Cyberithub

How to Install Snort on Ubuntu 20.04 LTS (Focal Fossa)


In this article, we will see how to install Snort on Ubuntu 20.04 LTS (Focal Fossa). Snort is a free and open source network intrusion detection system (IDS) that identifies emerging threats on Windows and Linux based systems using a set of defined rules. Snort uses those rules to detect malicious packets and generate alerts for users in real time. Snort can be used not just as a packet sniffer but also as a network debugger and a full-blown network intrusion prevention system. It can be used for both personal and business purposes. Here we will see how to install and use Snort on Ubuntu 20.04 LTS based systems.

 


Step 1: Prerequisites

a) You should have a running Ubuntu 20.04 LTS server.

b) You should have sudo or root access to run privileged commands.

c) You should have the apt or apt-get utility available on your server.

d) You should also have the make, wget and tar utilities available on your server if you plan to install Snort from source code.

 

Step 2: Update Your Server

Before installing the snort package, check for all available updates from the default Ubuntu repo and install them by using the sudo apt update && sudo apt upgrade command as shown below.

cyberithub@ubuntu:~$ sudo apt update && sudo apt upgrade
Hit:1 https://d3nt0h4h6pmmc4.cloudfront.net/ubuntu focal InRelease
Hit:2 http://in.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:5 http://ppa.launchpad.net/flatpak/stable/ubuntu focal InRelease
Hit:6 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:7 https://dl.winehq.org/wine-builds/ubuntu focal InRelease
Get:8 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Hit:9 http://ppa.launchpad.net/gencfsm/ppa/ubuntu focal InRelease
Hit:10 http://ppa.launchpad.net/juju/stable/ubuntu focal InRelease
Hit:11 https://download.sublimetext.com apt/stable/ InRelease
Hit:12 https://ngrok-agent.s3.amazonaws.com buster InRelease
Hit:13 http://ppa.launchpad.net/libreoffice/ppa/ubuntu focal InRelease
Hit:14 https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/focal pgadmin4 InRelease
Hit:15 http://ppa.launchpad.net/mojo-maintainers/ppa/ubuntu focal InRelease
Hit:16 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease
Fetched 108 kB in 23s (4,722 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
node-hosted-git-info python2.7-minimal python2.7 node-tar libgsasl7
libopusfile0 libjs-jquery-ui libsdl2-2.0-0 libsdl2-2.0-0
libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following packages have been kept back:
xdg-desktop-portal xdg-desktop-portal-gtk
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

 

Step 3: Install Snort

There are multiple ways to install snort on your Ubuntu 20.04 LTS Server. You can choose to use any of the below methods depending on your requirements and needs.

a) Using APT

You can install Snort from the default Ubuntu repo by using the sudo apt install snort command as shown below. This will download and install the package along with all its dependencies.

cyberithub@ubuntu:~$ sudo apt install snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libdaq2 libdumbnet1 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
snort-doc
The following NEW packages will be installed:
libdaq2 libdumbnet1 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 7 newly installed, 0 to remove and 2 not upgraded.
Need to get 1,424 kB of archives.
After this operation, 7,338 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort-common-libraries amd64 2.9.7.0-5build1 [413 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort-rules-default all 2.9.7.0-5build1 [140 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort-common all 2.9.7.0-5build1 [39.8 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 libdaq2 amd64 2.0.4-3build2 [65.2 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 libdumbnet1 amd64 1.12-9build1 [25.4 kB]
Get:6 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 snort amd64 2.9.7.0-5build1 [656 kB]
Get:7 http://in.archive.ubuntu.com/ubuntu focal/universe amd64 oinkmaster all 2.0-4 [84.0 kB]
Fetched 1,424 kB in 2s (611 kB/s)
.........................................................

Note that when you install snort for the first time on your system, the installer asks for the interface Snort should listen on. The default is eth0, but you have to provide the correct interface name for your system. For example, I would like snort to listen on the enp0s8 interface, so I entered that name, pressed Tab to select Ok, and continued with the installation.


Next, the installer asks for the address range of the local network. The default is 192.168.0.0/16. Change it if your network requires a different range; otherwise keep the default, then press Tab to select Ok and continue with the installation. After a short while, the installation completes successfully.
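
Added example (not part of the original article): the Ubuntu package saves these two answers as DEBIAN_SNORT_INTERFACE and DEBIAN_SNORT_HOME_NET in /etc/snort/snort.debian.conf, and a leftover eth0 default on a host whose NIC is named enp0s8 means Snort has no valid interface to capture on. The script below checks both values; the function names and sample data are constructed for illustration, and any HOME_NET entry that is not an IPv4 CIDR is reported as a finding.

```bash
# Added example: sanity-check the interface and HOME_NET answers saved by the
# Ubuntu snort package. Function names and sample data are constructed.

conf_get() {  # conf_get FILE KEY -> value of the last KEY="value" line
    sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

valid_cidr() {  # succeeds only for an IPv4 CIDR such as 192.168.0.0/16
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# check_snort_conf FILE [NETDIR]: prints each finding, returns the number found.
check_snort_conf() {
    netdir=${2:-/sys/class/net}; problems=0
    ifaces=$(conf_get "$1" DEBIAN_SNORT_INTERFACE)
    nets=$(conf_get "$1" DEBIAN_SNORT_HOME_NET | tr ',' ' ')
    [ -n "$ifaces" ] || { echo "no interface configured"; problems=$((problems + 1)); }
    [ -n "$nets" ] || { echo "no HOME_NET configured"; problems=$((problems + 1)); }
    for i in $ifaces; do
        [ -e "$netdir/$i" ] || { echo "interface $i does not exist"; problems=$((problems + 1)); }
    done
    for n in $nets; do
        valid_cidr "$n" || { echo "HOME_NET entry $n is not an IPv4 CIDR"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample: DIR/net mimics /sys/class/net on a host whose only NIC is enp0s8.
make_sample() {  # make_sample DIR INTERFACE HOME_NET
    mkdir -p "$1/net/enp0s8"
    printf 'DEBIAN_SNORT_HOME_NET="%s"\nDEBIAN_SNORT_INTERFACE="%s"\n' "$3" "$2" \
        > "$1/snort.debian.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp" eth0 "192.168.0.0/16"   # installer default kept by mistake
check_snort_conf "$tmp/snort.debian.conf" "$tmp/net" || echo "findings: $?"
rm -rf "$tmp"
```

On a real host, run check_snort_conf /etc/snort/snort.debian.conf; sudo dpkg-reconfigure snort asks both questions again.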


b) Using Source Code

Visit the official website and download the latest source code by using the wget utility as shown below.

cyberithub@ubuntu:~$ wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
--2023-09-06 00:19:19-- https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
Resolving www.snort.org (www.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, ...
Connecting to www.snort.org (www.snort.org)|104.18.138.9|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/025/687/original/snort-2.9.20.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAU7AK5ITMJQBJPARJ%2F20230905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230905T184920Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18c602ab4c2657111175379056f0f514f6e234b13b57b7e660aa75396c451fd2 [following]
--2023-09-06 00:19:20-- https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/025/687/original/snort-2.9.20.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAU7AK5ITMJQBJPARJ%2F20230905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230905T184920Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=18c602ab4c2657111175379056f0f514f6e234b13b57b7e660aa75396c451fd2
Resolving snort-org-site.s3.amazonaws.com (snort-org-site.s3.amazonaws.com)... 54.231.160.153, 52.217.175.9, 52.216.38.177, ...
Connecting to snort-org-site.s3.amazonaws.com (snort-org-site.s3.amazonaws.com)|54.231.160.153|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7009894 (6.7M) [binary/octet-stream]
Saving to: ‘snort-2.9.20.tar.gz’

snort-2.9.20.tar.gz 100%[============================================================================>] 6.68M 1.53MB/s in 4.6s

2023-09-06 00:19:25 (1.45 MB/s) - ‘snort-2.9.20.tar.gz’ saved [7009894/7009894]

Extract the file using the tar -xzf snort-2.9.20.tar.gz command as shown below.

cyberithub@ubuntu:~$ tar -xzf snort-2.9.20.tar.gz

Then switch to the snort directory using the cd snort-2.9.20 command.

cyberithub@ubuntu:~$ cd snort-2.9.20

Now configure the build for your local system architecture by running the ./configure script as shown below.

cyberithub@ubuntu:~/snort-2.9.20$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports the include directive... yes (GNU style)
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
................................................................

Then compile all the source code by using the make command as shown below.

cyberithub@ubuntu:~/snort-2.9.20$ make
...................................................
libtool: link: gcc -g -O2 -DSF_VISIBILITY -fvisibility=hidden -Wall -g -O2 -DSF_VISIBILITY -fvisibility=hidden -Wall -o u2streamer u2streamer-u2streamer.o u2streamer-SpoolFileIterator.o u2streamer-Unified2.o u2streamer-Unified2File.o u2streamer-TimestampedFile.o u2streamer-UnifiedLog.o u2streamer-sf_error.o -ldaq_static /usr/lib/x86_64-linux-gnu/libdumbnet.so -lpcre -lnsl -luuid -lm -lcrypto -ldl -L/usr/lib -ldaq_static_modules -lsfbpf -lpcap -lz -lpthread
make[3]: Leaving directory '/home/cyberithub/snort-2.9.20/tools/u2streamer'
make[3]: Entering directory '/home/cyberithub/snort-2.9.20/tools'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[2]: Entering directory '/home/cyberithub/snort-2.9.20'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20'
make[1]: Leaving directory '/home/cyberithub/snort-2.9.20'

Finally, install the compiled files by using the make install command as shown below.

cyberithub@ubuntu:~/snort-2.9.20$ make install
......................................................
make[3]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[1]: Leaving directory '/home/cyberithub/snort-2.9.20/tools'
make[1]: Entering directory '/home/cyberithub/snort-2.9.20'
make[2]: Entering directory '/home/cyberithub/snort-2.9.20'
make[2]: Nothing to be done for 'install-exec-am'.
/usr/bin/mkdir -p '/usr/local/share/man/man8'
/usr/bin/install -c -m 644 snort.8 '/usr/local/share/man/man8'
/usr/bin/mkdir -p '/usr/local/lib/pkgconfig'
/usr/bin/install -c -m 644 snort.pc '/usr/local/lib/pkgconfig'
make[2]: Leaving directory '/home/cyberithub/snort-2.9.20'
make[1]: Leaving directory '/home/cyberithub/snort-2.9.20'

 

Step 4: Verify Installation

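After a successful installation, you can check the paths of the installed files by using the dpkg -L snort command as shown below. This lists only the files installed by the APT package; files installed from source with make install are not tracked by dpkg.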

cyberithub@ubuntu:~$ dpkg -L snort
/.
/etc
/etc/cron.daily
/etc/default
/etc/default/snort
/etc/init.d
/etc/init.d/snort
/etc/logrotate.d
/etc/logrotate.d/snort
/etc/ppp
/etc/ppp/ip-down.d
/etc/ppp/ip-down.d/snort
/etc/ppp/ip-up.d
/etc/ppp/ip-up.d/snort
/etc/snort
/usr
/usr/bin
/usr/bin/u2boat
/usr/bin/u2spewfoo
/usr/sbin
/usr/sbin/snort
/usr/share
/usr/share/doc
..................................................

 

Step 5: Check Version

You can also verify the currently installed version by using the snort --version command as shown below.

cyberithub@ubuntu:~$ snort --version

  ' '_      -*> Snort! <*-
 o"   )~    Version 2.9.7.0 GRE (Build 149)
  ''''      By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
            Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.9.1 (with TPACKET_V3)
            Using PCRE version: 8.39 2016-06-14
            Using ZLIB version: 1.2.11
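
Added example (not from the original article): the banner above reports 2.9.7.0, the APT package, whose binary is /usr/sbin/snort, while the source build of 2.9.20 installs under /usr/local, so a host where both methods were followed has two different Snort versions. The script below lists every snort executable on a search path with the version from its banner, in lookup order; the function names are hypothetical, /usr/local/bin/snort is the assumed default location of the source build, and the fake binaries are constructed.

```bash
# Added example: list every snort executable on a search path with its version.
# Function names are hypothetical; the fake binaries are constructed stand-ins.

banner_version() {  # reads a snort banner on stdin, prints e.g. 2.9.7.0
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

list_snort() {  # list_snort PATH_STRING -> "binary version" lines in lookup order
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs   # split the path on ':'
    for d in "$@"; do
        bin=${d:-.}/snort                          # empty entry means current dir
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            # 2>&1 captures the banner whether it goes to stdout or stderr
            printf '%s %s\n' "$bin" "$("$bin" --version 2>&1 | banner_version)"
        fi
    done
}

# Constructed test double: a script that prints a one-line banner like snort's.
make_fake_snort() {  # make_fake_snort DIR VERSION
    mkdir -p "$1"
    printf '#!/bin/sh\necho "   Version %s GRE (Build 0)" >&2\n' "$2" > "$1/snort"
    chmod +x "$1/snort"
}

tmp=$(mktemp -d)
make_fake_snort "$tmp/usr/sbin" 2.9.7.0        # location used by the APT package
make_fake_snort "$tmp/usr/local/bin" 2.9.20    # assumed location of the source build
list_snort "$tmp/usr/local/bin:$tmp/usr/bin:$tmp/usr/sbin"
rm -rf "$tmp"
```

On a real host, call list_snort "$PATH"; the first line printed is the binary a bare snort command runs.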

 

Step 6: Uninstall Snort

Once you are done using snort, you can uninstall it from your system by running the sudo apt remove snort command as shown below. To also remove the dependencies that were installed along with the snort package, use the sudo apt remove snort --auto-remove command. Be very careful with that command, because removing dependencies can sometimes cause problems for other running applications that use those packages.

cyberithub@ubuntu:~$ sudo apt remove snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libdaq2 libdumbnet1 oinkmaster snort-common snort-common-libraries snort-rules-default
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
snort
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,987 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 258556 files and directories currently installed.)
Removing snort (2.9.7.0-5build1) ...
Stopping snort (via systemctl): snort.service.
Processing triggers for man-db (2.9.1-1) ...
