Originally Published: Tuesday, 16 October 2001 Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles Page: 2/4

Intrusion Detection Systems for the Uninitiated, Part 2; Installing and Configuring Snort

Shashank Pandey returns to Linux.com with part two of his popular series on IDS: Intrusion Detection Systems for Linux. Having put PortSentry through its paces in his last article, today Pandey casts a sharp eye over working with Snort. And remember, in some primitive parts of the world you have to pay for information like this! Can you imagine?

Page 2 of 4

Compiling and Installing Snort

The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by the author Martin Roesch.

Having downloaded Snort, untar the archive with the following command.

[root@lord]# tar -zxvf snort-1.7.tar.gz

This should untar Snort into a directory named snort-1.7. The next thing to do is to install libpcap, which Snort depends on. Untar the libpcap archive you downloaded, using the tar command with the same switches as above. Enter the libpcap directory and carry out the following steps.

[root@lord]# ./configure
[root@lord]# make

Because we don't need the libpcap binaries for now, there is no need for a 'make install'; Snort only needs the compiled library and headers left in the libpcap source tree. If you do install them anyway, no harm done.

Now, we'll compile Snort. Change to the directory that Snort is in and issue the following commands.

[root@lord]# ./configure --with-libpcap-includes=/path/to/libpcap/

(In my case it was: [root@lord]# ./configure --with-libpcap-includes=/home/dood/libpcap)

[root@lord]# make
[root@lord]# make install

Ok, cute. Snort should now be installed on your machine!

Create a directory for Snort to store its logs in:

[root@lord]# mkdir /var/log/snort

As always, run

[root@lord]# whereis snort

to confirm where the snort binary was installed.
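The build steps above gathered into one script, as an added example that is not from the article. It assumes the tarball names used here, that Snort's configure also accepts --with-libpcap-libraries next to --with-libpcap-includes (the article shows only the includes flag), and it makes the log directory root-only so captured packet data and alerts are not world-readable.

```shell
#!/bin/sh
# Hypothetical build helper (not from the article). Run as: sh build-snort.sh build
# from the directory holding snort-1.7.tar.gz and the libpcap tarball.
set -eu

# Unpack a .tar.gz and print the top-level directory it created (e.g. snort-1.7).
untar_dir() {
    tar -zxf "$1"
    tar -ztf "$1" | head -n 1 | cut -d/ -f1
}

# Build libpcap in place; no 'make install' is needed because Snort is
# pointed straight at the unpacked source tree.
build_libpcap() {
    ( cd "$1" && ./configure && make )
}

# Configure Snort against that libpcap tree, then build and install it.
# --with-libpcap-libraries is assumed to exist alongside --with-libpcap-includes.
build_snort() {
    ( cd "$1" \
        && ./configure --with-libpcap-includes="$2" --with-libpcap-libraries="$2" \
        && make && make install )
}

# Create the log directory readable only by root and its group: the packet
# logs and alert file it will hold must not be readable or writable by others.
setup_log_dir() {
    mkdir -p "$1"
    chmod 750 "$1"
}

# Confirm the install: the snort binary is on PATH (what 'whereis snort' checks).
verify_install() {
    command -v snort >/dev/null 2>&1
}

if [ "${1:-}" = "build" ]; then
    LIBPCAP_DIR=$(untar_dir "${LIBPCAP_TARBALL:-libpcap.tar.gz}")
    SNORT_DIR=$(untar_dir "${SNORT_TARBALL:-snort-1.7.tar.gz}")
    build_libpcap "$PWD/$LIBPCAP_DIR"
    build_snort "$SNORT_DIR" "$PWD/$LIBPCAP_DIR"
    setup_log_dir /var/log/snort
    verify_install && echo "snort installed at: $(command -v snort)"
fi
```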

The Basics of Snort Architecture

The Snort architecture consists of three basic components:

  1. Packet Decoder: prepares the captured packets into a form in which the data can be consumed by the detection engine. The packet decoder can handle Ethernet, SLIP and PPP link layers.
  2. Detection Engine: analyzes and processes the packets fed to it by the decoder according to the Snort rules. Plugin modules can be incorporated into the detection engine to extend Snort's functionality.
  3. Logger/Alerter: logging writes the information collected by the packet decoder in human-readable form. By default logs are stored in the /var/log/snort directory.

The alerting mechanism sends alerts to syslog, a plain file, a Unix socket or a database. Optionally, you may turn off alerting completely during testing or penetration studies.

By default, all alerts are written to the file /var/log/snort/alerts.
