Snort Installation on Ubuntu

Snort is a free intrusion detection system (IDS) for Unix, Linux and Windows. Snort is very light, meaning it will not ask your CPU to work too hard. Snort is simple to install and use in its basic installation; the advanced configuration of course needs more research and practice. Here I will give an example of a Snort installation on Ubuntu. This guide is for Snort 2.9 on Ubuntu 10.04.

The original installation documentation can be found on the Snort web page.

1. Install dependencies
Snort requires these packages to be installed to work well:
sudo apt-get install nmap
sudo apt-get install nbtscan
sudo apt-get install apache2
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install php5-gd
sudo apt-get install libpcap0.8-dev
sudo apt-get install libpcre3-dev
sudo apt-get install g++
sudo apt-get install bison
sudo apt-get install flex
sudo apt-get install libpcap-ruby
sudo apt-get install mysql-server
sudo apt-get install libmysqlclient16-dev

2. Update Ubuntu
sudo apt-get update
sudo apt-get upgrade

3. Install Jpgraph and Snortreport
Jpgraph is required to display the graphs later in our web monitoring.
sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
sudo mkdir /var/www/jpgraph
sudo tar zxvf jpgraph-1.27.1.tar.gz
sudo cp -r jpgraph-1.27.1/src /var/www/jpgraph/

Snortreport
Download Snortreport from http://www.symmetrixtech.com/
sudo tar zxvf snortreport-1.3.2.tar.gz -C /var/www/
sudo vi /var/www/snortreport-1.3.2/srconf.php
change $pass = "YOURPASS"; to your own password

4. Install Snort

Install the data acquisition API (DAQ)
Download daq-0.6.1.tar.gz from http://www.snort.org/downloads/1098
sudo tar zxvf daq-0.6.1.tar.gz
cd daq-0.6.1
sudo ./configure
sudo make
sudo make install
sudo ldconfig

Download and install libdnet
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12/
sudo ./configure
sudo make
sudo make install
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Download and install Snort
In the Snort installation guide I found some problems when I followed the guide's steps, so here I just do the original steps.

sudo tar zxvf snort-2.9.1.tar.gz
cd snort-2.9.1
sudo ./configure
sudo make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort

create mysql database and user

echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost \
identified by 'YOURPASSWORD'" | mysql -u root -p

download the snort rules
Download the latest Snort rules from https://www.snort.org/snort-rules and extract them in your preferred folder. Without a prefix they are installed where you extract the tar.gz file; in my example that is /home/administrator.

sudo tar zxvf snortrules-snapshot-2910.tar.gz
sudo mkdir /home/administrator/snortrules
(here you can specify your own folder)
sudo cp /home/administrator/Ubuntu-10-4/i386/2.9.1.0/* \
/home/administrator/snortrules
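For the database step above, here is an added example (not code from the original post) that generates the same CREATE DATABASE and GRANT statements as a small shell function. It keeps the privilege list the post uses (no DROP, ALTER, GRANT or FILE, so the reporting account can only write and read events), escapes the password so it cannot break out of the SQL string literal, and takes the password from the environment variable SNORT_DB_PASSWORD rather than from an echo command line, where it would end up in the shell history. The function names and the environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: emit the SQL for the Snort
# database and its least-privilege account. Function names and the
# SNORT_DB_PASSWORD variable are this example's own conventions.

# sql_escape STRING
# Escape backslashes and single quotes so STRING is safe inside a MySQL
# single-quoted literal (backslashes first, then quotes).
sql_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# snort_db_sql DBNAME USER
# Print the statements on stdout. The password is read from
# $SNORT_DB_PASSWORD, so it never appears in argv or in the shell history.
snort_db_sql() {
  db=$1; user=$2
  pass=$(sql_escape "$SNORT_DB_PASSWORD")
  printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$db"
  # Only the rights barnyard2 needs to insert and read events; nothing that
  # lets the account change the schema of other databases or grant rights.
  printf "GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
    "$db" "$user" "$pass"
  printf 'FLUSH PRIVILEGES;\n'
}

# Usage: read the password once without echo, then feed the SQL to mysql on
# stdin and import the schema that ships with the Snort source (as the post does).
#   printf 'Snort DB password: '; stty -echo; read -r SNORT_DB_PASSWORD; stty echo; echo
#   export SNORT_DB_PASSWORD
#   snort_db_sql snort snort | mysql -u root -p
#   mysql -u root -p -D snort < ./schemas/create_mysql
```

The GRANT ... IDENTIFIED BY form matches the MySQL 5.x the post was written against; on MySQL 8 the account has to be created with CREATE USER first and the GRANT then carries no IDENTIFIED BY clause.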

Configure Snort

sudo updatedb
locate snort.conf
(here I find where snort.conf is located; in my example it is in /home/administrator/etc/)

cp /home/administrator/etc/snort.conf /home/administrator/etc/snort.conf.old
vi /home/administrator/etc/snort.conf

change this line

dynamicdetection directory /usr/local/lib/snort_dynamicrules
to
dynamicdetection directory /home/administrator/snortrules
(or according to your own rules directory)

and below this line
#output unified2: filename merged.log, limit 128, nostamp, \
mpls_event_types, vlan_event_types
add this line
output unified2: filename snort.u2, limit 128

Download and Install Barnyard

Download here http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
sudo tar zxvf barnyard2-1.8.tar.gz
cd barnyard2-1.8
sudo ./configure --with-mysql
sudo make
sudo make install
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo

modify barnyard2.conf

sudo vi /usr/local/snort/etc/barnyard2.conf

change these lines
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
#config hostname: thor
#config interface: eth0
#output database: log, mysql, user=root password=test dbname=db host=localh

to your own folder locations; you can find them using locate.
Here is my example:

config reference_file: /home/administrator/etc/reference.config
config classification_file: /home/administrator/etc/classification.config
config gen_file: /home/administrator/etc/gen-msg.map
config sid_file: /home/administrator/etc/sid-msg.map
config hostname: localhost
config interface: eth1
(use your own interface name here)
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort \
host=localhost

testing snort

/usr/local/bin/snort -u snort -g snort -c /home/administrator/etc/snort.conf -i eth1

That was the main installation of Snort.
Please pay attention to the directory locations used in this example, because they are just the ones from what I did. You should use your own directory locations to make it work. Commands like updatedb and locate will help you find the files you need.

6 thoughts on "Snort Installation on Ubuntu"

  1. Do you run it on Ubuntu desktop 10.04 or Ubuntu server 10.04?
    On my Ubuntu desktop this procedure will not work at the barnyard2-1.9 part, sudo ./configure --with-mysql: it is impossible to find the mysql libraries, not even if you specify the PATH of the mysql libraries.

  2. Thanks so much for your tutorial!!!
    I have been looking around and your tutorial is the only one I could follow.
    I work in a Debian system.

    The only weak point in my opinion is your explanation of the creation of the database. I give you the points I followed from http://lists.debian.org/debian-user/2006/04/msg02858.html

    # mysql -u root -p (then enter your password "mypassword" to get the prompt)

    Create the snort database:

    mysql> create database snort;

    Create the snort user and privileges:

    mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE
    on snort.* to snort@localhost;

    Set the snort user password for the database:

    mysql> SET PASSWORD FOR snort@localhost=PASSWORD('mypassword');

    mysql> exit

    Now we have to import the schema that comes with the snort program:

    # cd /usr/local/src/snort-x.x.x/schemas/

    # mysql -u root -p snort < create_mysql
    # mysql -u root -p
    mysql> use snort;
    mysql> show tables;

    You should see the list of new tables you just imported.

    mysql> exit

  3. hi!

    can you explain this command better: "sudo cp /home/administrator/Ubuntu-10-4/i386/2.9.1.0/* \
    /home/administrator/snortrules"

    I am trying to configure it on desktop Ubuntu and I don't know what you refer to with "/home/administrator/Ubuntu-10-4/i386/2.9.1.0/"

    tks 🙂

  4. Very efficiently written story. It will be beneficial to everyone who employs it, as well as me. Keep up the good work; for sure I will check out more posts.
