How to Install Snort on Ubuntu and Snort Configuration

Published on: August 28, 2022

26 min read

SNORT® Intrusion Prevention System, the world's leading open source IPS, has officially released Snort 3 in January 2021. Snort 3 is a comprehensive upgrade that includes enhancements and new features resulting in enhanced performance, faster processing, improved scalability for your network, and more than 200 plugins for users to create a customized network configuration.

To protect your mission-critical Ubuntu server or network behind it from various types of cyber attacks, you can easily convert your Linux server into a powerful next-generation firewall. To accomplish this, you must follow the next steps:

Install and configure the UFW firewall on your Ubuntu server for packet filtering
Install and configure Zenarmor next-generation firewall engine for web filtering and application control
Install and configure Snort for network intrusion detection and prevention

In this tutorial, we will explain how to install and configure Snort 3 on your Ubuntu 22.04 Linux server. You may install Snort on Ubuntu server by following the next 3 main steps:

To configure Snort IPS on your Ubuntu server to protect your network, follow the next main steps:

What is the Difference Between Snort 2 and Snort 3?

Snort 3 makes several enhancements to simplify rule-writing and increase the uniformity of rule syntax while also enhancing detection robustness and granularity.

There are several advantages to upgrading to Snort 3 from Snort 2. Among the most important new features and enhancements in Snort 3 are:

Support for multiple threads for packet processing, which frees up more RAM for packet processing.
New rule syntax and rule parser.
Access to almost two hundred plugins
Use of a configuration and attribute table that is shared.
Enhanced shared object rules, including the capacity to add rules for zero-day vulnerabilities
Rewritten TCP handling.
New rule comments and remarks that are included inside the regulation itself.
New performance display

The major differences between Snort 2 and Snort 3 are listed in the followin table.

Feature	Snort 2	Snort 3
Packet threads	One per process	Any number per process
Config memory	use N processes * M GB	M GB total, more for packets
Config reload	N processes, slower	One thread that can be pinned to separate cores
Plugins	Limited to preprocs and outputs	Full plugin system with more than 200 plugins
DAQ	2.X, run to completion	3.X, vector input, multiple outstanding packets
DAQ Modules	Only legacy modules	Stacked modules, IOCTLs, file, socket and text modules
PCAP readback speed	X Mbits/sec for Max-Detect	2X with AC, 4X with hyperscan
IP Layers	Two max	Arbitrary and configurable limits
IP reputation	Complex with shared memory	Simplified process memory
Stream TCP	Complex implementation	New and improved implementation
Service detection	AppID only, port configs required	Autodetection, most port configs optional
HTTP inspector	Partly stateful	Fully stateful
Port scan detection	High, medium, and low thresholds only	Fully configurable detection thresholds
Config parsing	Report one error and quit	Report all errors
Command line	Some overlapping with config file	Set to override any config file from the command line
Default config	Complex, needs tuning	Simplified, effective
Policy examples	None	Tweaks to fit all standard Talos policies
Policy bindings	One level	Nested
Rule syntax	Inconsistent and requires line escapes	Uniform system with arbitrary whitespace
Rule parsing	Buggy with limited warnings	Robust with numerous optional warnings
Rule comments	comments only	#, #begin/#end marks, C-style and rem options
Alert file rules	No	Yes
Alert service rules	No	Yes
Fast-pattern buffers	Six available	14 available
SO rule features	Restricted functionality	True superset of text rules
Simple SO rules	No	Yes
Dump built-in stubs	No (SO stubs only)	Yes
Runtime tracing	No (debug tracing and misc logs only)	Yes
Documentation	LaTeX-based PDF, READMEs	ASCII docs, text, HTML, and PDFs
Source code	470,000 lines of C, with an average of 400 lines per file	389,000 lines of C++, with an average of 200 lines per file
Distribution	Snort.org tarballs, with updates coming every six months	GitHub repo, with updates coming every two weeks

Table 1. Snort 2 vs Snort 3

info

Snort 3 is significantly different from the Snort 2.9.9.x series. The configuration and rule files between the two versions are distinct and incompatible. Using the bundled snort2lua command, Snort 2 configuration and rule files may be converted to the Snort 3 format.

How to Install Snort 3 on Ubuntu 22.04?

Snort installation is quite easy and straightforward since the Snort package is accessible in the repositories of the majority of Linux distributions. The package may be installed from both the source and software repositories.

As of the time of this writing, the default Universe repository of Ubuntu 22.04 has Snort 2.9. To view the available Snort package in the Ubuntu repositories, run the next command:

apt-cache policy snort

You see similar output given below:

snort:
Installed: (none)

Candidate: 2.9.15.1-6build1

Version table:

2.9.15.1-6build1 500

500 http://tr.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

Installing and configuring Snort 3 on Ubuntu 22.04 requires building it from the source. You can follow the steps given below to install and configure Snort 3 on your Ubuntu 22.04 server as a system service.

Update the Ubuntu Server
Install Dependencies
Download and Install Snort from Source Code

Get Started with Zenarmor Today For Free

1. Update the Ubuntu Server

To ensure your Ubuntu 22.04 server is up-to-date and has the latest list of packages, run the following command:

sudo apt-get update && sudo apt-get dist-upgrade -y

2. Install Dependencies

Prior to the build, a number of build tools and dependencies must be installed on Ubuntu 22.04 for a successful build and installation of Snort 3.

Run the following command, to install the package dependencies for Snort 3 installation on an Ubuntu 22.04 server:

sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y

We will download a lot of source tarballs and other files, and we want to keep them in a single folder. Create a directory and change your location by running the following commands:
```
mkdir ~/snort_src && cd ~/snort_src
```
Snort DAQ (Data Acquisition library) is not included in the usual Ubuntu repositories. Thus, it must be compiled and installed from the source. Download and install the latest Snort DAQ by running the following commands:
```
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure
make
sudo make install
```
To download and install Google's thread-caching malloc, Tcmalloc, a memory allocator tuned for high concurrency conditions that will give a faster performance at the expense of increased memory consumption (this is a recommended but optional dependence), run the next commands:
```
cd ../
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
tar xzf gperftools-2.9.1.tar.gz
cd gperftools-2.9.1/
./configure
make
sudo make install
```

3. Download and Install Snort from Source Code

Now that all prerequisites have been met, we can download and install Snort 3 on Ubuntu 22.04. You can follow the steps given below for downloading and setting up the Snort 3.1.39.0, the most recent version at the time of writing.

To download the most recent version of the Snort tarball from the releases page, run the next commands:

cd..
wget https://github.com/snort3/snort3/archive/refs/heads/master.zip
unzip master.zip
cd snort3-master
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc

tip

If you are interested in enabling extra compile-time capabilities, such as the ability to handle large (over 2 GB) PCAP files or the new command line shell, run ./configure cmake.sh --help to list all optional features, then attach them to the ./configure cmake.sh command shown above.

You will see similar output given below:

------------------------------------------------------
snort version 3.1.39.0
Install options:
prefix: /usr/local
includes: /usr/local/include/snort
plugins: /usr/local/lib/snort
Compiler options:
CC: /usr/bin/cc
CXX: /usr/bin/c++
CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
EXE_LDFLAGS:
MODULE_LDFLAGS:
Feature options:
DAQ Modules: Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
libatomic: System-provided
Hyperscan: OFF
ICONV: ON
Libunwind: ON
LZMA: ON
RPC DB: Built-in
SafeC: OFF
TCMalloc: ON
JEMalloc: OFF
UUID: ON
  -------------------------------------------------------
  -- Configuring done
  -- Generating done
  -- Build files have been written to: /home/alp/snort_src/snort3-master/build

To navigate to the build directory and install Snort 3 on Ubuntu 22.04 before compiling, run the following commands:
```
cd build
make
sudo make install
```
This takes approximately half an hour, depending on your hardware. Snort is now installed under /usr/local/.
After the installation is completed, update shared libraries by running the next command. Otherwise, you get an error when you try to run Snort:
```
sudo ldconfig
```

To verify that Snort runs correctly, we pass the snort executable the -V flag:

snort -V

You should see output similar to the following:

,,_ -*> Snort++ <*-
o" )~ Version 3.1.39.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.9
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.2 15 Mar 2022
Using libpcap version 1.10.1 (with TPACKET_V3)
Using PCRE version 8.39 2016-06-14
Using ZLIB version 1.2.11
Using LZMA version 5.2.5

To test your Snort installation with the default configuration file, run the next command:

snort -c /usr/local/etc/snort/snort.lua

You should see output similar to the following:

--------------------------------------------------
o")~ Snort++ 3.1.39.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ips
network
binder
wizard
appid
file_id
stream_udp
http2_inspect
http_inspect
ftp_data
search_engine
ftp_server
port_scan
dce_http_server
dce_smb
dce_tcp
netflow
iec104
cip
telnet
ssl
sip
rpc_decode
modbus
host_tracker
stream_user
stream_ip
process
back_orifice
classifications
dnp3
active
trace
ftp_client
decode
alerts
stream
daq
references
arp_spoof
output
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
  --------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 203 0 203 /usr/local/etc/snort/snort.lua
  --------------------------------------------------
rule counts
total rules loaded: 203
text rules: 203
option chains: 203
chain headers: 1
  --------------------------------------------------
service rule counts to-srv to-cli
file_id: 203 203
total: 203 203
  --------------------------------------------------
fast pattern groups
to_server: 1
to_client: 1
  --------------------------------------------------
search engine
instances: 2
patterns: 406
pattern chars: 2436
num states: 1724
num match states: 364
memory scale: KB
total memory: 66.7676
pattern memory: 18.2363
match list memory: 26.5938
transition memory: 21.6875
  --------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
  o")~ Snort exiting

Snort has several options to get more help. To view the Snort help options, run the next command:
```
snort --help
```
To view the Snort command line option quick help, run the following command:
```
snort -?
```
info
Linux distributions based on Debian, such as Ubuntu 22.04, come pre-installed with the "apt" package manager. Essentially, it is a command-line-based utility used to perform app-related tasks such as installation, update, and uninstallation. Run the next commands to install Snort on Ubuntu 22.04 using apt manager:
sudo apt update sudo apt install snort -y

How to Configure Snort 3 on Ubuntu 22.04

There are three configuration options for Snort: Sniffer mode, Packet logger mode, and Network IDS mode. We will set up Snort for Network IDS Mode in this section.

You can easily configure Snort 3 IPS software on your Ubuntu 22.04 server by following the 5 steps given in this section:

Configuring Network Interfaces
Configuring Snort Community and Local Rule Sets
Installing Snort OpenAppID
Configuring Snort Logging
Running Snort as a Service

1. Configuring Network Interfaces

Modern network cards employ offloading (LRO, for instance) to perform network packet reassembly in hardware, rather than software. In the majority of cases, this is desirable since it decreases system stress. For a NIDS, we must deactivate LRO and GRO, since they cause the truncation of longer packets. We must establish a systemD service in order to modify these values.

Determine the name(s) of the interface(s) on which Snort will listen by running the next command:

ip address show

This will list your network interfaces on the Ubuntu server similar to below and we will select the WAN interface ens18 to run Snort on, in our example:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 9e:d6:2e:8e:2c:2c brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 192.168.0.29/24 metric 100 brd 192.168.0.255 scope global dynamic ens18
valid_lft 595176sec preferred_lft 595176sec
inet6 fe80::9cd6:2eff:fe8e:2c2c/64 scope link
valid_lft forever preferred_lft forever
  3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 3a:49:6f:b5:60:20 brd ff:ff:ff:ff:ff:ff
altname enp0s19
inet 10.10.10.21/24 metric 100 brd 10.10.10.255 scope global dynamic ens19
valid_lft 4776sec preferred_lft 4776sec
inet6 fe80::3849:6fff:feb5:6020/64 scope link
valid_lft forever preferred_lft forever

Set the interface on which Snort is listening for network traffic to promiscuous mode so that it may view all network traffic transmitted to it and not just traffic coming from the Ubuntu server by running the next command:
```
sudo ip link set dev ens18 promisc on
```
To verify that the network interface is running in promiscuous mode, run the following command:
```
ip address show ens18
```
You should see the PROMISC pattern in the first line.
```
2: ens18: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
```
Check the status of large-receive-offload (LRO) and generic-receive-offload (GRO) for those interfaces once you know the name of the network interface on which Snort will listen for traffic by running the following command (replacing ens18 with your interface name):
```
ethtool -k ens18 | grep receive-offload
```
You may see the following output:
```
generic-receive-offload: on
large-receive-offload: off [fixed]
```
We need to ensure that both are set to off (or off [fixed]) if we see the output similar to the above. To disable Interface Offloading to prevent Snort from truncating large packets larger than 1518 bytes, run the following command (replacing ens18 with your interface name):
```
sudo ethtool -K ens18 gro off lro off
```

Create and enable a systemd service unit to apply the modifications so that they survive after a system reboot by running the commands below:

sudo su
cat > /etc/systemd/system/snort3-nic.service << 'EOL'
> [Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens18 promisc on
ExecStart=/usr/sbin/ethtool -K ens18 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
EOL

To reload systemd configuration settings, run the next command:
```
systemctl daemon-reload
```
Start and enable the service on boot, run the following command:
```
systemctl enable --now snort3-nic.service
```

To view the status of our newly created service run the following command:

service snort3-nic status
? snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2022-08-22 12:19:02 UTC; 1min 39s ago
Process: 41076 ExecStart=/usr/sbin/ip link set dev ens18 promisc on (code=exited, status=0/SUCCESS)
Process: 41077 ExecStart=/usr/sbin/ethtool -K ens18 gro off lro off (code=exited, status=0/SUCCESS)
Main PID: 41077 (code=exited, status=0/SUCCESS)
CPU: 4ms
Aug 22 12:19:02 snort systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Aug 22 12:19:02 snort systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.

2. Configuring Snort Community and Local Rule Sets

Rulesets are the primary conduit for the Snort intrusion detection and prevention engine. Three kinds of Snort Rules exist:

Community Rules
Registered Rules
Subscriber Rules

In this tutorial, the Community Snort rules and local will be installed.

Create some folders and files that Snort requires for rules by running the following commands:

sudo mkdir /usr/local/etc/rules
sudo mkdir /usr/local/etc/so_rules/
sudo mkdir /usr/local/etc/lists/
sudo touch /usr/local/etc/rules/local.rules
sudo touch /usr/local/etc/lists/default.blocklist
sudo mkdir /var/log/snort

To add a rule which detects ICMP traffic and is excellent for validating if Snort is functioning properly and producing alarms, paste the following line into the local.rules file:
```
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )
```
Start Snort and have it load the local.rules file (using the -R parameter) to ensure that these rules are loaded successfully by running the following command:
```
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
```
The output should end with the following line:
```
Snort successfully validated the configuration (with 0 warnings).
```
Scrolling through the results should reveal that this rule loaded correctly (under the rule counts section).
Run Snort in detection mode on an interface (replace eth0 with the name of your interface) and log all alarms to the console by entering the next command:
```
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens18 -A alert_fast -s 65535 -k none
```
An explanation of the flags in the previous command is given below:
- -c: /usr/local/etc/snort/snort.lua The snort.lua configuration file.
- -R: /usr/local/etc/rules/local.rules The path to the rules file containing our one ICMP rule.
- -i ens18: The interface to listen on.
- -A alert_fast: Use the alert_fast output plugin to write alerts to the console.
- -s 65535: Set the snaplen so Snort doesn't truncate and drop oversized packets.
- -k none: Ignore bad checksums, otherwise, snort will drop packets with bad checksums
Snort will load the configuration, then display the following lines:
```
Commencing packet processing
++ [0] ens18
```
This indicates that Snort is presently checking all traffic on this interface, ens18, to the loaded rule. When traffic matches a rule, Snort will generate a console alert. Now, from another computer, ping to that interface's IP address of your Ubuntu server. Warnings should appear on the screen similar to the below:
```
08/22-12:45:11.714259 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.0.29 -> 192.168.0.34
08/22-12:45:13.455554 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.0.34 -> 192.168.0.29
08/22-12:45:13.455606 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.0.29 -> 192.168.0.34
08/22-12:45:14.470965 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.0.34 -> 192.168.0.29
08/22-12:45:14.471009 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.0.29 -> 192.168.0.34
```
To stop Snort press Ctrl-C. This is a useful rule for testing Snort, but it may be too loud for production use, so you may comment it out with the hash symbol if you choose.
To enable decoder and inspector alerts (malicious traffic identified by Snort, not the rules owing to the rules' more complicated structure), and to notify the ips module where our rules file will be (due to the rules' more complex format), edit the snort.lua file:
```
sudo vi /usr/local/etc/snort/snort.lua
```

Look for the ips section on line 182, which is labeled ips and uncomment enable_builtin_rules=true (remove the preceding two dashes) and enable our local rules:

ips =
{
-- use this to enable decoder and inspector alerts
enable_builtin_rules = true,
include = RULE_PATH .. "/local.rules",
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables
}

To verify the configuration of the Snort file, run the next command.
```
snort -c /usr/local/etc/snort/snort.lua
```
Run the Snort using the next command:
```
sudo snort -c /usr/local/etc/snort/snort.lua -i ens18 -A alert_fast -s 65535 -k none
```
When you ping the Ubuntu Snort interface from another computer, the alarms should be rewritten to the console.

To download and install the Snort Community rules, run the following command

sudo su
cd /usr/local/etc/rules && wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
tar xzf snort3-community-rules.tar.gz

To view the files, run the following command:

ls -l snort3-community-rules

You should see similar to the below:

-rw-r--r-- 1 1210 root 7834 Aug 17 20:32 AUTHORS
-rw-r--r-- 1 1210 root 15127 Aug 17 20:32 LICENSE
-rw-r--r-- 1 1210 root 492722 Aug 17 20:32 sid-msg.map
-rw-r--r-- 1 1210 root 1797899 Aug 17 20:32 snort3-community.rules
-rw-r--r-- 1 1210 root 21084 Aug 17 20:32 VRT-License.txt

Edit the snort configuration file /usr/local/etc/snort/snort.lua with your favorite editor, like vi or nano.
```
vi /usr/local/etc/snort/snort.lua
```
Set the HOME_NET and EXTERNAL_NET environment variables. HOME_NET must be set to the networks that will be protected by Snort, such as the WAN IP address of your Ubuntu server, or the LAN network(subnets) behind the Ubuntu server. We will set this to the IP address of the Snort 3 ens18 interface, 192.168.0.29/32 in our example. The EXTERNAL_NET is any network except our HOME_NET.

Go to ips block at line 182 and update the file as given below:

ips =
{
-- use this to enable decoder and inspector alerts
enable_builtin_rules = true,
include = RULE_PATH .. "/local.rules",
include= RULE_PATH .. "/snort3-community-rules/snort3-community.rules"
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables
}

Save and exit the configuration file.
Validate the configuration changes by running the following command:
```
snort -c /usr/local/etc/snort/snort.lua
```
tip
Additionally, you may register on the Snort website. Registering enables you to obtain the Registered user rules using their Oink code. To obtain and install the Registered Snort rules you may follow the steps given below:
1. Subscribe to the Snort website via https://snort.org/users/sign_up.
2. Login to your Sort account and obtain the Oink code by navigating to the Oink code menu.
  
  Figure 1. Obtaining Snort Oinkcode
3. Click the Downloads link on the top navigation bar.
  
  Figure 2. Downloading Registered Snort V3.0 rule
4. Scroll down to the Rules and copy the link address of the latest Registered Snort V3.0 rule set, such as snortrules-snapshot-31350.tar.gz.
5. To download the latest ruleset you may either run the next command(do not forget to replace the oinkcode pattern with your own code) or click on the latest Registered Snort V3.0 rule set in the download page then copy the file to your server:
  wget https://www.snort.org/downloads/registered/snortrules-snapshot-31350.tar.gz?oinkcode=oinkcode -O snortrules-snapshot-31350.tar.gz
6. To extract the registered rules run the following command:
  sudo tar -xvf ~/snortrules-snapshot-31350.tar.gz -C /usr/local/etc/rules/
7. View the registered rules by running the following command:
  ls /usr/local/etc/rules/so_rules/
  You should see the similar output below:
  browser-chrome.rules file-executable.rules file-office.rules malware-cnc.rules os-windows.rules protocol-other.rules rulestates-balanced-ips.states server-iis.rules server-webapp.rules browser-ie.rules file-flash.rules file-other.rules malware-other.rules policy-other.rules protocol-scada.rules rulestates-connectivity-ips.states server-mail.rules src browser-other.rules file-image.rules file-pdf.rules netbios.rules policy-social.rules protocol-snmp.rules rulestates-max-detect-ips.states server-mysql.rules browser-webkit.rules file-java.rules includes.rules os-linux.rules precompiled protocol-tftp.rules rulestates-no-rules-active.states server-oracle.rules exploit-kit.rules file-multimedia.rules indicator-shellcode.rules os-other.rules protocol-dns.rules protocol-voip.rules rulestates-security-ips.states server-other.rules
8. The rule sets for registered users provide a substantial quantity of predefined detection rules that are helpful. If you have already tested Snort with the community rules, you may enable additional registered rules and then validate the configuration changes.

3. Installing Snort OpenAppID

OpenAppId is an application-centric detection language and processing module for Snort that allows users to build, distribute, and execute application and service detection. OpenAppID identifies application layer (layer 7) traffic and allows you to construct rules that act on application-layer traffic (for example, to prohibit Facebook or a certain Virtual Private Network (VPN) type) and report traffic statistics for each identified kind of traffic. OpenAppID is an optional feature offered by Snort; you should activate it if you wish to detect or block certain kinds of traffic (FTP, Twitter, etc.) or gather statistics on the amount of data per type of traffic detected by your Snort server.

The Application Detector Package is a collection of detectors compiled by the Snort team in collaboration with the community and available for download and installation. You can activate the OpenAppID detectors (identifying traffic), then enable the OpenAppID metrics recording by following the steps given below:

Download and extract the OpenAppID detector package by running the next command:
```
cd ~/snort_src/
wget https://snort.org/downloads/openappid/26425 -O OpenAppID-26425.tgz
tar -xzvf OpenAppID-26425.tgz
sudo cp -R odp /usr/local/lib/
```
warning
If you can't download the OpenAppID file from the URL given above, go to https://snort.org/downloads page and copy the link address of the snort-openappid.tar.gz under the OpenAppID heading.
Edit our Snort configuration file to point to this odp directory.
```
sudo nano /usr/local/etc/snort/snort.lua
```

Locate the appid section and configure it as follows:

appid =
{
-- appid requires this to use appids in rules
app_detector_dir = '/usr/local/lib',
log_stats = true,
}

Validate the configuration changes by running the following command:
```
snort -c /usr/local/etc/snort/snort.lua
```

Modify Snort local.rules file with a new rule which will detect Facebook traffic by adding the next line:

alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook"; sid:10000002; metadata:policy security-ips alert; )

Check the syntax of the local.rules file by running the following command:

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

Run Snort by executing the command below(by replacing ens18 with your interface name):

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens18 -A alert_fast -s 65535 -k none

Try to connect the Facebook site from your Ubuntu server. You should see the following alerts on the console:

08/23-10:56:06.262915 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.0.29:48824 -> 157.240.234.35:443
08/23-10:56:06.263574 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.0.29:48824 -> 157.240.234.35:443
08/23-10:56:06.265113 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.0.29:48824 -> 157.240.234.35:443
08/23-10:56:06.261005 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.234.35:443 -> 192.168.0.29:48824
08/23-10:56:06.265411 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.234.35:443 -> 192.168.0.29:48824
08/23-10:56:06.266529 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.0.29:48824 -> 157.240.234.35:443

Press Ctrl+C to stop the Snort. You will see packet statistics similar to those given below:

Packet Statistics
  --------------------------------------------------
daq
received: 1034
analyzed: 966
dropped: 36
outstanding: 68
allow: 881
whitelist: 85
rx_bytes: 293090
  --------------------------------------------------
codec
total: 966 (100.000%)
arp: 8 ( 0.828%)
eth: 966 (100.000%)
icmp4: 398 ( 41.201%)
icmp6: 4 ( 0.414%)
igmp: 4 ( 0.414%)
ipv4: 954 ( 98.758%)
ipv6: 4 ( 0.414%)
ipv6_hop_opts: 2 ( 0.207%)
tcp: 540 ( 55.901%)
udp: 12 ( 1.242%)
  --------------------------------------------------
Module Statistics
  -------------------------------------------------
appid
packets: 958
processed_packets: 958
total_sessions: 15
service_cache_adds: 6
bytes_in_use: 912
items_in_use: 6
  --------------------------------------------------
Appid Statistics
  --------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred
dns: 4 4 0 0 0 0
facebook: 0 0 0 2 0 0
http: 1 0 0 0 0 0
putty: 0 1 0 0 0 0
ssh: 1 0 0 0 0 0
wget: 0 1 0 0 0 0
https: 2 0 0 0 0 0
ssl_client: 0 2 0 0 0 0
ubuntu: 0 0 0 1 0 0
icmp: 1 0 0 0 0 0
icmp_for_ipv6: 2 0 0 0 1 0
igmp: 2 0 0 0 0 0
unknown: 1 0 0 0 0 0
  --------------------------------------------------
Summary Statistics
  --------------------------------------------------
process
signals: 1
  --------------------------------------------------
timing
runtime: 00:03:23
seconds: 203.166562
pkts/sec: 5
o")~ Snort exiting

4. Configuring Snort Logging

All output of events and packets is done by Loggers. To write Snort 3 events to log files, alert settings must be configured. There are several possibilities for logging in with Snort.

alert_csv: output event in csv format
alert_ex: output gid:sid:rev for alerts
alert_fast: output event with brief text format
alert_full: output event with full packet dump
alert_json: output event in json format
alert_sfsocket: output event over socket
alert_syslog: output event to syslog
alert_unixsock: output event over unix socket
log_codecs: log protocols in packet by layer
log_hext: output payload suitable for daq hext
log_pcap: log packet in pcap format
Unified2: output event and packet in uni?ed2 format file

To export event data to a file in short format (as stated in the command line above by option -A alert_type), go to the outputs section of the snort.lua configuration file.

---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
alert_fast = {file = true,
packet = false,
limit = 10,
}
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }

Save and exit the configuration file. The setting causes Snort to write logs to alert_fast.txt file. Check syntax by running the next command.
```
snort -c /usr/local/etc/snort/snort.lua
```
Rerun the Snort without the option, -A alert_fast. But specify the log directory with an option-l /var/log/snort.

Try to connect to the Facebook site from your Ubuntu server. You should see the following alerts in the /var/log/snort/alert_fast.txt file:

tail -f /var/log/snort/alert_fast.txt
08/23-11:59:04.444640 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.0.34 -> 192.168.0.29
08/23-11:59:04.444640 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 192.168.0.34 -> 192.168.0.29
08/23-11:59:04.444686 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.0.29 -> 192.168.0.34
08/23-11:59:05.473735 [**] [1:382:11] "PROTOCOL-ICMP PING Windows" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 192.168.0.34 -> 192.168.0.29
08/23-11:59:05.473735 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.0.34 -> 192.168.0.29
08/23-11:59:05.473735 [**] [1:384:8] "PROTOCOL-ICMP PING" [**] [Classification: Misc activity] [Priority: 3] [AppID: ICMP] {ICMP} 192.168.0.34 -> 192.168.0.29
08/23-11:59:05.473782 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.0.29 -> 192.168.0.34
08/23-11:59:05.618221 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.234.35:443 -> 192.168.0.29:48826
08/23-11:59:05.618238 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.0.29:48826 -> 157.240.234.35:443
08/23-11:59:05.618221 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.234.35:443 -> 192.168.0.29:48826
08/23-11:59:05.618646 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.0.29:48826 -> 157.240.234.35:443
08/23-11:59:05.618612 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.234.35:443 -> 192.168.0.29:48826

5. Running Snort as a Service

It is feasible to run Snort in the background as a daemon with the -D command line option, but it is also possible to establish a systemd service unit for Snort. To run Snort as a systemd service on your Ubuntu 22.04 server, you can follow the steps given below:

It is recommended to run Snort as a non-privileged system user if it is to be executed as a service. Create a system user account without a login for Snort:
```
useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort
```
Grant the 'snort' user rights to the log directory by running the next commands:
```
sudo chmod -R 5775 /var/log/snort
sudo chown -R snort:snort /var/log/snort
```
To create the Snort systemD service file, run the following command:
```
[Unit]
Description=Snort3 NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -u snort -g snort -i ens18 -m 0x1b --create-pidfile
ExecStop=/bin/kill -9 $MAINPID
[Install]
WantedBy=multi-user.target
```
Here is a summary of all the flags we use with Snort:
- /usr/local/bin/snort: This is the path to the snort binary. We don't use sudo here since the script will be started with elevated (root) privileges.
- -c /usr/local/etc/snort/snort.lua: The snort.lua configuration file.
- -s 65535: Set the snaplen so Snort doesn't truncate and drop oversized packets.
- -k none: Ignore bad checksums, otherwise, snort will drop packets with bad checksums, and they won't be evaluated.
- -l /var/log/snort: The path to the folder where Snort will store all the log files it outputs.
- -D: Run as a Daemon.
- -u snort: After startup (and after doing anything that requires elevated privileges), switch to run as the "snort" user.
- -g snort: After startup, run as the "snort" group.
- -i eth0: The interface to listen on.
- -m 0x1b: Umask of 033 for file permissions.
- --create-pidfile: Create a PID file in the log directory
Enable the Snort systemD service and start it by running the next commands:
```
sudo systemctl enable snort3
sudo service snort3 start
```

To view the Snort service status run the nexy command:

sudo service snort3 status

Your output should be similar to the following,

? snort3.service - Snort3 NIDS Daemon
Loaded: loaded (/lib/systemd/system/snort3.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-08-23 12:19:52 UTC; 4s ago
Main PID: 1793 (snort)
Tasks: 2 (limit: 9286)
Memory: 232.7M
CPU: 1.432s
CGroup: /system.slice/snort3.service
??1793 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -u snort -g snort -i ens18 -m 0x1b --create-pidfile
Aug 23 12:19:53 snort snort[1793]: total memory: 2.64854
Aug 23 12:19:53 snort snort[1793]: pattern memory: 0.420437
Aug 23 12:19:53 snort snort[1793]: match list memory: 0.940338
Aug 23 12:19:53 snort snort[1793]: transition memory: 1.25066
Aug 23 12:19:53 snort snort[1793]: fast pattern only: 4963
Aug 23 12:19:53 snort snort[1793]: --------------------------------------------------
Aug 23 12:19:53 snort snort[1793]: pcap DAQ configured to passive.
Aug 23 12:19:53 snort snort[1793]: Commencing packet processing
Aug 23 12:19:53 snort snort[1793]: ++ [0] ens18
Aug 23 12:19:53 snort snort[1793]: Writing PID "1793" to file "/var/log/snort/snort.pid"

Examine the whole output of the service using the following command, If there are issues:
```
sudo journalctl -u snort3.service
```

How to Troubleshoot Common Installation Issues?

Snort errors are generated when the integrated system identifies configuration contents or rules that are invalid. The Snort displays a message indicating that the policy failed to apply if you submit settings with defects on the Snort configuration or Snort rules. The error message contains information from Snort to assist in the resolution of the issue. The SID and message string are listed in the message for Snort rule errors. The policy failure is classified as a significant event by the system.

Troubleshooting the integrated Snort system is an iterative process that identifies one error at a time. The policy settings are not applied by the system when an error is detected, and the failure is reported. Before the policy settings can be effectively implemented, it is necessary to resolve the error. The configurations must be reapplied after the error has been resolved. The policy settings are effectively reapplied by the system if no additional errors are detected in the configuration contents or the rules. Nevertheless, the system will recursively execute this procedure for each additional error that is identified.

How to Optimize Snort Performance on Multi-Core Systems?

Efficient resource utilization and enhanced network security monitoring are achieved by optimizing Snort's performance on multi-core systems. Best practices and procedures for Snort performance optimization on multi-core systems are as follows.

Reduce overhead by optimizing Snort rules and preprocessors. You should arrange rules in order of the likelihood of threats and the significance of traffic. Do not forget to conduct routine updates and optimizations of rulesets.
Run multiple Snort instances, each of which is bound to a specific CPU core. You may monitor various network segments or traffic types by running multiple instances of Snort, each of which is bound to a distinct CPU core. For this purpose, you may run the next commands.
```
sudo snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort/core0 --daq afpacket --daq-var bindcpu=0
sudo snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort/core1 --daq afpacket --daq-var bindcpu=1
```
Optimize memory usage by modifying the stream5 and frag3 preprocessors
Distribute traffic across cores by utilizing NICs that support RSS (Receive Side Scaling).
Enable jumbo frames if the network infrastructure supports it.
Guarantee that the firmware and NIC drivers are current.
Reduce overhead by either disabling unnecessary logging or employing binary logging formats.
Employ Snort's built-in statistics to monitor its performance.
Monitor resource utilization using tools such as top, htop, perf, and iftop.
Enhance packet capture by employing AFPacket or PF_RING DAQ modules. Snort utilizes libpcap by default, which may restrict its throughput. However, by applying AFPacket or PF_RING, you may enhance multi-core scalability and increase packet capture rates.
Implement hardware load balancing. To ensure that traffic is distributed evenly across Snort instances, implement load-balancing solutions such as PF_RING ZC, AF_PACKET fanout, or hardware-based NIC load balancing. For example, you may run the following command for load balancing.
```
sudo snort -i eth0:eth1 --daq afpacket --daq-var fanout_type=hash 
```
To enhance cache efficiency and reduce context switching, manually assign Snort instances and network interface IRQs to specific CPU cores. For CPU affinity, you may run the next command.
```
taskset -c 0 snort -c /etc/snort/snort.conf -i eth0
```
For IRQ balancing, you may run the next commands.
```
# Check IRQ assignments
cat /proc/interrupts

# Assign IRQ to CPU core 0
echo 1 > /proc/irq/<IRQ_number>/smp_affinity
```

How to Write Custom Snort Rules?

You may easily write custom Snort rules by following the next steps.

Create a file, such as custom.rules, for your custom rules.
Add your file to Snort's configuration file (snort.conf) with the following line.
```
include $RULE_PATH/custom.rules
```
Verify your rules by running the following command.
```
sudo snort -T -c /etc/snort/snort.conf
```
Apply the new rules by restarting Snort.
```
sudo systemctl restart snort
```

Examples for Custom Snort Rules

Some examples of custom Snort rules are given below.

Detect HTTP GET Requests Containing "admin" Keyword: You may use the following Snort rule for detecting HTTP GET requests containing "admin" keyword.
```
alert tcp any any -> any 80 (msg:"HTTP Request for admin page"; content:"GET"; http_method; content:"admin"; nocase; sid:1000002; rev:1;)
```
Detect ICMP Ping Request: You may use the following Snort rule for detecting ICMP ping requests.
```
alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1000001; rev:1;)
```

Detect SQL Injection Attempt: You may use the following Snort rule for detecting SQL Injection Attempt.

alert tcp any any -> any 80 (msg:"Possible SQL Injection Attempt"; flow:to_server,established; content:"' OR 1=1"; nocase; sid:1000003; rev:1;)

Detect Suspicious DNS Query: If it detects a UDP connection on port 53 (DNS) with a DNS query for the domain "harmful.com," this rule will generate an alert. The "depth" option is employed by the rule to limit its examination to the initial six bytes of the DNS query, which are the standard DNS header fields.
```
alert udp any any -> any 53 (msg: "Suspicious DNS Query detected"; content:"|00 01 00 00 00 01|"; depth:6; content: "harmful.com"; nocase; sid:1000004; rev:1;)
```
Detect Basic HTTP GET Request to a Specific Domain: This rule will generate an alert if it detects a GET request to the domain "harmful.com" on port 80 (HTTP) with a TCP connection.
```
alert tcp any any -> any 80 (msg: "Possible HTTP GET request"; content: "GET"; http_method; content: "harmful.com"; http_host; sid:1000001; rev:1;)
```
Detect SSH Brute Force Attack: Snort can be employed to identify brute force attacks by examining logon attempts and identifying patterns that suggest a brute force attack. This rule detects unsuccessful SSH authentication attempts on port 22. Snort will generate an alert with the ID 1000002 if the traffic includes the string "sshd:" followed by "Failed password."
```
alert tcp any any -> any 22 (msg:"Possible SSH Brute Force Attack"; flow:to_server,established; content:"sshd:"; nocase; content:"Failed password"; nocase; sid:1000002;)
```
Detect Suspicious User-Agent String: If it detects a TCP connection with a user-agent string that includes "curl," this rule will generate an alert. This pattern is frequently employed by attackers to initiate attacks or conduct reconnaissance.
```
alert tcp any any -> any any (msg:"Suspicious User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; nocase; content:"curl|2f|"; nocase; sid:1000002; rev:1;)
```
Detect Known Malware Signature in Network Traffic: This rule will generate an alert if it detects a TCP connection with a payload containing a particular sequence of bytes (in this instance, the string "ZOOM"). This sequence is a recognized signature of the Zeus botnet malware, which is employed for financial fraud and other malicious activities.
```
alert tcp any any -> any any (msg:"Possible Zeus Botnet C&C Traffic"; flow:established,to_server; content:"|5a 4f 4f 4d 00 00|"; depth:6; sid:1000005; rev:1;)
```

What Are the Best Practices for Writing Effective Snort Rules?

A combination of technical knowledge and best practices is necessary to write effective Snort rules that ensure accuracy, performance, and maintainability. The following are the most effective methods for creating Snort rules that are both well-organized and efficient.

Familiarize yourself with Snort's rule syntax prior to composing any rule.
Assign a distinct Snort ID (SID) to each rule. This guarantees that the standards are readily identifiable and that conflicts are prevented during modifications. For custom regulations, utilize SIDs within the reserved range (e.g., 1000000+).
Instead of hardcoding IP addresses, utilize predefined variables such as $HOME_NET and $EXTERNAL_NET. This facilitates the maintenance of norms and increases their adaptability. If necessary, establish custom variables in your configuration file for specific networks or ports.

Incorporate remarks into your rules to elucidate their purpose, logic, and any unique considerations. For instance, the following command can be used.

snort alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SSL heartbeat attack (Heartbleed)"; content:"18 03"; depth:2; sid:1000003; rev:1;) # Identifies the Heartbleed exploit

Fine-tune rules to minimize false positives (alerts for benign traffic) and false negatives (missed malevolent traffic).
Ensure that your policies are consistently revised to account for emerging vulnerabilities and threats. In order to receive the most recent revisions, subscribe to Snort's commercial or community rule sets.
Refrain from establishing principles that are excessively broad in scope, as this may result in an excessive number of false positives or negatives. Define the conditions for triggering the rule with as much precision as feasible.
Utilize the content keyword to match specific payload data. Combine content with modifiers such as fast_pattern (to optimize pattern matching) and nocase (case-insensitive).
Utilize precise content matching and supplementary modifiers such as depth, offset, and distance to reduce the number of matches.
It is advisable to refrain from employing generic patterns that may correspond to unrelated traffic.
Utilize the msg keyword to convey plain and descriptive messages in notifications. This facilitates the rapid comprehension of the rule's objective by analysts. For instance, snort alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP GET request detected"; content:"GET"; sid:1000002; rev:1;)
To specify the direction and state of traffic, employ the flow keywords (e.g., flow:to_server,established;). This reduces the number of false positives by guaranteeing that the rules are only applied to pertinent traffic flows.
Categorize rules according to their intended use (e.g., reconnaissance, malware detection, web attacks). Ensure that the rules file is organized to facilitate management.
Utilize utilities such as snort -c -T to verify the syntax and functionality of your rules.
Ensure that the rules function as anticipated by validating them in a test environment.
To enhance the accuracy of the detection process, incorporate supplementary keywords such as threshold, detection_filter, and classtype.
Detect multi-stage assaults by combining multiple principles. For instance, employ a combination of exploitation detection and reconnaissance detection rules.
In order to prevent your rules from causing excessive CPU or memory usage in production environments, it is important to regularly monitor their performance.

How to Integrate Snort with SIEM Tools?

By integrating Snort with a Security Information and Event Management (SIEM) tool, you can improve your security operations by establishing a centralized platform for the monitoring and analysis of security events. You may integrate Snort with a SIEM tool by following the next steps.

Configuring Snort to Send Alerts to a SIEM: Snort must be configured to send alerts to a syslog server in order to integrate with a SIEM utility. This can be accomplished by incorporating the subsequent line into your snort.conf file.
```
output alert_syslog: LOG_AUTH LOG_ALERT
```
This line instructs Snort to transmit notifications to the syslog server by utilizing the LOG_ALERT priority and the LOG_AUTH facility.
Configuring a Syslog Server: The subsequent step is to establish a syslog server to receive and retain Snort alerts. It is possible to employ a third-party syslog server or a SIEM application that supports syslog.
Configuring the SIEM Tool: Following the configuration of the syslog server, the SIEM tool must be configured to receive and process Snort alerts. This typically entails configuring the SIEM tool to monitor incoming syslog messages and establishing rules and filters to process and classify the alerts.
Snort Alert Analysis in the SIEM Tool: The Snort alerts can be analyzed in the SIEM console once the SIEM tool has been configured. The SIEM tool should display a dashboard that includes a summary of the alerts, as well as information on the type of attack detected, the source and destination IP addresses, and the ports.
Responding to Security Events: Ultimately, it is necessary to respond to security events that have been detected by the SIEM tool and Snort. This may entail the immediate implementation of security measures to prevent future attacks, the investigation of the core cause of the attack, or the immediate action of blocking the perpetrator.

Why do you Need Snort?

Snort is essential since it enables your organization to successfully identify and prevent cyber attacks, delivers comprehensive insight into network traffic, and is a cost-effective, adaptable, and scalable solution for safeguarding your infrastructure. Regardless of whether you are a small corporation, a large organization, or an individual, Snort serves as an essential instrument for keeping a robust security posture in the current volatile threat environment.

Snort's capacity to revise rules and adapt to novel attack patterns guarantees its efficacy against evolving threats. Additionally, Snort is extensively used in cybersecurity teaching and research. It assists students in acquiring knowledge about network security and intrusion detection. Researchers analyze attack trends and develop novel detection strategies using Snort as well.

Moreover, organizations bound by regulatory standards (e.g., PCI DSS, HIPAA, GDPR) may use Snort to fulfill compliance obligations by monitoring network activity, identifying illegal access or data breaches, and producing logs and alarms for auditing reasons.

Lastly, Snort offers comprehensive insight into network traffic, allowing administrators to examine packet headers and payloads, recognize irregularities in network activity, and detect unwanted protocols or applications.

How Do I Check My Snort Version?

To check the installed Snort version, run the next command on your Snort IPS system CLI:

snort -V

You should see the output similar to the given below:

,,_ -*> Snort++ <*-
o" )~ Version 3.1.39.0
'''' By Martin Roesch & The Snort Team

http://snort.org/contact#team
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.9
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.2 15 Mar 2022
Using libpcap version 1.10.1 (with TPACKET_V3)
Using PCRE version 8.39 2016-06-14
Using ZLIB version 1.2.11
Using LZMA version 5.2.5

How do I change my IP address on Snort?

To change your IP address on Snort, follow the steps below:

Edit the configuration file /usr/local/etc/snort/snort.lua.
Set the declaration for HOME_NET variable to the network you want to protect against cyber attacks.

info

Instead of leaving the default value of an any for the HOME NET declaration, replace it with your local network's IP address range.

Employing a CIDR format expression to cover the complete range of relevant addresses (especially when using Network Address Translation in settings controlled by gateways or routers) is the easiest method.

For a typical residential network, the expression is 192.168.0.1/24. or 192.168.1.1/24.

In a typical big office network using network address translation, the expression is 10.0.0.0/8.

In some contexts (particularly household environments connecting to the Internet via cable modem without the need of a gateway or router), the Internet service provider (ISP) may suggest the proper IP address range to use.

Save and exit.
Verify the configuration changes by running the next command.
```
snort -c /usr/local/etc/snort/snort.lua
```

Is Snort multithreaded?

Yes. As of Snort 3, released on January 19, 2021, Snort is multithreaded. Multiple packet processing threads can be operated concurrently in Snort 3.

Snort 3 provides the-- max-packet-threads or -z option for using multiple packet processing threads. This parameter specifies the number of threads used by Snort to handle network traffic, with a maximum of 8 threads.

Snort launches N packet processing threads, where N is the number of threads specified after the --max-packet-threads or -z option.

For example, to use 4 threads for processing pcap files ending with *.pcap from a given location 'pcaps', run the following commands on your Snort CLI:

snort -c snort.lua --pcap-dir ./pcaps --pcap-filter '*.pcap' -l /var/log/snort plugin-path /extra -k none -z --4

Note that when utilizing multiple threads while logging to files, each thread will produce its own set of log files based on the logging configuration specified in the snort.lua file.

If the --id-subdir option is given, each thread will create a directory beneath the provided log directory or the default log directory /var/log/snort named after the thread's ID.

Is Snort Active or Passive?

Snort is a passive IDS by default. Snort monitors or "sniffs" network traffic and records and may alert the administrator if a packet matches a certain rule or contains a specified string. However, the active response feature makes the Snort an active IDS.

Snort plays a more active role in network security by providing active responses to terminate malicious connections. When active responses are enabled, Snort will send TCP RST or ICMP unreachable when a session is terminated.

The active response is enabled by setting one of the IPS action plugins listed below:

react = : The IPS action responds permits transmitting an HTML page and subsequently resetting a session.
reject = : By injecting TCP resets (TCP connections) or ICMP unreachable packets, a hostile network session may be terminated.
rewrite = : The IPS action rewrite permits the replacement of packet contents, depending on the "replace" rule option.

Is Snort host-based?

No. Snort is a network-based intrusion detection and prevention system, commonly known as a network intrusion detection and prevention system (NIDS). Snort include a packet sniffer to gather network traffic for analysis. As a NIDS, Snort intercept cyber attacks as they occur. The snort engine is typically rule-based and can be modified by adding your own rules.

How Many Protocols Does Snort Support?

Three (3). Currently, Snort monitors three IP protocols for suspicious behavior:

TCP
UDP
ICMP

There may be other protocols in the future, such as ARP, IGRP, GRE, OSPF, RIP, and IPX.

What Happens When Snort Rejects a Packet?

Snort shutdowns hostile network sessions by injecting TCP resets (TCP connections) or

ICMP unreachable packets and logging the event when it rejects a packet by performing an active response.

What is the Difference Between Snort 2 and Snort 3?​

How to Install Snort 3 on Ubuntu 22.04?​

1. Update the Ubuntu Server​

2. Install Dependencies​

3. Download and Install Snort from Source Code​

How to Configure Snort 3 on Ubuntu 22.04​

1. Configuring Network Interfaces​

2. Configuring Snort Community and Local Rule Sets​

3. Installing Snort OpenAppID​

4. Configuring Snort Logging​

5. Running Snort as a Service​

How to Troubleshoot Common Installation Issues?​

How to Optimize Snort Performance on Multi-Core Systems?​

How to Write Custom Snort Rules?​

Examples for Custom Snort Rules​

What Are the Best Practices for Writing Effective Snort Rules?​

How to Integrate Snort with SIEM Tools?​

Why do you Need Snort?​

How Do I Check My Snort Version?​

How do I change my IP address on Snort?​

Is Snort multithreaded?​

Is Snort Active or Passive?​

Is Snort host-based?​

How Many Protocols Does Snort Support?​

What Happens When Snort Rejects a Packet?​