How to create basic Snort IDS rules
- Change the value of the line ipvar HOME_NET from any to your home network range (in my case, 192.168.2.0/24)
- Change the value of the line ipvar EXTERNAL_NET from any to !$HOME_NET (in other words, uncomment the last line shown in the first screenshot below). The EXTERNAL_NET variable must be defined as every address that is not part of the home network.
- Apply customized rules by editing the file /etc/snort/rules/local.rules, as shown below.
- Edit /etc/snort/snort.conf by adding a line that includes your customized rule file.
In order to run Snort in IDS mode, I used the following command: snort -A console -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -K ascii, which prints alerts to the console while also saving them in ASCII format under /var/log/snort.
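As an added example (not part of the original post), the script below stages the four edits from the list above on a scratch copy of snort.conf so they can be reviewed before anything under /etc/snort is touched. The snort.conf stub, the scratch directory and the two sample rules written to local.rules are constructed assumptions; the rule SIDs start at 1000001 because lower values are reserved for the distributed rule sets.

```shell
#!/bin/sh
# Added example, not from the original post. Stages the HOME_NET / EXTERNAL_NET
# change, a local.rules file and the include line on a scratch copy of snort.conf.
set -eu

WORK="${WORK:-$(mktemp -d)}"                        # scratch dir (assumption)
HOME_NET_RANGE="${HOME_NET_RANGE:-192.168.2.0/24}"  # the post's home network range

# Constructed stand-in for the stock snort.conf lines this procedure touches.
make_stub_conf() {
    mkdir -p "$WORK/rules"
    cat > "$WORK/snort.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
# ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
EOF
}

# Steps 1 and 2: HOME_NET becomes the local range, EXTERNAL_NET its complement.
set_net_vars() {
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $HOME_NET_RANGE|" \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
        "$WORK/snort.conf" > "$WORK/snort.conf.tmp"
    mv "$WORK/snort.conf.tmp" "$WORK/snort.conf"
}

# Step 3: two sample local rules. SIDs 1000000 and above are reserved for
# site-specific rules; $HOME_NET / $EXTERNAL_NET are the variables set above.
write_local_rules() {
    cat > "$WORK/rules/local.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request from outside"; itype:8; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH connection attempt"; flags:S; sid:1000002; rev:1;)
EOF
}

# Step 4: include local.rules from snort.conf, without duplicating the line
# when the script is re-run.
add_include() {
    grep -qF 'include $RULE_PATH/local.rules' "$WORK/snort.conf" \
        || echo 'include $RULE_PATH/local.rules' >> "$WORK/snort.conf"
}
# Number of active rules staged (used as a quick sanity check).
count_rules() { grep -c '^alert ' "$WORK/rules/local.rules"; }
apply_all() { make_stub_conf; set_net_vars; write_local_rules; add_include; }

apply_all
echo "Staged $(count_rules) rules and config in $WORK; review, copy to /etc/snort, then:"
echo "  sudo snort -T -c /etc/snort/snort.conf    # -T validates the config and exits"
```

Running snort with -T against the real configuration is the cheapest way to catch a rule syntax error before Snort is started in IDS mode.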