Building a Network Monitoring and Intrusion Detection System (IDS) with Snort on a Raspberry Pi

In the realm of network security, setting up a robust Intrusion Detection System (IDS) is crucial for monitoring and protecting your network against potential threats. In this blog post, I’ll walk you through my journey of deploying a Network Monitoring and IDS using Snort on a Raspberry Pi, a cost-effective and powerful solution for home labs and small networks.

Project Overview

The goal of this project was to configure a Snort-based IDS on a Raspberry Pi running Ubuntu 22.04. The build described below is Snort 2.9.x: the snort.conf file, the --enable-sourcefire configure flag and the snort_dynamicrules directory are all Snort 2 conventions (Snort 3 builds with CMake and is configured in snort.lua). The aim was to enhance network security by monitoring traffic, detecting potential intrusions, and generating alerts for suspicious activities. This setup also included integrating traffic analysis tools and creating custom rules to fine-tune the detection capabilities.

Tools and Technologies Used

  • Snort: An open-source network intrusion detection system (NIDS) that performs real-time traffic analysis and packet logging.

  • Tshark: The command-line network protocol analyzer from the Wireshark project, used here to capture traffic to a file for later analysis.

  • Ubuntu 22.04: The operating system installed on the Raspberry Pi.

  • Bash Scripting: Used for automating installation and configuration tasks.

Step-by-Step Implementation

1. System Preparation

The first step was to ensure that the Raspberry Pi’s system was up-to-date. This involved updating and upgrading the system packages to the latest versions:

sudo apt update
sudo apt upgrade -y

2. Installing Dependencies

Before building Snort, several dependencies needed to be installed. Snort 2.9 links against libpcap, PCRE, libdnet (packaged as libdumbnet-dev on Ubuntu), zlib, LZMA and OpenSSL, and the build needs bison and flex; the same packages cover the DAQ library built in the next step:

sudo apt install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

3. Downloading and Installing Snort

Snort 2.9 captures packets through its DAQ (Data Acquisition) library, so I built that first and then Snort itself, both from the tarballs on the official download page. Take the latest 2.9.x release: the 3.x tarballs on the same page use a CMake build and a different configuration format, so the rest of this guide does not apply to them. The final sudo ldconfig registers the freshly installed shared libraries so the snort binary can find libdaq and its dynamic engine:

wget https://www.snort.org/downloads/snort/daq-{daq-version}.tar.gz
tar xvzf daq-{daq-version}.tar.gz && cd daq-{daq-version}
./configure && make && sudo make install && cd ..
wget https://www.snort.org/downloads/snort/snort-{latest-version}.tar.gz
tar xvzf snort-{latest-version}.tar.gz
cd snort-{latest-version}
./configure --enable-sourcefire && make && sudo make install
sudo ldconfig

4. Setting Up Snort Directories

I created the directories for configuration, rules, dynamic rules and logs, created the (initially empty) list and local rule files that the stock configuration references, and copied the configuration files shipped in the tarball's etc/ directory into /etc/snort. Starting from the stock snort.conf rather than an empty file matters: it declares the preprocessors, the dynamic engine and preprocessor paths, and the classification and reference maps that rules using classtype (such as the icmp-event rule later in this guide) depend on. These commands run from inside the extracted Snort source directory:

sudo mkdir -p /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
sudo cp etc/*.conf* etc/*.config etc/*.map /etc/snort/

5. Integrating Community Rules

To enhance Snort’s capabilities, I downloaded the free community rule set and unpacked it into the rules directory. The archive extracts into a community-rules/ subdirectory, so the file to include from snort.conf is $RULE_PATH/community-rules/community.rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/rules

6. Configuring Snort

I edited the Snort configuration file to define the network and path settings:

sudo nano /etc/snort/snort.conf

Here, I set the HOME_NET and EXTERNAL_NET variables to specify the monitored network ranges. In Snort 2 these use the ipvar keyword: HOME_NET is the address range being protected (typically the LAN's CIDR block, not the default "any", otherwise rules written for $HOME_NET match traffic in both directions) and EXTERNAL_NET is everything else, conventionally !$HOME_NET. In the same file I pointed RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH at /etc/snort/rules and made sure local.rules and the community rules are included. The stock file also includes a long list of registered rule files that are not installed on this build; each of those include lines has to be commented out, because a single missing rule file makes the configuration test in the next step fail.
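Because those edits are easy to get slightly wrong by hand, here is the same change as a re-runnable script. This is an added example, not code from the original post: it assumes the stock snort.conf copied from the tarball's etc/ directory, rules under /etc/snort/rules and the community rules unpacked to /etc/snort/rules/community-rules/, and the function names and the --apply flag are my own. It also ships a constructed stand-in for the stock file so the logic can be exercised without touching a real /etc/snort.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# snort.conf edits for Snort 2.9.x. Assumes the stock snort.conf from the
# tarball's etc/ directory and rules in /etc/snort/rules. Function names,
# the --apply flag and the sample file below are my own.

# Rewrite the network and path variables in CONF (arg 1) for HOME_NET (arg 2,
# a CIDR block) and RULES_DIR (arg 3), comment out every stock
# "include $RULE_PATH/..." line (those registered rule files are not
# installed on this build, and one missing file makes "snort -T" fail), then
# re-enable only the rule files that are actually present. Avoids "sed -i" so
# it behaves the same with GNU and BSD sed; safe to run more than once.
snort_set_vars() {
    conf=$1
    home_net=$2
    rules_dir=${3:-/etc/snort/rules}

    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e "s|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !\$HOME_NET|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rules_dir|" \
        -e "s|^var SO_RULE_PATH .*|var SO_RULE_PATH $rules_dir|" \
        -e "s|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH $rules_dir|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $rules_dir|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $rules_dir|" \
        -e 's|^include \$RULE_PATH/|#&|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"

    for rule_file in local.rules community-rules/community.rules; do
        want="include \$RULE_PATH/$rule_file"
        # Uncomment the line if the pass above (or a previous run) commented it.
        awk -v want="$want" '$0 == ("#" want) { print want; next } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        # Otherwise add it once, at the end of the file.
        grep -qxF "$want" "$conf" || printf '%s\n' "$want" >> "$conf"
    done
}

# Constructed stand-in for the stock file (the real one carries these same
# lines among a few hundred others); used only for trying the script out.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# Touch the live configuration only when asked explicitly, e.g.
#   sudo sh snort-conf.sh --apply 192.168.1.0/24
if [ "${1:-}" = "--apply" ]; then
    snort_set_vars /etc/snort/snort.conf "${2:?usage: --apply HOME_NET_CIDR}"
fi
```

After running it against the real file, sudo snort -T -c /etc/snort/snort.conf (the next step) is the check that the remaining includes all resolve.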

7. Testing Snort Configuration

It was crucial to test the configuration before running it. The -T flag makes Snort parse the configuration and every included rule file, report any problem, and exit without sniffing:

sudo snort -T -c /etc/snort/snort.conf

The configuration was validated successfully, confirming that Snort was ready for deployment.

8. Running Snort

I started Snort in the foreground to monitor traffic and print alerts as they happen. -A console writes fast-format alerts to the terminal rather than to the alert file, -q suppresses the startup banner and statistics, and -i selects the capture interface (eth0 is the Pi's wired port; check ip link if yours is named differently):

sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

9. Installing Tshark

For additional traffic analysis, I installed Tshark. The Ubuntu package asks during installation whether non-superusers should be able to capture packets; answering yes and adding your account to the wireshark group lets you capture later without sudo:

sudo apt install -y tshark

10. Capturing Traffic with Tshark

I used Tshark to write raw packets to a capture file for later analysis in Wireshark or Tshark itself. A capture filter (-f, in the same syntax as tcpdump) or a packet count (-c) keeps the file to a manageable size, and the same file can be replayed through Snort with snort -r to test rules offline:

sudo tshark -i eth0 -w /path/to/output.pcap

11. Creating Custom Rules

To tailor Snort to detect specific activities, I created a custom rule in local.rules (which snort.conf must include with include $RULE_PATH/local.rules) to alert on ICMP Echo Requests (pings) sent to the monitored network:

sudo nano /etc/snort/rules/local.rules

Added the following rule:

alert icmp any any -> $HOME_NET any (msg:"ICMP Echo Request (Ping) detected"; itype:8; classtype:icmp-event; sid:1000001; rev:1;)

itype:8 restricts the match to echo requests, so echo replies (type 0) do not fire it; sid values from 1000000 upwards are reserved for local rules, and rev is bumped each time the rule is changed. A rule this broad is fine for verifying the setup, but on a busy network it should be rate-limited with an event_filter in threshold.conf before it is left running.

12. Testing and Restarting Snort

I re-ran the configuration test so that a typo in the new rule would be caught before restarting, then restarted Snort to load it. systemctl restart snort only works once a unit file exists for the source-built binary (make install does not create one); if Snort is running in the foreground as in step 8, stop it with Ctrl-C and start it again instead:

sudo snort -T -c /etc/snort/snort.conf
sudo systemctl restart snort
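For the restart above to work unattended, the source-built Snort needs a systemd unit. The script below is an added example, not part of the original post: it writes such a unit and creates an unprivileged service account that Snort drops to with -u/-g once the capture socket is open. It assumes the binary was installed to /usr/local/bin/snort (the default make install prefix), the configuration from the steps above, and the account name snort; the function names and the --install flag are my own.

```shell
#!/bin/sh
# Added example (not from the original post): give the source-built Snort a
# systemd unit so "systemctl restart snort" has something to restart.
# Assumes /usr/local/bin/snort, /etc/snort/snort.conf and a service account
# named snort. Function names and the --install flag are my own.

# Print the unit for interface $1. -A fast together with -l /var/log/snort
# writes one-line alerts to /var/log/snort/alert, the file tailed later in
# the guide; -u/-g make Snort drop root after it has opened the interface.
snort_unit_text() {
    cat <<EOF
[Unit]
Description=Snort 2.9 NIDS on $1
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -A fast -q -c /etc/snort/snort.conf -i $1 -l /var/log/snort -u snort -g snort
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit for interface $1 to $2 (default: the systemd unit directory).
write_snort_unit() {
    iface=$1
    dest=${2:-/etc/systemd/system/snort.service}
    snort_unit_text "$iface" > "$dest"
}

# Create the service account and hand it the log directory (run as root).
create_snort_user() {
    getent group snort >/dev/null || groupadd -r snort
    id snort >/dev/null 2>&1 || useradd -r -g snort -s /usr/sbin/nologin -d /var/log/snort snort
    chown -R snort:snort /var/log/snort
}

# Perform the real installation only when asked explicitly, e.g.
#   sudo sh snort-service.sh --install eth0
if [ "${1:-}" = "--install" ]; then
    create_snort_user
    write_snort_unit "${2:-eth0}"
    systemctl daemon-reload
    systemctl enable --now snort
fi
```

After installing it, systemctl status snort and journalctl -u snort show Snort's own startup output, including any rule parse errors, and sudo systemctl restart snort is the correct way to reload new rules.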

13. Verifying the Rule

Finally, I tested the rule by sending pings to an address inside HOME_NET from another host on the network. The pings must cross the monitored interface: pinging the Pi from the Pi itself goes over loopback, never touches eth0, and so is invisible to Snort:

ping -c 4 <target_ip>

I then verified that Snort generated an alert for each echo request. With -A console (step 8) the alert is printed on Snort's terminal; the /var/log/snort/alert file below is written when Snort runs with -A fast (or -A full) and -l /var/log/snort:

sudo tail -f /var/log/snort/alert
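Once alerts accumulate, the one-line fast format is easy to summarise from the shell. The script below is an added example, not part of the original post: it groups a fast-format alert file by signature and by source address using only awk and sort, and it builds its own constructed sample file (the SSH message and sid 1000002 in it are invented for the sample, not a rule from this guide) so it can be tried without a running Snort. Function names are mine, and the port stripping assumes IPv4 addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Snort's fast-format
# alert file (the one-line records written by -A fast) with awk and sort.
# Assumes IPv4 addresses; function names and the sample data are my own.

# Count alerts per signature. A fast-format line looks like
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# so the text between the two "[**]" markers identifies the rule.
alert_summary() {
    awk '
        match($0, /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] .* \[\*\*\]/) {
            sig = substr($0, RSTART + 5, RLENGTH - 10)   # drop "[**] " and " [**]"
            n[sig]++
        }
        END { for (s in n) printf "%d\t%s\n", n[s], s }
    ' "$1" | sort -rn
}

# Count alerts per source address: everything after "{PROTO} " is
# "src[:port] -> dst[:port]"; the optional TCP/UDP port is stripped.
alert_sources() {
    awk -F'[}] ' '
        NF > 1 {
            split($2, ep, " -> ")
            sub(/:[0-9]+$/, "", ep[1])
            n[ep[1]]++
        }
        END { for (s in n) printf "%d\t%s\n", n[s], s }
    ' "$1" | sort -rn
}

# Constructed sample in the exact fast format (not real captured alerts):
# three hits of the ping rule from this guide plus one hit of a made-up local
# rule (sid 1000002) so that grouping by signature has something to show.
write_sample_alerts() {
    cat > "$1" <<'EOF'
08/14-10:23:45.123456  [**] [1:1000001:1] ICMP Echo Request (Ping) detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
08/14-10:23:46.124201  [**] [1:1000001:1] ICMP Echo Request (Ping) detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
08/14-10:23:47.125009  [**] [1:1000001:1] ICMP Echo Request (Ping) detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.51 -> 192.168.1.10
08/14-10:24:02.551003  [**] [1:1000002:1] SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:51234 -> 192.168.1.10:22
EOF
}

# Usage: sh alert-summary.sh --summary|--sources [/var/log/snort/alert]
case "${1:-}" in
    --summary) alert_summary "${2:-/var/log/snort/alert}" ;;
    --sources) alert_sources "${2:-/var/log/snort/alert}" ;;
esac
```

On the sample, --summary lists the ping rule first with three hits and --sources puts 192.168.1.50 on top with three, which is the quick triage view (what fired, and from where) that a tail -f of the raw file does not give.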

Conclusion

By setting up Snort on a Raspberry Pi, I’ve successfully created a cost-effective and powerful IDS that enhances network security by detecting and alerting on suspicious activities. This project not only demonstrates my ability to deploy and configure security tools but also highlights my skills in network monitoring and traffic analysis. If you’re looking to implement a similar solution, this guide provides a comprehensive approach to setting up an IDS that can significantly improve your network security posture.