These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Snort Install


Snort can be obtained from the Snort homepage: http://www.snort.org

RPMs are also available for RPM-based distributions (often included on an extras CD of your distribution), as are Debian packages.

Intrusion Detection Device Placement

The device may be placed outside an organization's firewall between the firewall and the external untrusted network. This allows snort to detect not only the attacks that may make it through the firewall, but also those that are blocked by the firewall.

The presence of switches, routers and firewalls will all have an effect on the correct placement of the box. A decision must be made as to which network segment carries the traffic you actually want to monitor. Placement of the NIDS on the local side of the firewall will allow the NIDS to monitor traffic that the firewall has already determined to be permissible, but not necessarily benign. This will, of course, not catch traffic that the firewall has already blocked, which can hide port scans, probes and other types of attack from the sensor.

Single Interface

The easiest configuration is a box with a single interface. The interface that listens to the network traffic is also the one from which administration is done.

This will be the typical configuration for home network users and administrators monitoring internal networks.

Dual Interface

In a dual-interface configuration, one interface is used to listen to network traffic in promiscuous mode while the other is used for remote administration. This type of configuration is used in environments where it is not possible to administer the box from the same interface that is listening to the network traffic.

In this configuration, the external interface should be well-protected and the box designed explicitly for this purpose. The box should not be offering any network services except for ssh on the internal interface only.

Installing the Snort Ruleset

After snort is installed, you'll want to download the latest rules file. Currently there are two different rulesets that people use. A ruleset developed by Jim Forster can be downloaded from
*http://www.snort.org/snort-files.htm#Rules

Another ruleset, developed as part of Max Vision's ArachNIDS? work, is available from
*http://dev.whitehats.com/ids/vision.conf and updated hourly.

The Max Vision ruleset is particularly nice because it follows the Common Vulnerabilities and Exposures (CVE) database, allowing people to refer to a particular vulnerability using a consistent name. From the CVE Frequently Asked Questions:

:"CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools with this "common enumeration." "

If you've installed the snort RPM, the /usr/sbin/snort-update script written by Dave Dittrich can be used to download the latest Max Vision ruleset from cron:

   00 00 * * * root /usr/sbin/snort-update -q

It can also be downloaded from
*http://www.linuxsecurity.com/programs/snort-update

This assumes the wget package is installed, the local box can download the file at http://dev.whitehats.com/ids/vision.conf, and it can successfully deliver mail to an administrator.

The snort-update script will place the vision.conf file in /etc/snort/vision.conf.new and an email notification will be sent to the local root account with the differences from the previous version, if any. You must then rename vision.conf.new to vision.conf.
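A small POSIX shell helper for that final rename step, added here as an example and not part of the class notes or of the snort-update script. It refuses a missing, empty or non-ruleset vision.conf.new (for instance an HTML error page saved by a failed download), does nothing when the rules are unchanged, keeps a dated backup of the old file, and, when a snort.conf path is given and snort is installed, assumes the installed snort supports "snort -T" to test the configuration and rolls back if that test fails.

```shell
#!/bin/sh
# Added example (not from the class notes or snort-update): promote the
# vision.conf.new that snort-update leaves in /etc/snort to the live
# vision.conf, with a dated backup, refusing empty, unchanged or bogus files.
# promote_ruleset NEW LIVE [SNORT_CONF]
# Exit: 0 installed, 1 unchanged, 2 refused, 3 rolled back (config test failed)
promote_ruleset() {
    new=$1
    live=$2
    conf=${3:-}
    # snort-update only writes the .new file on a successful fetch; a missing
    # or zero-length file means the download failed, so leave the live rules.
    if [ ! -s "$new" ]; then
        echo "refusing: $new is missing or empty" >&2
        return 2
    fi

    # Every line should be blank, a comment, or a snort rule/directive;
    # anything else (e.g. an HTML error page saved as vision.conf) is refused.
    if grep -Ev '^[[:space:]]*$|^[[:space:]]*(#|alert |log |pass |activate |dynamic |var |include |preprocessor |output |config )' "$new" | grep -q .; then
        echo "refusing: $new does not look like a snort ruleset" >&2
        return 2
    fi

    # Identical to the live file: discard the copy, nothing to restart.
    if [ -f "$live" ] && cmp -s "$new" "$live"; then
        rm -f "$new"
        return 1
    fi

    # Keep the previous ruleset so a bad update can be rolled back by hand.
    if [ -f "$live" ]; then
        cp -p "$live" "$live.$(date +%Y%m%d%H%M%S).bak"
    fi
    mv "$new" "$live"

    # Optional: when a snort.conf is given and snort is installed, check that
    # the configuration still parses ("snort -T", assumed supported by the
    # installed version) and roll back to the backup if it does not.
    if [ -n "$conf" ] && command -v snort >/dev/null 2>&1; then
        if ! snort -T -c "$conf" >/dev/null 2>&1; then
            last=$(ls -t "$live".*.bak 2>/dev/null | head -n 1)
            [ -n "$last" ] && cp -p "$last" "$live"
            return 3
        fi
    fi
    return 0
}
```

Run it from the cron entry after snort-update, e.g. `promote_ruleset /etc/snort/vision.conf.new /etc/snort/vision.conf /etc/snort/snort.conf`, and restart snort only when it exits 0.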

You might also consider using the snort.org ruleset in addition to the Max Vision ruleset. This can be achieved by downloading the snort.org ruleset. Information on combining these rulesets together is included below.

The backdoor-lib, misc-lib, overflow-lib and other similar files are included with the source code, but are pretty dated and not typically used.

(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.