I spoke about IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) a few days ago in a question posted by a user. So I thought I would dive a little deeper into the subject with a specific application that I have personally used: Snort. Snort is a very powerful IDS that in later versions can also act as an IPS. Snort is free to download and use in a personal environment as well as in a business environment. In fact, Snort is used by many enterprises as a very effective option because not only is it free, it is one of the most powerful IDSs out there if you know what you are doing when you configure it. Snort can be run as a program that you launch on demand on a personal computer, or it can be set up to start with your OS and protect every computer on your network from attacks.
If you want to use Snort to protect your entire network it will need to be placed in line with your internet connection. As an example, let's say that you have a business internet account with your local cable company and you want to protect it with a computer running Snort. The computer running Snort needs to be placed between the cable modem and the router; this way Snort is able to monitor every piece of traffic that comes into your network and is in the best place to discover possible attacks.
Installation:
We are going to be installing Snort on a computer running Ubuntu 9.04, which at the time of this article is the newest version of Ubuntu. Ubuntu is also a free OS that is available to download, making this IDS a totally free appliance for you, except for the cost of the computer. There are two ways to install Snort onto an Ubuntu distribution, and the easiest is to do it through the command line. If your computer is up to date you can simply type:
sudo apt-get install snort
This will download and install the newest packaged version of Snort on your computer through the command line. As soon as it is done you will be ready to use Snort. If you run into an error or cannot install Snort through the command line, you can always go to the Snort website and download the newest version; make sure that you download the tar.gz file and follow their installation guide to completely set up Snort.
Once installed you can run Snort as just a sniffer and have every captured packet logged, but that will create an enormous log file that you would then have to view. Snort works so well because of its use of rules to decide which traffic to log and which traffic to ignore. Rules are going to be beyond the scope of this article, but I plan on writing an article in the near future on creating rules for Snort.
How Snort runs depends on the flags that you specify when you launch Snort from the command line.
| Flag | Function |
|------|----------|
| -v | View packet headers at the console. |
| -d | View application data with IP headers. |
| -D | Run Snort as a daemon. |
| -e | Show data-link layer headers. |
| -l | Run in packet logger mode. |
| -h | Log information relative to the home network. |
| -b | Log information to a single binary file in the logging directory. |
| -r | Read packets contained in a log file. |
| -N | Disable packet logging. |
| -c | Specifies which file will be used to provide a ruleset for intrusion detection. |
| -i | Specifies which network interface (port) you would like Snort to listen on when running. |
As you can see from above, we have a few different options when it comes to flags used with Snort. Let's start with just viewing IP packet headers by using the command sudo snort -v. Be sure to use the sudo command before snort so that it runs with administrative privileges; this is needed to open the appropriate interface for capture. Since we did not specify a port for Snort to look at, it is going to use the eth0 port by default. I am not using the eth0 port right now as I write this article; I am using the wlan0 port, which is my wireless card. We will need to use the -i flag to tell Snort to use my wireless card to check for traffic: sudo snort -v -i wlan0. Now Snort will run and display on the screen every packet header that comes across my wlan0 (wireless) card. As you can see, this is very useful if you want to monitor all traffic across your network but very impractical if you want to protect it. To end the application once it has started you can simply hit CTRL+C, which ends the program and brings you back to a command prompt.
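To show how the flags in the table combine into the modes the article mentions (sniffer, packet logger, rules-based IDS, and reading back a saved log), here is an added shell wrapper that is not part of the original post. It builds the Snort command line for each mode and refuses to launch a live capture on an interface that does not exist; the interface names, the log directory /var/log/snort, the rules file /etc/snort/snort.conf and the home network 192.168.1.0/24 are assumed defaults, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a Snort command line for one of
# four modes using the flags from the table above, then launches it with sudo.
# Defaults below (log dir, rules file, home network) are assumptions; override them.

# snort_cmd MODE IFACE [EXTRA]  -> prints the command line, does not run it
#   sniffer : -v -d -e          headers, payload and link-layer headers to console
#   logger  : -l DIR -b -h NET  binary log of traffic relative to the home network
#   nids    : -c RULES -D       rules-based detection, running as a daemon
#   replay  : -r FILE -v        read packets back from a saved log (no interface)
snort_cmd() {
    mode=$1; iface=$2; extra=$3
    case $mode in
        sniffer) set -- -v -d -e -i "$iface" ;;
        logger)  set -- -l "${extra:-/var/log/snort}" -b \
                        -h "${SNORT_HOMENET:-192.168.1.0/24}" -i "$iface" ;;
        nids)    set -- -c "${extra:-/etc/snort/snort.conf}" -D -i "$iface" ;;
        replay)  set -- -r "$extra" -v ;;
        *)       echo "snort_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
    echo "snort $*"
}

# iface_exists NAME -> 0 if the kernel knows the interface (Linux sysfs), else 1.
# Catches the eth0-vs-wlan0 mistake described above before Snort starts.
iface_exists() {
    [ -n "$1" ] && [ -d "/sys/class/net/$1" ]
}

# run_snort MODE IFACE [EXTRA] -> validates the interface for live modes, then runs
# the command via sudo (Snort needs root to open the interface for capture).
run_snort() {
    cmd=$(snort_cmd "$@") || return 1
    if [ "$1" != replay ] && ! iface_exists "$2"; then
        echo "run_snort: no such interface '$2'" >&2
        return 2
    fi
    # Paths are assumed to contain no spaces; word splitting of $cmd is intended.
    sudo $cmd
}

# Usage: run_snort sniffer wlan0        (equivalent of the article's example, plus -d -e)
#        run_snort nids eth0 /etc/snort/snort.conf
```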
We have quickly discussed installing Snort and then running some basic Snort commands to get some output from the program onto our screen. Stay tuned for the next article on configuring Snort rules and running Snort as a true IDS with alerting.


Thank you! Very helpful article for a new Snort user
Thanks for this helpful information and I've scraped it with ScrapBook (Firefox addon) for studying. I am new to Ubuntu, can you recommend me books about Ubuntu? Thanks.
There are quite a few good books out there for Ubuntu. Any of the for Dummies books are good:
Ubuntu Linux For Dummies
Linux For Dummies, 9th Edition
And depending on whether you want to run it as a server you can check out this book:
Ubuntu 9.10 Server Guide
I'm always excited to visit this blog in the evenings. Please keep on churning out the content. It's very entertaining.
Thanks for writing about this. There’s a mass of good tech info on the internet. You’ve got a lot of that info here on your site. I’m impressed – I try to keep a couple blogs fairly live, but it’s a struggle sometimes. You’ve done a great job with this one. How do you do it?
Have you ever considered adding more videos to your blog posts to keep the readers more entertained? I mean I just read through the entire article of yours and it was quite good but since I’m more of a visual learner.
Interesting information. May I add this blog to my linkexchange directory ?
I really liked reading your post! Quality content. With such a valuable blog I believe you deserve to be ranking even higher in the search engines. Check out the link in my name. That links to a tool that really helped me rank high in Google. This way even more people can enjoy your posts and nothing beats a big audience.
I've been reading the information on your site for quite some time now, just wanted to do a quick post and say thank you for all of the useful information you have been providing your readers all this time.
Hey very nice blog!!
This is a very cool article, I could not have agreed more.
Not bad. May I add your blog to my link exchange directory?
You have a point. Very insightful. A nice different perspective
I was starting to suppose I may well end up being the only human being who cared about this, at least currently I realize I'm not nuts.
I will make sure to pay a visit to some several other blog posts soon after I get a tad of caffeine in me, it is rough to read without having my coffee. I was unbelievably late last evening enjoying Zynga poker and after getting my fill with a few ales I ended up melting away all my Zynga poker chips. Cheers
Your blog is so informative … keep up the good work!!!!
I’m delighted! You seem very informed about this topic and it shows. Looking forward to future posts. Cheers!
good article, i will add my feeds.
Would it be possible to translate your website into Spanish, because I have difficulties with English, and as there are not many pictures on your website I would like to read more of what you are writing.
Unlike many posts on the internet, this was fun to read and gave me some valuable input. I will have to put a backlink on my website. Regards. J
I just couldn't leave your website prior to saying that I definitely enjoyed the high quality information you provide for your visitors. Will be back regularly to check up on new stuff in your articles!
Found your site on del.icio.us today and really liked it. I bookmarked it and will be back to check it out some more later.
I agree with this post, just sometimes I read so fast everything and I miss things that after read them again, I can understand it better..
Your post is really superior, most of the time when I go to information sites they’re total crap and the articles are authored purely for look for engine traffic. But in your case it is really good, simple and simple.
I’ve bookmarked this because I found it notable. I would be extremely interested to hear more info on this. Great!
I like your site. Thanks for sharing!
Remarkable, thanks for posting!
Hi, I am reading your page for a few days now. Is there any way to subscribe by email?
I was very pleased to find this site. I wanted to thank you for this great read!! I'm definitely enjoying every little bit of it and I have you bookmarked to check out new stuff you post.
Good Comments. I agree with your point.
I am not a person who is easily satisfied but I have to say your piece blew me away. So much ideas and relevant information that you put into it made me see your opinion. Thanks for sharing your sensible inputs.
Hi, just thought I would tell you something. This is twice now I've landed on your blog in the last 3 days searching for completely unrelated things. Spooky or what?