Snort is an Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) that works by analysing network traffic.
The Snort installation command in Ubuntu/Debian:
sudo apt-get install snort
After installation, we check that Snort has started (first by looking for its process, then via the service status):
ps aux | grep snort | grep -v grep
service snort status
The configuration files are located in the /etc/snort/ directory, and the detection rules in /etc/snort/rules/.
To reconfigure snort in Ubuntu, you can use the command:
sudo dpkg-reconfigure snort
or open the configuration manually in a text editor:
sudo nano /etc/snort/snort.conf
The configuration validation command:
sudo snort -T -c /etc/snort/snort.conf
If the test is successful, you will see:
Snort successfully validated the configuration!
Snort exiting
Example of restarting snort:
sudo service snort restart
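The validation and restart steps above are worth tying together: restarting the service on a broken snort.conf leaves you without detection until someone notices. The following POSIX sh wrapper is an added example, not code from the page or from the Snort project; it runs snort -T first and only restarts when Snort prints the success line quoted above. The SNORT_CONF variable, the "run" argument and the sample outputs are this example's own conventions, not Snort options.

```shell
# Added example (not from the page or the Snort project): validate snort.conf
# and restart the service only when validation succeeds.
# SNORT_CONF and the "run" argument are conventions of this script, not of Snort.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Return 0 if the text in $1 contains the success line Snort prints for a valid config.
snort_output_ok() {
  printf '%s\n' "$1" | grep -q 'Snort successfully validated the configuration!'
}

# Print only the ERROR/FATAL lines of a validation run (prints nothing if there are none).
validation_errors() {
  printf '%s\n' "$1" | grep -E '^(ERROR|FATAL|Fatal)' || true
}

# Run `snort -T` on SNORT_CONF; return 0 on success, 1 (with the error lines on stderr) otherwise.
# snort -T reports on stderr as well as stdout, so both streams are captured.
validate_snort_conf() {
  out=$(snort -T -c "$SNORT_CONF" 2>&1)
  if snort_output_ok "$out"; then
    return 0
  fi
  validation_errors "$out" >&2
  return 1
}

# Restart the service only after a successful validation; leave it running otherwise.
restart_if_valid() {
  if validate_snort_conf; then
    service snort restart
  else
    echo "snort.conf failed validation; service left untouched" >&2
    return 1
  fi
}

# Constructed sample outputs (not captured from a real run) for exercising the
# parsing functions offline. The error line only imitates Snort's format.
SAMPLE_OK='Snort successfully validated the configuration!
Snort exiting'
SAMPLE_BAD='ERROR: /etc/snort/snort.conf(42) Unknown rule option: (exmaple).
Fatal Error, Quitting..'

# Usage on a real host: sudo SNORT_CONF=/etc/snort/snort.conf sh snort-check.sh run
if [ "${1:-}" = "run" ]; then
  restart_if_valid
fi
```

Running the script with the "run" argument as root performs the real check and restart; without it, only the functions are defined, which is how the sample outputs can be tried in an interactive shell.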
An example of viewing the unified2 log with u2spewfoo:
u2spewfoo /var/log/snort/snort.log
See also https://www.snort.org/faq/readme-unified2