Home >> Linux >> Protect your network with Snort

Protect your network with Snort

Follow @LinuxUserMag

Snort is an intrusion detection system (IDS). It works by monitoring network activity and raising an alert in the case of suspicious activity. What constitutes suspicious activity is definable by rules, and it comes with a massive selection. It can protect a single machine from attacks or even an entire network. This guide will show you how to set up and use Snort and also take you through some typical security scenarios in which Snort will prove useful.

As you get to know Snort, you might consider setting up a testing environment using virtual machines. A simple approach would be to use a virtual machine that has its network adaptor configured to be visible on your network (the setting is called ‘bridged adaptor’ in VirtualBox, for example). The techniques outlined here are not dangerous, but they can be considerably easier to get working within a controllable environment.

network sniff
Snort runs on a single machine, but can monitor an entire network



The Snort manual

A second network card (optional)

Step by Step

Step 01

Install Snort

Install Snort with ‘sudo apt-get install snort’. If you need the very latest version, visit the website and fetch, build and install it.

Step 02

Set Up a ‘quiet’ network environment

When first setting up Snort, it helps to have as little activity on the network as possible. Disconnect other computers or even set up a VM with a bridged adaptor which you can operate upon from the host machine.

Step 03

Test Snort installation

Nearly all Snort operations need to be carried out by the root user. On Ubuntu, it’s probably worth using ‘sudo -i’ to avoid password prompts. Use ‘su’ on other distros. As root, type ‘snort -v’. This puts Snort into packet sniffer mode.

Step 04

Create network activity

Presuming that the network you are on is reasonably quiet, you can generate some network activity by pinging the server. Open another terminal and type ‘ping [IP address of server]’, and cancel after a couple of successful pings. Now, go back to the terminal with Snort running.

Step 05

Interpreting the data

In this example, the ping activity is reported in entries that end with lines ‘ECHO’ and ‘ECHO REPLY’. You may have to scroll back in the terminal to see these entries. Notice that the entries contain the time that the activity occurred and the source and destination of the traffic.

Step 06

Exiting Snort

Exit Snort by hitting Ctrl+C. When you exit Snort, it prints a statistical summary of the traffic that it observed. In this example, there should have been some ICMP traffic from the ping operation.

network sniffer
Exiting Snort

Step 07

More detail

Here’s a more extensive command line: ‘snort -vde’. This produces more output due to the d (display packet data) and e (application layer). For example, if you fetch POP email without SSL selected, you’ll be able to see the username and password scroll past.

Step 08

log packet data

Make a directory called ‘snort_logs’. Now run ‘snort -d -l ./snort_logs’ and Snort will log all recorded traffic into the log directory with a separate file for each interface. We’ll skip the verbose flag (-v), as all of the screen output eats into Snort’s throughput.

Step 09

Back up Snort configuration file

Snort comes with a default configuration file which we will back up. Type ‘locate snort.conf’ to find the file and then make a copy of it. ‘cp /etc/ snort/snort.conf /etc/snort/snort.conf_old’ should work for Ubuntu, for example.

Step 10

Initial configuration

Open the config file in a text editor. For now, make sure that the variable ‘HOME_NET’ accurately describes your network. For example, if your computers have IP addresses that begin at, set it to

Step 11

Create launch script

Make a startup script to save time. Create an empty file with ‘nano start_snort’, then add the line ‘snort -de -l [full path to script]/snort_logs -c /etc/snort/snort.conf’ to it, and then save. Now type “chmod +x start_ snort”. This will launch snort in IDS mode, with reasonable defaults.

Follow @LinuxUserMag

Leave a Reply

Your email address will not be published. Required fields are marked *