Recipe 9.20 Getting Started with Snort

9.20.1 Problem

You want to set up Snort, a network-intrusion detection system.

9.20.2 Solution

Snort is included with SuSE but not Red Hat. If you need it (or you want to upgrade), download the source distribution from and unpack it:

$ tar xvpzf snort-*.tar.gz

Then compile it:

$ cd `ls -d snort-* | head -1`
$ ./configure
$ make

and install the binary and manpage as root:

# make install

Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:

# mkdir -p -m go-rwx /var/log/snort

Finally, install the configuration files and rules database:

# mkdir -p /usr/local/share/rules
# cp etc/* rules/*.rules  /usr/local/share/rules

9.20.3 Discussion

Snort is a network intrusion detection system (NIDS), sort of an early-warning radar system for break-ins. It sniffs packets from the network and analyzes them according to a collection of well-known signatures characteristic of suspicious or hostile activities. This may remind you of an anti-virus tool, which looks for patterns in files to identify viruses.

By examining the protocol information and payload of each packet (or a sequence of packets) and applying its pattern-matching rules, Snort can identify the telltale fingerprints of attempted buffer overflows, denial of service attacks, port scans, and many other kinds of probes. When Snort detects a disturbing event, it can log network trace information for further investigation, and issue alerts so you can respond rapidly.

9.20.4 See Also

snort(8). The Snort home page is

    Chapter 9. Testing and Monitoring