How To Install Snort on Manjaro
Enhancing your network security is essential in today’s increasingly connected world, and Snort is one of the most powerful tools available for intrusion detection and prevention. As a lightweight yet robust network intrusion detection system (NIDS), Snort offers Manjaro users an excellent way to monitor and secure their networks against potential threats. This comprehensive guide will walk you through the entire process of installing, configuring, and optimizing Snort on your Manjaro Linux system.
Understanding Snort Basics
Snort is an open-source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. Created by Martin Roesch in 1998, it has evolved into one of the most widely used security tools across various platforms, including Linux distributions like Manjaro.
What Makes Snort Powerful?
Snort functions in three primary modes:
- Sniffer Mode: Simply captures and displays packets on the console
- Logger Mode: Records packets to disk for later analysis
- Intrusion Detection/Prevention Mode: Analyzes network traffic against a ruleset and performs specified actions
The key strength of Snort lies in its rule-based detection engine, which can identify and respond to various network threats including malware, port scans, and other suspicious activities. Unlike commercial solutions, Snort offers flexibility and customization without compromising on effectiveness.
Prerequisites for Installation
Before we proceed with installing Snort on your Manjaro system, several prerequisites must be met to ensure a smooth installation process.
System Requirements
Your Manjaro system should have:
- At least 2 GB of RAM (4 GB recommended for better performance)
- At least 1 GB of free disk space
- Admin privileges (sudo access)
- Internet connection to download packages
Essential Dependencies
Snort requires several libraries and packages to function correctly on Manjaro. You’ll need to install:
sudo pacman -S --needed base-devel git gcc flex bison zlib libpcap pcre libdnet tcpdump openssl
These packages provide the necessary development tools and libraries that Snort depends on. Specifically, libpcap is crucial for packet capture capabilities, while libdnet handles low-level network interactions.
Preparing Your Environment
It’s a good practice to update your Manjaro system before installation:
sudo pacman -Syu
This ensures all your system packages are up to date, minimizing potential compatibility issues during the Snort installation process.
Installation Methods for Manjaro
When it comes to installing Snort on Manjaro, you have two primary options: using AUR with Pamac or manually installing from source. Each method has its advantages, and we’ll explore both in detail.
Using AUR and Pamac
Manjaro, being an Arch-based distribution, benefits from access to the Arch User Repository (AUR), which contains a package for Snort. This is typically the easier installation method.
- First, ensure you have the base development tools installed:
sudo pacman -S --needed base-devel git
- Use Pamac to build and install Snort:
pamac build snort
When prompted, confirm that you want to build Snort from the AUR by pressing ‘Y’. The system will download the necessary files and begin the compilation process. You might be asked if you want to edit the build files—for a standard installation, you can answer ‘N’.
You’ll need to provide your password when prompted. The installation might take several minutes depending on your system’s performance as Pamac downloads, compiles, and installs Snort and its dependencies.
Once complete, verify the installation with:
snort --version
This should display the installed version of Snort, confirming a successful installation.
Manual Installation from Source
For users who prefer more control or need the latest version, manual installation from source is an option:
- First, create a directory for the source files:
mkdir ~/snort_src && cd ~/snort_src
- Clone the Snort repository from GitHub:
git clone https://github.com/snort3/snort3.git
- Navigate to the directory and prepare the build environment:
cd snort3
./configure_cmake.sh --prefix=/usr/local/snort
You can adjust the installation path as needed by changing the --prefix value.
- Compile and install Snort:
cd build
make -j $(nproc)
sudo make install
The -j $(nproc) option speeds up compilation by using all available CPU cores.
- Verify your installation:
/usr/local/snort/bin/snort -V
This method gives you access to the latest features and updates, though it requires more manual steps than using AUR.
Troubleshooting Common Installation Issues
Despite careful preparation, you might encounter issues during the Snort installation process. Let’s address some common problems and their solutions.
“dnet header not found” Error
This is a common error when installing Snort on Manjaro. If you encounter this message:
ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*
options, if you have it installed in an unusual place
The most straightforward solution is to ensure libdnet is properly installed:
sudo pacman -S libdnet
If the error persists despite having libdnet installed, you might need to remove any conflicting versions:
sudo rm -rf /usr/local/include/dnet.h
sudo rm -rf /usr/local/lib/libdnet.*
Then reinstall libdnet and try the installation again.
Dependency Issues
Sometimes the installation fails due to missing or incompatible dependencies. If you encounter cryptic error messages during compilation, make sure these additional packages are installed (on Arch-based systems such as Manjaro the headers ship inside the main packages, so there are no separate -devel packages):
sudo pacman -S --needed zlib libpcap pcre openssl luajit
Permission Problems
If you encounter permission errors when running Snort, ensure that you’ve set up the proper user and group permissions. This is addressed in the configuration section below.
Basic Configuration Setup
After successfully installing Snort, proper configuration is essential for effective operation. Let’s set up the basic configuration to get Snort running correctly on your Manjaro system.
Creating a Dedicated User
For security reasons, it’s best to run Snort under a dedicated, non-privileged user account:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Setting Up Directory Structure
Snort requires a specific directory structure for its configuration files, rules, and logs:
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
Set the proper permissions for these directories:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Configuring snort.conf
The main configuration file for Snort is snort.conf. If you installed via AUR, it should be located at /etc/snort/snort.conf. If you installed from source, you might need to copy it from the source directory:
sudo cp ~/snort_src/snort3/etc/*.conf* /etc/snort/
Edit the configuration file to set up your network specifications:
sudo nano /etc/snort/snort.conf
The most important settings to modify are:
- HOME_NET: Define your internal network. Change the line ipvar HOME_NET any to reflect your network, for example: ipvar HOME_NET 192.168.1.0/24
- EXTERNAL_NET: Define networks considered external. Typically set to !$HOME_NET (everything not in your HOME_NET)
- RULE_PATH: Set the path to your rules directory
Save the file after making these changes.
Creating Initial Rule Files
Create empty files for the basic rule sets:
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
Installing and Updating Snort Rules
Snort’s effectiveness depends largely on its rules, which define what patterns to look for in network traffic. Let’s explore how to install and manage these rules on your Manjaro system.
Understanding Snort Rules
Snort rules are text-based patterns that the Snort engine uses to analyze network traffic. Each rule consists of a rule header and rule options. The header contains the action to perform, protocol to examine, source and destination addresses and ports. The options section contains alert messages and information about which parts of the packet should be inspected.
Rule Categories
Snort offers three main categories of rules:
- Community Rules: Free rules available to everyone
- Registered Rules: Available after free registration
- Subscriber Rules: Premium rules available to paying customers
Getting Community Rules
For basic protection, you can start with the community ruleset:
cd ~/snort_src
wget https://www.snort.org/downloads/community/community-rules.tar.gz
sudo tar -xvf community-rules.tar.gz -C /etc/snort/rules/
Using PulledPork for Rule Management
PulledPork is a useful tool for managing and updating Snort rules. To install it on Manjaro:
git clone https://github.com/shirkdog/pulledpork.git
cd pulledpork
sudo cp pulledpork.pl /usr/local/bin/
sudo chmod +x /usr/local/bin/pulledpork.pl
Configure PulledPork by creating a configuration file:
sudo cp etc/pulledpork.conf /etc/snort/
Edit the configuration file to specify your Oink code (if you have registered) and rule locations:
sudo nano /etc/snort/pulledpork.conf
Set up a cron job to automatically update rules:
echo "0 0 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l" | sudo tee -a /etc/crontab
This will update your rules daily at midnight.
Testing Your Snort Installation
Before relying on Snort for network security, it’s crucial to verify that it’s working correctly. Let’s run through some basic tests.
Verifying Configuration
Test your configuration file for syntax errors:
sudo snort -T -c /etc/snort/snort.conf
If there are no errors, you’ll see a message indicating that Snort successfully validated the configuration.
Running a Basic Test
Run Snort in console mode to see packets in real-time:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i <your_interface>
Replace <your_interface> with your network interface name (e.g., eth0, wlan0). You can find your interface name using the ip a command.
Generating Test Alerts
To verify Snort’s alerting capabilities, add a simple test rule to your local rules file:
sudo nano /etc/snort/rules/local.rules
Add this line:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
Save the file and restart Snort. This rule will trigger an alert whenever an ICMP packet (ping) is detected. Test it by pinging your system from another machine.
Running Snort in Different Modes
Snort can operate in several different modes, each serving a specific purpose. Let’s explore how to run Snort in each mode on your Manjaro system.
Packet Sniffer Mode
This mode simply shows the packet headers on your console:
sudo snort -v -i <your_interface>
Add -d to display the packet data along with the headers:
sudo snort -vd -i <your_interface>
Logger Mode
Logger mode saves the packets to disk for later analysis:
sudo snort -l /var/log/snort -i <your_interface>
This command logs all packets from the specified interface to the /var/log/snort directory.
Network Intrusion Detection Mode (NIDS)
This is Snort’s primary mode, where it analyzes traffic against ruleset:
sudo snort -d -l /var/log/snort/ -h $HOME_NET -A console -c /etc/snort/snort.conf -i <your_interface>
In this command:
- -d decodes the data link layer
- -l /var/log/snort/ sets the logging directory
- -h $HOME_NET defines your home network
- -A console sets alerts to display on the console
- -c /etc/snort/snort.conf specifies the configuration file
- -i <your_interface> specifies the network interface
Inline Mode (IPS)
To run Snort as an Intrusion Prevention System (IPS), you need to configure it with NFQueue or another inline method:
sudo snort -Q --daq nfq --daq-var queue=1 -c /etc/snort/snort.conf
You’ll need to set up iptables rules to forward traffic to the NFQueue for this to work properly.
Advanced Configuration
Once you have Snort running in its basic form, you can optimize its performance and customize its behavior through advanced configuration options.
Performance Tuning
Edit your snort.conf file to tune performance:
sudo nano /etc/snort/snort.conf
Important settings to consider:
- Detection Engine: Adjust the detection settings based on your hardware:
config detection: search-method ac-bnfa
config detection: max_queue_events 5
- Preprocessor Settings: Configure preprocessors to handle specific traffic types efficiently:
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144, max_udp 131072
- Memory Usage: Adjust memory limits based on your system resources:
config ppm: max-pkt-time 250, pkt-log
Integrating with Other Tools
Snort works well with visualization and analysis tools:
- Snorby: A web interface for Snort alerts
- BASE: Basic Analysis and Security Engine
- ELK Stack: Elasticsearch, Logstash, and Kibana for log analysis
Installation of these tools is beyond the scope of this article, but they significantly enhance Snort’s usability.
Advanced Alerting Options
Configure Snort to send alerts via email or to a SIEM system:
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: snort-alerts.log
output alert_unified: filename snort-unified.alert, limit 128
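Before those alerts reach syslog or a SIEM it helps to know what an alert file actually contains. The following Python script is an added example (not part of Snort) that parses the single-line "fast" alert format written by alert_fast and -A console and gives a quick count per rule and per source address; the sample lines are constructed here and assume IPv4 endpoints.

```python
import re
from collections import Counter

# Parser for Snort's "fast" alert format (alert_fast output and -A console):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: N] {PROTO} src -> dst
# Added example, not part of Snort; it gives a quick triage count of what an
# alert file contains before the alerts are shipped to syslog or a SIEM.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def split_endpoint(ep):
    """'192.168.1.10:22' -> ('192.168.1.10', 22); ICMP endpoints carry no port (IPv4 only)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)

def parse_alerts(text):
    """Return one dict per well-formed alert line; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["src_ip"], a["src_port"] = split_endpoint(a["src"])
        a["dst_ip"], a["dst_port"] = split_endpoint(a["dst"])
        a["pri"] = int(a["pri"])
        alerts.append(a)
    return alerts

def summarize(alerts):
    """Counts per (sid, msg) and per source IP, most frequent first."""
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    return by_rule.most_common(), by_src.most_common()

# Constructed sample lines in the fast-alert layout; the sids match rules in this guide.
SAMPLE_ALERTS = """\
03/09-14:22:51.102345  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
03/09-14:22:52.104211  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
03/09-14:23:05.000017  [**] [1:1000002:1] Potential SSH Brute Force Attack [**] [Priority: 0] {TCP} 203.0.113.7:51234 -> 192.168.1.10:22
03/09-14:23:40.500000  [**] [1:1000003:1] Possible IRC Bot Connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.23:40111 -> 198.51.100.9:6667
a truncated line that should be skipped
"""
```

Run summarize(parse_alerts(open("/var/log/snort/snort-alerts.log").read())) against a real file to see which rules and sources dominate.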
Creating and Managing Custom Rules
Custom rules allow you to tailor Snort to your specific network environment and security needs. Let’s explore how to create and manage effective custom rules.
Understanding Rule Syntax
Snort rules follow this basic structure:
[action] [protocol] [source IP] [source port] -> [destination IP] [destination port] ([rule options])
For example:
alert tcp any any -> 192.168.1.0/24 80 (msg:"Possible HTTP Traffic"; sid:1000001; rev:1;)
This rule generates an alert when it detects TCP traffic to port 80 on your local network.
Creating Rules for Specific Threats
Let’s create some rules for common threats:
- SSH Brute Force Detection:
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000002; rev:1;)
- Suspicious Outbound Connections:
alert tcp $HOME_NET any -> any 6667 (msg:"Possible IRC Bot Connection"; sid:1000003; rev:1;)
- Data Exfiltration Detection:
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"Large Outbound Transfer - Possible Data Exfiltration"; flow:to_server,established; byte_test:10,>,1000000,0,relative; sid:1000004; rev:1;)
Add these rules to your local.rules file:
sudo nano /etc/snort/rules/local.rules
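As an added example (not Snort's own code), here is a small Python checker for the rule layout described under Understanding Rule Syntax, applied to the custom rules above: it splits a rule into its header fields and ';'-terminated options, refuses rules without a sid, and catches duplicate sids in a local.rules file before Snort does. The sample rules are copied from this section.

```python
import re

# Parser for the rule layout [action] [protocol] [src] [sport] -> [dst] [dport] ([options]).
# Added example, not code from Snort; it checks the shape of local.rules entries.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def split_options(opts):
    """'msg:"a; b"; sid:1;' -> [('msg', '"a; b"'), ('sid', '1')]; a ';' inside
    double quotes (msg, content, pcre) does not end an option."""
    pairs, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                key, _, val = item.partition(":")
                pairs.append((key.strip(), val.strip() or None))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    return pairs

def parse_rule(text):
    """Return header fields plus an ordered option list; raise ValueError if malformed."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule header")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = split_options(m.group("opts"))
    if "sid" not in dict(rule["options"]):
        raise ValueError("rule has no sid")  # Snort refuses to load such a rule
    return rule

def check_rules(text):
    """Parse a local.rules body: skip blanks and comments, reject duplicate sids."""
    rules, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        sid = dict(rule["options"])["sid"]
        if sid in seen:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        seen.add(sid)
        rules.append(rule)
    return rules

SAMPLE_RULES = """# constructed sample local.rules, rules taken from this section
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> any 6667 (msg:"Possible IRC Bot Connection"; sid:1000003; rev:1;)
"""
```

Run check_rules(open("/etc/snort/rules/local.rules").read()) before snort -T to get a line number for the first malformed or duplicated rule.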
Testing Custom Rules
After adding new rules, validate your configuration:
sudo snort -T -c /etc/snort/snort.conf
Then run Snort in console mode to observe the new rules in action:
sudo snort -A console -q -c /etc/snort/snort.conf -i <your_interface>
Setting Up Snort as a Service
To ensure Snort runs automatically at system startup and continues running in the background, you’ll want to set it up as a systemd service on your Manjaro system.
Creating a Systemd Service File
Create a new service file:
sudo nano /etc/systemd/system/snort.service
Add the following content:
[Unit]
Description=Snort NIDS Daemon
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/snort -d -l /var/log/snort/ -h 192.168.1.0/24 -A console -c /etc/snort/snort.conf -i <your_interface>
User=snort
Group=snort
Restart=on-failure
[Install]
WantedBy=multi-user.target
Replace 192.168.1.0/24 with your network CIDR and <your_interface> with your network interface.
Enabling and Starting the Service
Enable the service to start at boot and then start it:
sudo systemctl enable snort.service
sudo systemctl start snort.service
Check the service status:
sudo systemctl status snort.service
Setting Up Log Rotation
To prevent logs from consuming too much disk space, set up log rotation:
sudo nano /etc/logrotate.d/snort
Add the following:
/var/log/snort/*log {
daily
rotate 7
missingok
notifempty
compress
create 640 snort snort
postrotate
systemctl restart snort.service
endscript
}
This rotates logs daily, keeps them for seven days, and restarts Snort after rotation.
Real-World Usage Examples
Understanding the theoretical aspects of Snort is important, but seeing how it performs in real-world scenarios helps solidify your understanding. Let’s explore some practical applications.
Detecting Malware Communication
Malware often communicates with command and control servers. Snort can detect this traffic:
alert tcp $HOME_NET any -> any any (msg:"Potential Malware C2 Communication"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; sid:1000005; rev:1;)
Identifying Network Reconnaissance
Port scanning is a common reconnaissance technique:
alert tcp any any -> $HOME_NET any (flags:S; msg:"Possible Port Scan"; threshold:type threshold, track by_src, count 30, seconds 60; sid:1000006; rev:1;)
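The SSH brute-force rule earlier and the port-scan rule above both rely on the threshold option, and it is easy to misjudge how many alerts a given count/seconds pair produces. The Python simulation below is an added example (not Snort's implementation) that follows the documented semantics of the three threshold types and replays a constructed set of connection attempts through them.

```python
from collections import defaultdict

# Simulation of the rule-level threshold option used by the SSH brute-force and
# port-scan rules, e.g. "type threshold, track by_src, count 5, seconds 60".
# Added example; it follows the documented semantics, not Snort's own code.
def parse_threshold(spec):
    """'type threshold, track by_src, count 5, seconds 60' -> dict of settings."""
    parts = dict(p.split() for p in spec.split(","))
    return {"type": parts["type"], "track": parts["track"],
            "count": int(parts["count"]), "seconds": int(parts["seconds"])}

class Thresholder:
    """Per tracked address, decide whether each matching event becomes an alert.
    limit:     alert on the first `count` events in a `seconds` window
    threshold: alert on every `count`-th event in the window
    both:      alert once per window, after `count` events"""
    def __init__(self, spec):
        self.cfg = parse_threshold(spec)
        self.win = defaultdict(lambda: {"start": None, "n": 0, "fired": False})

    def event(self, ts, src, dst):
        key = src if self.cfg["track"] == "by_src" else dst
        w = self.win[key]
        if w["start"] is None or ts - w["start"] >= self.cfg["seconds"]:
            w.update(start=ts, n=0, fired=False)  # window expired: start a new one
        w["n"] += 1
        kind, count = self.cfg["type"], self.cfg["count"]
        if kind == "limit":
            return w["n"] <= count
        if kind == "threshold":
            return w["n"] % count == 0
        if kind == "both":
            if w["n"] >= count and not w["fired"]:
                w["fired"] = True
                return True
            return False
        raise ValueError(f"unknown threshold type {kind!r}")

# Constructed sample: six SYNs to port 22 from one source inside 60 s,
# and two SYNs 100 s apart from another. Tuples are (seconds, src, dst).
SAMPLE_EVENTS = [(t, "10.0.0.5", "192.168.1.10") for t in (0, 10, 20, 30, 40, 50)]
SAMPLE_EVENTS += [(0, "10.0.0.9", "192.168.1.10"), (100, "10.0.0.9", "192.168.1.10")]

def alerts_for(spec, events=SAMPLE_EVENTS):
    """Replay events in time order; return (time, source) of each alert raised."""
    th = Thresholder(spec)
    return [(ts, src) for ts, src, dst in sorted(events) if th.event(ts, src, dst)]
```

With count 5 the sample's six attempts from 10.0.0.5 yield one alert under type threshold or both but five under type limit, which is the difference that decides how noisy the rule is; Snort 2.9 documents the rule-level threshold keyword as deprecated in favour of detection_filter, which uses the same count/seconds logic.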
Monitoring for Sensitive Data Exfiltration
Credit card numbers, Social Security numbers, and other sensitive data shouldn’t leave your network unencrypted:
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"Possible Credit Card Exfiltration"; pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; sid:1000007; rev:1;)
Use Case: Small Business Network
A small business might set up Snort to:
- Monitor for unauthorized access attempts to critical servers
- Alert on unusual outbound traffic patterns
- Detect when internal systems attempt to access known malicious websites
- Log all access to systems containing sensitive customer data
Congratulations! You have successfully installed Snort. Thanks for using this tutorial for installing Snort on your Manjaro Linux system. For additional or useful information, we recommend you check the official Snort website.