How To Install Snort on Debian 12

r00t

In this tutorial, we will show you how to install Snort on Debian 12. In today’s interconnected world, network security is of paramount importance. Cyber threats continue to evolve, and having a robust intrusion detection system in place is crucial for safeguarding your network. Snort, an open-source intrusion detection system, has proven its mettle as a stalwart guardian of network integrity.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the Snort on a Debian 12 (Bookworm).

Prerequisites

A server running one of the following operating systems: Debian 12 (Bookworm).
It’s recommended that you use a fresh OS install to prevent any potential issues.
SSH access to the server (or just open Terminal if you’re on a desktop).
Make sure your Debian 12 system is connected to the internet. An active connection is essential for downloading the required packages and updates during the installation.
A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install Snort on Debian 12 Bookworm

Step 1. Before we install any software, it’s important to make sure your system is up to date by running the following apt commands in the terminal:

sudo apt update
sudo apt upgrade

This command updates the package list and upgrades the installed packages to their latest versions.

Step 2. Installing Required Packages.

To successfully compile Snort, you need to install essential packages. Run the following command to install the required packages:

sudo apt install build-essential libpcap-dev libpcre3-dev libdnet-dev bison flex

These packages include essential tools, libraries, and development resources needed for compiling Snort. Installing these ensures a smooth installation process.

Step 3. Installing Snort on Debian 12.

With the dependencies in place, you can now proceed to install Snort directly from its GitHub repository. The first step is to clone the Snort repository from GitHub to your local system. Open your terminal and run the following command:

git clone https://github.com/snort3/snort3.git

This command creates a local copy of the Snort repository on your system, which you’ll use for the installation.

Before compiling Snort, you need to configure its build options, including Snort rules, preprocessors, and installation paths. Navigate to the Snort source directory you just cloned and execute the following command:

./configure

Once your configuration is in place, you’re ready to compile Snort. Use the following command to initiate the compilation:

make

After the compilation is complete, you can install Snort with this command:

sudo make install

To ensure that Snort is installed correctly and to check the version, run the following command:

snort -V

Output:

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.71.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.1.10

Step 4. Configuring Snort.

Snort’s effectiveness depends on proper configuration. In this section, we will guide you through configuring Snort for your specific needs.

Creating Snort Configuration Files

To customize Snort to your network’s requirements, you’ll need to create configuration files. These files define Snort’s behavior and detection rules. The default configuration files are located in /etc/snort/. It’s advisable to copy the default configuration files to a working directory to avoid modifying the originals directly:

sudo cp /etc/snort/snort.lua /path/to/working/directory/

Setting Up Snort Rules

Snort’s rules define what to look for in network traffic. You can create custom rules tailored to your network’s specific needs. Store these custom rules in a separate directory, ensuring they don’t get overwritten during updates.

Adjusting Preprocessors

Preprocessors are Snort components that analyze packets and detect anomalies. Adjust them according to your network’s requirements. Preprocessor configurations are also stored in the /etc/snort/ directory.

Enabling Snort to Start on Boot

For Snort to be effective, it should start automatically with your system. Enable Snort to start on boot using this command:

sudo systemctl enable snort

After configuring Snort, it’s crucial to test its functionality and ensure that it’s accurately detecting network intrusions. To test Snort’s functionality, start Snort in test mode with the following command:

snort -T -c /path/to/your/snort/configuration/file

This command checks your Snort configuration for errors and ensures that it’s ready for operation.

Congratulations! You have successfully installed Snort. Thanks for using this tutorial to install the latest version of Snort on Debian 12 Bookworm. For additional help or useful information, we recommend you check the official Snort website.

VPS Manage Service Offer

If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!