Snort is a free lightweight network intrusion detection system for both UNIX and Windows. In this article, let us review how to install snort from source, write rules, and perform basic testing. Download and Extract Snort Download the latest snort free version from. Extract the snort source code to the /usr/src directory as shown below.

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

# cd /usr/src # wget -O snort-2.8.6.1.tar.gz # tar xvzf snort-2.8.6.1.tar.gz Note: We also discussed earlier about (Linux host based intrusion detection system) and (Intrusion prevention framework) 2. Install Snort Before installing snort, make sure you have dev packages of libpcap and libpcre. # apt-cache policy libpcap0.8-dev libpcap0.8-dev: Installed: 1.0.0-2ubuntu1 Candidate: 1.0.0-2ubuntu1 # apt-cache policy libpcre3-dev libpcre3-dev: Installed: 7.8-3 Candidate: 7.8-3 Follow the steps below to install snort. # cd snort-2.8.6.1 #./configure # make # make install 3. Verify the Snort Installation Verify the installation as shown below. # snort --version,,_ -*>Snort! Any any (msg:'ICMP Packet'; sid:477; rev:3;) The above basic rule does alerting when there is an ICMP packet (ping).

There are many sources of guidance on installing and configuring Snort, but few address installing and configuring the program on Windows except for the Winsnort project (Winsnort.com) linked from the Documents page on the Snort website. Installing Snort on Windows can be very straightforward when everything goes. Download 32-bit x86. Finale 2010 Free Download Torrent. Notepad++ Installer 32-bit x86: Take this one if you have no idea which one you should take. Notepad++ zip package 32-bit x86: Don't want to use.

Following is the structure of the alert: (rule options) Table: Rule structure and example Structure Example Rule Actions alert Protocol icmp Source IP Address any Source Port any Direction Operator ->Destination IP Address any Destination Port any (rule options) (msg:”ICMP Packet”; sid:477; rev:3;) 5. Execute snort Execute snort from command line, as mentioned below. # snort -c /etc/snort/snort.conf -l /var/log/snort/ Try pinging some IP from your machine, to check our ping rule. Following is the example of a snort alert for this ICMP rule. # head /var/log/snort/alert [**] [1:477:3] ICMP Packet [**] [Priority: 0] 07/27-20:45 >l/l len: 0 l/l type: 0x200 0:0:0:0:0:0 pkt type:0x4 proto: 0x800 len:0x64 209.85.231.102 ->209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:24905 Seq:1 ECHO Alert Explanation A couple of lines are added for each alert, which includes the following: • Message is printed in the first line. • Source IP • Destination IP • Type of packet, and header information. If you have a different interface for the network connection, then use -dev -i option.