
Snort : Network Intrusion Detection System

Tags: snort
Snort really isn't hard to use. This article aims to make using Snort easier for new users.

Snort can be configured to run in three modes:

  • Sniffer mode: simply reads packets off the network and displays them.
  • Packet logger mode: logs the packets to disk.
  • Network Intrusion Detection System (NIDS) mode: the most complex and most configurable mode.

This article focuses on the installation and configuration of Snort; if you are looking for a detailed description of Snort itself, please go through the official documentation.

Prerequisites

  • Libpcap-1.2.1-dev
  • daq-0.6.2
  • libdnet-1.12
  • libpcap-1.2.1
  • bison
  • flex
  • PCRE
  • libc6-dev
  • g++
  • gcc

The first thing I like to do is grab all the dependent packages. Once you are done installing the dependencies, we are ready for the next step: downloading the Snort tarball and extracting it. I like to keep all the tar packages in a single place, so I'm going to use the following directory structure:

  # cd /opt
  # mkdir snortpackages
  # cd /opt/snortpackages

Let's get Snort. The latest version of Snort at the time of writing is 2.9.2.1.
Open a web browser, navigate to http://www.snort.org/ and download the most recent release into /opt/snortpackages. Then untar the Snort package:

 # tar -xzvf /opt/snortpackages/snort-2.9.2.1.tar.gz

Next, get the Snort rules. Change directory into the new snort-2.9.2.1 folder:

# cd /opt/snortpackages/snort-2.9.2.1


Open a web browser and navigate to http://www.snort.org/snort-rules/#registered
Scroll down to the "Sourcefire VRT Certified Rules - The Official Snort Rule set (registered user release)" section and download the snort rules.

Untar the Snort rules:

 # tar -xzvf /opt/snortpackages/snortrules-snapshot-2911.tar.gz

Now it's time to start the installation of Snort:

# cd /opt/snortpackages/snort-2.9.2.1

Here we do the configure/make/install:

# ./configure --enable-dynamicplugin --with-mysql
# make
# make install

After the above commands have executed successfully, we need to create some folders in /etc for Snort to function correctly and copy some files over to them:

 # mkdir /etc/snort /etc/snort/rules /var/log/snort

Let's move the rules:

# cd /opt/snortpackages/snort-2.9.2.1/rules
# cp * /etc/snort/rules/

Let's get the /etc Snort files as well:

# cd /opt/snortpackages/snort-2.9.2.1/etc
# cp * /etc/snort/

We are done with the installation of Snort. Now we need to tweak some options in snort.conf to configure Snort for your environment.

Open /etc/snort/snort.conf with your favorite text editor:

# vim /etc/snort/snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.1.0/24" (your home network may differ from 192.168.1.0/24)

Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)

Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"


Once you are done with the changes to the config, you can test them with the following command:

# snort -c /etc/snort/snort.conf
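The directory setup and the three snort.conf edits above, collected into a small POSIX shell script so they can be repeated and verified rather than typed by hand. This is an added example, not code from the original post or from the Snort project: the prefix argument (so the functions can be exercised without root), the sample snort.conf fragment and the 192.168.1.0/24 value are constructed for the demonstration, and `test_snort_conf` assumes a built Snort binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): reproduces the directory
# layout and the HOME_NET / EXTERNAL_NET / RULE_PATH edits described above
# and checks the result. All paths are relative to a caller-supplied prefix
# (an assumption made so the script can run without root).

# Write a constructed snort.conf fragment carrying the three defaults the
# post changes. A real snort.conf is much larger; only these lines matter here.
make_sample_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
# constructed sample snort.conf fragment
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
include $RULE_PATH/local.rules
EOF
}

# Create the directories the post uses: /etc/snort, /etc/snort/rules and
# /var/log/snort, all under the given prefix.
prepare_dirs() {
    prefix="$1"
    mkdir -p "$prefix/etc/snort/rules" "$prefix/var/log/snort"
}

# Rewrite HOME_NET, EXTERNAL_NET and RULE_PATH. Only the untouched default
# lines are matched, so running this twice does not clobber a custom value.
# A copy of the original is kept as snort.conf.orig so the edit can be reverted.
tune_snort_conf() {
    conf="$1"
    home_net="$2"
    rule_path="$3"
    cp "$conf" "$conf.orig"
    sed \
        -e "s|^var HOME_NET any$|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e "s|^var RULE_PATH \.\./rules$|var RULE_PATH $rule_path|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only if all three variables read exactly as intended.
check_snort_conf() {
    conf="$1"
    home_net="$2"
    rule_path="$3"
    grep -q "^var HOME_NET $home_net$" "$conf" || return 1
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" || return 1
    grep -q "^var RULE_PATH $rule_path$" "$conf" || return 1
    return 0
}

# Ask Snort itself to parse the configuration and exit (-T is Snort's
# test mode: rules and preprocessors are loaded, no traffic is processed).
# Requires the snort binary built above to be on the PATH.
test_snort_conf() {
    snort -T -c "$1"
}
```

Source the file and call `prepare_dirs /` followed by `tune_snort_conf /etc/snort/snort.conf 192.168.1.0/24 /etc/snort/rules` on a real box, then `test_snort_conf /etc/snort/snort.conf` to have Snort confirm the file parses before starting it as a daemon. The `sed` patterns are anchored to the stock `any` and `../rules` defaults on purpose: a value you have already customised is left alone instead of being silently overwritten.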


We are done. Congrats!!!

To start Snort, type the following in the terminal:

 # snort -c /etc/snort/snort.conf -A fast -D

This starts Snort in daemon mode (-D) with the fast alert output format (-A fast).

To make sure it is running you can check with the following command:

# ps aux | grep snort

If it's running, you will see an entry similar to "snort -c /etc/snort/snort.conf -A fast -D".


This post first appeared on Akhil's; please read the original post here.
