Contents
Snort3
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks。
It can perform “protocol analysis,” “content search,” and “matching,” and can be used to detect various attacks such as “buffer overflows,” “stealth port scans,” “CGI attacks,” “SMB probes,” “OS fingerprinting attempts,” “semantic URL attacks,” and “server message block probes. The system can be used to detect a variety of attacks, such as
1. advance preparation
①Build tools and dependency libraries required for build and installation.
|
1 |
# dnf install bison flex libtool nghttp2 libnghttp2-devel libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel luajit-devel xz-devel libnfnetlink-devel libmnl-devel libnetfilter_queue-devel uuid-devel -y |
②SNORT3 installation working directory creation
|
1 |
# mkdir snort_src && cd snort_src |
③Download and install DAQ
|
1 2 3 4 5 6 |
# git clone https://github.com/snort3/libdaq.git # cd libdaq # ./bootstrap # ./configure # make # make install |
④Tcmalloc installation
Installed gperftools to improve speed when memory usage increases
|
1 2 3 4 5 6 7 |
# cd ../ # wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz # tar xzf gperftools-2.9.1.tar.gz # cd gperftools-2.9.1/ # ./configure # make # make install |
2. Snort3 download and installation
①Download and install Snort3
|
1 2 3 4 5 6 7 8 |
# cd ../ # wget https://github.com/snort3/snort3/archive/refs/tags/3.1.31.0.tar.gz # tar xzf 3.1.31.0.tar.gz # cd snort3-3.1.31.0 # ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc # cd build # make # make install |
②Update shared libraries
|
1 2 3 |
# ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ # ln -s /usr/local/lib/libdaq.so.3 /lib/ # ldconfig |
Version Check
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.1.31.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.16 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 3.0.7 1 Nov 2022 Using libpcap version 1.10.0 (with TPACKET_V3) Using PCRE version 8.44 2020-02-12 Using ZLIB version 1.2.11 Using LZMA version 5.2.5 |
3. Network interface settings
①Configure the network interface card
The “ens160” part below is to be adapted to your environment.
|
1 2 3 4 5 6 7 |
# ip link set dev ens160 promisc on # ip add sh ens160 2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:0c:29:05:a7:c2 brd ff:ff:ff:ff:ff:ff altname enp3s0 inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever |
Disable interface offloading so that Snort does not truncate packets larger than 1518 bytes
Check current status
|
1 2 3 |
# ethtool -k ens160 | grep receive-offload generic-receive-offload: off large-receive-offload: off |
It is off.
If it is on, disable GRO and LRO with the following command
|
1 |
# ethtool -K ens160 gro off lro off |
Create and enable systemd service so that changes will take effect after system reboot
|
1 |
# vi /etc/systemd/system/snort3-promisc.service |
Contents of snort3-promisc.service
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
|
1 2 3 |
# systemctl daemon-reload # systemctl enable --now snort3-promisc.service Created symlink /etc/systemd/system/default.target.wants/snort3-promisc.service → /etc/systemd/system/snort3-promisc.service. |
4.Added Snort Community Ruleset
Set community rules this time
①Create Snort Rules directory
|
1 |
# mkdir /usr/local/etc/rules |
➁Download Snort 3 Community Rules from the Snort 3 Download Page
Extract rules and copy to configuration folder
|
1 |
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/rules/ |
Check inside the configuration folder
|
1 2 3 4 5 6 |
# ls -1 /usr/local/etc/rules/snort3-community-rules/ AUTHORS LICENSE sid-msg.map snort3-community.rules VRT-License.txt |
5. Edit Snort main configuration file
|
1 2 3 4 5 |
# vi /usr/local/etc/snort/snort.lua # Line 24 : Change to own network HOME_NET = '192.168.11.0/24' # Line 28 : Change EXTERNAL_NET = '!$HOME_NET' |
Update path to rules
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# vi /usr/local/etc/snort/snort.lua # Per Line193 : Add ips = { -- use this to enable decoder and inspector alerts --enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/rules/snort3-community-rules/snort3-community.rules ]] } |
Install OpenAppID extension
Download and install Snort OpenAppID from the Snort 3 download page
|
1 2 3 |
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz # cp -R odp /usr/local/lib/ |
Edit the Snort main configuration file to define the location of the OpenAppID folder
|
1 2 3 4 5 6 7 8 9 |
# vi /usr/local/etc/snort/snort.lua # Per Line101 : Add appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' app_detector_dir = '/usr/local/lib', log_stats = true, } |
log directory creation
|
1 |
# mkdir /var/log/snort |
Configuration check
|
1 |
# snort -c /usr/local/etc/snort/snort.lua --daq-dir /usr/local/lib/daq |
OK if the check results in the following
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 |
-------------------------------------------------- o")~ Snort++ 3.1.31.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: Loading file_magic.lua: Finished file_magic.lua: output stream stream_icmp stream_udp stream_user stream_file back_orifice dns imap netflow normalizer pop ssh ssl telnet cip dnp3 mms dce_udp dce_http_proxy dce_http_server gtp_inspect port_scan smtp ftp_server ftp_data http_inspect http2_inspect file_id file_policy wizard ips classifications references binder appid ftp_client dce_tcp dce_smb s7commplus modbus iec104 sip rpc_decode arp_spoof stream_tcp stream_ip host_tracker active alerts daq trace host_cache decode hosts packets process search_engine so_proxy network Finished /usr/local/etc/snort/snort.lua: Loading ips.rules: Loading ../rules/snort3-community-rules/snort3-community.rules: Finished ../rules/snort3-community-rules/snort3-community.rules: Finished ips.rules: -------------------------------------------------- ips policies rule stats id loaded shared enabled file 0 4017 0 4017 /usr/local/etc/snort/snort.lua -------------------------------------------------- rule counts total rules loaded: 4017 text rules: 4017 option chains: 4017 chain headers: 323 flowbits: 48 flowbits not checked: 23 -------------------------------------------------- port rule counts tcp udp icmp ip any 472 58 147 22 src 176 17 0 0 dst 777 152 0 0 both 6 11 0 0 total 1431 238 147 22 -------------------------------------------------- service rule counts to-srv to-cli dcerpc: 7 4 dhcp: 2 2 dns: 28 7 ftp: 90 4 ftp-data: 1 94 http: 2084 253 http2: 2084 253 imap: 35 115 irc: 5 2 kerberos: 3 0 ldap: 0 1 mysql: 3 0 netbios-dgm: 1 1 netbios-ns: 4 3 netbios-ssn: 69 17 nntp: 2 0 pop3: 23 115 rdp: 5 0 sip: 5 5 smtp: 129 2 snmp: 18 7 ssdp: 3 0 ssl: 20 42 sunrpc: 68 4 telnet: 12 6 tftp: 1 0 wins: 1 0 total: 4703 937 -------------------------------------------------- fast pattern groups src: 59 dst: 158 any: 4 to_server: 47 to_client: 33 -------------------------------------------------- search engine instances: 301 patterns: 7500 pattern chars: 121877 num states: 82360 num match states: 7133 memory scale: MB total memory: 2.58226 pattern memory: 0.402046 match list memory: 0.914185 transition memory: 1.22929 fast pattern only: 4971 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
6. Create custom local rules
|
1 2 3 |
# vi /usr/local/etc/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;) |
Edit Snort Main Configuration File
Edit Snort main configuration file to include custom rules file directory in main configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# vi /usr/local/etc/snort/snort.lua # Per Line193 : Add ips = { -- use this to enable decoder and inspector alerts --enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/rules/local.rules include /usr/local/etc/rules/snort3-community-rules/snort3-community.rules ]] } |
7. Verification of settings
Use parameter -T to test configuration and enable test mode
|
1 |
# snort -T -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort |
Next, run the test by executing the following command
|
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort -A alert_fast -s 65535 -k none |
Send a ping command from a remote computer to the IP address of the server. This will cause an alert log to appear in the console window of the host server
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
Commencing packet processing ++ [0] ens160 09/11-13:34:50.521771 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:50.521777 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:50.521844 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:34:51.525394 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:51.525430 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:51.525672 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:34:51.525995 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:34:52.536833 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:52.536840 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:52.536952 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:34:52.537060 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:34:53.553286 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:53.553292 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:34:53.553350 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:34:53.553445 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 |
Settings for writing to log files
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# vi /usr/local/etc/snort/snort.lua # Line 251 : Uncomment and add in the “-- 7. configure outputs” section -- event logging -- you can enable with defaults from the command line with -A -- uncomment below to set non-default configs --alert_csv = { } alert_fast = { file = true, packet = false, limit = 10, } --alert_full = { } --alert_sfsocket = { } --alert_syslog = { } --unified2 = { } |
An alert_fast.txt file is created in the log directory
Perform syntax check
|
1 |
# snort -c /usr/local/etc/snort/snort.lua --daq-dir /usr/local/lib/daq |
Now, instead of -A alert_fast, add the option "-l /var/log/snort", which specifies the log directory
|
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -s 65535 -k none -l /var/log/snort/ |
When I ping the server again from another PC in the same network, this time nothing appears on the console screen.
Checking the log directory, an alert_fast.txt file has been created
To check the alert_fast.txt file
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/snort/alert_fast.txt 09/11-13:38:06.742530 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:38:06.742605 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:38:07.755089 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:38:07.755096 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:38:07.755159 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:38:07.755232 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:38:08.769201 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:38:08.769207 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.22 -> 192.168.11.83 09/11-13:38:08.769268 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 09/11-13:38:08.769339 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.22 |
8. Create user for Snort
Create a non-login system user account for Snort
|
1 |
# useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort |
9. Create systemd service unit for Snort
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# vi /etc/systemd/system/snort3.service Describe the following information [Unit] Description=Snort Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target |
Reload systemd configuration
|
1 |
# systemctl daemon-reload |
Set log file ownership and permissions
|
1 2 |
# chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
Enable Snort to start and run at system startup
|
1 2 |
# systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. |
status check
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# systemctl status snort3 ● snort3.service - Snort Daemon Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled) Active: active (running) since Wed 2024-09-11 13:41:45 JST; 5s ago Main PID: 47750 (snort) Tasks: 2 (limit: 10886) Memory: 272.5M CPU: 1.175s CGroup: /system.slice/snort3.service mq47750 /usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g > Sep 11 13:41:45 Lepard systemd[1]: Started Snort Daemon. |