RSS Feed


Snort NIDS


1. Network Intrusion Detection System (NIDS)

2. Packet Sniffer

3. Packet Logger – logs using TCPDump format


1. Download and install Snort NIDS


b. Confirm MD5SUM: ‘md5sum snort-’ Compare to snort-

c. Import GPG key used to sign the current release of Snort

d. gpg –verify snort- snort-


1. gcc – C compiler

2. make – creates binaries

3. libpcre – Provides access to Perl Compatible RegExes

4. mysql-devel* – provides access to MySQL

5. libpcap* – provides the TCPDump, packet capture library

e. Extract and install (compile) Snort NIDS

e1. tar -xzvf snort- – creates top-level directory

e2. ./configure –with-mysql –enable-dynamicplugin – checks for prerequisites, including: mysql-devel, libpcre, gcc, make, etc.

e3. make – creates binaries

e4. su (as ‘root’) and execute ‘make install’ – places binaries in /usr/local/ accessible location

Usage – Packet Sniffer:

1. snort -v -i eth0 – reveals layers 3 & 4 of the OSI model

2. snort -vde -i eth0 – reveals layers 2-7

3. snort -vde -i eth0 tcp port 23

Usage – Packet Logger:

1. snort -v -i eth0 -l ./ tcp port 23 – logs binary file in current directory with Unix Epoch suffix

2. snort -b -i eth0 – attempts to log in: /var/log/snort

3. snort -b -L test.snort.log -i eth0 – creates: /var/log/snort/test.snort.log.UnixEpochDate

Note: Snort drops less packets when run in binary logging mode than in verbose, dump-to-screen, mode

Snort NIDS Setup

1. Setup MySQL DB environment

a. create database snort;

b. grant insert,select on root.* to snort@localhost;

c. set password for snort@localhost=password(‘abc123’);

d. grant create,insert,select,delete,update on snort.* to snort@localhost;

e. grant create,insert,select,delete,update on snort.* to snort;

2. Import MySQL DB schema

a. mysql -u root -p < /home/linuxcbt/temp/Snort/snort- snort

3. Setup Snort NIDS /etc/snort environment

a. mkdir /etc/snort && cp -v /home/linuxcbt/temp/Snort/snort-* /etc/snort

Note: Snort’s primary configuration file for NIDS mode: /etc/snort/snort.conf

4. Download the latest Snort rules file and extract to: /etc/snort/rules

Note: Snort rules are available as follows:

1. Registered users: with delay

2. Subscriber: no delay – NOT FREE

3. Unregistered users: release version (very old) of rules

4. Various third-party sites: i.e. Bleeding Snort, etc.

a. cd /etc/snort && tar -xzvf snortrules*

5. Configure: /etc/snort/snort.conf to use MySQL and rules

a. MySQL – output

b. Rules – path to the rules

6. Start Snort in NIDS mode

a. snort -i eth0 -c /etc/snort/snort.conf -D

7. Setup BASE web analysis application

a. wget

b. tar -xzvf adodb480.tgz

Note: adodb480.tgz – provides DB-connectivity for BASE to MySQL

c. Download BASE from

d. Configure: base_conf.php file

d1. $BASE_urlpath = ‘/base’;

d2. $Dblib_path = “/var/www/html/adodb”;

d3. $Dbtype = ‘mysql’;

d4. alert_dbname = ‘snort’;

d5. alert_host = ‘localhost’;

d6. alert_password = ‘abc123’;

Note: Ensure that your Apache instance has PHP support

Note: Ensure that ‘php-mysql*’ package is installed

8. Connect to BASE via web browser

Note: Consider protecting ‘/base’ application using HTDIGEST or basic auth


About Ali abdo

Ali 32 years old from Egypt working as system engineer riding motorcycle to Support and develop Egyptian tourism, spread motorcycling.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: