Network Intrusion Detection
Best of Breed Protection with SNORT
Snort can be readily implemented with the help of a special
Linux distribution named Sentinix (http://www.sentinix.org).
Wait a minute, you ask, Linux? Isn’t that complicated?
All my systems are Microsoft!
The short answer – yes. Snort should indeed be implemented
using Linux. The Sentinix distribution makes this an easy
and painless process – much easier than configuring
a Windows server and installing Snort. Snort sensors should
be viewed as appliances (like a router or a UPS) and as such,
do not need to integrate with your server infrastructure.
In fact, you probably have other network appliances running
on some version of Linux. One last consideration is if your
intrusion detection system is on the same platform as the
rest of your systems, it may become compromised along with
your other systems in the event of a successful intrusion.
Sentinix is a special-purpose distribution of Linux that contains
a preconfigured environment for running Snort. In addition
to Snort itself, Sentinix includes:
- SnortCenter management console
- ACID intrusion analysis and reporting system
- Supporting applications: Apache, PHP, Perl, Python, and
- E-mail tools: Postfix, MailScanner, SpamAssassin
- Other tools: Nessus, Nagios, Nagat, Cacti, RRDtool
- And more…
For small installations, a single computer can monitor the
network and house the management applications (SnortCenter
and ACID). In larger deployments, you will probably want to
separate these functions. One computer can perform the management
functions while other computers act as sensors. Figure 1 shows
a typical arrangement of sensors within a medium sized network.
Sentinix is designed to provide a secure, lightweight environment
runs only a minimal set of normal Linux services. Memory intensive
services such as X-windows and other unnecessary services
such as BIND (DNS server), DHCP server, etc., are not included
with Sentinix. For additional information, go to http://www.sentinix.org.
The hardware requirements for Sentinix are minimal. A sensor
can easily run on a 1Ghz machine with 256MB RAM and a 4GB
hard disk. As with any system, more is better. A machine that
is housing the management applications will do better with
512MB RAM and a hard disk that can accommodate the amount
of log data that you wish to keep online.
Sentinix is supplied as an ISO image that can be burned to
a CD-ROM. The current version of Sentinix is 0.70.5 and can
be downloaded from one of the mirrors listed at http://www.sentinix.org/downloads.shtml.
The file you want to download is named sentinix-0.70.5.iso.
Once the file has been downloaded, burn the image to a CD-ROM.
Note that you must write the ISO image to a CD-ROM, not simply
copy the ISO file to a CD-ROM. Most CD burning programs have
a command called “Burn Image” or something similar
that will accomplish this.
Installing Sentinix is a straightforward process. Use the
following steps and screenshots as a guideline. It is possible
that the procedure will deviate slightly based on your unique
Note: These instructions are adapted from the Sentinix Installation
- Prepare a host machine for Sentinix.
- Go into the BIOS and set the clock to the current GMT
- Insert the newly created SENTINIX CD in the CD-ROM drive
and boot up. Make sure that the BIOS boots from the CD-ROM!
- At the boot prompt, type “plain” and press
- Once the system has booted from the CD-ROM, type “install”
and press Enter.
- The keyboard map defaults to U.S. You may choose a different
map at this point if necessary, otherwise, skip to the next
- Use the arrow keys to highlight “Start the Installation
Process” and press Enter.
- Partition your hard disks by choosing the appropriate
disk and pressing Enter. If no partition table exists on
this disk, you may see the following screen.
- If this screen is displayed, type “y” and
press Enter to start with a blank table.
- If your hard disk has existing partitions, it is recommended
that you delete all of the existing partitions:
- Use the arrow keys to highlight each existing partition
and press “D” to delete it.
- You will need two partitions, at a minimum, to get started.
One partition will be a Linux partition and the other will
be a Linux Swap partition.
- Highlight the "Free Space" line and press
“N” for New.
- Choose "Primary" (or "Logical,"
which works fine too).
- Make it at least 2GB (type "2000" in the
field). You need at least 100MB of free space to create
the swap partition later.
- Choose "Beginning."
- Press “T” to select partition type (if
it isn't already of type "Linux").
- Type “83” in the "Enter filesystem
- Move the focus to "Free Space" and press
- Choose "Primary."
- Make it at least 512MB (type "512" in the
- Press “T.”
- In the "Enter filesystem type:" field,
type "82" (for Linux Swap).
- Move the focus back to the first "Linux"
partition and press “B” to mark it "bootable."
- Press “W” and type "yes" to
write the partition table.
- Press “Q” to quit.
- Choose "Continue to next step" when you are
- Choose the partitions that should be formatted and which
file system to use. EXT3 is
recommended on all partitions. Choose "Format partitions"
- When formatting is complete, press any key to return
to the previous screen.
- Choose "Done, go to next step."
- You must now set the mount point for your newly formatted
volume(s). At least one partition must be mounted to “/”
(the root partition). Highlight the desired partition and
- Type the desired mount point for this partition. This
example shows the setting for the root partition (“/”).
- Choose "Install SENTINIX" to start the installation.
This might take anywhere from 5 minutes to 30 minutes depending
- If all went well, you should now see a menu titled "SENTINIX
Setup Utility." The keyboard map defaults to U.S. If
you would like to change the default setting, you may do
so at this time. The time zone defaults to GMT. Since we
previously set the BIOS clock to GMT time, it is not necessary
to change the time zone.
- Use the down arrow key to move to line 3, “Configure
LILO” and press Enter.
- LILO is the boot loader for Linux. The defaults should
be fine for most installations. The only exception which
I am aware is older Compaq hardware that had a “System
Partition.” If you are using a machine of this type,
you will want to set the boot target to: /dev/hda1 (or /dev/sda1
as shown above for SCSI hardware).
- Scroll down to “OK, install LILO” and press
- LILO is now installed. Press any key to return to the
menu and select 4 to probe for network devices.
- Press Enter to probe for Ethernet hardware.
- Once an appropriate driver (or drivers) is found, they
will be loaded and the following screen will appear.
- Note that the detected card(s) are already selected.
- Scroll down to “Exit and Save” and press
Enter to go back to the menu. You may skip option 5 as the
correct modules will already be selected. Choose option
6 to set your network parameters.
- Beginning with option 1, choose each option and provide
the appropriate information. It is not necessary to provide
two name servers, although it is a good idea. After setting
the name server(s), proceed to the lower section of the
screen and set the IP addresses and netmasks for each Ethernet
- Choose “Save and Exit” to return to the menu.
Choose option 7 to set up network services.
- Snort will be unchecked. Highlight this line and press
the space bar to select Snort. If you wish, you can also
add Nessus Security Scanner and NTP daemon.
- Choose “OK, I’m done” to return to
the main menu.
- By default, the root password is set to “sentinix.”
You may use options 8 to reset your root password.
- Select “Quit” to exit the setup program and
return to the installation program.
- Select “Reboot the system” and press Enter.
The CD should be ejected. If the CD does not eject, remove
it before the machine begins booting.
Congratulations! You have just completed the installation
of your first Snort IDS. If you need to reconfigure your system
at any time, log in as root and type "setup."
Getting Started With Snort
If all went well, your Snort system is up and running –
already detecting errant probes, port-scans and worm propagation
traffic. To see the status of your snort sensor(s), fire up
a Web browser and point it to your machine’s IP address.
Click on the Snort Center link at the top of the screen and
log in with the following credentials.
SnortCenter displays a list of all of your sensors along
with their status. From SnortCenter, you can start, stop and
reconfigure your sensors. Figure 2 shows a typical SnortCenter
console. If your sensor is highlighted yellow, click on the
Start link to start the sensor.
Alert data is accessible via the Analysis Console for Intrusion
Databases (ACID), which is integrated into SnortCenter. Click
on Alert Console to go to the ACID summary page (shown in
Figure 3). Detailed alert information is available via the
Snapshots drop-down menu. Figure 4 shows a typical page of
Sentinix provides a convenient platform to get a Snort IDS
up and running. It is important to remember, however, that
an IDS is not a set-and-forget system. IDSs must be kept up
to date and monitored. In fact, one of the first things you
should do if you decide to make Snort part of your security
solution is update the latest versions of Snort and Snort’s
signatures. Initially, there will be a large number of nuisance
alerts. Careful tuning of rules will help reduce the amount
of noise while maintaining the overall integrity of the IDS.
A number of resources are available to help you create an
industrial strength Snort setup that is customized for your
- Snort 2.1 Intrusion Detection – an excellent text
and reference published bySyngress.
- www.snort.org – for the latest software, documentation
and other resources.
- Snort GUI for Lamers (SGUIL) – an alternative configuration
- Barnyard - alert post-processing for larger installations.
- Sourcefire – commercial support.
Sentinix includes a number of other useful tools you may want
to explore. These include:
- Nagios – Server Health Monitoring
- Nessus – Heavy-Duty Security Testing
- RRDTool, Cacti – Performance Graphing