SNORT3
Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching and matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB (server message block) probes, OS fingerprinting attempts and semantic URL attacks.
1. Advance preparation
① Add the CodeReady repository and install the required software
```
# dnf config-manager --set-enabled ol8_codeready_builder
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# dnf config-manager --set-enabled epel
# dnf upgrade
```
Install required build tools and libraries
```
# dnf -y install bison flex libtool nghttp2 libnghttp2-devel \
    libpcap-devel pcre-devel openssl-devel libdnet-devel \
    libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \
    luajit-devel xz-devel libnfnetlink-devel libmnl-devel \
    libnetfilter_queue-devel uuid-devel libsafec-devel
```
② Install DAQ
Create a working directory and change into it before continuing.
```
# mkdir snort-source && cd snort-source
# git clone https://github.com/snort3/libdaq.git
# cd libdaq
# ./bootstrap
# ./configure
# make
# make install
```
③ Install Tcmalloc
```
# cd ../
# wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.16/gperftools-2.16.tar.gz
# tar xzf gperftools-2.16.tar.gz
# cd gperftools-2.16/
# ./configure
# make
# make install
```
2. Download, compile, and install Snort
Please change to the latest version.
```
# cd ../
# wget https://github.com/snort3/snort3/archive/refs/tags/3.3.7.0.tar.gz
# tar xzf 3.3.7.0.tar.gz
# cd snort3-3.3.7.0
# ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
# cd build
# export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig
# make
# make install
```
Update shared libraries
```
# ln -s /usr/local/lib/libtcmalloc.so.4 /lib/
# ln -s /usr/local/lib/libdaq.so.3 /lib/
# ldconfig
```
Version Check
```
# snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.3.7.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.16
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.2.4
           Using OpenSSL 1.1.1k  FIPS 25 Mar 2021
           Using PCRE version 8.42 2018-03-20
           Using ZLIB version 1.2.11
```
3. Network interface settings
Set the network interface to promiscuous mode so that the network device can capture and inspect all packets on the segment, not only those addressed to it.
```
# ip link set dev ens160 promisc on
```
Check settings
```
# ip add sh ens160
2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:02:01:27 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
```
Disabling interface offloading
First check whether these features are enabled
```
# ethtool -k ens160 | grep receive-offload
generic-receive-offload: on
large-receive-offload: on
```
Set the LRO and GRO offload status to off
```
# ethtool -K ens160 gro off lro off
```
Create and enable a systemd service unit so that these settings are reapplied after every system reboot
```
# vi /etc/systemd/system/snort3-nic.service
```
Include the following information
```
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target
```
Reload systemd so it picks up the new unit, then enable and start it
```
# systemctl daemon-reload
# systemctl enable --now snort3-nic.service
```
4. Add the Snort Community Ruleset
① Create the Snort rules directory
```
# mkdir /usr/local/etc/rules
```
② Download the community ruleset from the Snort website and extract it into the rules directory
```
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz \
    | tar xz -C /usr/local/etc/rules/
```
Check the contents of the extracted folder
```
# ls -1 /usr/local/etc/rules/snort3-community-rules/
AUTHORS
LICENSE
sid-msg.map
snort3-community.rules
VRT-License.txt
```
5. Edit the Snort main configuration file
```
# vi /usr/local/etc/snort/snort.lua
```
```
Line 24: Change to your own server IP address
HOME_NET = '192.168.11.83/24'

Line 28: Change
EXTERNAL_NET = '!$HOME_NET'

Around line 193: Update the rule paths in the ips section
variables = default_variables,
rules = [[
include $RULE_PATH/snort3-community-rules/snort3-community.rules
]]
```
Install the OpenAppID extension
Download and install Snort OpenAppID from the Snort 3 download page
Please change to the latest version.
```
# wget https://www.snort.org/downloads/openappid/33380
# tar -xzvf 33380
# cp -R odp /usr/local/lib/
```
Edit the Snort 3 configuration file to define the location of the OpenAppID library
```
# vi /usr/local/etc/snort/snort.lua
```
```
Around line 98: Add to the appid section
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}
```
Create the Snort log directory
```
# mkdir /var/log/snort
```
Check the configuration files
```
# snort -T -c /usr/local/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort
```
The check is OK if it ends as follows
```
--------------------------------------------------
o")~   Snort++ 3.3.7.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
    ssh
    host_cache
    pop
    so_proxy
    stream_tcp
    mms
    smtp
    gtp_inspect
    packets
    dce_http_proxy
    ips
    stream_icmp
    normalizer
    binder
    wizard
    appid
    js_norm
    file_id
    http2_inspect
    http_inspect
    stream_udp
    daq
    ftp_data
    ftp_server
    port_scan
    dce_http_server
    dce_tcp
    dce_smb
    iec104
    cip
    telnet
    ssl
    sip
    rpc_decode
    netflow
    modbus
    host_tracker
    stream_user
    stream_ip
    trace
    back_orifice
    classifications
    dnp3
    active
    ftp_client
    alerts
    decode
    search_engine
    stream
    network
    references
    arp_spoof
    output
    hosts
    process
    dns
    dce_udp
    imap
    file_policy
    s7commplus
    stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Finished ips.rules:
--------------------------------------------------
pcre counts
             pcre_rules: 1081
            pcre_native: 1081
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0    4236       0    4236 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 4236
               text rules: 4236
            option chains: 4236
            chain headers: 324
                 flowbits: 48
     flowbits not checked: 23
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     472      58     147      22
     src     169      15       0       0
     dst     775     150       0       0
    both       6      11       0       0
   total    1422     234     147      22
--------------------------------------------------
service rule counts          to-srv  to-cli
                     dcerpc:     72      20
                       dhcp:      2       2
                        dns:     28       7
                    file_id:    219     219
                        ftp:     90       4
                   ftp-data:      1      94
                       http:   2084     253
                      http2:   2084     253
                      http3:   2084     253
                       imap:     35     115
                        irc:      5       2
                   kerberos:      3       0
                       ldap:      0       1
                      mysql:      3       0
                netbios-dgm:      1       1
                 netbios-ns:      4       3
                netbios-ssn:     69      17
                       nntp:      2       0
                       pop3:     23     115
                        rdp:      5       0
                        sip:      5       5
                       smtp:    129       2
                       snmp:     18       7
                       ssdp:      3       0
                        ssl:     20      42
                     sunrpc:     68       4
                     telnet:     12       6
                       tftp:      1       0
                       wins:      1       0
                      total:   7071    1425
--------------------------------------------------
fast pattern groups
                      src: 114
                      dst: 312
                      any: 8
                to_server: 69
                to_client: 48
--------------------------------------------------
search engine (ac_bnfa)
        fast pattern only: 7097
appid: MaxRss diff: 227424
appid: patterns loaded: 11537
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
```
6. Create custom local rules
```
# vi /usr/local/etc/rules/local.rules
```
```
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
```
7. Verification of settings
Use the -T parameter to run Snort in test mode and validate the configuration together with the local rules
```
# snort -T -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort
```
Next, run the test by executing the following command
```
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -l /var/log/snort -A alert_fast -s 65535 -k none
```
When this server is pinged from another PC on the same local network, an alert line is written to the console of this server for each request and reply, as shown below.
```
Commencing packet processing
++ [0] ens160
10/15-13:08:28.802938 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:08:28.803041 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:08:29.804054 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:08:29.804116 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:08:30.806895 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:08:30.806966 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:08:31.811418 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:08:31.811476 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
```
Settings for writing alerts to a log file
```
# vi /usr/local/etc/snort/snort.lua
```
```
Around line 258: add the following to the "-- 7. outputs" section
alert_fast =
{
    file = true,
    packet = false,
    limit = 10,
}
```
Perform a syntax check
```
# snort -c /usr/local/etc/snort/snort.lua --daq-dir /usr/local/lib/daq
```
Now, instead of "-A alert_fast", use the "-l /var/log/snort" option, which specifies the log directory
```
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules --daq-dir /usr/local/lib/daq -i ens160 -s 65535 -k none -l /var/log/snort/
```
When I run ping from another PC and check the log directory, an alert_fast.txt file has been created
```
# tail -f /var/log/snort/alert_fast.txt
10/15-13:12:46.124370 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:12:46.124449 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:12:47.123470 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:12:47.123543 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:12:48.126071 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:12:48.126173 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:12:49.129393 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:12:49.129478 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
```
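As an added example (not part of this guide and not Snort's own code), a small Python parser for the one-line alert_fast records shown above, which turns them into structured fields and counts alerts per rule and address pair, the usual first step before forwarding them to a SIEM. It goes slightly beyond the ICMP test rule by also accepting the optional "[Classification: ...]" field and the ":port" suffix that TCP/UDP alerts carry; the sample lines are constructed to mirror the output above.

```python
import re
from collections import Counter

# One-line alert_fast record as written by Snort 3 (-A alert_fast or the alert_fast output).
# [Classification: ...] and [AppID: ...] are optional; TCP/UDP endpoints carry ":port".
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'(?:\[AppID:\s*(?P<appid>[^\]]*)\]\s+)?\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$')

def split_endpoint(ep):
    # '192.168.11.100:51234' -> ('192.168.11.100', 51234); ICMP has no port (IPv4 assumed)
    host, sep, port = ep.rpartition(':')
    return (host, int(port)) if sep and port.isdigit() else (ep, None)

def parse_alert(line):
    # Return a dict for one alert line, or None for console chatter such as '++ [0] ens160'
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['src'], rec['sport'] = split_endpoint(rec['src'])
    rec['dst'], rec['dport'] = split_endpoint(rec['dst'])
    rec['sid'], rec['prio'] = int(rec['sid']), int(rec['prio'])
    return rec

def summarize(lines):
    # Count alerts per (sid, msg, src, dst) and keep any non-empty line that did not parse
    counts, unparsed = Counter(), []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                unparsed.append(line.rstrip())
            continue
        counts[(rec['sid'], rec['msg'], rec['src'], rec['dst'])] += 1
    return counts, unparsed

# Constructed sample input mirroring the console output above (not real captured data);
# sid 1000002 is a made-up rule used only to show a TCP alert with ports and a classification.
SAMPLE = """\
Commencing packet processing
++ [0] ens160
10/15-13:12:46.124370 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:12:46.124449 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.100
10/15-13:12:47.123470 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.100 -> 192.168.11.83
10/15-13:12:50.000001 [**] [1:1000002:1] "TCP test" [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.100:51234 -> 192.168.11.83:22
"""
```

To run it against the real file, pass open('/var/log/snort/alert_fast.txt').read().splitlines() to summarize().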
Include the local rules in snort.lua
```
# vi /usr/local/etc/snort/snort.lua
```
```
Add in the ips section around line 198
rules = [[
include $RULE_PATH/snort3-community-rules/snort3-community.rules
include $RULE_PATH/local.rules
]]
```
8. Creating a user for the Snort service
Create a non-login system user account for Snort
```
# useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort
```
9. Create a systemd service unit for Snort
```
# vi /etc/systemd/system/snort3.service
```
Describe the following
```
[Unit]
Description=Snort Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target
```
Reload the systemd configuration so the new unit is recognised.
```
# systemctl daemon-reload
```
Set log directory ownership and permissions
```
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort
```
Enable Snort to start at boot and run it now
```
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.
```
Status check
```
# systemctl status snort3
● snort3.service - Snort Daemon
   Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-10-15 13:17:00 JST; 9s ago
 Main PID: 95855 (snort3)
    Tasks: 2 (limit: 16915)
   Memory: 273.2M
   CGroup: /system.slice/snort3.service
           └─95855 /usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort ->

Oct 15 13:17:00 Lepard snort[95855]: --------------------------------------------------
Oct 15 13:17:00 Lepard snort[95855]: search engine (ac_bnfa)
Oct 15 13:17:00 Lepard snort[95855]:                 instances: 334
Oct 15 13:17:00 Lepard snort[95855]:                  patterns: 10776
Oct 15 13:17:00 Lepard snort[95855]:             pattern chars: 175132
Oct 15 13:17:00 Lepard snort[95855]:                num states: 123161
Oct 15 13:17:00 Lepard snort[95855]:          num match states: 10496
Oct 15 13:17:00 Lepard snort[95855]:              memory scale: MB
Oct 15 13:17:00 Lepard snort[95855]:              total memory: 3.67905
Oct 15 13:17:00 Lepard snort[95855]:            pattern memory: 0.577772
```