How to do it...

Snort can be installed on Ubuntu, either from its source code or through the deb package. In this section, we will install Snort using the deb package:

  1. To get started, we install Snort on our Ubuntu system using the apt-get command, as shown here:

  2. During the installation, we will be asked to select the interface on which Snort should listen for packets. The default interface selected is eth0, as shown here:

  3. Select the interface that matches our system configuration:

  4. Now, let's get started with the sniffer mode of Snort. In sniffer mode, Snort reads the traffic on the network and displays a human-readable decode of it. To test Snort in sniffer mode, type the following command:

  5. In the output shown here, we can see the headers of the traffic detected by Snort between the system, the router, and the internet:

  6. The following output displays a summary of the traffic analyzed by Snort:

  7. If we want Snort to show the packet data (payload) as well as the headers, we can run the following command:

       snort -vd

     This will give the output shown previously.

  8. Now, let's get started with the packet logger mode of Snort. If we want Snort to show just the traffic headers on screen while logging the complete traffic details to disk, we first need to specify a directory where Snort can save its logs. For this, we move inside /var/log/snort and create a directory with any name, as shown here:

  9. Now, run the command shown here, and Snort's log will be saved inside the logs_snort directory:

  10. Once we have logged enough packets, we stop the command. Now, we can check inside our logs_snort directory and see that a file has been created:

  11. If we want to read the content of the log file created in the previous steps, we run this command:

      We can see the complete output, as shown previously.
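The sniffer and packet logger steps above, gathered into checked shell functions as an added example (this is not code from the book). It assumes the Snort 2.x command line used in the recipe (-v, -d, -i, -l, -r), that Snort's default binary log files are named snort.log.<timestamp>, and a Linux host that lists its interfaces under /sys/class/net; the interface name and log directory name are parameters you supply.

```shell
#!/bin/sh
# Added example: wraps the Snort sniffer/logger recipe in checked functions.
# Assumptions: Snort 2.x CLI, Linux /sys/class/net, logs named snort.log.*.

# Return 0 if the named interface exists; Snort will not capture on a typo.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Create the log directory under the given base (default /var/log/snort).
# Captured traffic is sensitive, so keep it readable by owner and group only.
make_log_dir() {
    base="${2:-/var/log/snort}"
    dir="$base/$1"
    mkdir -p "$dir" && chmod 750 "$dir" && printf '%s\n' "$dir"
}

# Build the sniffer-mode command: -v prints headers, -vd adds packet data.
sniffer_cmd() {
    if [ "$2" = "yes" ]; then
        printf 'snort -vd -i %s\n' "$1"
    else
        printf 'snort -v -i %s\n' "$1"
    fi
}

# Build the packet-logger command: headers on screen, full packets to disk.
logger_cmd() {
    printf 'snort -v -i %s -l %s\n' "$1" "$2"
}

# Full logger session (run as root): capture for N seconds into the named
# directory, then replay every log file it produced with snort -r.
run_logger_session() {
    iface="$1"; name="$2"; secs="${3:-30}"
    iface_exists "$iface" || { echo "no such interface: $iface" >&2; return 1; }
    dir="$(make_log_dir "$name")" || return 1
    timeout "$secs" sh -c "$(logger_cmd "$iface" "$dir")"
    for f in "$dir"/snort.log.*; do
        [ -f "$f" ] && snort -r "$f"
    done
}
```

A typical call on a real host is `run_logger_session eth0 logs_snort 60`, which reproduces steps 8 to 11 in one go.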
