Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-17-2013, 07:42 AM   #1
LQ Newbie
Registered: Apr 2013
Posts: 13
Snort IDS Setup and Configuration

Hello fellow Linux users,

I have a question about setting up an IDS solution. I would like to go the open-source route, utilizing a Linux-based host operating system (more than likely CentOS) running Snort. I have been searching the web for a tutorial; however, I have yet to find one that is all-inclusive.

Based on the Snort website it seems as simple (I use that word loosely) as:
1.) installing a Linux distribution
2.) installing the five required programs (libpcap, PCRE, libdnet, barnyard2, and DAQ) for Snort to run effectively
3.) installing Snort
4.) downloading and installing the rules

A guide specifically for CentOS is provided on the Snort website via the following link:

Does anyone with Snort-based IDS experience have some advice on how to move forward? Any suggestions, technical specifics, or pointers to additional resources?

Thanks in advance!
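The four-step procedure in the post above, written out as a CentOS shell script. This is an added example, not code from the thread or from the Snort project. It assumes CentOS 6 with EPEL available (libdnet-devel is not in the base repositories), that the DAQ and Snort source tarballs have already been downloaded from snort.org into /usr/local/src, and that you have an oinkcode from your snort.org account for the registered-user rule snapshot; the version numbers, install prefix and paths are placeholders to adjust. Note that barnyard2, listed as a requirement in the post, is a separate project that reads Snort's unified2 output; it is not a build dependency of Snort itself and is left out here.

```shell
#!/bin/sh
# Added example (not from the thread): build Snort 2.9.x from source on CentOS 6,
# following the four steps in the post. Run as root. Version numbers, the
# oinkcode and the paths below are assumptions; adjust them to what you downloaded.
set -eu

SNORT_VER="${SNORT_VER:-2.9.4.6}"   # assumption: the Snort release you downloaded
DAQ_VER="${DAQ_VER:-2.0.0}"         # assumption: the DAQ release you downloaded
OINKCODE="${OINKCODE:-REPLACE_WITH_YOUR_OINKCODE}"
PREFIX=/usr/local
SRC=/usr/local/src                  # assumption: tarballs are already here

# Step 2: build-time dependencies. libdnet-devel comes from EPEL on CentOS 6.
install_deps() {
    yum -y install epel-release
    yum -y install gcc make flex bison libpcap-devel pcre-devel libdnet-devel zlib-devel
}

# Rule snapshots are named after the Snort version with the dots removed
# (2.9.4.6 -> 2946), so derive that tag instead of hard-coding it.
version_tag() {
    printf '%s' "$1" | tr -d '.'
}

# URL of the registered-user snapshot for a given Snort version and oinkcode.
rules_url() {
    printf 'https://www.snort.org/rules/snortrules-snapshot-%s.tar.gz?oinkcode=%s' \
        "$(version_tag "$1")" "$2"
}

# Step 2 (cont.): DAQ must be installed before Snort, whose configure script looks for it.
build_daq() {
    cd "$SRC"
    tar xzf "daq-$DAQ_VER.tar.gz"
    cd "daq-$DAQ_VER"
    ./configure --prefix="$PREFIX" && make && make install
}

# Step 3: build Snort itself and lay out the config directory.
build_snort() {
    cd "$SRC"
    tar xzf "snort-$SNORT_VER.tar.gz"
    cd "snort-$SNORT_VER"
    ./configure --prefix="$PREFIX" --enable-sourcefire && make && make install
    # /usr/local/lib is not on the loader path by default on CentOS; DAQ's libsfbpf lives there.
    echo "$PREFIX/lib" > /etc/ld.so.conf.d/snort-local.conf
    ldconfig
    # Unprivileged account for Snort to drop to (-u snort -g snort) after opening the capture device.
    id snort >/dev/null 2>&1 || useradd -r -s /sbin/nologin -c "Snort IDS" snort
    mkdir -p /etc/snort/rules /var/log/snort
    cp etc/*.conf* etc/*.map /etc/snort/
    chown -R snort:snort /var/log/snort
}

# Step 4: fetch the rule snapshot and unpack it under /etc/snort (it contains rules/, so_rules/, etc/).
install_rules() {
    cd "$SRC"
    curl -L -o "snortrules-$SNORT_VER.tar.gz" "$(rules_url "$SNORT_VER" "$OINKCODE")"
    tar xzf "snortrules-$SNORT_VER.tar.gz" -C /etc/snort
}

# Only perform the install when asked explicitly: "sh snort-build.sh install".
# Sourcing or running the file without arguments just defines the functions.
case "${1:-}" in
    install) install_deps; build_daq; build_snort; install_rules ;;
esac
```

The build order matters: DAQ before Snort, and `ldconfig` after both, or the freshly linked `snort` binary fails to find libsfbpf at start-up. Creating the `snort` account up front is what lets you run the sensor with `-u snort -g snort` later instead of leaving it as root.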

Old 04-17-2013, 12:17 PM   #2
LQ Newbie
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu Server & Debian 6
Posts: 23
I would say after the install, look at the alerts that are being generated and figure out if they are false positives or not. The biggest issue with most IPS/IDS is that the variables (i.e. $HOME_NET, $EXTERNAL_NET, etc.) are never filled out properly, causing false positives.

It also depends on what you would like to do with the IDS: are you trying to learn just how it functions, or are you planning on writing IDS signatures in the future? Regardless, I would start with that and look at what rules (the actual rules themselves) are being triggered and why; it gives you a good foundation to start with.
Old 04-20-2013, 04:28 AM   #3
Registered: May 2001
Posts: 29,359
Blog Entries: 55
Originally Posted by shizzles:
I would say after the install, look at the alerts that are being generated and figure out if they are false positive or not.
I would say after the install the first thing to do is to run Snort in test mode (the "-T" switch) as that's the easiest, quickest way to find out if it will run. Second thing would be to review snort.conf (you probably don't want it to run in promiscuous mode) and prune the rule sets and only keep those that relate to the OS, generic network problem indicators and the services your machine provides. And obviously running Snort / Barnyard2 means that reports getting generated should go to a human user who actually reads those reports and takes appropriate action. Snort may act as a valuable addition to your network security strategy but it does not equal host or network security.
So above all review your overall security strategy: ensure proper hardening takes place before doing anything else, remain aware always and act when reporting indicates you should do so.
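A pre-flight check that puts posts #2 and #3 into practice: it refuses a snort.conf whose $HOME_NET/$EXTERNAL_NET are still the catch-all "any" (the false-positive source post #2 describes), prunes the rule-file includes down to a keep list as post #3 suggests, and then runs Snort's test mode (-T) if the binary is present. This is an added example, not code from the thread or from the Snort project. The sample configuration in the heredoc is constructed for the demo, the 192.0.2.0/24 subnet is a placeholder, and the keep list is an assumption you would replace with the rule files that match your OS and the services the box actually provides.

```shell
#!/bin/sh
# Added example (not from the thread): review a snort.conf before the first real run.
# The sample config below is constructed for the demo; the subnet and keep list are assumptions.
set -eu

# Fail if HOME_NET or EXTERNAL_NET is missing or still "any". With HOME_NET any,
# every host on the wire counts as "home", so rules written for the direction
# $EXTERNAL_NET -> $HOME_NET fire on traffic they were never meant to cover.
check_net_vars() {
    conf="$1"
    rc=0
    for var in HOME_NET EXTERNAL_NET; do
        val=$(awk -v v="$var" '$1 == "ipvar" && $2 == v { print $3; exit }' "$conf")
        if [ -z "$val" ]; then
            echo "$var: not defined"; rc=1
        elif [ "$val" = "any" ]; then
            echo "$var: set to 'any' (define it explicitly)"; rc=1
        fi
    done
    return $rc
}

# Comment out every "include $RULE_PATH/<file>" whose file is not in the
# space-separated keep list; the pruned config goes to stdout. Rule files for
# services you do not run only burn CPU and generate alerts nobody will read.
prune_rules() {
    conf="$1"; keep="$2"
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        index($0, "include $RULE_PATH/") == 1 {
            f = substr($2, length("$RULE_PATH/") + 1)
            if (!(f in want)) { print "# pruned: " $0; next }
        }
        { print }' "$conf"
}

# Number of rule files a config still includes (after pruning).
count_active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# snort -T parses the config and every included rule file, then exits. It is the
# quickest way to catch a typo or a missing rule file before the sensor goes live.
snort_test() {
    conf="$1"
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$conf"
    else
        echo "snort binary not found; skipping -T run"
    fi
}

# Constructed sample configuration (not a real snort.conf) with the weak defaults.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/netbios.rules
EOF

# The fix: name the monitored subnet (placeholder 192.0.2.0/24) and make
# EXTERNAL_NET its complement, so direction-sensitive rules mean what they say.
FIXED=$(mktemp)
sed -e 's|^ipvar HOME_NET any|ipvar HOME_NET [192.0.2.0/24]|' \
    -e 's|^ipvar EXTERNAL_NET any|ipvar EXTERNAL_NET !$HOME_NET|' "$DEMO" > "$FIXED"

# Keep only the rule files relevant to this (hypothetical) web server; drop Oracle and NetBIOS.
PRUNED=$(mktemp)
prune_rules "$FIXED" "local.rules web-attacks.rules scan.rules" > "$PRUNED"
trap 'rm -f "$DEMO" "$FIXED" "$PRUNED"' EXIT

echo "-- default config:"; check_net_vars "$DEMO" || echo "(would refuse to start Snort)"
echo "-- fixed config:";   check_net_vars "$FIXED" && echo "HOME_NET/EXTERNAL_NET look sane"
echo "-- active rule includes after pruning: $(count_active_includes "$PRUNED")"
snort_test "$PRUNED" || echo "-T failed: fix the config before going live"
```

On a real sensor you would point `check_net_vars` and `snort_test` at /etc/snort/snort.conf rather than the demo files, and keep the pruned config under version control so the next rule snapshot does not silently re-enable everything you removed.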