Snort NIDS Daemon
   After=syslog.target network.target
 [Service]
   Type=simple
   ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i ens33
 [Install]
  WantedBy=multi-user.target

then we can activate the script to run at boot time with the following command:

systemctl enable snort
systemctl start snort

Let’s see the status of the snort with the following command:

systemctl status snort


Thus we have built the Network IDS/IPS, at the next we will show you how to make rules that detect and prevent attacks on the web server DVWA.

Refferences:

  • https://blog.rapid7.com/2017/01/11/how-to-install-snort-nids-on-ubuntu-linux/
  • https://cyberpersons.com/2016/07/18/install-snort-ubuntu/
  • https://stackoverflow.com/questions/43399822/snort-symlink-explanation
  • https://www.hackingarticles.in/configure-snort-in-ubuntu-easy-way/

Leave a Reply

Your email address will not be published. Required fields are marked *