Snort IDS installation



SNORT installation


You need to add a new MySQL database and user for Snort (only needed if you log alerts to a database; the steps below do not depend on it).

Hint: you can use phpMyAdmin or MySQL Workbench to do so.



apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl

The second line installs the Perl HTTPS modules that PulledPork (below) needs to download rules over TLS.

During the installation you will be asked for $HOME_NET, the address range Snort considers "its" network.

  • If you plan to protect a whole network, give it in CIDR form: network address/prefix length.
  • For a single computer, give its IP address with /32. Do that for servers hosted somewhere in the cloud (OVH, TripNet, ...).

Basic configuration

Interactive way

dpkg-reconfigure snort
  • Start Snort at boot
  • Interface: eth0
  • HOME_NET: the IP address of your server (with /32)
  • Do NOT enable promiscuous mode (a single server only needs to see its own traffic; promiscuous mode is only useful when the interface is fed by a mirror/SPAN port)
  • No custom options
  • (optional) daily statistics reports by email

Manual way

Set the attributes in the Debian-specific file:

vim /etc/snort/snort.debian.conf

!! Note that the startup settings (interface, HOME_NET, extra options, daily report) live in this Debian configuration; /etc/snort/snort.conf is Snort's global configuration and is not touched by dpkg-reconfigure !!
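The HOME_NET choice above and the manual edit of snort.debian.conf, as an added example that is not part of the original page: a small POSIX shell script that writes the Debian-side settings with the variable names the Debian snort package reads (DEBIAN_SNORT_STARTUP, DEBIAN_SNORT_HOME_NET, DEBIAN_SNORT_INTERFACE, DEBIAN_SNORT_OPTIONS, DEBIAN_SNORT_SEND_STATS_DAILY, ...) and refuses a HOME_NET that is not a proper a.b.c.d/nn, so a typo cannot silently widen what Snort treats as its own network. The target path, interface and the 203.0.113.10/32 address used in the usage line are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not from the page: write snort.debian.conf by hand instead of
# running dpkg-reconfigure. Variable names are those of the Debian snort package
# (assumption: Debian/Ubuntu "snort" package layout).

# Accept only a.b.c.d/nn with each octet 0-255 and a prefix length 0-32, the form
# $HOME_NET expects. A bare IP or a hostname is rejected.
valid_cidr() {
    _c=$1
    _ip=${_c%/*}; _len=${_c#*/}
    [ "$_ip" != "$_c" ] || return 1                 # no "/" at all
    case $_len in *[!0-9]*|'') return 1;; esac       # prefix must be digits
    [ "$_len" -le 32 ] || return 1
    _old_ifs=$IFS; IFS=.
    set -- $_ip                                      # split on "." (function-local $@)
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in *[!0-9]*|'') return 1;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Write the Debian-side settings.  Args: file interface home_net [extra snort options]
write_snort_debian_conf() {
    _file=$1; _iface=$2; _home=$3; _opts=${4:-}
    valid_cidr "$_home" || { echo "bad HOME_NET: $_home (want a.b.c.d/nn)" >&2; return 1; }
    cat > "$_file" <<EOF
# Written by hand; "dpkg-reconfigure snort" would overwrite this file.
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="$_home"
DEBIAN_SNORT_INTERFACE="$_iface"
# Extra command-line options. Snort's -p flag disables promiscuous mode, so the
# sensor only sees traffic addressed to this host: right for a single cloud server.
DEBIAN_SNORT_OPTIONS="$_opts"
# Daily statistics report by e-mail: 0 = off, 1 = on (sent to the recipient below)
DEBIAN_SNORT_SEND_STATS_DAILY="0"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
EOF
}

# Read one setting back from the file (value between the quotes).
get_setting() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Usage (assumed values): a single cloud server, eth0, no promiscuous sniffing.
#   write_snort_debian_conf /etc/snort/snort.debian.conf eth0 203.0.113.10/32 -p
#   service snort restart
```

Run it as root, then check the result with get_setting before restarting; a rejected HOME_NET leaves the file untouched and returns 1, so a wrapper script can stop there.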


Know your version of Snort

snort -V

You should see something like this (the version number and build vary; note yours, PulledPork needs it below):

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

Configure rules and update

SNORT account

Get a Snort account:

Each Snort account has an oinkcode, which is required to download the registered rule updates.


Oinkmaster is THE reference tool for rule updates. However, it is a pain to configure. :'(

Instead, the community has created PulledPork: a script that downloads the rule tarball for your Snort version, merges it into a single rules file, applies your enable/disable lists and generates sid-msg.map for you.

Pulled Pork


PulledPork requires specific files & folders (the IP blacklist it downloads is written here):

mkdir -p /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist
chmod 644 /etc/snort/rules/iplists/default.blacklist

Do not make the blacklist world-writable (chmod 777): PulledPork runs as root from cron and Snort only reads the file, and a writable blacklist would let any local user add or remove blocked addresses.

Get Pulled Pork

Get the latest version of Pulled Pork:

cd /tmp && wget


Unpack the archive and enter the directory:

tar xvf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0

Copy the script to /usr/local/bin/ and the configuration files (pulledpork.conf plus the enablesid/disablesid/dropsid/modifysid lists) to /etc/snort/:

cp /usr/local/bin/
chmod 755 /usr/local/bin/
cp etc/* /etc/snort/


Edit PulledPork configuration

vim /etc/snort/pulledpork.conf

Set / adjust the following settings. Line numbers refer to the stock pulledpork.conf of 0.7.0; the defaults assume a source install under /usr/local and must be changed to the Debian paths (/etc/snort, /etc/snort/rules):

## Set your OinkCode
## Lines 19,21,24,26: replace <oinkcode> by your own.

## Line 72: rule_path (default = /usr/local/etc/snort/rules/snort.rules)

## Line 87: local_rules (default = /usr/local/etc/snort/rules/local.rules)

## Line 90 (default = /usr/local/etc/snort/

## Line 110: sorule_path (default = /usr/local/lib/snort_dynamicrules/)

## Line 113: snort_path (default = /usr/local/bin/snort)

## Line 117: config_path (default = /usr/local/etc/snort/snort.conf)

## Line 120: uncomment and adjust sostub_path (default = /usr/local/etc/snort/rules/so_rules.rules)

## Line 131: distro

## Line 139: black_list (default = /usr/local/etc/snort/rules/iplists/default.blacklist)

## Line 148: IPRVersion (default = /usr/local/etc/snort/rules/iplists)

## Line 190: uncomment the snort_version line
# Put the version reported by snort -V (see above); it selects which rule snapshot is downloaded.
# You can check which versions have a snapshot available on the download page.
# Your exact version may not be listed; in that case the snapshot offered for the nearest version is the one to name here.
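The same adaptation done by a script, as an added example that is not part of the original page or of PulledPork: it substitutes the oinkcode on every rule_url line and rewrites the path keys named above to the Debian layout, replacing the line whether it is active or commented out, so the result does not depend on line numbers. The Debian binary and shared-object paths (/usr/sbin/snort, /usr/lib/snort_dynamicrules) and the sid_msg key for the truncated line 90 are assumptions; the distro value is whatever platform name snort.org offers precompiled rules for, passed in as an argument. The miniature conf written by make_sample_conf is constructed for the offline self-check and is not the real file.

```shell
#!/bin/sh
# Added example, not from the page or PulledPork: adapt a stock pulledpork-0.7.0
# pulledpork.conf to the Debian snort package layout.
# Assumptions: rules under /etc/snort/rules, Debian snort binary /usr/sbin/snort,
# shared-object rules in /usr/lib/snort_dynamicrules. Adjust if your package differs.

# Set key=value in a pulledpork.conf: rewrite every existing line for the key
# (active or "#"-commented), else append. "@" is the sed delimiter because the
# values contain "/" and "|".
pp_set() {
    _f=$1; _k=$2; _v=$3
    if grep -Eq "^#?[[:space:]]*${_k}=" "$_f"; then
        sed -i -E "s@^#?[[:space:]]*${_k}=.*@${_k}=${_v}@" "$_f"
    else
        printf '%s=%s\n' "$_k" "$_v" >> "$_f"
    fi
}

# Read the (last) active value of a key.
pp_get() { sed -n -E "s@^${2}=(.*)@\1@p" "$1" | tail -n 1; }

# Args: conf oinkcode snort_version distro
configure_pulledpork() {
    _conf=$1; _oink=$2; _ver=$3; _distro=$4
    # Several rule_url lines carry the placeholder; fix them all, keep them distinct.
    sed -i "s/<oinkcode>/${_oink}/g" "$_conf"
    pp_set "$_conf" rule_path     /etc/snort/rules/snort.rules
    pp_set "$_conf" local_rules   /etc/snort/rules/local.rules
    pp_set "$_conf" sid_msg       /etc/snort/sid-msg.map            # assumed key for line 90
    pp_set "$_conf" sorule_path   /usr/lib/snort_dynamicrules/     # assumption (Debian)
    pp_set "$_conf" snort_path    /usr/sbin/snort                  # assumption (Debian)
    pp_set "$_conf" config_path   /etc/snort/snort.conf
    pp_set "$_conf" sostub_path   /etc/snort/rules/so_rules.rules  # uncommented by pp_set
    pp_set "$_conf" distro        "$_distro"
    pp_set "$_conf" black_list    /etc/snort/rules/iplists/default.blacklist
    pp_set "$_conf" IPRVersion    /etc/snort/rules/iplists
    pp_set "$_conf" snort_version "$_ver"
}

# Constructed miniature of the stock file (a few of its lines), for running this
# script offline. Not the real pulledpork.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# snort_version=2.9.0.0
EOF
}

# Usage on a real install (assumed oinkcode, version and distro):
#   configure_pulledpork /etc/snort/pulledpork.conf <your oinkcode> 2.9.7.0 Debian-6-0
#   pp_get /etc/snort/pulledpork.conf snort_version
```

Keep a copy of the stock file before running it, and check the result with pp_get; keys not present in the stock file are appended at the end, which PulledPork reads just the same.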

Get rules

Execute PulledPork (the script copied to /usr/local/bin/ above) with -c /etc/snort/pulledpork.conf

You should see something like:
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\


Fly Piggy Fly!

Test snort

You can check that SNORT loads your rules by launching it. See "Run SNORT" below.

Get rules periodically

The best way to get rules periodically is to set up a cron job.

Create a crontab entry to automate keeping the Snort rules up to date (-c names the configuration file, -H sends a HUP to the Snort process listed in pid_path so it reloads the rules, -v is verbose; output is appended to /var/log/pulledpork).

Edit the crontab

crontab -e


0 2 * * * -c /etc/snort/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
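A safer cron job, as an added example that is not part of the original page: a wrapper that runs PulledPork, then asks Snort to parse the new rules in test mode (snort -T) and only restarts the sensor when that succeeds, so a broken rule download at 02:00 does not leave the IDS down until someone reads the log. It assumes PulledPork was installed as /usr/local/bin/pulledpork.pl, the Debian snort package (/usr/sbin/snort, "service snort restart") and eth0 as the monitored interface; all of these are variables so they can be changed, which is also how the offline self-check substitutes true/false for the real commands. PulledPork's -H (HUP) is left out here because the wrapper does the restart itself after validation.

```shell
#!/bin/sh
# Added example, not from the page: cron-driven rule update that refuses to restart
# Snort when the new rule set does not load. Assumptions: PulledPork script path,
# Debian snort binary and init script, interface eth0. Override via environment.
PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
SNORT=${SNORT:-/usr/sbin/snort}
RESTART=${RESTART:-"service snort restart"}
CONF=${CONF:-/etc/snort/pulledpork.conf}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-eth0}
LOG=${LOG:-/var/log/pulledpork}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# Return codes: 0 rules updated and Snort restarted; 2 PulledPork failed;
# 3 the new rules do not pass "snort -T"; 4 restart failed.
# In cases 2 and 3 Snort keeps running on the previous rule set.
update_rules() {
    if ! "$PULLEDPORK" -c "$CONF" -v >> "$LOG" 2>&1; then
        log "pulledpork failed, snort not restarted"
        return 2
    fi
    # -T: read the configuration and all included rules, report, exit without sniffing.
    if ! "$SNORT" -T -c "$SNORT_CONF" -i "$IFACE" >> "$LOG" 2>&1; then
        log "new rules do not load (see snort -T output above), snort not restarted"
        return 3
    fi
    if ! $RESTART >> "$LOG" 2>&1; then
        log "restart failed"
        return 4
    fi
    log "rules updated and snort restarted"
}

# Usage: save as /usr/local/bin/update-snort-rules.sh (assumed name), make it
# executable, then in root's crontab:
#   0 2 * * * /usr/local/bin/update-snort-rules.sh
# and call update_rules as the last line of the script when run from cron.
```

When a run ends with code 3, the snort -T output in /var/log/pulledpork names the rule or option Snort rejected; fix it through disablesid.conf or snort.conf and rerun the wrapper by hand.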


Run SNORT

This is how you start SNORT manually in the foreground (add -T to only parse the configuration and rules, report, and exit, which is what you want from a script):

snort -c /etc/snort/snort.conf

If all is OK you should see:


4150 Snort rules read
    3476 detection rules
    0 decoder rules
    0 preprocessor rules
3476 Option Chains linked into 271 Chain Headers
0 Dynamic rules


        --== Initialization Complete ==--

'Ctrl + C' to exit.

If there are errors, they are printed on the terminal; when Snort is started by the init script, check /var/log/syslog instead.

You might have to comment out some rules, depending on your configuration (typically rules that reference a preprocessor or a variable your snort.conf does not define).

Managing rules

Not all rules are enabled by default. According to your own policy, you might want to enable / disable some specific rules.

Have a look at your configuration file:

vim /etc/snort/snort.conf

Cf STEP 7 (~ line 555), "Customize your rule set": that is where the include lines for rule files live. With PulledPork, point them at $RULE_PATH/snort.rules and $RULE_PATH/local.rules and comment out the per-category includes, since everything is merged into snort.rules. For individual rules, prefer the enablesid.conf / disablesid.conf lists copied to /etc/snort above (one gid:sid per line, e.g. 1:1000002) and rerun PulledPork, rather than editing snort.rules, which is regenerated at every update.

Don't forget to restart SNORT !

service snort restart
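How to verify that a rule policy took effect, as an added example that is not part of the original page: in the file PulledPork writes, a disabled rule is simply the same line commented out with "#", so a few lines of shell and awk can tell whether a given SID is active and how many rules are on or off. The three sample rules written by make_sample_rules are constructed for the offline check (SIDs in the local 1000000+ range) and are not real Snort rules; the file path in the usage line is the Debian rule_path assumed elsewhere on this page.

```shell
#!/bin/sh
# Added example, not from the page: inspect a Snort rules file (the single
# snort.rules PulledPork generates) and report which rules are active.

# Print "enabled", "disabled" or "absent" for a SID. Args: rules_file sid
sid_state() {
    awk -v sid="$2" '
        { line = $0; c = sub(/^[ \t]*#[ \t]*/, "", line) }   # c=1 if the line was commented out
        line ~ ("sid:[ \t]*" sid ";") { print (c ? "disabled" : "enabled"); found = 1; exit }
        END { if (!found) print "absent" }
    ' "$1"
}

# Count enabled vs disabled rules: a rule line starts with an action keyword,
# a disabled one with "#" then the action keyword. Args: rules_file
rule_counts() {
    awk '
        /^[ \t]*(alert|drop|log|pass|reject|sdrop)[ \t]/        { on++ }
        /^[ \t]*#[ \t]*(alert|drop|log|pass|reject|sdrop)[ \t]/ { off++ }
        END { printf "enabled=%d disabled=%d\n", on, off }
    ' "$1"
}

# Constructed sample in the snort.rules layout, for running this offline.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not a real rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; flags:S; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE telnet probe"; flags:S; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"SAMPLE dns"; sid:1000003; rev:2;)
EOF
}

# Usage on a real install (assumed Debian rule_path):
#   rule_counts /etc/snort/rules/snort.rules
#   sid_state   /etc/snort/rules/snort.rules 2010935
```

If sid_state still says "enabled" after you added the SID to disablesid.conf, PulledPork was not rerun or read a different rule_path than the one Snort includes; compare the two paths before restarting.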