Open Source

Detect intruders on your network with Snort

Snort is a Network Intrusion Detection System (NIDS), which can view and analyze packets on a network to determine whether or not a system is being attacked by remote. Most Linux distributions come with Snort, so it's simply a matter of installing Snort via urpmi, apt-get, or yum. Snort can write its collected information to a variety of different sources for later analysis, be it flat files or a database such as PostgreSQL or MySQL. As well, Snort can be used as a simple packet logger, sniffer, or a full-blown NIDS.

Once Snort is installed, it can be used right away. Simply executing:

# snort -v

will put Snort into packet sniffing mode; traffic will be scrolled on the screen showing what packets Snort is seeing. To exit, hit CTRL-C and you will see a brief analysis of what Snort detected. To see even more information — like you might with tcpdump — use the -vd option instead.

To have Snort log data, simply tell it where to log the information. In the next example, Snort will log information to the /usr/local/log/snort directory, so make sure it exists first.

# snort -l /usr/local/log/snort -d

Snort will log packets in a binary file, such as /usr/local/log/snort/snort.log.1199665001. To view the log, use the -r option with Snort in order to replay the captured data.

# snort -r /usr/local/log/snort/snort.log.1199665001

Using Snort as an NDIS takes a little more work; you must configure Snort appropriately, using the configuration file /etc/snort/snort.conf. Be warned, this configuration file can be quite hefty! Some of the rules available on the Snort Web site may be packaged with Snort, depending on the Linux distribution.

The Snort rules can be downloaded from The community rules are available for anyone to use and are most likely to be bundled with any prepackaged vendor-supplied copies of Snort. You can also subscribe to receive updated rules from Sourcefire on a regular basis.

Once you have downloaded a rules package, such as the Community-Rules-CURRENT.tar.gz file, unpack it on the system with Snort installed in the directory where the Snort configuration is:

# cd /etc/snort
# tar xvzf Community-Rules-CURRENT.tar.gz

The new rules will now be in the rules/ directory.

To enable them, edit snort.conf and add:

var RULE_PATH rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules

Include whichever rules you like. Snort can now be started to load the configuration file /etc/snort/snort.conf, which will, in turn, load the downloaded rules:

# snort -c /etc/snort/snort.conf

Snort will then print information about its initialization to the screen and then start logging packets that match the defined rules. The rules will determine what Snort will log and what it will ignore, so unlike running Snort as a sniffer, the generated logs will be much smaller as only packets "of consequence" will be logged. These logs will be stored, by default, in /var/log/snort/ and can be analyzed by Snort using the -r option as noted previously.

Delivered each Tuesday, TechRepublic's free Linux and Open Source newsletter provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

Editor's Picks

Free Newsletters, In your Inbox