Snort - a popular open-source IDS/IPS

New configuration (How To)

Situation

Snort is a powerful, open-source network intrusion detection and prevention system (IDS/IPS) used to monitor network traffic and detect malicious activity such as exploits, malware, and unauthorized access. It works by analyzing network packets and comparing them to predefined rules.

Solution

Installing Snort

a) For Linux (Ubuntu/Debian)

  • Update the package list:

sudo apt-get update

  • Install Snort:

sudo apt-get install snort

b) For CentOS/RHEL

  • Install Snort via EPEL:

sudo yum install snort

c) For macOS

  • Install using Homebrew:

brew install snort

d) For Windows

  • Download the Windows version from the Snort website: Snort Downloads.

  • Follow the installation instructions.

Basic Configuration of Snort

1. Edit Snort Configuration File: The main configuration file is located at /etc/snort/snort.conf (Linux).

  • You may need to specify your network interface, home network settings, and other parameters.

Example:

var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET

2. Set up Rule Paths: In the snort.conf file, specify the path to the rule sets.

include $RULE_PATH/local.rules

3. Download and Update Snort Rules: Snort requires rule sets to detect specific threats. These can be downloaded from Snort.org or updated via the command:

sudo snort -U

Running Snort

a) Basic IDS Mode (Packet Sniffer)

To run Snort in packet-sniffing mode, use the following command:

sudo snort -A console -c /etc/snort/snort.conf -i eth0

-A console: Outputs alerts to the console.

-c /etc/snort/snort.conf: Specifies the configuration file.

-i eth0: Specifies the network interface to monitor (replace eth0 with your network interface name).

b) IDS/IPS Inline Mode (Prevention)

To run Snort as an IPS (Intrusion Prevention System) to block malicious traffic, use the following command:

sudo snort -Q -c /etc/snort/snort.conf -i eth0

-Q: Enables inline mode for blocking attacks.

Snort Rules

Snort uses a set of rules to detect and respond to network activity. Rules are defined in the .rules files and consist of conditions to identify malicious activity.

Basic rule format:

alert tcp any any -> any 80 (msg:"Possible SQL Injection"; content:"union select"; sid:1000001;)

-alert: Action to take (e.g., alert, log, drop).

-tcp: Protocol being monitored.

-any any: Source IP address and source port (before the arrow); the any 80 after the arrow is the destination IP address and destination port.

-content: The string or pattern to look for.

-sid: The unique Snort ID for the rule.
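To make the rule anatomy concrete, here is an added example (not part of the original article and not Snort's own matching engine): a minimal Python matcher that parses the rule above into its header fields and msg/content/nocase/sid options, then evaluates it against constructed packet records. The packet helper, the `!` negation and the `nocase` handling are my additions for illustration; note that without `nocase` the content match is byte-exact, so "UNION SELECT" slips past the rule as written.

```python
import re
# Added illustration, not Snort's own engine: a minimal matcher for the rule
# shape shown above (header, then msg / content / nocase / sid options).
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
FIELDS = ('action', 'proto', 'src_ip', 'src_port', 'dst_ip', 'dst_port')
PKT_KEYS = (('src_ip', 'src'), ('src_port', 'sport'), ('dst_ip', 'dst'), ('dst_port', 'dport'))

def parse_rule(text):
    """Header fields plus msg, sid and a list of [bytes, nocase] contents."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = dict(zip(FIELDS, m.groups()[:6]), msg='', sid='', contents=[])
    for opt in m.group(7).split(';'):
        key, _, val = opt.strip().partition(':')
        val = val.strip().strip('"')
        if key == 'content':
            rule['contents'].append([val.encode(), False])
        elif key == 'nocase' and rule['contents']:
            rule['contents'][-1][1] = True   # nocase modifies the preceding content
        elif key in ('msg', 'sid'):
            rule[key] = val
    return rule

def field_matches(pattern, value):
    # 'any' matches everything, a leading '!' negates, otherwise exact compare
    if pattern == 'any':
        return True
    if pattern.startswith('!'):
        return not field_matches(pattern[1:], value)
    return pattern == str(value)

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule['proto'] != pkt['proto'] or not all(
            field_matches(rule[r], pkt[p]) for r, p in PKT_KEYS):
        return False
    for needle, nocase in rule['contents']:
        hay = pkt['payload']
        if nocase:                      # without nocase the match is byte-exact
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def sample_packet(payload, dport=80):
    """Constructed packet record (not a real capture) for trying rules out."""
    return dict(proto='tcp', src='10.0.0.5', sport=51000,
                dst='192.168.1.10', dport=dport, payload=payload)
```

The parser deliberately ignores everything real Snort adds on top (escaped `;` or `|hex|` bytes inside content, port ranges, variables such as $HOME_NET); it exists only to show how the header narrows traffic before the content check runs.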

Viewing Snort Alerts

Snort generates alerts in the format specified by the -A option. For example, if you run Snort with the -A console option, alerts will display in the terminal.

To view logged alerts from Snort, check the default alert log file:

/var/log/snort/alert

Solution type

Permanent
