Learn how to install and configure Snort IDS on Ubuntu 24.04. Step-by-step tutorial with commands, rule setup, and security tips for effective network threat detection.
Introduction:
Network security is no longer optional — it’s a necessity. As security professionals and developers, we need tools that help us monitor network traffic, detect threats, and respond quickly. Snort is one of the most powerful open-source intrusion detection and prevention systems (IDS/IPS) available today. In this guide, we will install and configure Snort on Ubuntu 24.04 from scratch, step by step, using the latest recommended approach.
Prerequisites
Before we begin, ensure we have the following:
- An Ubuntu 24.04 dedicated server or KVM VPS.
- Basic Linux Command Line Knowledge.
Snort IDS Install & Configure on Ubuntu 24.04
1. Update System Packages
Keeping the system updated ensures we start with a clean, secure base.
sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential autoconf automake libtool libpcap-dev libpcre3-dev libdumbnet-dev \
zlib1g-dev liblzma-dev openssl libssl-dev pkg-config libhwloc-dev \
libnghttp2-dev cmake ethtool git flex bison luajit libluajit-5.1-dev libpcre2-dev
These packages provide the compiler, the GNU autotools that the DAQ bootstrap script needs, and the libraries Snort 3 links against (libpcap for capture, libdnet, hwloc, pcre2, LuaJIT for the configuration language).
2. Install DAQ (Data Acquisition Library)
Snort uses DAQ to capture packets. Check the libdaq releases page on GitHub for the current version and use the same version number in the download URL and in the cd command, otherwise the cd step fails.
cd /tmp
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.21.tar.gz -O daq.tar.gz
tar -xvzf daq.tar.gz
cd libdaq-3.0.21
./bootstrap
./configure
make
sudo make install
sudo ldconfig
The ldconfig call refreshes the shared-library cache so that Snort can find the DAQ libraries installed under /usr/local/lib. This gives us a DAQ version compatible with Snort 3.
3. Install Snort 3
Let's grab the latest stable release of Snort 3. As with DAQ, the directory name must match the version in the download URL:
cd /tmp
wget https://github.com/snort3/snort3/archive/refs/tags/3.9.5.0.tar.gz -O snort3.tar.gz
tar -xvzf snort3.tar.gz
cd snort3-3.9.5.0
./configure_cmake.sh --prefix=/usr/local/snort
cd build
make
sudo make install
Verify installation:
/usr/local/snort/bin/snort -V
If installed correctly, we should see the Snort version and build information.
4. Create Snort User and Directories
Running Snort as root for its whole lifetime is risky. Snort must start as root to open the capture interface, but it can drop to an unprivileged account afterwards (the -u and -g options in step 8), so we create a dedicated user and give it ownership of the log directory:
sudo groupadd snort
sudo useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort
sudo mkdir -p /etc/snort/rules /var/log/snort
sudo chown -R snort:snort /var/log/snort
sudo chmod -R 750 /var/log/snort
Snort 3 has no dynamic-rules directory (that was a Snort 2 concept), so only the configuration, rules, and log directories are needed. The log directory is readable by the snort group only, since alert logs contain internal addresses and payload details.
5. Download Snort Rules
Snort is powerful because of its rules engine. Let's use the community rules (the /etc/snort tree is owned by root, so the commands need sudo):
cd /etc/snort
sudo wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
sudo tar -xvzf snort3-community-rules.tar.gz
sudo mv snort3-community-rules/snort3-community.rules /etc/snort/rules/
The archive contains a single rule file, snort3-community.rules, plus a sid-msg.map and licence files. We can later switch to the registered (free account, older rules) or subscriber rule sets for more coverage.
6. Configure Snort
Snort 3 ships a complete configuration, snort.lua, together with snort_defaults.lua, which defines the HOME_NET, EXTERNAL_NET and port variables that the community rules reference. Copy both into /etc/snort rather than writing a configuration from scratch:
sudo cp /usr/local/snort/etc/snort/*.lua /etc/snort/
sudo nano /etc/snort/snort.lua
Near the top of the file, set HOME_NET to the network being protected, and replace the ips block with one that loads our rule files. The relevant sections look like this:
-- /etc/snort/snort.lua (edited sections)
HOME_NET = 'any'      -- narrow this to the monitored network, e.g. '192.0.2.0/24'
EXTERNAL_NET = 'any'
include 'snort_defaults.lua'

ips =
{
    enable_builtin_rules = true,
    mode = 'tap',     -- passive IDS; 'inline' requires -Q and an inline-capable DAQ
    variables = default_variables,
    rules = [[
include /etc/snort/rules/snort3-community.rules
include /etc/snort/rules/local.rules
]],
}

alert_fast =
{
    file = true,
}
This keeps Snort in tap (passive) mode, so it only inspects a copy of the traffic and never blocks anything, loads the community rules and our local rules, and writes alerts in the one-line fast format to a file in the log directory. Note that Snort 3 values such as the mode are Lua strings and must be quoted; an unquoted mode = inline silently evaluates to nil and is ignored.
7. Test Snort
Run Snort in test mode to validate the configuration. This parses the Lua files and every rule file, reports syntax errors, and exits without capturing traffic:
sudo /usr/local/snort/bin/snort -c /etc/snort/snort.lua -T
If the output ends with "Snort successfully validated the configuration", we are ready to monitor traffic.
8. Run Snort
Start Snort on the network interface:
sudo /usr/local/snort/bin/snort -c /etc/snort/snort.lua -i eth0 -A alert_fast -l /var/log/snort -u snort -g snort
Replace eth0 with our actual network interface (use ip addr to check). The -l option is required: without it Snort writes alert_fast.txt into the current working directory, not /var/log/snort. The -u and -g options make Snort drop from root to the snort user once the capture interface is open, which is why step 4 gave that user ownership of the log directory.
9. Sample Rules to Detect Basic Attacks
Add a custom rule file to catch basic activity:
sudo nano /etc/snort/rules/local.rules
Add these rules:
alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; flags:S; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP Traffic Detected"; flags:S; sid:1000003; rev:1;)
The itype:8 option restricts the first rule to echo requests, and flags:S restricts the TCP rules to the initial SYN, so a connection produces one alert instead of one alert per packet. Local rules should use SIDs of 1000000 or above so they never collide with the community rule set. Re-run the -T check, then restart Snort (or send it SIGHUP) to apply the changes. Now every ping, SSH connection, or HTTP connection will produce an alert in the log.
10. View Logs
Logs are stored in /var/log/snort/ (the directory passed with -l). To view alerts as they arrive:
sudo tail -f /var/log/snort/alert_fast.txt
Each alert is a single line containing the timestamp, the generator and signature IDs, the rule message, the protocol, and the source and destination endpoints. This gives us real-time monitoring of potential attacks.
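Tailing the file is fine for a first look, but a few thousand alerts are easier to judge when aggregated. The script below is an added example (not part of the original tutorial and not Snort's own code): it parses the alert_fast line format shown above, counts how often each rule fires, and lists the sources that trip the SSH rule from step 9 repeatedly, the simplest brute-force heuristic. The log lines embedded in it are constructed for the example; the SIDs are the local ones from step 9. It reads a log file given on the command line (the path is an assumption) and falls back to the embedded sample.

```python
"""Triage helper for Snort 3 alert_fast.txt output.

Added example for this tutorial; not part of the Snort project.
The SAMPLE_LOG lines are constructed, using the local SIDs from step 9.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

# alert_fast line layout (Snort 3):
#   <ts> [**] [gid:sid:rev] "msg" [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
# The bracketed fields between the second [**] and {PROTO} vary with the rule
# (Classification, Priority, AppID), so they are matched generically.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[[^\]]*\] )*'
    r'\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$'
)

# Constructed sample: one ping, four SSH SYNs (three from one source), two HTTP SYNs,
# and one junk line that a parser must skip.
SAMPLE_LOG = """\
09/16-10:01:02.000001 [**] [1:1000001:1] "ICMP Ping Detected" [**] [Priority: 0] {ICMP} 198.51.100.7 -> 192.0.2.10
09/16-10:01:05.100000 [**] [1:1000002:1] "SSH Connection Attempt" [**] [Priority: 0] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22
09/16-10:01:05.200000 [**] [1:1000002:1] "SSH Connection Attempt" [**] [Priority: 0] {TCP} 203.0.113.5:51235 -> 192.0.2.10:22
09/16-10:01:05.300000 [**] [1:1000002:1] "SSH Connection Attempt" [**] [Priority: 0] {TCP} 203.0.113.5:51236 -> 192.0.2.10:22
09/16-10:01:07.000000 [**] [1:1000002:1] "SSH Connection Attempt" [**] [Priority: 0] {TCP} 198.51.100.7:40000 -> 192.0.2.10:22
09/16-10:01:09.000000 [**] [1:1000003:1] "HTTP Traffic Detected" [**] [Priority: 0] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
09/16-10:01:11.000000 [**] [1:1000003:1] "HTTP Traffic Detected" [**] [Classification: Misc activity] [Priority: 3] [AppID: HTTP] {TCP} 198.51.100.7:40002 -> 192.0.2.10:80
this line is not an alert and must be skipped
"""


def split_endpoint(endpoint: str, proto: str) -> Tuple[str, str]:
    """Split 'addr:port' into (addr, port). ICMP endpoints carry no port.

    rsplit on the last colon also works for Snort's IPv6 form '2001:db8::1:22'.
    """
    if proto in ("TCP", "UDP") and ":" in endpoint:
        addr, port = endpoint.rsplit(":", 1)
        return addr, port
    return endpoint, ""


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for side in ("src", "dst"):
        rec[side + "_ip"], rec[side + "_port"] = split_endpoint(rec[side], rec["proto"])
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole alert_fast file, silently dropping non-alert lines."""
    return [rec for rec in map(parse_alert, text.splitlines()) if rec is not None]


def count_by_rule(alerts: List[Dict[str, str]]) -> Counter:
    """How often each rule fired, keyed by (sid, msg)."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def noisy_sources(alerts: List[Dict[str, str]], sid: str, threshold: int) -> Dict[str, int]:
    """Source IPs that triggered rule `sid` at least `threshold` times."""
    hits = Counter(a["src_ip"] for a in alerts if a["sid"] == sid)
    return {ip: n for ip, n in hits.items() if n >= threshold}


def main() -> None:
    # Assumed usage: python3 triage.py /var/log/snort/alert_fast.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    alerts = parse_log(text)
    print(f"{len(alerts)} alerts parsed")
    for (sid, msg), n in count_by_rule(alerts).most_common():
        print(f"{n:5d}  sid:{sid}  {msg}")
    # SID 1000002 is the SSH SYN rule from step 9; three hits in one file is the demo threshold.
    for ip, n in noisy_sources(alerts, "1000002", 3).items():
        print(f"possible SSH brute force from {ip}: {n} connection attempts")


if __name__ == "__main__":
    main()
```

The threshold of three is only for the sample; on a real sensor, pair the count with a time window (the timestamps are parsed as opaque strings here) before treating a source as hostile, and remember that in tap mode an alert means the traffic was seen, not stopped.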
Final Thoughts
With Snort installed and configured, we have a working IDS running on Ubuntu 24.04. We can now tune HOME_NET and the rules to match our environment, and later turn Snort into an IPS by switching ips.mode to 'inline', running with -Q, and using an inline-capable DAQ such as nfq (NFQueue) or an afpacket bridge. Regular rule updates and log reviews are essential to keep our detection accurate.