{"id":2368,"date":"2015-12-08T10:14:25","date_gmt":"2015-12-08T08:14:25","guid":{"rendered":"https:\/\/upcloud.com\/global\/us\/resources\/tutorials\/installing-snort-on-debian\/"},"modified":"2015-12-08T10:14:25","modified_gmt":"2015-12-08T08:14:25","slug":"installing-snort-on-debian","status":"publish","type":"tutorial","link":"https:\/\/upcloud.com\/global\/resources\/tutorials\/installing-snort-on-debian\/","title":{"rendered":"How to install Snort on Debian"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Snort is a popular choice for running a network intrusion detection system or NIDS for short. It monitors the package data sent and received through a specific network interface. NIDS can catch threats targeting your system vulnerabilities using signature-based detection and protocol analysis technologies. NIDS software, when installed and configured appropriately, can identify the latest attacks, malware infections, compromised systems, and network policy violations. In this guide, you will find instructions on how to install Snort on Debian 9.\u00a0The install guide is also available for cloud servers running\u00a0<a href=\"https:\/\/upcloud.com\/global\/resources\/tutorials\/installing-snort-on-centos\/\" target=\"_blank\" rel=\"noopener noreferrer\">CentOS 7<\/a>\u00a0and\u00a0<a href=\"https:\/\/upcloud.com\/global\/resources\/tutorials\/install-snort-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ubuntu 16<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/upcloud.com\/media\/snort_logo-1-300x164.png\" alt=\"Snort logo, depicting a pig and yellow text saying &quot;Snort&quot;.\" class=\"wp-image-4021\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Snort is one of the most commonly used&nbsp;<a rel=\"noopener noreferrer\" href=\"https:\/\/www.snort.org\/\" target=\"_blank\">network-based IDS<\/a>. It is lightweight, open source, available on a multitude of platforms, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand as needed.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/signup.upcloud.com\/\">Test hosting on UpCloud!<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Preparing your server<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Setting up a basic configuration of Snort on Debian is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev \nlibpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev \nbison flex libdnet autoconf libtool<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With the prerequisites fulfilled, next up is how to install Snort on Debian 9. Snort can be downloaded and installed manually from the source. Below you will find instructions on how to get this done.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing from the source<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Setting up Snort on Debian from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start by making a temporary download folder to your home directory and then changing into it with the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mkdir ~\/snort_src &amp;&amp; cd ~\/snort_src<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Snort itself uses something called a Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command underneath. Replace the version number in the command if a newer source is available.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget https:\/\/www.snort.org\/downloads\/snort\/daq-2.0.7.tar.gz<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar -xvzf daq-2.0.7.tar.gz\ncd daq-2.0.7<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The latest version requires an additional step to auto-reconfigure DAQ before running the config. Use the command below which requires you need to have <tt>autoconf<\/tt> and <tt>libtool<\/tt> installed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">autoreconf -f -i<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Afterwards, run the configuration script using its default values, then compile the program with make and finally install DAQ.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/configure &amp;&amp; make &amp;&amp; sudo make install<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With the DAQ installed, you can get started with Snort, and change back to the download folder.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~\/snort_src<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Next, download the Snort source code with <tt>wget<\/tt>.&nbsp;You can <a href=\"https:\/\/www.snort.org\/downloads\" target=\"_blank\" rel=\"noopener\">find the latest version number on the Snort downloads page<\/a>. Replace it in the following command if necessary.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget https:\/\/www.snort.org\/downloads\/snort\/snort-2.9.16.tar.gz<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once the download is complete, extract the source and change into the new directory with these commands.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar -xvzf snort-2.9.16.tar.gz\ncd snort-2.9.16<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then configure the installation with <tt>sourcefire<\/tt>&nbsp;enabled, run make and make install.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/configure --enable-sourcefire &amp;&amp; make &amp;&amp; sudo make install<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With that done, continue below on how to set up the configuration files.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring Snort to run in NIDS mode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Next, you will need to configure Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start with updating the shared libraries using the command underneath.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo ldconfig<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Snort on Debian gets installed to <tt>\/usr\/local\/bin\/snort<\/tt> directory, it is good practice to create a symbolic link to <tt>\/usr\/sbin\/snort<\/tt>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo ln -s \/usr\/local\/bin\/snort \/usr\/sbin\/snort<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up username and folder structure<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To run Snort on Debian safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo groupadd snort\nsudo useradd snort -r -s \/sbin\/nologin -c SNORT_IDS -g snort<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then create the folder structure to house the Snort configuration, just copy over the commands below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo mkdir -p \/etc\/snort\/rules\nsudo mkdir \/var\/log\/snort\nsudo mkdir \/usr\/local\/lib\/snort_dynamicrules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Set the permissions for the new directories accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo chmod -R 5775 \/etc\/snort\nsudo chmod -R 5775 \/var\/log\/snort\nsudo chmod -R 5775 \/usr\/local\/lib\/snort_dynamicrules\nsudo chown -R snort:snort \/etc\/snort\nsudo chown -R snort:snort \/var\/log\/snort\nsudo chown -R snort:snort \/usr\/local\/lib\/snort_dynamicrules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Create new files for the white and blacklists as well as the local rules.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo touch \/etc\/snort\/rules\/white_list.rules\nsudo touch \/etc\/snort\/rules\/black_list.rules\nsudo touch \/etc\/snort\/rules\/local.rules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then copy the configuration files from the download folder.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp ~\/snort_src\/snort-2.9.16\/etc\/*.conf* \/etc\/snort\nsudo cp ~\/snort_src\/snort-2.9.16\/etc\/*.map \/etc\/snort<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Community rules are freely available although slightly limited.<\/li>\n\n\n\n<li>By registering for free on their website you get access to your Oink code, which lets you download the registered user&#8217;s rule sets.<\/li>\n\n\n\n<li>Lastly, subscriber rules are just that, available to users with an active subscription to Snort services.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Underneath you can find instructions for downloading both community rules and registered user rule sets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Option 1. Using community rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you just want to quickly test out Snort, grab the community rules using <tt>wget<\/tt> with the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget https:\/\/www.snort.org\/rules\/community -O ~\/community.tar.gz<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Extract the rules and copy them to your configuration folder.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo tar -xvf ~\/community.tar.gz -C ~\/<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp ~\/community-rules\/* \/etc\/snort\/rules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">By default, Snort on Debian expects to find a number of different rule files which are not included in the community rules. You can easily comment out the unnecessary lines using the <tt>sed<\/tt> command underneath.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo sed -i 's\/include $RULE_PATH\/#include $RULE_PATH\/' \/etc\/snort\/snort.conf<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Option 2. Obtaining&nbsp;registered user rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/snort.org\/users\/sign_up\" target=\"_blank\" rel=\"noopener noreferrer\">You can also take a moment and register<\/a> on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Replace the <span style=\"color: #ff0000\"><tt>oinkcode<\/tt><\/span>&nbsp;in the following command with your personal code.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget https:\/\/www.snort.org\/rules\/snortrules-snapshot-29160.tar.gz?oinkcode=<span style=\"color: #ff0000\">oinkcode<\/span> -O ~\/registered.tar.gz<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once downloaded, extract the rules over to your configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo tar -xvf ~\/registered.tar.gz -C \/etc\/snort<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the <tt>snort.conf<\/tt> file.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring the network and rule sets<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With the configuration and rule files in place, edit the <tt>snort.conf<\/tt> to modify a few parameters. Open the configuration file in your favourite text editor, for example, using <tt>nano<\/tt> with the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/snort\/snort.conf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Find these&nbsp;sections shown below in the configuration file and change the parameters to reflect the examples&nbsp;here.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># Setup the network addresses you are protecting\nipvar HOME_NET <span style=\"color: #ff0000\">server_public_IP<\/span>\/32<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># Set up the external network addresses. Leave as \"any\" in most situations\nipvar EXTERNAL_NET !$HOME_NET\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># Path to your rules files (this can be a relative path)\nvar RULE_PATH \/etc\/snort\/rules\nvar SO_RULE_PATH \/etc\/snort\/so_rules\nvar PREPROC_RULE_PATH \/etc\/snort\/preproc_rules<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># Set the absolute path appropriately\nvar WHITE_LIST_PATH \/etc\/snort\/rules\nvar BLACK_LIST_PATH \/etc\/snort\/rules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In the same snort.conf file, scroll down to section 6 and set the output for unified2 to log under the filename of <tt>snort.log<\/tt> like below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># unified2\n# Recommended for most installs\noutput unified2: filename snort.log, limit 128<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the <tt>local.rules<\/tt> to allow Snort to load any custom rules.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">include $RULE_PATH\/local.rules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If you are using the community rules, add the line underneath to your ruleset as well, for example just below your <tt>local.rules<\/tt> line.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">include $RULE_PATH\/community.rules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once you are done with the configuration file, save the changes and exit the editor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Validating settings<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Your Snort should now be ready to run. Test the configuration using the parameter <tt>-T<\/tt> to enable test mode.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo snort -T -c \/etc\/snort\/snort.conf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">After running the Snort configuration test, you should get a message like this example below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">        --== Initialization Complete ==--\n\n   ,,_     -*&gt; Snort! &lt;*-\n  o\"  )~   Version 2.9.16 GRE (Build 118) \n   ''''    By Martin Roesch &amp; The Snort Team: http:\/\/www.snort.org\/contact#team\n           Copyright (C) 2014-2020 Cisco and\/or its affiliates. All rights reserved.\n           Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n           Using libpcap version 1.8.1\n           Using PCRE version: 8.39 2016-06-14\n           Using ZLIB version: 1.2.11\n\n           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.1  \n           Preprocessor Object: SF_DCERPC2  Version 1.0  \n           Preprocessor Object: SF_SSH  Version 1.1  \n           Preprocessor Object: SF_FTPTELNET  Version 1.2  \n           Preprocessor Object: SF_SDF  Version 1.1  \n           Preprocessor Object: SF_DNP3  Version 1.1  \n           Preprocessor Object: SF_REPUTATION  Version 1.1  \n           Preprocessor Object: SF_IMAP  Version 1.0  \n           Preprocessor Object: SF_SMTP  Version 1.1  \n           Preprocessor Object: SF_GTP  Version 1.1  \n           Preprocessor Object: appid  Version 1.1  \n           Preprocessor Object: SF_MODBUS  Version 1.1  \n           Preprocessor Object: SF_POP  Version 1.0  \n           Preprocessor Object: SF_DNS  Version 1.1  \n           Preprocessor Object: SF_SSLPP  Version 1.1  \n           Preprocessor Object: SF_SIP  Version 1.1  \n\nSnort successfully validated the configuration!\nSnort exiting<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In case you get an error, the printout should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above or by commenting out unnecessary inclusion lines in the <tt>snort.conf<\/tt>&nbsp;file. Check the configuration part and try again.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Testing the configuration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To test if Snort is logging alerts as intended, add a custom detection rule alert on incoming ICMP connections to the <tt>local.rules<\/tt> file. Open your local rules in a text editor.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/snort\/rules\/local.rules<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then add the following line to the file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">alert icmp any any -&gt; $HOME_NET any (msg:\"ICMP test\"; sid:10000001; rev:001;)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The rule consists of the following parts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>action for traffic matching the rule, alert in this case<\/li>\n\n\n\n<li>traffic protocol like TCP, UDP or ICMP like here<\/li>\n\n\n\n<li>the source address and port, simply marked as any to include all addresses and ports<\/li>\n\n\n\n<li>the destination address and port, <tt>$HOME_NET<\/tt> as declared in the configuration and any port<\/li>\n\n\n\n<li>some additional bits\n<ul class=\"wp-block-list\">\n<li>log message<\/li>\n\n\n\n<li>unique rule identifier (sid) which for local rules needs to be 1000001 or higher<\/li>\n\n\n\n<li>rule version number.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Save the <tt>local.rules<\/tt> and exit the editor.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start Snort with <tt>-A console<\/tt>&nbsp;option to print the alerts to <tt>stdout<\/tt>.&nbsp;You will need to select the correct network interface with the public IP address of your server, for example, <tt>eth0<\/tt>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo snort&nbsp;-A console&nbsp;-i eth0&nbsp;-u snort -g snort -c \/etc\/snort\/snort.conf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If you are not sure which interface to use, check your <a href=\"https:\/\/hub.upcloud.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">UpCloud control panel<\/a> for the public IPv4 address of your server in the <a href=\"https:\/\/hub.upcloud.com\/networks\/public\" target=\"_blank\" rel=\"noopener noreferrer\">Network settings<\/a>. You can also use the following command on your server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip addr<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The output will list all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network settings, commonly <tt>eth0<\/tt>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Snort up and running, ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">07\/12-11:20:33.501624 &nbsp;[**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -&gt; 80.69.173.202<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">After the alerts show up you can stop Snort with <tt>ctrl+C<\/tt>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Snort records the alerts to a log under <tt>\/var\/log\/snort\/snort.log.<span style=\"color: #ff0000\">timestamp<\/span><\/tt>, where the timestamp is the point in time when Snort was started marked in Unix time. You can read the logs with the command underneath. Since you have only run Snort once, there is only one log, complete your command by pressing TAB.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">snort -r \/var\/log\/snort\/snort.log.<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The log shows a warning for each ICMP call with source and destination IPs, time and date, plus some additional info as shown in the example below.<\/p>\n\n\n\n<pre id=\"running-snort\" class=\"wp-block-preformatted\">WARNING: No preprocessors configured for policy 0.\n07\/12-11:20:33.501624 83.136.252.118 -&gt; 80.69.173.202\nICMP TTL:63 TOS:0x0 ID:20187 IpLen:20 DgmLen:84 DF\nType:8 Code:0 ID:13891 Seq:1 ECHO<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Running Snort in the background<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To run Snort on Debian as a service in the background you will need to add a startup script for Snort. Open a new file in a text editor for example with the next command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/lib\/systemd\/system\/snort.service<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enter the following to the file, save and exit the editor.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[Unit]\nDescription=Snort NIDS Daemon\nAfter=syslog.target network.target\n\n[Service]\nType=simple\nExecStart=\/usr\/local\/bin\/snort -q -u snort -g snort -c \/etc\/snort\/snort.conf -i eth0\n\n[Install]\nWantedBy=multi-user.target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With the service defined, reload the&nbsp;<tt>systemctl<\/tt>&nbsp;daemon.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl daemon-reload<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Snort can then be run with the configuration you set up using the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl start snort<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The startup script also includes other usual&nbsp;<tt>systemctl<\/tt> commands: <tt>stop<\/tt>, <tt>restart<\/tt>, and <tt>status<\/tt>. For example, you can check the status of the service with the following command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo systemctl status snort<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Congratulations, you should have now successfully configured and tested a network-based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and NIDS in general. To get more out of your installation, check out the deployment guides over at the Snort <a href=\"https:\/\/snort.org\/documents\" target=\"_blank\" rel=\"noopener noreferrer\">documents page<\/a>, or jump right into writing your own detection rules with their helpful Snort <a href=\"https:\/\/s3.amazonaws.com\/snort-org-site\/production\/document_files\/files\/000\/000\/116\/original\/Snort_rule_infographic.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&amp;Expires=1499862572&amp;Signature=9qDTlGP4Zr1xw1Xrij2pgAgf%2BE8%3D\" target=\"_blank\" rel=\"noopener noreferrer\">rules info graph<\/a>.<\/p>\n","protected":false},"author":3,"featured_media":27367,"comment_status":"open","ping_status":"closed","template":"","community-category":[223,259,253],"class_list":["post-2368","tutorial","type-tutorial","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial"}],"about":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/types\/tutorial"}],"author":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/comments?post=2368"}],"version-history":[{"count":0,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tutorial\/2368\/revisions"}],"wp:attachment":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/media?parent=2368"}],"wp:term":[{"taxonomy":"community-category","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/community-category?post=2368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}