Snort Intrusion Detection System Setup

Snort is one of the most widely deployed open-source intrusion detection and prevention systems in the world. As a network-based IDS/IPS, Snort analyzes network traffic in real-time to identify suspicious activity, enforce network policies, and log traffic for post-incident analysis. This guide covers installing Snort 3 on Linux, configuring network variables, managing detection rules, setting up preprocessing, configuring output plugins, and using PulledPork for automated rule management and maintenance.

Table of Contents

• System Requirements
• Installation
• Snort 3 Architecture
• Network Variables Configuration
• Rule Management Basics
• PulledPork Rule Manager
• Preprocessors and Inspection
• Output Plugins
• Inline Mode Configuration
• Rule Tuning and Optimization
• Monitoring and Maintenance
• Conclusion

System Requirements

Snort 3 requires modern hardware and libraries for optimal performance. Ensure your system meets these specifications:

• Intel or AMD multi-core processor (4+ cores recommended)
• Minimum 2 GB RAM (4 GB+ for production)
• 20 GB disk space for binaries, rules, and logs
• Linux kernel 4.0 or newer
• GCC compiler and development libraries
• PCAP library for packet capture

Check system prerequisites:

uname -r
nproc
free -h
df -h /
gcc --version

Installation

Install Snort 3 from source for maximum control and latest features. The build process involves compiling dependencies and Snort itself.

Install required development packages:

For Ubuntu/Debian:

sudo apt-get update
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev pkg-config cmake

For CentOS/RHEL:

sudo yum groupinstall -y 'Development Tools'
sudo yum install -y pcap-devel pcre-devel libdnet-devel openssl-devel zlib-devel

Download Snort 3 source code:

cd /tmp
wget https://github.com/snort3/snort3/archive/3.1.73.0.tar.gz
tar xzf 3.1.73.0.tar.gz
cd snort3-3.1.73.0

Compile Snort 3:

./configure_cmake.sh --prefix=/opt/snort
cd build
make -j$(nproc)
sudo make install

Add Snort to the system PATH:

sudo bash -c 'echo "export PATH=/opt/snort/bin:$PATH" >> /etc/profile.d/snort.sh'
source /etc/profile.d/snort.sh

Verify the installation:

snort --version
which snort
snort -V

Create directories for rules and logs:

sudo mkdir -p /etc/snort
sudo mkdir -p /var/log/snort
sudo mkdir -p /var/lib/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /var/lib/snort

Snort 3 Architecture

Snort 3 uses a modular architecture with pluggable components. The main components are:

• Inspector plugins (inspect network protocols)
• IPS Action plugins (decide how to handle alerts)
• Logger plugins (output alerts and events)
• Data Handler plugins (manage inspection state)

View available inspectors:

snort --list-modules | grep inspector

View available loggers:

snort --list-modules | grep logger

View module help:

snort --help-module http_inspect

Network Variables Configuration

Network variables define trusted networks, monitored ports, and other policy elements. Create the main configuration file:

sudo nano /etc/snort/snort.lua

Define network variables in the configuration:

-- Snort 3 Configuration File

-- Network variables
HOME_NET = 'home'
EXTERNAL_NET = '!home'

TRUSTED_RULES_LIST_PATH = '/etc/snort'

-- Ports
HTTP_PORTS = '80 8080 8888'
SHELLCODE_PORTS = '!80'
ORACLE_PORTS = '1521'
SSH_PORTS = '22'
FTP_PORTS = '21'
SIP_PORTS = '5060 5061'
DNSD_PORTS = '53'
MODBUS_PORTS = '502'
DNP3_PORTS = '20000'

-- Policy selection
ips =
{
    mode = IPS_MODE,
    type = INSPECTION_TYPE,
}

Create a network variables file for easier management:

sudo nano /etc/snort/vars.lua

Add comprehensive variables:

-- Snort 3 Network Variables

-- Define your network
HOME_NET = { '192.168.0.0/16', '10.0.0.0/8', '172.16.0.0/12' }
EXTERNAL_NET = 'any'

-- HTTP ports
HTTP_PORTS = { 80, 8080, 8888, 8000, 3128, 3132, 8081, 6588 }
HTTPS_PORTS = { 443, 465, 563, 8443 }

-- Mail ports
MAIL_PORTS = { 25, 109, 110, 143, 600, 993, 995 }

-- P2P ports
P2P_PORTS = { 1214, 3689, 4662, 6346, 6666, 6667, 6668, 6669 }

-- RPC services
RPC_PORTS = { 111, 32770, 32771, 32772, 32773, 32774, 32815 }

Include the variables file in the main configuration:

include = 'vars.lua'

Rule Management Basics

Snort rules are the core detection logic. A basic rule consists of:

1. Action (alert, drop, pass, log)
2. Protocol (tcp, udp, icmp, ip)
3. Direction (from/to)
4. Source and destination addresses
5. Ports
6. Rule options (msg, flow, content, etc.)

Create a custom rules file:

sudo nano /etc/snort/custom.rules

Example rules:

# Detect SSH brute force attempts
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH Brute Force Attempt"; flow:to_server,established; content:"SSH"; http_client_body; threshold:type both, track by_src, count 10, seconds 60; sid:1000001; rev:1;)

# Detect port scanning
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Port Scan"; flags:F; threshold:type both, track by_src, count 5, seconds 60; sid:1000002; rev:1;)

# Detect SQL injection attempts
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection Attempt"; uricontent:"union"; http_uri; sid:1000003; rev:1;)

# Detect common malware user agents
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Suspicious User-Agent"; content:"curl"; http_user_agent; sid:1000004; rev:1;)

# Detect Nikto scanning
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Nikto Scanner Detected"; content:"nikto"; http_user_agent; case-insensitive; sid:1000005; rev:1;)

Include custom rules in the main configuration:

ips = {
    enable_builtin_rules = true,
}

include = 'custom.rules'

Test the rules for syntax:

snort -c /etc/snort/snort.lua -T

PulledPork Rule Manager

PulledPork is a rule management tool that automates downloading, merging, and organizing Snort rules from various sources. Install PulledPork:

cd /tmp
wget https://github.com/pulledpork/pulledpork/archive/v0.7.3.tar.gz
tar xzf v0.7.3.tar.gz
cd pulledpork-0.7.3
sudo install -m 755 pulledpork.pl /usr/local/bin/
sudo mkdir -p /etc/pulledpork
sudo cp pulledpork.conf /etc/pulledpork/

Configure PulledPork:

sudo nano /etc/pulledpork/pulledpork.conf

Critical settings:

# Output directory
output_directory=/etc/snort/rules

# Rule source URL (requires registration for commercial rules)
rule_url=https://rules.snort.org/snortrules-snapshot-33120.tar.gz|<your-oinkcode>

# ET Pro rules (if available)
et_pro_url=https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

# Local rules
local_rules=/etc/snort/custom.rules

# Sid map file for rule versioning
sid_map_fqdn=https://www.snort.org/sid-msg-map

# Alert classification
classification_file=/etc/snort/classification.config

# Reference configuration
reference_config_file=/etc/snort/reference.config

# Verbose output
verbose=1

For ET Open rules (free alternative to Snort VRT):

# Download ET Open rules manually
mkdir -p /tmp/et-rules
cd /tmp/et-rules
wget https://rules.emergingthreats.net/open/snort/emerging.rules.tar.gz
tar xzf emerging.rules.tar.gz

Run PulledPork to update rules:

sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf -l

Check rule statistics after update:

snort -c /etc/snort/snort.lua --dump-dynamic-rules

Schedule automatic rule updates:

sudo crontab -e

Add this line for daily updates at 3 AM:

0 3 * * * /usr/local/bin/pulledpork.pl -c /etc/pulledpork/pulledpork.conf -l > /var/log/snort/pulledpork.log 2>&1 && systemctl restart snort

Preprocessors and Inspection

Preprocessors analyze protocol-specific behavior before rule matching. In Snort 3, these are called inspectors and are configured differently.

Configure HTTP inspection:

-- HTTP Inspector Configuration
http_inspect = {
    request_depth = 0,  -- 0 means unlimited
    response_depth = 0,
    unzip_max_size = 0,
    unzip_mem_limit = 0,
    script_detection = true,
    uri_include_all = false,
}

Configure TCP stream reassembly:

stream_tcp = {
    show_rebuilt_packets = false,
    enable_alerts = true,
    max_tcp_sessions = 200000,
    cache_nominal_timeout = 3600,
    cache_pruning_timeout = 30,
    cache_timeout = 3600,
    track_only_established_sessions = false,
}

Configure DNS inspection:

dns = {
    ports = { 53 },
    enable_alerts = true,
    enable_normalizations = { 'dns' },
}

Configure FTP inspection:

ftp_server = {
    ports = { 21, 2100, 3535, 5600, 5631, 9503 },
}

ftp_client = {
}

Configure SSL/TLS inspection:

ssl = {
    ports = { 443, 465, 563, 585, 614, 636, 989, 990, 992, 993, 995, 8443 },
    allow_invalid_certs = false,
}

Output Plugins

Output plugins format and deliver alerts and events to various destinations. Configure multiple outputs:

-- Alert output
alert_csv = {
    fields = 'timestamp, action, class, priority, protocol, src_addr, src_port, dst_addr, dst_port, message',
    file = true,
}

-- Unified2 output for distributed systems
unified2 = {
    memory_cap = 100,
    packet_log_limit = 0,
}

-- JSON output for SIEM integration
alert_json = {
    file = true,
}

Configure file logging:

alert_fast = {
    filename = '/var/log/snort/alert',
}

log_tcpdump = {
    filename = '/var/log/snort/snort.pcap',
}

Configure syslog output:

alert_syslog = {
    level = 'info',
    facility = 'LOG_LOCAL0',
}

Send alerts to a remote syslog server:

sudo nano /etc/rsyslog.d/snort.conf

Add configuration:

:programname, isequal, "snort" @@192.168.1.100:514

Restart rsyslog:

sudo systemctl restart rsyslog

Inline Mode Configuration

Inline mode (IPS mode) allows Snort to actively block malicious traffic. Configure inline mode:

-- IPS mode
ips = {
    mode = IPS_MODE,
    type = INSPECTION_TYPE,
}

Configure iptables for NFQUEUE to route traffic through Snort:

sudo iptables -I FORWARD -j NFQUEUE --queue-num 0

Create IPS rules that drop traffic:

sudo nano /etc/snort/ips.rules

Example IPS rules:

# Drop SMB exploitation attempts
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"IPS: SMB Exploitation Attempt"; sid:2000001; rev:1;)

# Drop malformed packets
drop tcp any any -> any any (msg:"IPS: Malformed TCP"; flags:!F,!S,!R,!P,!A,!U; sid:2000002; rev:1;)

# Drop known botnet C&C traffic
drop tcp any any -> $HOME_NET any (msg:"IPS: Botnet C&C Connection"; content:"bot"; http_client_body; sid:2000003; rev:1;)

Start Snort in inline mode:

sudo snort -c /etc/snort/snort.lua -Q

Rule Tuning and Optimization

Tune rules to reduce false positives while maintaining security effectiveness. Generate statistics from rule firing:

snort -c /etc/snort/snort.lua -r /var/log/snort/snort.pcap -q

Disable rules that consistently generate false positives:

sudo nano /etc/snort/threshold.config

Add rule suppression:

# Suppress specific rule
suppress gen_id 1, sig_id 1000001

# Suppress rule with source-based tracking
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.168.1.5

Create a rule policy for different environments:

sudo nano /etc/snort/local.rules

Comment out or modify rules:

# Disabled due to false positives in our environment
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Rule causing false positives"; sid:1000001; rev:1;)

Test configuration changes without restarting:

snort -c /etc/snort/snort.lua -T

Monitoring and Maintenance

Monitor Snort's operation and maintain system health:

sudo systemctl status snort
sudo systemctl start snort
sudo systemctl stop snort
sudo systemctl restart snort

Monitor Snort logs:

sudo tail -f /var/log/snort/alert
sudo tail -f /var/log/snort/snort.log

Check Snort resource usage:

ps aux | grep snort
top -p $(pgrep snort | tr '\n' ',')

Analyze alerts with command-line tools:

# Count alerts by source IP
grep "saddr.*:" /var/log/snort/alert | cut -d' ' -f3 | sort | uniq -c | sort -rn

# Count alerts by destination port
grep "dport.*:" /var/log/snort/alert | cut -d' ' -f5 | sort | uniq -c | sort -rn

Rotate logs:

sudo nano /etc/logrotate.d/snort

Configuration:

/var/log/snort/*.log {
    daily
    rotate 30
    compress
    delaycompress
    notifempty
    create 0640 snort snort
    postrotate
        systemctl reload snort > /dev/null 2>&1 || true
    endscript
}

Conclusion

Snort 3 provides powerful intrusion detection and prevention capabilities for protecting critical infrastructure and networks. By following this guide, you've installed Snort 3, configured network variables and detection rules, implemented PulledPork for automated rule management, set up inspectors and preprocessors for protocol analysis, configured output plugins for various destinations, and deployed IPS mode for active threat prevention. Regular rule updates, performance monitoring, and false positive tuning ensure accurate threat detection. Whether deployed as a standalone IDS for network visibility or as an IPS for active defense, Snort scales from small networks to large enterprise environments with proper configuration and maintenance.