Connecting Snort to Trisul Network Analytics
A step-by-step guide for Ubuntu 16.04 that explains how to:
- Install Snort
- Replace with Emerging Threats rules
- Configure Oinkmaster for automatic updates
- Start snort and view analytics in TrisulNSM
Install snort
Ubuntu ships a Snort package that installs all the required components.
apt-get update
apt-get install snort
Also install Oinkmaster, which is packaged for Ubuntu as well.
apt-get install oinkmaster
Replace with Emerging Threats rules
We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.
Download ET Community rules
cd /etc/snort
mv rules rules_old
wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
tar xf emerging.rules.tar.gz -C /etc/snort
The tarball unpacks into a fresh rules/ directory. If you keep any local signatures in rules/local.rules, they are now under rules_old/ and must be copied back or re-included.
Point to the new ET rules
Open /etc/snort/snort.conf, comment out the existing include $RULE_PATH/... lines (the old Snort rule set), and paste in the include lines from rules/emerging.conf in their place; that file lists one include line per ET rules file shipped in the tarball.
Next set HOME_NET to the address ranges you actually monitor (not "any"), otherwise many ET rules won't load.
Example:
ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8
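The rules swap above is easy to get slightly wrong by hand (an include left active, HOME_NET still "any"), so here is the whole step as a script. This is an added example, not code from the Trisul wiki page or from the Snort or Emerging Threats projects. It assumes the Ubuntu snort package layout (/etc/snort/snort.conf with var RULE_PATH, rules under /etc/snort/rules) and the ET open tarball URL quoted above, which unpacks into a rules/ directory containing rules/emerging.conf; the sample snort.conf and emerging.conf in demo_rewrite are constructed stand-ins, and the "# ET-swap:" marker and MY_HOME_NET value are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the Trisul wiki page: automates the
# "replace with Emerging Threats rules" steps and then asks Snort to
# validate the result. Assumptions: the Ubuntu snort package layout
# (/etc/snort/snort.conf, rules in /etc/snort/rules, var RULE_PATH set in
# snort.conf) and the ET open tarball URL quoted on the page, which
# unpacks into a rules/ directory containing rules/emerging.conf.
set -eu

ET_URL="https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"
# Edit to the ranges you actually monitor; "any" is what the page warns about.
MY_HOME_NET="192.168.0.0/16,10.0.0.0/8"

# Download the ET tarball, refuse to unpack it unless it has the expected
# layout, move the old rules aside (as the page does) and extract.
fetch_et_rules() {
    snortdir="$1"
    tmp="$(mktemp)"
    wget -q -O "$tmp" "$ET_URL"
    if ! tar -tzf "$tmp" | grep -qx 'rules/emerging.conf'; then
        echo "unexpected tarball layout, not unpacking" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ -d "$snortdir/rules" ]; then
        mv "$snortdir/rules" "$snortdir/rules_old"
    fi
    tar -xzf "$tmp" -C "$snortdir"
    rm -f "$tmp"
}

# Rewrite snort.conf ($1) in place, keeping a copy as snort.conf.bak:
#  - every active 'include $RULE_PATH/...' line is commented out,
#  - 'ipvar HOME_NET ...' is replaced with HOME_NET ($3),
#  - the include lines from emerging.conf ($2) are appended.
point_snort_at_et() {
    conf="$1"; etconf="$2"; homenet="$3"
    if ! grep -q '^include' "$etconf"; then
        echo "no include lines found in $etconf" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"
    {
        sed -e 's|^[[:space:]]*include[[:space:]][[:space:]]*\$RULE_PATH/|# ET-swap: &|' \
            -e "s|^[[:space:]]*ipvar[[:space:]][[:space:]]*HOME_NET[[:space:]].*|ipvar HOME_NET $homenet|" \
            "$conf.bak"
        echo "# Emerging Threats rule files, copied from rules/emerging.conf"
        grep '^include[[:space:]][[:space:]]*\$RULE_PATH/' "$etconf"
    } > "$conf"
}

# Parse the configuration without sniffing (snort -T): a non-zero exit means
# a rule or variable failed to load, which is what a bad HOME_NET causes.
validate_conf() {
    snort -T -c "$1"
}

# Offline demonstration on constructed files (no root, no network): a
# four-line stand-in for snort.conf and a two-line stand-in for
# emerging.conf are rewritten in a temp dir, whose path is printed.
demo_rewrite() {
    d="$(mktemp -d)"
    mkdir "$d/rules"
    cat > "$d/snort.conf" <<'EOF'
ipvar HOME_NET any
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/old-web.rules
EOF
    cat > "$d/rules/emerging.conf" <<'EOF'
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-trojan.rules
EOF
    point_snort_at_et "$d/snort.conf" "$d/rules/emerging.conf" "$MY_HOME_NET"
    echo "$d"
}

# Run the real procedure only when explicitly asked (as root):
#   sh et-swap.sh --apply
if [ "${1:-}" = "--apply" ]; then
    fetch_et_rules /etc/snort
    point_snort_at_et /etc/snort/snort.conf /etc/snort/rules/emerging.conf "$MY_HOME_NET"
    validate_conf /etc/snort/snort.conf
fi
```

Run it with --apply as root after editing MY_HOME_NET; the final snort -T pass is the check that matters, because a rule that fails to parse will otherwise only show up when Snort is started later. demo_rewrite can be called on its own to see the rewrite on the constructed files before touching /etc/snort.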
ids/snort.1525338028.txt.gz · Last modified: 2018/05/03 14:30 by veera