From Network Security Wiki


  • Snort is a free and open source NIPS and NIDS which has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
  • Snort performs protocol analysis, content searching, and content matching.
  • The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.
  • Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.
  • BASE is the Basic Analysis and Security Engine.
  • It is based on the code from the Analysis Console for Intrusion Databases (ACID) project.
  • This application provides a web front-end to query and analyze the alerts coming from a Snort IDS.

  • Architecture of Snort
  1. Sniffer
  2. Packet Decoder
  3. Preprocessor
  4. Detection Engine <==> Rules
  5. Alert or Logging ==> Log File or Database

  • General form of a Snort rule:
action proto src_ip src_port direction dst_ip dst_port (options)
alert tcp any any -> any any (msg:"Traffic from";)
alert tcp any any -> any any (flags:SF,12; msg:"Possible SYN FIN scan";)

  • Simple Snort Rules
alert icmp any any -> any any (msg:"Ping packet sent to"; sid:10000001;)
alert tcp any any -> any any (msg:"Amandeep Searched"; content:"amandeep"; nocase; sid:100000002;)
alert tcp any any -> any any (msg:"GET request to tracker"; flow:to_server,established; content:"GET"; http_method; sid:100000003;)
alert udp any any -> any 53 (msg:"DNS traffic detected"; sid:100000004;)
alert ip any any -> any any (msg:"More Fragmentations"; fragbits:M; sid:100000005;)
alert ip any any -> any any (msg:"Dont Fragment Bit Set"; fragbits:D; sid:100000006;)
alert tcp any any -> any any (msg:"SYN Flags Set"; flags:S; sid:100000007;)
alert tcp any any -> any any (msg:"FIN Flags Set"; flags:F; sid:100000008;)
alert tcp any any -> any any (msg:"RST Flags Set"; flags:R; sid:100000009;)
alert tcp any any -> any 21 (msg:"FTP root login attempt"; content:"user root"; nocase; sid:100000010;)
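
A small lint for the general rule form shown above, added here as an example; it is not part of the wiki page or of Snort. The function names and sample rules are constructed for illustration, and the checks (seven header fields, ';'-terminated options, a sid in the local range of 1,000,000 and above) are a simplification of Snort's own parser that assumes no spaces inside address or port lists.

```python
import re

# Keyword sets from the Snort 2.x rule language.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quoted strings."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = ch == "\\" and not esc
        cur += ch
    return opts, cur.strip()  # second value: text left after the last ';'

def lint_rule(rule):
    """Return the problems found in one rule line (empty list: none found)."""
    m = re.match(r"^\s*([^()]*)\((.*)\)\s*$", rule)
    if not m:
        return ["missing (options) section"]
    header, problems = m.group(1).split(), []
    if len(header) != 7:  # action proto src_ip src_port direction dst_ip dst_port
        problems.append(f"header has {len(header)} fields, expected 7")
    elif header[0] not in ACTIONS or header[1] not in PROTOS:
        problems.append(f"unknown action or protocol: {header[0]} {header[1]}")
    elif header[4] not in ("->", "<>"):
        problems.append(f"bad direction operator {header[4]!r}")
    opts, tail = split_options(m.group(2))
    if tail:
        problems.append(f"option {tail!r} not terminated by ';'")
    sid = {k.strip(): v.strip() for k, _, v in (o.partition(":") for o in opts + [tail])}.get("sid", "")
    if not sid.isdigit():
        problems.append("no numeric sid option")
    elif int(sid) < 1000000:
        problems.append(f"sid {sid} is below the local-rule range (>= 1000000)")
    return problems

# Constructed sample rules for this example (not from a real ruleset).
SAMPLES = [
    'alert tcp any any -> any 21 (msg:"FTP root; login"; content:"user root"; sid:1000010;)',
    'alert icmp any any -> any (msg:"no destination port"; sid:1000011;)',
    'alert any any -> any any (flags:SF; msg:"no protocol"; sid:477)',
]
for sample in SAMPLES:
    print(lint_rule(sample) or "ok", "<-", sample)
```

Running such a check over a local rules file before restarting Snort catches header mistakes such as a missing port or protocol field.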

Standalone Snort Installation

Install using APT

sudo apt-get install snort

Compiling the Source code

        This section needs verification or testing!

Download the latest Snort tar file and extract it:

tar xvzf snort-

Make sure the development packages for libpcap and libpcre are installed:

apt-cache policy libpcap0.8-dev
apt-cache policy libpcre3-dev

Compiling the Source:

cd snort-
./configure
make
sudo make install
snort --version

Installing rules (registration is required to download the full rule set, e.g. snortrules-snapshot-2970.tar.gz):

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Creating a test rule:

cat /etc/snort/snort.conf
  include /etc/snort/rules/icmp.rules
cat /etc/snort/rules/icmp.rules
  alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

To test the above rule, run the following and then initiate a ping:

snort -c /etc/snort/snort.conf -l /var/log/snort/

Run Snort as a daemon

snort -D -c /etc/snort/snort.conf -l /var/log/snort/

Install Snort with Base

  • Install Apache2:
sudo apt-get install apache2
  • Download BASE
mv base /var/www/
  • Download ADODB
mv adodb /var/www/base
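mysql -u [USER NAME] -p
 create database if not exists snort;
 grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
 -- the next grant allows the snort user to connect from any host; skip it if Snort and BASE run on this machine
 grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
 SET PASSWORD FOR snort@localhost=PASSWORD('snort-db');
 flush privileges;
apt-get install snort-mysql
cd /usr/share/doc/snort-mysql/
# -p with no value prompts for the password (snort-db); "-p snort-db" with a space would be read as a database name
zcat create_mysql.gz | mysql -u snort -D snort -p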
nano /etc/snort/database.conf
output database: log, mysql, user=snort password=snort-db dbname=snort host=
rm /etc/snort/db-pending-config
/etc/init.d/snort start
  • Test Snort:
/etc/init.d/snort status
  • Test MySQL:
mysql -u "snort" -p"snort-db" -e"use snort; SELECT * FROM event INNER JOIN signature ON event.signature=signature.sig_id ORDER BY event.timestamp;"
sudo apt-get install php-pear
pear install Image_Color2
pear install Image_Canvas-alpha
pear install Image_Graph-alpha
