From ArchWiki
Revision as of 20:51, 26 October 2010 by Thestinger (talk | contribs) (moved content here from Router, needs a LOT of work)
Jump to: navigation, search

Snort is a lightweight Intrusion Detection System (IDS).


According to the site's homepage title, Snort is "the de facto standard for intrusion detection/prevention".

# pacman -S snort

Snort configuration

The main configuration file is Template:Filename.

Read it carefully, as usual it's very well documented.

var HOME_NET           # Change to the subnet of your LAN.
var SMTP_SERVERS    $HOME_NET             # Comment these if you're not running any servers on the LAN.
var HTTP_PORTS      80
var ORACLE_PORTS    1521
var AIM_SERVERS     [,,,,,
var RULE_PATH       /etc/snort/rules
var HTTP_PORTS      80:5000               # For HTTPd's running on port 80 and 5000. Change appropriately
                                          # to the ports you are using on your LAN.
config detection:   search-method lowmem  # If you're using a machine "with very limited resources".

At the bottom of the file, there's a list of includes. These define which rules you want to enforce. (Un)comment as you please. You should check that the corresponding file exists, as for me, none of the rules files were present.

groupadd snort
mkdir -p /var/log/snort
useradd -g snort -d /var/log/snort snort
chown -R snort:snort /var/log/snort
Note: Under review -- I'm not sure about this yet.

Edit Template:Filename:

SNORT_ARGS="-u snort -g snort -l /var/log/snort -K ascii -c /etc/snort/snort.conf -D -h -A full

Replace with the CIDR of your LAN.

Now Snort will run as user snort in group snort. Should improve security. The other options make it log to /var/log/snort in ASCII mode. Run snort -h to see other available options.

I've been running my router for 12 days now, and using the above snort options, I had around 120MB of logs! So I changed the -A switch to "-A none". This only logs alerts. I didn't know what to do with all the logs anyway.

Update the rules: Oinkmaster

If you want to be able to download Snort's latest rules, you'll need a subscription. This costs money. If you're happy enough with 5 days old rules, you just need to register for free. If you don't, the only updates you'll get are the new rules distributed with a new Snort release. Go ahead and register at Snort. If you really don't want to register, you can use the rules from They're bleeding edge, meaning they haven't been tested thoroughly.

A user has created a PKGBUILD for oinkmaster.

Oinkmaster setup

Edit Template:Filename and look for the URL section and uncomment the 2.4 line. Make sure to replace <oinkcode> by the Oink code you generated after logging into your Snort account. For Bleeding Snort rules, uncomment the appropriate line.

When you log into your new account, create an "Oink code". Another thing to change is

use_external_bins===1 # 1 uses wget, tar, gzip instead of Perl modules

The rest of the config file is fine.

Oinkmaster usage -o /etc/snort/rules

Create an executable script with the exact command and place it in /etc/cron.daily to update the rules daily automatically.