Skip to content

Lesson: Installing and Configuring Snort 3 on Ubuntu

Objective

By the end of this lesson, students will:

  • Install Snort 3 on Ubuntu.
  • Understand the importance of the snort.conf configuration file.
  • Learn the basics of Snort rules and how to create a custom rule.

Prerequisites

  • Basic knowledge of Linux commands.
  • Ubuntu installed on a system or VM.
  • Internet access for downloading packages.

Part 1: Introduction to Snort (10 minutes)

What is Snort?

Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It is designed to monitor network traffic in real-time and look for malicious activity, such as attacks or exploits.

Key Terms:

  • Network Intrusion Detection System (IDS): Monitors network traffic for suspicious activity.
  • Network Intrusion Prevention System (IPS): Detects and prevents malicious traffic.
  • Snort Rule: A set of predefined conditions that trigger alerts or actions when suspicious traffic is detected.

Part 2: Installing Snort 3 on Ubuntu (15 minutes)

First, ensure your system is up to date and has the latest list of packages:

sudo apt-get update && sudo apt-get dist-upgrade -y
Make sure your system has the correct time and the correct time zone. This will be important later when we start processing. The command below will allow you to choose your time zone:

sudo dpkg-reconfigure tzdata
We will be downloading a number of source tarballs and other files, we want to store them in one folder:
mkdir ~/snort_src
cd ~/snort_src
Install the Snort 3 prerequisites:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

Download and install safec for runtime bounds checks on certain legacy C-library calls:

1
2
3
4
5
6
7
cd ~/snort_src
wget https://github.com/rurban/safeclib/releases/download/v02092020/libsafec-02092020.tar.gz
tar -xzvf libsafec-02092020.tar.gz
cd libsafec-02092020.0-g6d921f
./configure
make
sudo make install
Snort 3 uses Hyperscan for fast pattern matching n. Hyperscan has a number of reqiurements, including PCRE, gperools, ragel, and the Boost Libraries.

First Install PCRE

1
2
3
4
5
6
7
cd ~/snort_src/
wget wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
tar -xzvf pcre-8.45.tar.gz
cd pcre-8.45
./configure
make
sudo make install
Download and install gperfools 2.9:
1
2
3
4
5
6
7
cd ~/snort_src
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
tar xzvf gperftools-2.9.1.tar.gz
cd gperftools-2.9.1
./configure
make
sudo make install
Download and install Ragel:
1
2
3
4
5
6
7
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install
Download (but don’t install) the Boost C++ Libraries:
1
2
3
cd ~/snort_src
wget https://boostorg.jfrog.io/artifactory/main/release/1.77.0/source/boost_1_77_0.tar.gz
tar -xvzf boost_1_77_0.tar.gz
Install Hyperscan 5.4 from source, referencing the location of the Boost source directory:
1
2
3
4
5
6
7
8
cd ~/snort_src
wget https://github.com/intel/hyperscan/archive/refs/tags/v5.4.0.tar.gz
tar -xvzf v5.4.0.tar.gz
mkdir ~/snort_src/hyperscan-5.4.0-build
cd hyperscan-5.4.0-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_77_0/ ../hyperscan-5.4.0
make
sudo make install
Install flatbuffers
1
2
3
4
5
6
7
8
cd ~/snort_src
wget https://github.com/google/flatbuffers/archive/refs/tags/v2.0.0.tar.gz -O flatbuffers-v2.0.0.tar.gz
tar -xzvf flatbuffers-v2.0.0.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-2.0.0
make
sudo make install
Next, download and install Data Acquisition library (DAQ) from the Snort website. Note that Snort 3 uses a dierent DAQ than the Snort 2.9. series.
1
2
3
4
5
6
7
8
cd ~/snort_src
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.5.tar.gz -O libdaq-3.0.5.tar.gz
tar -xzvf libdaq-3.0.5.tar.gz
cd libdaq-3.0.5
./bootstrap
./configure
make
sudo make install
Update shared libraries:
sudo apt install libfl-dev
sudo ldconfig
Now we are ready to download, compile, and install Snort 3 from the snort website.Download and install, with default settings:
1
2
3
4
5
6
7
8
cd ~/snort_src
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.17.0.tar.gz -O snort3-3.1.17.0.tar.gz
tar -xzvf snort3-3.1.17.0.tar.gz
cd snort3-3.1.17.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
Snort should now be installed under /usr/local/. Finally, verify that Snort runs correctly. To do this, we pass the snort executable the -V flag (uppercase V for version)
/usr/local/bin/snort -V
You should see output similar to the following:
defender@work:/usr/local/etc/snort$ /usr/local/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.17.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.5
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.2.11
           Using FlatBuffers 2.0.0
           Using Hyperscan version 5.4.0 2024-09-11
           Using LZMA version 5.2.4

Part 3: Snort Configuration - snort.lua File (10 minutes)

The snort.lua file is the heart of Snort’s configuration. It tells Snort how to behave, what rules to use, and what network interfaces to monitor.

Step 1: Locate the snort.conf file

The main Snort configuration file is usually located in /etc/snort/. To open it for editing:

sudo nano /usr/local/etc/snort/snort.lua

Step 2: Key files of snort3

  • snort.lua: This file defines IP ranges that Snort will monitor. For example:
    HOME_NET = 'any'
    EXTERNAL_NET = 'any'
    
  • snort_defaults.lua: This file defines the external defaults for Snort. Rule path , server IPs and Port variables are defined here. for example:
    RULE_PATH = '../rules'
    DNS_SERVERS = HOME_NET
    FTP_SERVERS = 10.10.50.233
    FTP_PORTS = ' 21 2100 3535'
    HTTP_PORTS =
    [[
        80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128
        3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008
        8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800
        8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
        50002 55555
    ]]
    

Step 3: Save and Exit

After reviewing the configuration, save and exit the file by pressing CTRL + X, then Y to confirm, and Enter.

Part 4: Snort Rules (15 minutes)

Snort rules define what network traffic should trigger alerts. They are essential for detecting specific attacks, patterns, or anomalies.

Rule Structure

A typical Snort rule has the following structure:

action protocol source_ip source_port -> dest_ip dest_port (options)
Example rule:
alert icmp any any -> any any (msg:"ICMP Packet Detected"; sid:1000001; rev:1;)

  • Action: What Snort should do (e.g., alert, log, drop).
  • Protocol: The type of traffic (e.g., tcp, udp, icmp).
  • Source/Destination: IP addresses and ports involved in the traffic.
  • Options: Additional details such as logging messages (msg) or rule identifiers (sid) or revision (rev).

Create a Custom Rule

We need to create some folders and files that Snort reqiures for rules:

1
2
3
4
5
6
sudo mkdir /usr/local/etc/rules
sudo mkdir /usr/local/etc/so_rules/
sudo mkdir /usr/local/etc/lists/
sudo touch /usr/local/etc/rules/local.rules
sudo touch /usr/local/etc/lists/default.blocklist
sudo mkdir /var/log/snort
We will create one rule in the local.rules file that you created above
sudo vi /usr/local/etc/rules/local.rules
This rule will detect ICMP traffic, and is really good for testing that Snort is working correctly and generating alerts. Paste the following line into the local.rules
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )
Now run Snort and have it load the local.rules file (with the -R flag) to make sure it loads these rules correctly (verifying the rules are correctly formatted):
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
The output should end with “Snort successfully validated the configuration”. You should not have any warnings or errors. If you scroll up through the output, you should see this rule loaded successfully (under the rule counts section)
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -A alert_fast -s 65535 -k none

The flags we are using here are:

Flag Description
-c /usr/local/etc/snort/snort.lua The snort.lua configuration file.
-R /usr/local/etc/rules/local.rules The path to the rules file containing our one ICMP rule.
-i eth0 The interface to listen on.
-A alert_fast Use the alert_fast output plugin to write alerts to the console.
-s 65535 Set the snaplen so Snort doesn’t truncate and drop oversized packets.
-k none Ignore bad checksums, otherwise snort will drop packets with bad checksums

Now from another window on that computer (open a new terminal window or a second ssh session), use the ping command to generate packets that traverse the interface you are listening on ping to that interface’s IP address if you’re connecting from another computer, or just ping an external ip address if you’re on the same machine. You should see alerts print on the screen

Next let’s edit the snort.lua file. This file is the configuration file we pass to Snort at startup

sudo vi /usr/local/etc/snort/snort.lua
Next, we want to enable decoder and inspector alerts, and we want to tell the ips module where our rules file will be (PulledPork will create this for us later)Scroll down to line 170, and look for the section titled ips. Here we un-comment (remove the leading two dashes) from enable_builtin_rules=true, and enable our pulledpork rules. Note that lua uses four spaces, not tabs to indent these lines (this is required). This section should look like this (comments removed):

ips =
{
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,
    include = RULE_PATH .. "/local.rules",
    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables
}
test your config file (since we’ve made changes):
snort -c /usr/local/etc/snort/snort.lua
Now we can run snort as above, however we don’t explictly pass the local.rules file on the command line, as we’ve included it in the ips section in the snort.lua file:
sudo snort -c /usr/local/etc/snort/snort.lua -i eth0 -A alert_fast -s 65535 -k none

PulledPork3

PulledPork is a tool that we will use to download rulesets, which are the latest rules files that snort/talos releases to ensure that your system can detect the latest attacks.

Start by obtaining the latest version of PulledPork3:

cd ~/snort_src/
git clone https://github.com/shirkdog/pulledpork3.git
Next, copy the python file to an apropriate location:
1
2
3
4
5
6
7
cd ~/snort_src/pulledpork3
sudo mkdir /usr/local/bin/pulledpork3
sudo cp pulledpork.py /usr/local/bin/pulledpork3
sudo cp -r lib/ /usr/local/bin/pulledpork3
sudo chmod +x /usr/local/bin/pulledpork3/pulledpork.py
sudo mkdir /usr/local/etc/pulledpork3
sudo cp etc/pulledpork.conf /usr/local/etc/pulledpork3/
verify the PulledPork3 runs:

/usr/local/bin/pulledpork3/pulledpork.py -V
You should see something similar to the following (version numbers may change):
defender@work:~/snort_src/pulledpork3$ /usr/local/bin/pulledpork3/pulledpork.py -V
PulledPork v3.0.0.5

    https://github.com/shirkdog/pulledpork3
      _____ ____
     `----,\    )   PulledPork v3.0.0.5
      `--==\\  /    Lowcountry yellow mustard bbq sauce is the best bbq sauce. Fight me.
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2021 Noah Dietrich, Colin Grady, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'   Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next, we need to modify our pulledpork.conf file.

sudo vi /usr/local/etc/pulledpork3/pulledpork.conf
This configuration file is broken up into sections, and there are a number of options. We’ll opt for a simple configuration. We will download the community_ruleset ruleset by setting it to true. Using a throwaway Email, register an account on snort.org to get a oinkcode.
community_ruleset = true
oinkcode = 140a6e6bbcb02d0c6ae605c1c1ca135773de0abc
PulledPork needs to know where your snort binary is located. Set the snort_path to point to the snort binary path (and make sure to un-comment this line):
snort_path = /usr/local/bin/snort
Where are your local rules saved (to include in pulledpork.rules)
local_rules = /usr/local/etc/rules/local.rules
Now run PulledPork3:
sudo /usr/local/bin/pulledpork3/pulledpork.py -c /usr/local/etc/pulledpork3/pulledpork.conf
Once PulledPork3 finishes execution, there are multiple files created for you: /usr/local/etc/rules/pulledpork.rules will contain all the rules from the downloaded ruleset, along with the rules from your local.rules file. Compiled rules, also called .so rules (referenced by some of the rules in pulledpork.rules) will be saved in /usr/local/etc/so_rules/.

We need to modify our snort.lua file to load the new pulledpork.rules files.

sudo vi /usr/local/etc/snort/snort.lua

Modify the ips include option to change it from your local rules file to the new pulledpork.rules file:

1
2
3
4
5
6
171 ips =
172 {
173     enable_builtin_rules = true,
174     include = RULE_PATH .. "/pulledpork.rules",
175     variables = default_variables
176 }
Since you’ve modified the snort.lua, you should test it. We need to add an additional parameter here, to tell Snort3 where the .so rules are located. The pulledpork.rules file contains a number of rules that reference the compiled .so rules, and if it can’t find the actual compiled files (in /usr/local/etc/so_rules) you’ll get an error.

snort -c /usr/local/etc/snort/snort.lua --plugin-path /usr/local/etc/so_rules/

At this point snort is

Conclusion (5 minutes)

Review:

  • You have installed Snort 3 on Ubuntu.
  • You understand the significance of the snort.conf file for configuring Snort.
  • You created a custom rule to detect ICMP traffic.

Class assignment:

  • Create 3 additional Snort rules to detect specific traffic (e.g., SSH, HTTP, or DNS).
  • Research how to improve Snort performance on a large network.

Resources