SOC Part 2 - Snort

Prerequisites

  • A fresh Ubuntu Server 24.04 installation
  • Basic knowledge of Linux command-line interface
  • Root access to the Linux system
  • Snort3 already installed from source (see Part 1), but not yet configured

Step 1: Create a New Configuration File

Create a new file called /etc/snort/snort.lua using your preferred text editor. This will be where you configure all of Snort3’s settings.

sudo mkdir /etc/snort /etc/snort/rules
sudo vi /etc/snort/snort.lua

Step 2: Add a Basic Configuration

Inside the /etc/snort/snort.lua file, add the following lines as a base configuration:

HOME_NET = '192.168.1.0/24'
RULE_PATH = '/etc/snort/rules'

-- rules files are loaded through the ips module, not with a top-level include()
ips =
{
    include = RULE_PATH .. '/local.rules'
}

  • Replace the network address with your subnet.
  • Save and close the file.

Step 3: Add a Simple Test Rule

Create the file /etc/snort/rules/local.rules and add the following line to it; this is a simple rule you can use to verify that Snort is working:

alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP test detected"; sid:1000001; rev:1;)

This rule alerts on any ICMP packet sent to the 192.168.1.0/24 subnet, so a ping to a host on that network will trigger it.

Step 4: Run Snort with Test Rule

sudo snort -c /etc/snort/snort.lua -i enp0s3 -A alert_fast

This runs Snort in the foreground, listening on the enp0s3 interface (change as needed), with the rule you created loaded and alerts printed to the console in the alert_fast format. Adding -T to the same command validates the configuration without capturing traffic, which is worth doing before the first run. You can add or remove rule files as needed.

Step 5: Create a systemd Unit File

Create the unit file:

sudo vi /etc/systemd/system/snort.service

Paste this content into the file, adjusting the snort binary path and the interface to match your install:

[Unit]
Description=Snort 3 Network IDS
After=network.target

[Service]
# Same alert mode as in Step 4
ExecStart=/usr/local/snort/bin/snort -c /etc/snort/snort.lua -i enp0s3 -A alert_fast
Restart=on-failure
User=root
Group=root

[Install]
WantedBy=multi-user.target

Write the file and quit.

Step 6: Reload systemd to Register the New Unit

sudo systemctl daemon-reload

Step 7: Enable Snort to Start at Boot

sudo systemctl enable snort.service

Step 8: Start Snort and Check Status

sudo systemctl start snort.service
sudo systemctl status snort.service
sudo journalctl -u snort.service
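Once the service is running, alerts from the Step 3 rule appear in the journalctl output in the alert_fast format. The following Python script is an added example, not part of the original post: it parses such lines into records and counts hits per rule and per source host. The journal excerpt it works on is constructed, and sid 1000002 is a made-up second rule used only to exercise the optional Classification field.

```python
"""Parse Snort 3 alert_fast lines (what '-A alert_fast' writes and what
'journalctl -u snort.service' shows) into records, then count hits per
rule and per source.  Sample lines below are constructed, not captured."""
import re
from collections import Counter

# alert_fast layout: ts [**] [gid:sid:rev] "msg" [**] [Classification: x]
# (optional) [Priority: n] {PROTO} src[:port] -> dst[:port].  journalctl
# prefixes "Mon DD HH:MM:SS host snort[pid]: ", so search() instead of match().
ALERT_RE = re.compile(
    r'(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: (?P<classtype>[^\]]*)\] )?'
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$')

def parse_alert(line):
    """Return a dict for one alert line, or None for any other journal line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ('gid', 'sid', 'rev', 'priority', 'sport', 'dport'):
        rec[k] = None if rec[k] is None else int(rec[k])
    return rec

def parse_alerts(lines):
    return [r for r in map(parse_alert, lines) if r]

def count_by_rule(records):
    """Hits per (sid, msg): the first check after the Step 3 test ping."""
    return Counter((r['sid'], r['msg']) for r in records)

def sources_for_sid(records, sid):
    """Which source hosts triggered a rule, e.g. sid 1000001 from local.rules."""
    return Counter(r['src'] for r in records if r['sid'] == sid)

# Constructed 'journalctl -u snort.service' excerpt (sid 1000002 is made up).
SAMPLE_JOURNAL = """\
Sep 25 10:15:01 sensor snort[2345]: 09/25-10:15:01.123456 [**] [1:1000001:1] "ICMP test detected" [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
Sep 25 10:15:02 sensor snort[2345]: 09/25-10:15:02.223456 [**] [1:1000001:1] "ICMP test detected" [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
Sep 25 10:15:03 sensor snort[2345]: 09/25-10:15:03.323456 [**] [1:1000001:1] "ICMP test detected" [**] [Priority: 0] {ICMP} 10.0.0.7 -> 192.168.1.10
Sep 25 10:16:00 sensor snort[2345]: 09/25-10:16:00.000001 [**] [1:1000002:1] "Inbound SSH" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51234 -> 192.168.1.10:22
Sep 25 10:16:05 sensor systemd[1]: Started snort.service - Snort 3 Network IDS.
"""

if __name__ == '__main__':
    recs = parse_alerts(SAMPLE_JOURNAL.splitlines())
    for (sid, msg), n in count_by_rule(recs).items():
        print(f'sid {sid} "{msg}": {n} alert(s) from {dict(sources_for_sid(recs, sid))}')
```

On a live sensor, pipe `journalctl -u snort.service --no-pager` into the script in place of the sample text.
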

This post is licensed under CC BY 4.0 by the author.