
Snort IDS Setup and Testing Tutorial


Published September 29, 2025 By Candra Wijaya
Security, Ethical Hacking

1. Switch to the Root User

First, switch to the root user to ensure you have full administrative privileges:

sudo su

2. Update Your System

Ensure your package lists are up to date. First, import the Kali Linux repository's GPG (GNU Privacy Guard) signing key and save it to the system keyring so that apt can verify the packages it downloads:

curl -fsSL https://archive.kali.org/archive-key.asc | sudo gpg --dearmor -o /usr/share/keyrings/kali-archive-keyring.gpg

apt update

3. Install Snort

Install the Snort package:

apt install snort -y

Verify the installation by checking the Snort version:

snort -V

You should see the Snort version and build information if the installation was successful.

4. Navigate to the Snort Configuration Directory

Change to the directory where Snort configuration files are stored:

cd /etc/snort/

List the contents of this directory to see the configuration files:

ls -l

5. Configure the Main Snort Settings

Edit the main Snort configuration file:

pico /etc/snort/snort.lua

Add the following ips configuration block, which tells Snort where to find your local rules:

ips =
{
    variables = default_variables,
    rules = [[
        include /etc/snort/rules/local.rules
    ]]
}

Save the file and exit the editor (Ctrl + O, Enter, then Ctrl + X).

6. Create Your Snort Rules

Create or edit the local.rules file where your custom detection rules will be stored:

pico /etc/snort/rules/local.rules

Add the following rules to detect common scanning techniques (each rule must be written on a single line). Note that the ICMP rule has no flag or rate condition, so it alerts on every ICMP packet, including ordinary pings:

alert tcp any any -> any any (msg:"Nmap SYN Scan Detected"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"Nmap Xmas Scan Detected"; flags:FPU; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"Nmap Null Scan Detected"; flags:0; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"HPING3 ICMP Flood Detected"; sid:1000004; rev:1;)

Save the file and exit (Ctrl + O, Enter, then Ctrl + X).
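A quick sanity check for local.rules, added here as an example and not part of the original tutorial: it parses each rule's header and options, flags rules that are not on a single line, and reports missing msg/sid/rev, duplicate sids, and sids below the conventional local range (Snort reserves sids below 1,000,000 for its own rule sets). The sample rules embedded in the script are constructed from the four rules above plus two deliberately broken entries.

```python
import re
# Constructed sample: the four rules from this tutorial plus two deliberately
# broken entries (a rule wrapped over two lines, and a duplicate sid).
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"Nmap SYN Scan Detected"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"Nmap Xmas Scan Detected"; flags:FPU; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"Nmap Null Scan Detected"; flags:0; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"HPING3 ICMP Flood Detected"; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"Wrapped rule";
    flags:S; sid:1000005; rev:1;)
alert udp any any -> any 53 (msg:"Duplicate sid"; sid:1000001; rev:1;)
"""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "block"}
# Header "action proto src sport dir dst dport" followed by "(options)" on one line.
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+"
    r"\s*\((?P<opts>.*)\)\s*$"
)

def lint_rules(text):
    """Return [(line_number, problem), ...]; an empty list means the file is clean."""
    problems, seen_sids = [], {}
    for num, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        m = HEADER.match(rule)
        if not m:
            problems.append((num, "not a complete single-line rule"))
            continue
        if m["action"] not in ACTIONS:
            problems.append((num, f"unknown action {m['action']!r}"))
        # Options are "keyword:value;" pairs; a bare keyword gets an empty value.
        opts = dict(p.strip().partition(":")[::2] for p in m["opts"].split(";") if p.strip())
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                problems.append((num, f"missing {required}"))
        sid = opts.get("sid", "")
        if sid.isdigit():
            if int(sid) < 1000000:
                problems.append((num, f"sid {sid} is below the local-rule range (>= 1000000)"))
            if sid in seen_sids:
                problems.append((num, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
            seen_sids.setdefault(sid, num)
    return problems

if __name__ == "__main__":
    for num, problem in lint_rules(SAMPLE_RULES):
        print(f"line {num}: {problem}")
```

Run it against the real file with `lint_rules(open("/etc/snort/rules/local.rules").read())` before starting Snort; a clean file returns an empty list.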

7. Run Snort in Console Mode for Testing

Start Snort to monitor a specific network interface:

For an external interface (e.g., eth0):

sudo snort -c /etc/snort/snort.lua -R /etc/snort/rules/local.rules -i eth0 -A alert_fast

For the loopback interface (lo):

sudo snort -c /etc/snort/snort.lua -R /etc/snort/rules/local.rules -i lo -A alert_fast

8. Simulate Attacks for Testing

Run some common scanning attacks to test your Snort configuration:

Nmap Scans:

# SYN Scan
nmap -sS localhost

# Null Scan
nmap -sN localhost

# Xmas Scan
nmap -sX localhost

ICMP Flood with hping3:

sudo hping3 -1 -c 1000 -d 120 -S -w 64 --flood --rand-source localhost

If the rules are correctly configured, you should see alerts in the Snort console.

9. Create a Systemd Service for Snort (Optional)

To make Snort start automatically on boot, first locate the snort binary so you can use its full path in the service file's ExecStart line:

which snort

Then create a systemd service file:

sudo nano /etc/systemd/system/snort.service

Add the following content:

[Unit]
Description=Snort IDS
After=network.target

[Service]
ExecStart=/usr/sbin/snort -c /etc/snort/snort.lua -R /etc/snort/rules/local.rules -i lo -A alert_fast
Restart=on-failure

[Install]
WantedBy=multi-user.target

Save and exit (Ctrl + O, Enter, then Ctrl + X).

10. Enable and Start the Snort Service

Reload the systemd daemon to recognize the new service:

sudo systemctl daemon-reload

Enable Snort to start on boot:

sudo systemctl enable snort

Start the Snort service:

sudo systemctl start snort

To stop the Snort service:

sudo systemctl stop snort

11. Verify Snort is Running

Check the status of the Snort service:

sudo systemctl status snort
