
How to Install and Set Up Snort IDS on Linux to Secure Your Network

If you’re looking for a way to detect intrusions and secure your network, Snort is a solid, open-source solution. Snort is a powerful intrusion detection system (IDS) that monitors network traffic in real time and alerts on suspicious activity (and can block it when run inline as an IPS). Here’s a step-by-step guide on how to install and configure Snort on a Linux machine.

Why Use Snort?

  • Open Source: Free to use with a large, active community.
  • Real-Time Monitoring: Instantly detects suspicious traffic.
  • Customizable: You can create your own rules to tailor it to your needs.

Let’s get started.


1. System Preparation

Before installing Snort, make sure your Linux system is up to date. These steps work for Ubuntu/Debian-based systems. If you’re using CentOS, let me know and I’ll tweak the commands.

sudo apt update
sudo apt upgrade -y

You’ll also need some dependencies:

sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

2. Install Snort

You can install Snort from your distro’s repositories, but to get the latest features, download it from the official Snort website.

Download and Extract

cd /tmp
wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar -xvf snort-2.9.20.tar.gz
cd snort-2.9.20

Build and Install

./configure --enable-sourcefire
make
sudo make install

Add Snort to your system path:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

3. Basic Configuration

Create User and Directories

It’s best to run Snort as its own user:

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
# setgid (the 2) makes new rule and log files inherit the snort group; the setuid bit in the commonly copied 5775 has no meaning on directories and should not be set recursively on files
sudo chmod -R 2775 /etc/snort
sudo chmod -R 2775 /var/log/snort
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort

Download Snort Rules

Register for a free account on Snort.org and download the latest community rules.

cd /etc/snort
sudo wget https://www.snort.org/downloads/community/community-rules.tar.gz
sudo tar -xvf community-rules.tar.gz
# the archive unpacks into community-rules/; copy the rule file to where snort.conf will look for it
sudo cp community-rules/community.rules rules/

4. Configure snort.conf

The source tree ships the stock configuration under etc/; copy it into /etc/snort, then edit /etc/snort/snort.conf:

sudo cp /tmp/snort-2.9.20/etc/*.conf* /tmp/snort-2.9.20/etc/*.map /etc/snort/
sudo nano /etc/snort/snort.conf
  • Set the HOME_NET variable to your network range (the stock file defines it with ipvar), e.g.:
    ipvar HOME_NET 192.168.1.0/24
  • Point RULE_PATH and the white/black list paths at the rules directory you created in step 3:
    var RULE_PATH /etc/snort/rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules
  • Include your rules files, and comment out any include in the stock file whose rule file you have not installed (otherwise the test in step 5 fails):
    include $RULE_PATH/local.rules
    include $RULE_PATH/community.rules

5. Testing Snort

Run Snort in test mode to check your config:

sudo snort -T -c /etc/snort/snort.conf

If you see “Snort successfully validated the configuration,” you’re good to go.


6. Running Snort

To start Snort in IDS mode:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
  • -A console prints alerts to the console.
  • -q is for quiet mode (less output).
  • -u snort -g snort drops privileges to the snort user and group created in step 3 once the capture interface is open.
  • -c specifies the config file.
  • -i specifies your network interface (replace eth0 with your interface).

You can also run Snort as a service or use tools like PulledPork to keep your rules up to date.


Final Tips

  • Regularly update your rules for the latest threat detection.
  • Check your /var/log/snort directory for alerts and logs.
  • Customize local.rules to suit your environment.
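To make sense of what lands in /var/log/snort (or on the console with -A console), here is an added example that is not part of the original post: a small Python parser for Snort’s fast alert format that groups alerts by SID and counts distinct sources, so the most severe signatures are triaged first. The sample alert lines are constructed, and SID 1000001 stands for a hypothetical local.rules rule.

```python
import re

# Regex for one line of Snort 2.9 "fast" alert output: what -A console prints and
# what /var/log/snort/alert contains when Snort runs with -A fast.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts, not real traffic; SID 1000001 stands for a hypothetical local.rules rule.
SAMPLE_ALERTS = """\
08/15-10:02:11.123456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.1
08/15-10:02:12.223456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.51 -> 192.168.1.1
08/15-10:05:40.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:49812
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
    # TCP/UDP endpoints are "ip:port"; ICMP alerts carry bare addresses, so only split those.
    a["src_ip"] = a["src"].rsplit(":", 1)[0] if a["proto"] in ("TCP", "UDP") else a["src"]
    return a

def summarize(text):
    """Group alerts by SID: hit count, distinct source IPs and the most severe priority seen (lowest number)."""
    summary = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # ignore anything that is not an alert line
        s = summary.setdefault(a["sid"], {"msg": a["msg"], "count": 0, "sources": set(), "priority": a["prio"]})
        s["count"] += 1
        s["sources"].add(a["src_ip"])
        s["priority"] = min(s["priority"], a["prio"])
    return summary

if __name__ == "__main__":
    # Most severe signatures first, so triage starts at the top.
    for sid, s in sorted(summarize(SAMPLE_ALERTS).items(), key=lambda kv: kv[1]["priority"]):
        print(f"prio {s['priority']}  sid {sid}: {s['count']} hit(s) from {len(s['sources'])} source(s): {s['msg']}")
```

Feed it your real alert file instead of SAMPLE_ALERTS (for example `summarize(open("/var/log/snort/alert").read())`) to get the same per-SID view of a running sensor.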

Snort is powerful, but it’s only as good as your rules and your network awareness. Tune it for your environment and keep learning.

Want more guides like this? Leave a comment or reach out!

© 2025 Computer Everywhere