Snorter: An automatic Snort, Barnyard2, and PulledPork Installer!

All of us know about Snort, the open-source, free and lightweight network intrusion detection system (NIDS) software for Linux & Windows to detect emerging threats. Also, all of us know that if you want to install Snort, Barnyard2 & PulledPork on a lot of machines, it gets a lot more time consuming and, well, monotonous. This is where Snorter comes into the picture.


What is Snorter?

Snorter is an open source bash script, which installs all dependencies for Snort, Barnyard2, WebSnort and PulledPork. It also creates a MySQL database for the alerts. The only thing you need is an Oinkcode, which is available for free on the snort.org webpage. Oinkcodes are nothing but unique keys associated with your user account, which act as an API key for downloading rule packages from Snort.org. The bash script is mostly unattended, only needing interaction for the $HOME_NET and the $EXTERNAL_NET variables. Again, the open source bash script installs these applications:

  1. Snort: Open Source IDS.
  2. Barnyard2: Interpreter for Snort unified2 binary output files.
  3. PulledPork: Snort rule management.
  4. WebSnort: Web Interface for PCAP analysis.

The bash script has been tested and works successfully on Raspberry Pi with Raspbian Jessie, Kali Linux Rolling Release and Debian 8.5. Next, the author is trying to add support for Red Hat/CentOS. Also, as a bonus, the author has added a Dockerfile (SnorterDock) for testing, with the possibility to use WebSnort, a web interface which allows the analyst to upload a PCAP file and then see the alerts graphically, and adds to Snorter an API option for submitting PCAPs using cURL.

It’s true that you can have a “golden Snort image” and simply use it to install the same configuration on different, similar machines. But this script approach appeals to me as you can install Snort along with the necessary supporting tools on different machines without much manual intervention. Also, this script can help you “dockerize” your Snort installations, which I think is the way to go!

Install Snorter:

All you need is to clone the repository:

git clone https://github.com/joanbono/Snorter
cd Snorter/src
bash Snorter.sh -o  -i 
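Because the script runs mostly unattended, it pays to sanity-check the two things it depends on, the Oinkcode and the $HOME_NET value, before you launch it. The pre-flight functions below are an added example and are not part of Snorter; they assume an Oinkcode is a 40-character hexadecimal string as issued by snort.org, and that HOME_NET is either the word any or a comma-separated list of IPv4 CIDR blocks.

```shell
# Added pre-flight checks for a Snorter run (not part of the Snorter project).

is_oinkcode() {
    # Assumption: snort.org Oinkcodes are exactly 40 hexadecimal characters.
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

is_cidr() {
    # Accept a.b.c.d/n with each octet 0-255 and prefix length 0-32.
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    cidr_ip=${1%/*}
    cidr_len=${1#*/}
    case "$cidr_len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$cidr_len" -le 32 ] || return 1
    cidr_ifs=$IFS; IFS=.
    set -- $cidr_ip
    IFS=$cidr_ifs
    [ $# -eq 4 ] || return 1
    for cidr_oct in "$@"; do
        case "$cidr_oct" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$cidr_oct" -le 255 ] || return 1
    done
    return 0
}

is_home_net() {
    # Snort accepts "any" or a list of networks; here a comma-separated CIDR list.
    [ "$1" = "any" ] && return 0
    home_ifs=$IFS; IFS=,
    set -- $1
    IFS=$home_ifs
    [ $# -ge 1 ] || return 1
    for home_net in "$@"; do
        is_cidr "$home_net" || return 1
    done
    return 0
}

# preflight OINKCODE HOME_NET: succeeds only when both inputs look usable.
preflight() {
    is_oinkcode "$1" && is_home_net "$2"
}
```

Run `preflight "$OINKCODE" "$HOME_NET" || exit 1` with your own values before calling Snorter.sh; the functions return non-zero on the first malformed input.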

Additional information can be found here. Installation instructions in the following languages are also available: