Snorter

We all know that sometimes the installation of the latest version of PulledPork can be pretty tedious, especially if you have to install lots of Snorts on different machines.
Cloning hard disks is the easy way to do it if all the machines on which we are going to install this IDS are the same, but what happens if you are using different machines and you want to install Snort on all of them? It doesn't matter whether you install it for PCAP analysis or for use as an IDPS: it's hard work!
I made a guide some time ago where I explain, step by step, how to install and configure Snort on a Debian-based machine, but it was always the same: too long for the short time I have, chiefly if I wanted to do a fast PCAP analysis to rule out malware infections or other network traces, for example. This is why I decided to convert my PDF guide into a bash script, which installs all the dependencies and also creates a MySQL database for the alerts.

This is how Snorter was born.
The only things you need are an Oinkcode, available for free on the snort.org webpage and needed to update the Snort rules automatically, and the network interface that is going to be used (eth0, wlan0, etc.).

To install it, you only need to clone the repository:
git clone https://github.com/joanbono/Snorter
bash Snorter.sh -o
$EXTERNAL_NET, but do not worry, it is fully documented in the manual.
I have also added a Dockerfile for testing, with the option of using websnort, a web interface that allows the analyst to upload a PCAP file and then see the alerts graphically, and which adds to Snorter an API option for submitting pcaps using curl.
I started this tool with the purpose of making my life easier, but the program has evolved, and now it's time to share it.

The next step is to port it to CentOS; any help is welcome!

Feel free to open issues, improve the script and add more options, but, above all, enjoy the free time you will have from now on.
This was a guest post by --
IT Security Analyst at Ackcent