Building a Network Monitoring and Intrusion Detection System (IDS) with Snort on a Raspberry Pi
In the realm of network security, setting up a robust Intrusion Detection System (IDS) is crucial for monitoring and protecting your network against potential threats. In this blog post, I’ll walk you through my journey of deploying a Network Monitoring and IDS using Snort on a Raspberry Pi, a cost-effective and powerful solution for home labs and small networks.
Project Overview
The goal of this project was to configure a Snort-based IDS on a Raspberry Pi running Ubuntu 22.04. The aim was to enhance network security by monitoring traffic, detecting potential intrusions, and generating alerts for suspicious activities. This setup also included integrating traffic analysis tools and creating custom rules to fine-tune the detection capabilities.
Tools and Technologies Used
Snort: An open-source network intrusion detection system (NIDS) that performs real-time traffic analysis and packet logging.
Tshark: A network protocol analyzer for capturing and analyzing network traffic.
Ubuntu 22.04: The operating system installed on the Raspberry Pi.
Bash Scripting: Used for automating installation and configuration tasks.
Step-by-Step Implementation
1. System Preparation
The first step was to ensure that the Raspberry Pi’s system was up-to-date. This involved updating and upgrading the system packages to the latest versions:
sudo apt update
sudo apt upgrade -y
2. Installing Dependencies
Before installing Snort, several dependencies needed to be installed. These included development tools and libraries necessary for Snort’s compilation:
sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
3. Downloading and Installing Snort
I downloaded the latest version of Snort from the official website and compiled it:
wget https://www.snort.org/downloads/snort/snort-{latest-version}.tar.gz
tar xvzf snort-{latest-version}.tar.gz
cd snort-{latest-version}
./configure --enable-sourcefire && make && sudo make install
4. Setting Up Snort Directories
I created the necessary directories for Snort configuration, rules, and logs:
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/snort.conf
5. Integrating Community Rules
To enhance Snort’s capabilities, I downloaded and placed community rules into the rules directory:
wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/rules
6. Configuring Snort
I edited the Snort configuration file to define the network settings:
sudo nano /etc/snort/snort.conf
Here, I set the HOME_NET and EXTERNAL_NET variables to specify the monitored network ranges.
7. Testing Snort Configuration
It was crucial to test the configuration to ensure there were no errors:
sudo snort -T -c /etc/snort/snort.conf
The configuration was validated successfully, confirming that Snort was ready for deployment.
8. Running Snort
I started Snort in real-time mode to monitor network traffic and generate alerts:
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
9. Installing Tshark
For additional traffic analysis, I installed Tshark:
sudo apt install -y tshark
10. Capturing Traffic with Tshark
I used Tshark to capture network traffic for further analysis:
sudo tshark -i eth0 -w /path/to/output.pcap
11. Creating Custom Rules
To tailor Snort to detect specific activities, I created a custom rule to alert on ICMP Echo Requests (ping). Snort only loads this file if snort.conf contains the line "include $RULE_PATH/local.rules", so check that it is present and not commented out:
sudo nano /etc/snort/rules/local.rules
Added the following rule (sid values from 1000000 upwards are reserved for local rules, and a rev keeps later edits trackable):
alert icmp any any -> $HOME_NET any (msg:"ICMP Echo Request (Ping) detected"; itype:8; sid:1000001; rev:1; classtype:icmp-event;)
12. Testing and Restarting Snort
I tested the rule and restarted Snort to apply the new configuration. Note that a source build does not install a systemd unit; the restart command below only works if you have created a snort.service yourself, otherwise stop the running Snort process and start it again with the command from step 8:
sudo snort -T -c /etc/snort/snort.conf
sudo systemctl restart snort
13. Verifying the Rule
Finally, I tested the configuration by sending a ping request to a host inside HOME_NET:
ping -c 4 <target_ip>
I then verified that Snort generated an alert for the ping request in the logs. The alert file is written when Snort runs with file output (for example -A fast); with -A console as in step 8, the same alert lines are printed to the terminal instead:
sudo tail -f /var/log/snort/alert
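To check the verification step without reading the alert stream by eye, here is an added Python example (not part of the original post) that parses Snort 2.x fast/console alert lines and counts how often the custom rule (sid 1000001) fired and from which source hosts. The sample alert lines are constructed to match the rule above; the second rule (sid 1000002) and the host addresses are made up for the example.

```python
import re
from collections import Counter

# Layout of a Snort 2.x "fast"/console alert line (what -A console or -A fast emits):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(ep):
    """'10.0.0.5:443' -> ('10.0.0.5', 443); ICMP endpoints carry no port. IPv4 only."""
    if ep.count(":") == 1:
        host, port = ep.split(":")
        return host, int(port)
    return ep, None

def parse_alert(line):
    """Parse one alert line into a dict, or return None for non-alert output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev"):
        rec[key] = int(rec[key])
    rec["prio"] = int(rec["prio"]) if rec["prio"] else None
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    return rec

def summarize(lines, sid=1000001):
    """Return (alerts parsed, alerts from `sid`, Counter of source hosts that triggered it)."""
    parsed = [r for r in map(parse_alert, lines) if r]
    hits = [r for r in parsed if r["sid"] == sid]
    return len(parsed), len(hits), Counter(r["src"] for r in hits)

# Constructed sample output: two hits from the custom ping rule (sid 1000001), one other
# constructed alert (sid 1000002) and one non-alert status line that must be skipped.
SAMPLE_ALERTS = """\
08/21-14:32:10.123456  [**] [1:1000001:1] ICMP Echo Request (Ping) detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
08/21-14:32:11.125001  [**] [1:1000001:1] ICMP Echo Request (Ping) detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
08/21-14:32:15.000123  [**] [1:1000002:1] Constructed TCP test alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:80 -> 192.168.1.10:51522
Commencing packet processing (pid=1234)
""".splitlines()

if __name__ == "__main__":
    total, hits, sources = summarize(SAMPLE_ALERTS)
    print(f"{total} alerts, {hits} from sid 1000001, sources: {dict(sources)}")
```

To run it against a live box, replace SAMPLE_ALERTS with the lines of /var/log/snort/alert (or the saved console output); a zero hit count after the ping test means the rule file was not loaded or HOME_NET does not cover the pinged host.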
Conclusion
By setting up Snort on a Raspberry Pi, I’ve successfully created a cost-effective and powerful IDS that enhances network security by detecting and alerting on suspicious activities. This project not only demonstrates my ability to deploy and configure security tools but also highlights my skills in network monitoring and traffic analysis. If you’re looking to implement a similar solution, this guide provides a comprehensive approach to setting up an IDS that can significantly improve your network security posture.