Snort – an Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) based on traffic analysis.
The Snort installation command on Ubuntu/Debian:
sudo apt-get install snort
After installation, check that Snort has started:
ps aux | grep snort | grep -v grep
service snort status
The configuration files are located in the /etc/snort/ directory, and the detection rules in /etc/snort/rules/.
To reconfigure Snort on Ubuntu, you can use the command:
sudo dpkg-reconfigure snort
Or by opening the configuration file manually in a text editor:
sudo nano /etc/snort/snort.conf
The configuration validation command:
sudo snort -T -c /etc/snort/snort.conf
If the test is successful, you will see:
Snort successfully validated the configuration!
Example of restarting Snort:
sudo service snort restart
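As an added example (not from the original page), a small POSIX shell wrapper that ties the validation and restart steps above together: it refuses to restart the service unless snort -T accepts the configuration, so a typo in snort.conf does not take the sensor offline. SNORT_BIN, SNORT_CONF and SERVICE_CMD are assumed, overridable names used only by this script.

```shell
#!/bin/sh
# Added example, not from the original page: validate with "snort -T" before restarting.
# SNORT_BIN, SNORT_CONF and SERVICE_CMD are assumed names; override them in the environment.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SERVICE_CMD="${SERVICE_CMD:-service}"

# snort_config_ok [CONF]: run Snort in validation-only mode. A pass needs both a zero
# exit status and the success banner, so a run that died early is not mistaken for a pass.
snort_config_ok() {
    conf="${1:-$SNORT_CONF}"
    rc=0
    out=$("$SNORT_BIN" -T -c "$conf" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -qF 'Snort successfully validated the configuration!'; then
        return 0
    fi
    # Show the end of the validator output, where Snort names the offending line.
    printf '%s\n' "$out" | tail -n 5 >&2
    return 1
}

# safe_restart [CONF]: restart the service only after the config validates.
# Returns 0 on restart, 1 when the restart was refused, 2 when the restart itself failed.
safe_restart() {
    conf="${1:-$SNORT_CONF}"
    if ! snort_config_ok "$conf"; then
        echo "refusing to restart snort: $conf failed validation" >&2
        return 1
    fi
    "$SERVICE_CMD" snort restart || return 2
    return 0
}
```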
An example of viewing logs:
See also https://www.snort.org/faq/readme-unified2