Configuring SNORT on Network

Jayrajsinh Chauhan
Mar 8, 2022

What is SNORT?

→ Snort is the foremost open-source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that define malicious network activity, finds packets that match those rules, and generates alerts for users.

How is it shown in this blog?

→ Here we will configure SNORT on our local home network.

In this blog I will show you how to get alerts in the Kali terminal when a user on your local home network (Wi-Fi) is using Instagram, Facebook or YouTube. We will configure a set of custom rules for these three websites.
SNORT itself comes with a set of predefined rules for securing the network against scanning and exploitation.

Requirements:
1. Kali Linux (connected to the network you want to monitor)
2. Router

I have installed Kali Linux on VirtualBox.

So let's start →

Step 1:- Download and Install SNORT in Kali Linux.
use command apt install snort

Step 2:- move to snort directory.

use command cd /etc/snort

Step 3:- The original configuration file is snort.conf; as a backup, we will create a copy of this file and make our changes in the copy.

use command cp snort.conf test_snort.conf

Step 4:- We have to put our network IP range in the test_snort.conf file, so we will edit this file.

use command nano test_snort.conf

After that, put your network IP and range as shown in the screenshot below.

After that, save and close the file.

Step 5:- Now we have to make rules; for that, move to the rules directory.

use command cd rules

Step 6:- SNORT has many rules files. Our own rules are defined in the local.rules file, but as a backup I am creating a secondary file.

To create the secondary file use command cp local.rules custom.rules

Step 7:- SNORT will not read rules directly from our custom file, so we have to include the custom file in the local.rules file.

To edit the file use command nano local.rules

and write the include line as shown in the screenshot. After that, save and close the file.

Step 8:- Now we have to define our desired rules (for Instagram, Facebook and YouTube) in the custom rules file.

To edit that file, use command nano custom.rules

Now write the rules as I have written them (only this format is accepted).

Step 9:- Now the setup is done. To be sure, run the command below; it checks whether everything is well formatted and configured.

use command snort -T -i eth0 -c /etc/snort/test_snort.conf

Step 10:- Match the output below with yours (a lesser number is not accepted).

Step 11:- Now all the rules and configuration are set and SNORT can be executed.

Step 12:- To run SNORT use the following command.

use command snort -A console -q -i eth0 -c /etc/snort/test_snort.conf

You can also get the alerts as shown in the screenshot above.
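The rules from Step 8 are only referenced as a screenshot, so here is an added example (not the author's rules) that generates Snort 2 rules for the three sites: one matching the DNS lookup, where the name is encoded as length-prefixed labels, and one matching the plaintext server name in the TLS ClientHello. The domain names, the SIDs starting at 1000001, the function names dns_content and make_rules, and the use of $HOME_NET as the variable set in Step 4 are assumptions.

```shell
#!/bin/sh
# Added example: prints Snort 2 rules for a list of sites.
# Domains and SIDs are constructed sample values, not taken from the post.

# Encode a domain the way it appears inside a DNS query: every label is
# preceded by its length byte and the name ends with a zero byte, so
# "instagram.com" never appears with a literal dot on the wire.
# Runs in a subshell "( )" so the IFS change stays local.
dns_content() (
    IFS=.
    set -f                      # no glob expansion while splitting on dots
    out=""
    for label in $1; do
        out="${out}$(printf '|%02X|%s' "${#label}" "$label")"
    done
    printf '%s|00|' "$out"
)

# Print two rules per domain. $1 = first SID, remaining args = domains.
# $HOME_NET is left literal on purpose: Snort expands it, not the shell.
make_rules() {
    sid=$1; shift
    for domain in "$@"; do
        printf 'alert udp $HOME_NET any -> any 53 (msg:"DNS query for %s"; content:"%s"; nocase; sid:%d; rev:1;)\n' \
            "$domain" "$(dns_content "$domain")" "$sid"
        printf 'alert tcp $HOME_NET any -> any 443 (msg:"TLS SNI %s"; flow:to_server,established; content:"%s"; nocase; sid:%d; rev:1;)\n' \
            "$domain" "$domain" $((sid + 1))
        sid=$((sid + 2))
    done
}

# Local rules conventionally use SIDs of 1000000 and above.
make_rules 1000001 instagram.com facebook.com youtube.com
```

Redirect the output into /etc/snort/rules/custom.rules and rerun the snort -T check from Step 9. Lookups sent over DNS-over-HTTPS, or a ClientHello with an encrypted server name, will not match these content strings.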

JAYRAJSINH CHAUHAN..
