SNORT - Intrusion Detection and Prevention Systems

IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System. IDS and IPS work on the same principle. They analyze packets that are coming from the outside network based on some set of rules from the known cyberattacks database. IDS/IPS both analyze the signature of the packets from the know cyberattack database. 

The difference between IDS/IPS is that IDS only detects the incoming attack and alerts the administrator to take action against the attack while the IPS not only detects but also stops the packet from being delivered based on sets of rules. 

Both IDS/IPS are kind of similar in the process as an antivirus which compares the signature of the application with the list of all malicious signatures that are stored in it. Most often IDS is deployed behind the firewall on the edge of the network whereas IPS will generally be placed at an edge of the network such as immediately inside an Internet Firewall. IPS requires more computational power for performing network prevention and detection. 

One most used IDS/IPS is SNORT. Snort is an open-source network intrusion detection system and intrusion prevention system.


Firstly, we need to make sure the OpenSSH server is installed on ubuntu which is by default installed but in case it is not installed you can install it using the command apt-get install openssh-server.
  • Snort is available in the ubuntu package. To install, use the command, apt-get install snort*.
SNORT installation command
  • Meanwhile, you will get a pop-up asking on which interface you want to configure the SNORT. This will set up the network with its CIDR. 
Set up Interface
Your interface name will be different. Run ifconfig or ip a to check the name of the interface.
With these two simple steps, SNORT will be installed. Some files will be created in /etc/snort/ which is used to set up the SNORT application as IDS.

SNORT files location

Configuring SNORT as IDS:

  • Open the configuration file which is located at /etc/snort/snort.conf as a super user. You can use any text editor to open the file. 
  • Set the HOME_NET variable which is nothing but your network's IP. 
Change the HOME_NET value
  • After setting the HOME_NET variable, there are some sets of rules that are predefined for different services like SSH, FTP, Nmap, etc. 
  • A glimpse of the rules is shown below which are located in /etc/snort/rules/. As the first rule, we see it says to alert the user if any packet comes to the HOME_NET variable on port 21.
FTP rules set
  • Now to make this rule active we need to start SNORT using the following command sudo snort -T -c /etc/snort/snort.conf -I ens33 (your interface).
Command to activate
  • To start the SNORT application, we need to run the following command sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33.
Command to initiate
  • After this, whenever a request which could be an attack according to the rules. It will display the alert on the terminal.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment