A Guide to Understanding Intrusion Detection Systems for Beginners

Sara Sheon
4 min read · Nov 22, 2022

Snort is an open source network intrusion detection and prevention system (IDS/IPS). Run as an IDS, it sniffs the traffic on a network interface, compares every packet against a set of rules, and writes an alert when a rule matches; run inline as an IPS, it can also drop the matching packets instead of only alerting. The steps below run it as a passive IDS that logs alerts to disk.

Installation and Test:

# Install Snort (the Debian/Ubuntu package is Snort 2.9.x; its config lives in /etc/snort/snort.conf):
sudo apt -y install snort
# The installer prompts for the interface to listen on - mine will be enp1s0
# and for the local network to monitor (HOME_NET) - mine will be 192.168.0.0/16
# It then asks you to confirm the interface a second time
# Fetch the free community rules. The apt package is Snort 2, so use the Snort 2 rule set;
# snort3-community-rules.tar.gz is written for Snort 3 and will not load from snort.conf.
wget https://www.snort.org/downloads/community/community-rules.tar.gz
sudo tar xzf community-rules.tar.gz -C /etc/snort/rules/ # extracts community-rules/community.rules into the rule directory snort.conf already uses
# Configure:
cd /etc/snort/
sudo nano snort.conf
# Modify the following (HOME_NET is the network you defend, EXTERNAL_NET is everything else):
ipvar HOME_NET [subnet]
ipvar EXTERNAL_NET any
# and add the community rules next to the existing include lines (RULE_PATH is /etc/snort/rules in this package):
include $RULE_PATH/community-rules/community.rules
# Find the interface name: run "ip -br addr" (or ifconfig) on the server
sudo snort -T -i [interface] -c /etc/snort/snort.conf # -T = test mode: parse the config and every rule it includes, report errors, then exit; fix anything it complains about before going on
sudo ip link set [interface] promisc on # promiscuous mode, so the NIC hands Snort every frame on the wire, not only frames addressed to this host
sudo snort -q -l /var/log/snort -i [interface] -A fast -c /etc/snort/snort.conf
# -A fast writes one human-readable line per alert to /var/log/snort/alert; the packets that triggered
# the alerts are saved in pcap format as /var/log/snort/snort.log.<timestamp> (open with tcpdump -r or Wireshark)

Explanations:

  • [interface]: run "ip -br addr" (or ifconfig) on the server. Each line starts with an interface name (for example enp1s0) followed by its state and IP address; Snort wants the name of the NIC that carries the traffic you want to inspect, not its IP.
  • [subnet]: the HOME_NET value is the address range you are defending, in CIDR form (for example 192.168.0.0/16). EXTERNAL_NET any means everything that is not HOME_NET; rules use these two variables to decide which direction of traffic they apply to, so a wrong HOME_NET silently turns off most of the rule set.
  • -T only parses the config and rules and exits; -A fast is the alert mode, and while Snort is running you can watch alerts arrive with tail -f /var/log/snort/alert.
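To see the sensor actually fire, you need at least one rule you control and a way to read what -A fast writes. The script below is an added example, not code from the article: it writes two site-local rules (an ICMP echo request and a cleartext FTP USER command), checks that no sid is reused, and parses the one-line fast-alert format into sid, message, protocol, source and destination so you can count hits per rule. It assumes the Debian/Ubuntu snort package (Snort 2.9.x), whose snort.conf sets RULE_PATH to /etc/snort/rules and already includes $RULE_PATH/local.rules; those paths, the sid numbers and the sample alert lines are all constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): two local Snort 2 rules, a sid sanity
# check, and a parser for the one-line alerts that "-A fast" writes to /var/log/snort/alert.
# Assumes the Debian/Ubuntu "snort" package (Snort 2.9.x), whose snort.conf sets
# RULE_PATH to /etc/snort/rules and already includes $RULE_PATH/local.rules.
# Those paths are assumptions; adjust them if your install differs.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"

# Minimal local rule set. SIDs from 1000000 upward are reserved for site-local rules,
# so they never collide with the community rule SIDs.
write_local_rules() {
  cat <<'EOF'
# ICMP echo request from outside into HOME_NET: the simplest way to prove the sensor sees traffic
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1; classtype:misc-activity;)
# Cleartext FTP login: a USER command sent to port 21 on an established session
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP USER command"; flow:to_server,established; content:"USER "; nocase; sid:1000002; rev:1; classtype:misc-activity;)
EOF
}

# Read rules on stdin and print how many sids are reused (0 = OK).
# Snort refuses to load a config that contains a duplicate sid, so catch it before snort -T does.
check_unique_sids() {
  grep -v '^[[:space:]]*#' | grep -o 'sid:[0-9]*' | sort | uniq -d | wc -l | tr -d ' '
}

# Turn each "-A fast" line on stdin into "sid|msg|proto|src|dst".
# Snort 2 fast format:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
parse_fast_alert() {
  sed -E 's/^.*\[\*\*\] \[[0-9]+:([0-9]+):[0-9]+\] (.*) \[\*\*\].*[{]([A-Z]+)[}] ([^ ]+) -> ([^ ]+)$/\1|\2|\3|\4|\5/'
}

# Alerts per sid, busiest first, as "sid count" lines. Feed it the alert file on stdin.
alerts_per_sid() {
  parse_fast_alert | cut -d'|' -f1 | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Constructed sample of what /var/log/snort/alert looks like after two pings and one FTP login
# (made up for this example; 203.0.113.0/24 is a documentation address range).
SAMPLE_ALERTS='11/22-14:03:21.123456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
11/22-14:03:22.223456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.10
11/22-14:03:25.555555  [**] [1:1000002:1] LOCAL FTP USER command [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:51234 -> 192.168.1.10:21'

# Live run (needs root, a real interface and snort installed): ./this.sh live enp1s0
install_and_verify() {
  local iface="${1:?usage: install_and_verify <interface>}"
  command -v snort >/dev/null 2>&1 || { echo "snort is not installed; nothing to do" >&2; return 1; }
  write_local_rules | check_unique_sids | grep -qx 0 || { echo "duplicate sid in local rules" >&2; return 1; }
  write_local_rules | sudo tee "$RULES_DIR/local.rules" >/dev/null
  sudo snort -T -i "$iface" -c /etc/snort/snort.conf || return 1   # config and rules must parse cleanly first
  sudo snort -q -D -l "$LOG_DIR" -i "$iface" -A fast -c /etc/snort/snort.conf   # -D: run as a daemon
  echo "Snort is running. Ping this host from another machine, then run: sudo cat $LOG_DIR/alert | alerts_per_sid" >&2
}

if [ "${1:-}" = "live" ]; then
  install_and_verify "${2:-}"
else
  # Offline demo on the constructed sample: prints "1000001 2" then "1000002 1"
  printf '%s\n' "$SAMPLE_ALERTS" | alerts_per_sid
fi
```

Without arguments the script only runs the parser over the constructed sample, so it can be tried before Snort is installed; with "live <interface>" it installs the rules, runs the same snort -T check the article uses, and starts Snort in fast-alert mode. Keep site rules in local.rules rather than editing the community file, so a rule update never overwrites them.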


Hi, I'm Sara! I aim to help cybersecurity students get into the field using skills and techniques I've learned! https://x.com/sara_sheon