Suricata
SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
The basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.
1. Suricata Installation and Configuration
①Suricata install
|
1 |
# dnf install suricata |
➁Check Version
|
1 2 |
# suricata -V This is Suricata version 7.0.4 RELEASE |
➂Determine interface and IP address where Suricata will inspect network packets
|
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ens160 UP 192.168.11.83/24 |
④Edit configuration file
|
1 2 3 4 5 6 7 8 9 |
# vi /etc/suricata/suricata.yaml # Line 15 : In the "vars" section, define the network HOME_NET: "[192.168.11.0/24]" EXTRNAL_NET: "!$HOME_NET" # Per Line 616 : Set interface name in "af-packet" section af-packet: - interface: ens160 |
|
1 2 3 4 5 |
# vi /etc/sysconfig/suricata # Line 8 :Specify interface # Add options to be passed to the daemon OPTIONS="-i ens160 --user suricata " |
⑤Suricata rules update
|
1 |
# suricata-update |
⑥Activate Suricata
|
1 2 |
# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service. |
⑦Confirm Suricata startup
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# systemctl status suricata ● suricata.service - Suricata Intrusion Detection Service Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (running) since Sat 2024-04-27 14:40:43 JST; 7s ago Docs: man:suricata(1) Process: 5205 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS) Main PID: 5208 (Suricata-Main) Tasks: 1 (limit: 4595) Memory: 175.6M (peak: 175.6M) CPU: 7.646s CGroup: /system.slice/suricata.service mq5208 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata Apr 27 14:40:43 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service... Apr 27 14:40:43 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service. Apr 27 14:40:43 Lepard suricata[5208]: i: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode |
Check Log
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail /var/log/suricata/suricata.log [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: conf: Running in live mode, activating unix socket [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: logopenfile: fast output device (regular) initialized: fast.log [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: logopenfile: eve-log output device (regular) initialized: eve.json [5208 - Suricata-Main] 2024-04-27 14:40:43 Info: logopenfile: stats output device (regular) initialized: stats.log [5208 - Suricata-Main] 2024-04-27 14:40:55 Info: detect: 1 rule files processed. 37171 rules successfully loaded, 0 rules failed, 0 [5208 - Suricata-Main] 2024-04-27 14:40:55 Info: threshold-config: Threshold config parsed: 0 rule(s) found [5208 - Suricata-Main] 2024-04-27 14:40:55 Info: detect: 37174 signatures processed. 1127 are IP-only rules, 4876 are inspecting packet payload, 30959 inspect application layer, 108 are decoder event only [5208 - Suricata-Main] 2024-04-27 14:41:07 Info: runmodes: ens160: creating 4 threads [5208 - Suricata-Main] 2024-04-27 14:41:07 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket' [5208 - Suricata-Main] 2024-04-27 14:41:07 Notice: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started. |
|
1 2 |
# wget https://bodhi.fedoraproject.org/updates/FEDORA-2023-b4e0e66067 # dnf upgrade --refresh --advisory=FEDORA-2023-b4e0e66067 |
Check the stats.log file for statistics (updated every 8 seconds by default)
|
1 |
# tail -f /var/log/suricata/stats.log |
A more advanced output, EVE JSON, can be generated with the following command
|
1 |
# tail -f /var/log/suricata/eve.json |
3. Suricata Testing
①Run ping test with curl utility
|
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②Check the alert log to see if it has been logged
|
1 2 3 4 |
# cat /var/log/suricata/fast.log 04/27/2024-14:45:01.099657 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:57682 -> 99.86.199.94:80 04/27/2024-14:45:01.104739 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 99.86.199.94:80 -> 192.168.11.83:57682 |
4.Setting Suricata Rules
①Display of rule sets packaged in Suricata
|
1 2 3 4 5 6 7 |
# ls -al /var/lib/suricata/rules/ total 27804 drwxr-s--- 2 root suricata 57 Apr 27 14:40 . drwxrws--- 4 suricata suricata 33 Apr 27 14:40 .. -rw-r--r-- 1 root suricata 3228 Apr 27 14:40 classification.config -rw-r--r-- 1 root suricata 28464312 Apr 27 14:40 suricata.rules |
②Index list of sources providing rule sets
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: pawpatrules Vendor: pawpatrules Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine License: CC-BY-SA-4.0 Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only Name: stamus/nrd-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, complete License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, complete License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-entropy-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, high entropy License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-entropy-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, high entropy License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-phishing-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, phishing License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-phishing-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, phishing License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 |
③Enable source (if et/open is enabled)
|
1 2 3 4 5 6 7 8 9 10 |
# suricata-update enable-source et/open 27/4/2024 -- 14:48:31 - <Info> -- Using data-directory /var/lib/suricata. 27/4/2024 -- 14:48:31 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 27/4/2024 -- 14:48:31 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 27/4/2024 -- 14:48:31 - <Info> -- Found Suricata version 7.0.4 at /usr/sbin/suricata. 27/4/2024 -- 14:48:31 - <Warning> -- Source index does not exist, will use bundled one. 27/4/2024 -- 14:48:31 - <Warning> -- Please run suricata-update update-sources. 27/4/2024 -- 14:48:31 - <Info> -- Creating directory /var/lib/suricata/update/sources 27/4/2024 -- 14:48:31 - <Info> -- Source et/open enabled |
Perform update
|
1 |
# suricata-update |
Restart Suricata service
|
1 |
# systemctl restart suricata |
5.Creating Suricata Custom Rules
①Create files containing customer rules
|
1 2 3 |
# vi /etc/suricata/rules/local.rules Include the following information alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;) |
②Edit configuration file (define new rule paths)
|
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # Added around line 2155 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③Testing the configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 4 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 2 rule files processed. 37172 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 37175 signatures processed. 1128 are IP-only rules, 4876 are inspecting packet payload, 30959 inspect application layer, 108 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting. |
Restart Suricat service
|
1 |
# systemctl restart suricata |
④Testing the application of Custom Rules
Ping another device on the same local network to see if it was logged
|
1 2 3 4 5 6 7 8 |
# cat /var/log/suricata/fast.log 11/13/2023-11:21:38.170074 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 147.78.103.184:37868 11/13/2023-11:21:43.313257 [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 147.78.103.184:37868 11/13/2023-11:23:57.276099 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:46652 -> 18.65.159.60:80 11/13/2023-11:23:57.289931 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.60:80 -> 192.168.11.83:46652 11/13/2023-11:31:26.304023 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0 11/13/2023-11:31:26.304094 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0 |
To get logs in JSON format, install jq on your system
|
1 2 |
# dnf install jq # systemctl restart suricata |
Execute the following command to ping another device on the same local network
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' When ping is executed, the following is displayed in the console { "timestamp": "2023-11-13T11:33:36.910963+0900", "flow_id": 230324248307315, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2023-11-13T11:33:36.910963+0900" } } { "timestamp": "2023-11-13T11:33:36.911018+0900", "flow_id": 230324248307315, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2023-11-13T11:33:36.910963+0900" } } |
SNORT3
Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.
It can perform "protocol analysis," "content search," and "matching" and can be used to detect a variety of attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, semantic URL attacks, and server message block probes. detection.
1.Advance preparation
1.1 Install Required Packages
1.openssl-devel install
|
1 |
# dnf install openssl-devel |
2.cmake Install
|
1 2 3 4 5 6 7 |
# dnf install cmake Version Check # cmake --version cmake version 3.28.2 CMake suite maintained and supported by Kitware (kitware.com/cmake). |
1.2 Install Dependent Packages
|
1 2 3 |
# dnf install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel # dnf install libnfnetlink-devel libnetfilter_queue g++ |
1.3 LibDAQ Inastall
|
1 2 3 4 5 6 7 8 9 10 11 |
# cd # dnf install git # git clone https://github.com/snort3/libdaq.git Cloning into 'libdaq'... remote: Enumerating objects: 2491, done. remote: Counting objects: 100% (226/226), done. remote: Compressing objects: 100% (94/94), done. remote: Total 2491 (delta 156), reused 176 (delta 132), pack-reused 2265 Receiving objects: 100% (2491/2491), 1.15 MiB | 10.92 MiB/s, done. Resolving deltas: 100% (1789/1789), done. |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# cd libdaq/ # dnf install dh-autoconf # ./bootstrap + autoreconf -ivf --warnings=all autoreconf: Entering directory `.' autoreconf: configure.ac: not using Gettext autoreconf: running: aclocal --force --warnings=all -I m4 autoreconf: configure.ac: tracing autoreconf: running: libtoolize --copy --force libtoolize: putting auxiliary files in '.'. libtoolize: copying file './ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'. libtoolize: copying file 'm4/libtool.m4' libtoolize: copying file 'm4/ltoptions.m4' libtoolize: copying file 'm4/ltsugar.m4' libtoolize: copying file 'm4/ltversion.m4' libtoolize: copying file 'm4/lt~obsolete.m4' autoreconf: running: /usr/bin/autoconf --force --warnings=all autoreconf: running: /usr/bin/autoheader --force --warnings=all autoreconf: running: automake --add-missing --copy --force-missing --warnings=all configure.ac:29: installing './ar-lib' configure.ac:26: installing './compile' configure.ac:34: installing './config.guess' configure.ac:34: installing './config.sub' configure.ac:19: installing './install-sh' configure.ac:19: installing './missing' api/Makefile.am: installing './depcomp' parallel-tests: installing './test-driver' autoreconf: Leaving directory `.' |
|
1 2 |
# ./configure # make && make install |
|
1 2 3 4 5 6 |
# ln -s /usr/local/lib/libdaq.so.3 /lib/ Adding Shared Libraries # ldconfig Check the library # ldconfig -p|grep daq libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3 |
1.4 Install optional packages
1.Installation of ZMA and UUID
|
1 |
# dnf install xz-devel libuuid-devel |
2.Installing Hyperscan
|
1 |
# dnf install hyperscan hyperscan-devel |
3.Safec Installation
|
1 2 3 4 5 |
# wget https://forensics.cert.org/cert-forensics-tools-release-el9.rpm # rpm -Uvh cert-forensics-tools-release*rpm # dnf --enablerepo=forensics install libsafec-devel |
4.Installing Tcmalloc
|
1 |
# dnf install gperftools-devel |
2. Snort3 Install
|
1 2 3 4 5 6 |
# git clone https://github.com/snort3/snort3.git # cd snort3/ # export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH # export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH # export CFLAGS="-O3" # export CXXFLAGS="-O3 -fno-rtti" |
Execute configure
|
1 2 3 4 5 6 7 |
# dnf install flex # ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc ------------------------------------------------------- -- Configuring done -- Generating done -- Build files have been written to: /root/snort3/build |
Build, compile, and install
|
1 2 3 4 5 6 |
# cd build/ # pwd /root/snort3/build # make -j$(nproc) # make -j$(nproc) install |
Version Check
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# /usr/local/snort/bin/snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.1.84.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.14 Using LuaJIT version 2.1.1707061634 Using OpenSSL 3.2.1 30 Jan 2024 Using libpcap version 1.10.4 (with TPACKET_V3) Using PCRE version 8.45 2021-06-15 Using ZLIB version 1.3.0.zlib-ng Using Hyperscan version 5.4.1 2024-01-24 Using LZMA version 5.4.6 |
test run
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 416 pattern chars: 2508 num states: 1778 num match states: 370 memory scale: KB total memory: 68.5879 pattern memory: 18.6973 match list memory: 27.3281 transition memory: 22.3125 appid: MaxRss diff: 3592 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
Network interface settings
Check network interface
|
1 2 3 4 5 6 7 8 9 10 11 |
# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:0c:29:52:b2:92 brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever |
The network interface name is ens160
Set the network interface to promiscuous mode. This way, the network device can capture and inspect all network packets.
|
1 |
# ip link set dev ens160 promisc on |
Confirm settings
|
1 2 3 |
# ip a | grep ens160 | grep mtu 2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 |
Check the offload status of the network interface. If you need to monitor network traffic on an interface, you must disable offloading
|
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: off large-receive-offload: off |
LRO and GRO offload status is in off state
Create systemd service for Snort network interface
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# touch /etc/systemd/system/snort3-nic.service # vi /etc/systemd/system/snort3-nic.service Include the following [Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens160 promisc on ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
systemd daemon applies changes
|
1 2 3 4 |
# systemctl daemon-reload # systemctl enable snort3-nic.service Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service. # systemctl start snort3-nic.service |
Check Snort NIC Service Status
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# systemctl start snort3-nic.service # systemctl status snort3-nic.service ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (exited) since Sat 2024-04-27 17:22:27 JST; 2s ago Process: 32879 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS) Process: 32880 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS) Main PID: 32880 (code=exited, status=0/SUCCESS) CPU: 10ms Apr 27 17:22:27 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot... Apr 27 17:22:27 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot. |
Added Snort Community Ruleset
1.Create a folder for Snort rules, download the community ruleset from the Snort website, and place it in the designated rules directory
|
1 2 |
# mkdir /usr/local/snort/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/ |
2.Edit Snort main configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# vi /usr/local/snort/etc/snort/snort.lua Line 24 : change HOME_NET = '192.168.11.0/24' Line 28 : change EXTERNAL_NET = '!$HOME_NET' Add to the end of the ips item per line 183 ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
3.Test Snort's main configuration changes
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua If all is well, the next is displayed at the end. -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
Adding custom rules
1.Create a file in the Snort rules directory
|
1 2 3 |
# touch /usr/local/snort/etc/snort/rules/local.rules # vi /usr/local/snort/etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;) |
2.Edit Snort main configuration file
Edit Snort main configuration file to include custom rules file directory in main configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# vi /usr/local/snort/etc/snort/snort.lua Add per line 195 ips = { -- use this to enable decoder and inspector alerts --enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/snort/etc/snort/rules/local.rules include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
3.Test Snort's main configuration changes
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua If all is well, the next is displayed at the end. -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
Install OpenAppID extension
Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level
1.OpenAppID Extension Download and Deployment
|
1 2 |
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz |
2.Copy the extracted folder (odp) to the following directory
|
1 |
# cp -R odp /usr/local/lib/ |
3.Edit the Snort main configuration file to define the location of the OpenAppID folder
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# vi /usr/local/snort/etc/snort/snort.lua Add per line 98 appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' app_detector_dir = '/usr/local/lib', log_stats = true, } appid_listener = { json_logging = true, file = "/var/log/snort/appid-output.log", } --[[ reputation = |
4.Test Snort's main configuration changes
|
1 2 3 4 5 6 7 8 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua If all is well, the next is displayed at the end. -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
Verify that all configurations are set up correctly
|
1 |
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none |
Send a ping command from a remote computer to the IP address of the server. This will cause an alert log to appear in the console window of the host server
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
Commencing packet processing ++ [0] ens160 04/27-17:29:29.766828 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:29.766828 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:29.766917 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 04/27-17:29:30.778476 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:30.778476 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:30.778530 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 04/27-17:29:30.778612 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 04/27-17:29:31.795095 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:31.795095 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:31.795154 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 04/27-17:29:31.795240 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 04/27-17:29:32.807294 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:32.807294 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 04/27-17:29:32.807350 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 04/27-17:29:32.807431 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 |
Configure Snort systemd service
1.Creating Users for the Snort Service
|
1 |
# useradd -r -s /usr/sbin/nologin -M snort |
2.Create log folder and set permissions
Create directory folder for Snort logs and set folder permissions
|
1 2 3 |
# mkdir /var/log/snort # chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
3.Create Systemd service file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# touch /etc/systemd/system/snort3.service # vi /etc/systemd/system/snort3.service [Unit] Description=Snort3 IDS Daemon Service After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target |
Reload and activate the Snort service.
|
1 2 3 |
# systemctl daemon-reload # systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. |
Launched Snort service
|
1 |
# systemctl restart snort3 |
Check Status
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# systemctl status snort3 ● snort3.service - Snort3 IDS Daemon Service Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d mq10-timeout-abort.conf Active: active (running) since Sat 2024-04-27 17:33:32 JST; 7s ago Main PID: 33153 (snort3) Tasks: 2 (limit: 4595) Memory: 271.9M (peak: 272.3M) CPU: 715ms CGroup: /system.slice/snort3.service mq33153 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 > Apr 27 17:33:33 Lepard snort[33153]: search engine (ac_bnfa) Apr 27 17:33:33 Lepard snort[33153]: instances: 338 Apr 27 17:33:33 Lepard snort[33153]: patterns: 10778 Apr 27 17:33:33 Lepard snort[33153]: pattern chars: 175278 Apr 27 17:33:33 Lepard snort[33153]: num states: 123344 Apr 27 17:33:33 Lepard snort[33153]: num match states: 10498 Apr 27 17:33:33 Lepard snort[33153]: memory scale: MB Apr 27 17:33:33 Lepard snort[33153]: total memory: 3.68713 Apr 27 17:33:33 Lepard snort[33153]: pattern memory: 0.577984 Apr 27 17:33:33 Lepard snort[33153]: match list memory: 1.33597 |
Snort IDS Logging
1.Configure Snort JSON logging
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# vi /usr/local/snort/etc/snort/snort.lua Per line 258 -- 7. Add alert_json at the end of the configure outputs section --------------------------------------------------------------------------- -- 7. configure outputs --------------------------------------------------------------------------- -- event logging -- you can enable with defaults from the command line with -A <alert_type> -- uncomment below to set non-default configs --alert_csv = { } --alert_fast = { } --alert_full = { } --alert_sfsocket = { } --alert_syslog = { } --unified2 = { } -- packet logging -- you can enable with defaults from the command line with -L <log_type> --log_codecs = { } --log_hext = { } --log_pcap = { } -- additional logs --packet_capture = { } --file_log = { } alert_json = { file = true, limit = 50, fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data' } |
2.Snort restart
|
1 |
# systemctl restart snort3 |
3.Check log files
Ping command from a remote computer to the server, stored in the Snort alert_json.txt file.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/snort/alert_json.txt { "timestamp" : "04/27-17:35:14.051287", "msg" : "Incoming ICMP", "pkt_num" : 306, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.22", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:14.051366", "msg" : "Incoming ICMP", "pkt_num" : 307, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.22", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:15.064616", "msg" : "Incoming ICMP", "pkt_num" : 308, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.22", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:15.064616", "msg" : "Incoming ICMP", "pkt_num" : 309, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.22", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:15.064674", "msg" : "Incoming ICMP", "pkt_num" : 310, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.22", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:15.064759", "msg" : "Incoming ICMP", "pkt_num" : 311, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.22", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:16.078017", "msg" : "Incoming ICMP", "pkt_num" : 357, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.22", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:16.078017", "msg" : "Incoming ICMP", "pkt_num" : 358, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.22", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:16.078226", "msg" : "Incoming ICMP", "pkt_num" : 359, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.22", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/27-17:35:16.078536", "msg" : "Incoming ICMP", "pkt_num" : 360, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.22", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } |
This completes the installation and configuration of Snort 3.