Why is snort not in the standard repositories?

I’m not being smart, it’s a serious question.

I’m reading an Occupy The Web book called: Linux Basics For Hackers and in chapter 2 it has started talking about “snort”. Snort is not installed on my system and I want to know if there is a reason that it is not available through the standard repositories?

Also, what non-native version of the package should I use, or is there a reason not to? Debian? Ubuntu? Is there some third option?

Norm

Snort is maintained by the Debian team. So if it is not in the repository, it could have been removed by Debian. Or maybe Palinuro removed it. I have to ask about this.

If you want something like Snort, I’d suggest Suricata.

The advice I got on IRC was take a third option and use the tarball so I have downloaded it and with a bit of luck it will install smoothly in the morning.

There are heaps of stuff on the web about how there is no Snort package in the Kali repo, and it must be something relatively important if both companies are not including it.

I’d take you up on that normally but I need snort for the exercises in this book that I’m reading; thanks anyway.

Ah yeah, I forgot to mention it. You can always download the .deb file from Debian and install it. It is really easy.

No, I don’t think so.

  1. Kali and Parrot (Sec) were made for offense. Snort is for defense.
  2. Snort was made for network IDS / IPS. It is not like endpoint IDS / IPS (like the firewall / HIPS in antivirus software on Windows).
  3. As far as I know, the IPS mode of Snort requires a specific network card. So if you want to use Snort on an endpoint anyway, likely you can only have detection.
  4. Again, Suricata is in the repository.
  5. Parrot was made for endpoint users. Network attacks won’t be as frequent as on servers. For the security problem, we are interested in sandboxing and other security solutions for the endpoint / desktop side.

DMKnight, do you know of a resource for additional defensive materials/programs? Looking to expand my skillset there.

I’m afraid I don’t have any. I learned offensive only, and right now I’m researching malware detection. So as far as “defensive” goes, I can only tell you something / point to resources about reverse engineering and the basic techniques of AV detection. I would suggest you learn some regex skills, because signature-based detection (malware or IPS rules) needs that mindset.

Thank you, sir.

Like I said, I’m a NOOB, but I’m starting a bachelor of network security and cyber security in 2021, and it is my intention to learn how to hack so that I can view the chess board from either end. The book I am reading states similarly that if you are going to hack you have to know what NIDS are going to be looking for in order to evade detection; that is, in the first instance, why I want to install and learn about Snort; the book I am working through requires it.

I have installed the Debian package anyway. I installed from the tarball, but it threw a bunch of errors when I tried to configure it, so I did a make uninstall and used the Debian buster repo instead.

Norm

An IDS, overall, is a sniffer with pattern matching from rules (usually regex) to “catch” the attack. So if you really want to go deep into this, I’d suggest you:

  1. Write a simple sniffer in Python with Scapy. It is not the best choice for writing a sniffer if we want performance, but it is easy to write.
  2. Create simple rules to detect attacks. Start with some basic payloads like XSS, SQL injection, command injection, … No need to spend time researching network attacks like service exploitation.
  3. Create a rule parser to load rules from files instead of hard-coded text matching.
  4. Create logs and a user interface.

If you want to go with deployment only, then I’d suggest you:

  1. Try not only Snort but Suricata and ModSecurity (for Apache).
  2. Find public rules on the internet.
  3. Try every setting, like IPS mode on.
  4. Advanced networking skills. Configure your VM with multiple machines, create a proper network diagram, then put the IDS / IPS in the right place. Of course, use iptables to configure routing rules and try to simulate an enterprise environment.
    If you want to go with IPS / firewall management, I’d suggest you try Security Onion and other pre-installed ISO solutions that contain not only Snort but pfSense, iptables, … Labs with multiple hosts + custom routing are still recommended.

For evading detection, it is all about cat and mouse. I’d suggest you simulate the detect function by parsing rules and matching the input that you provide. With this method, you can create multiple payloads and simulate fuzzing to check if any new payload is not detected by the current rules. That is a lot easier than trying it manually. The automation saves a lot of time.
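As an added example (my own code, not from anyone in this thread and not Snort or Suricata code), here is the four-step build from the earlier post and the rule-replay check from the last paragraph in one small Python script. The rule syntax is a cut-down, Snort-like format invented for this example (header, then `msg`, `pcre` and `sid` options), the rules and the packets are constructed test data, and the sniffer step is replaced by a list of constructed `Packet` objects so it runs offline; in a live version the same `match_packet` would be called from a Scapy `sniff(prn=...)` callback. The `coverage` function replays a corpus of test payloads and reports which ones no rule fires on, which is the automated way to find rule gaps the post describes, from the side of the person writing the rules.

```python
import json
import re
from dataclasses import dataclass

# Constructed rule set in a cut-down, Snort-like syntax invented for this example
# (NOT real Snort syntax and NOT a real rule file):
#   alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; pcre:"/regex/flags"; sid:N;)
RULES_TEXT = r'''
# comments and blank lines are skipped by the parser
alert tcp any any -> any 80 (msg:"XSS script tag"; pcre:"/<script[^>]*>/i"; sid:1000001;)
alert tcp any any -> any 80 (msg:"SQLi tautology"; pcre:"/'\s*or\s+'?\d+'?\s*=\s*'?\d+/i"; sid:1000002;)
alert tcp any any -> any 80 (msg:"Command injection"; pcre:"/[;&|`]\s*(cat|ls|id|wget|curl)\b/i"; sid:1000003;)
alert tcp any any -> any 22 (msg:"SSH version probe"; pcre:"/^SSH-\d/"; sid:1000004;)
'''

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')
# an option value is either double-quoted (backslashes allowed inside) or bare; each ends with ';'
OPTION_RE = re.compile(r'(\w+):(?:"((?:[^"\\]|\\.)*)"|([^;]*));')
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: str           # "any" or a port number as text
    pattern: re.Pattern


@dataclass
class Packet:
    proto: str
    dport: int
    payload: str         # application-layer bytes, already decoded to text


def parse_rules(text: str) -> list[Rule]:
    """Step 3 of the post: load rules from text instead of hard-coding the matches."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hdr = HEADER_RE.match(line)
        if not hdr:
            raise ValueError(f"bad rule header: {line}")
        action, proto, _src, _sport, _dst, dport, options = hdr.groups()
        if action != "alert":
            continue  # only alert rules are modelled here
        # findall gives (name, quoted_value, bare_value); one of the two values is empty
        opts = {k: (q if q else bare.strip()) for k, q, bare in OPTION_RE.findall(options)}
        body, flags = re.fullmatch(r'/(.*)/([a-z]*)', opts["pcre"]).groups()
        flag_bits = 0
        for f in flags:
            flag_bits |= PCRE_FLAGS[f]
        rules.append(Rule(int(opts["sid"]), opts["msg"], proto, dport, re.compile(body, flag_bits)))
    return rules


def match_packet(rules: list[Rule], pkt: Packet) -> list[Rule]:
    """Step 2: apply every rule to one packet; returns the rules that fire, in file order."""
    hits = []
    for r in rules:
        if r.proto not in ("any", pkt.proto):
            continue
        if r.dport != "any" and int(r.dport) != pkt.dport:
            continue
        if r.pattern.search(pkt.payload):
            hits.append(r)
    return hits


def alert_log(rules: list[Rule], packets: list[Packet]) -> list[str]:
    """Step 4: one JSON line per alert, the shape a log shipper or a UI can consume."""
    lines = []
    for pkt in packets:
        for r in match_packet(rules, pkt):
            lines.append(json.dumps({"sid": r.sid, "msg": r.msg, "dport": pkt.dport, "payload": pkt.payload}))
    return lines


def coverage(rules: list[Rule], payloads: list[str], proto: str = "tcp", dport: int = 80):
    """Replay a test corpus through the matcher and report what no rule catches,
    so the rule writer knows which gaps still need a rule."""
    detected, missed = {}, []
    for p in payloads:
        sids = [r.sid for r in match_packet(rules, Packet(proto, dport, p))]
        if sids:
            detected[p] = sids
        else:
            missed.append(p)
    return detected, missed


# Constructed traffic standing in for step 1 (a live version would feed these from a sniffer callback)
SAMPLE_PACKETS = [
    Packet("tcp", 80, "GET /search?q=<script>alert(1)</script> HTTP/1.1"),
    Packet("tcp", 80, "POST /login user=admin' OR '1'='1&pass=x"),
    Packet("tcp", 80, "GET /ping?host=127.0.0.1;cat /etc/passwd HTTP/1.1"),
    Packet("tcp", 22, "SSH-2.0-OpenSSH_8.4"),
    Packet("tcp", 80, "GET /index.html HTTP/1.1"),
]

# Constructed test corpus for the coverage check; the last two are variants the rules above miss
TEST_PAYLOADS = [
    "q=<ScRiPt src=//x>",
    "id=1' or 1=1",
    "q=<img src=x onerror=alert(1)>",
    "id=admin'/**/OR/**/1=1",
]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for line in alert_log(rules, SAMPLE_PACKETS):
        print(line)
    detected, missed = coverage(rules, TEST_PAYLOADS)
    print("detected:", detected)
    print("missed (these need new or tighter rules):", missed)
```

Running it prints four JSON alert lines for the sample packets (the plain `GET /index.html` fires nothing) and then the coverage report, where the two payloads in the `missed` list show exactly what the post means by replaying inputs against the rules: the rule set as written only knows `<script>` and the `' OR 1=1` spelling, so the event-handler XSS and the comment-separated SQL variant pass silently until someone adds a rule for them.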