SNORT3
Snort is an open-source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.
It performs protocol analysis and content searching and matching, and can be used to detect a wide range of attacks, including buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, semantic URL attacks and Server Message Block probes.
1. Preparation
1.1 Install prerequisite packages
1. Install openssl-devel
# dnf install openssl-devel
2. Install cmake
# dnf -y install cmake
Installed:
cmake-3.31.8-1.el10.x86_64 cmake-data-3.31.8-1.el10.noarch cmake-rpm-macros-3.31.8-1.el10.noarch
1.2 Install required packages
# dnf -y install libpcap-devel pcre2-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel libnfnetlink-devel libnetfilter_queue g++
# wget https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/l/libdnet-1.18.0-1.el10_1.x86_64.rpm
# rpm -Uvh libdnet-1.18.0-1.el10_1.x86_64.rpm
# dnf install libdnet
# wget https://dl.fedoraproject.org/pub/epel/10/Everything/x86_64/Packages/l/libdnet-devel-1.18.0-1.el10_1.x86_64.rpm
# rpm -Uvh libdnet-devel-1.18.0-1.el10_1.x86_64.rpm
# dnf install libdnet-devel
1.3 Install LibDAQ
# cd
# dnf install git
# git clone https://github.com/snort3/libdaq.git
# cd libdaq/
# dnf install autoconf
# ./bootstrap
# ./configure
# make && make install
# ln -s /usr/local/lib/libdaq.so.3 /lib/
Register the shared library
# ldconfig
Verify the library
# ldconfig -p|grep daq
libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3
1.4 Install optional packages
1. Install LZMA and UUID
# dnf -y install xz-devel libuuid-devel
2. Install Tcmalloc
# dnf -y install gperftools-devel
2. Install Snort 3
# git clone https://github.com/snort3/snort3.git
# cd snort3/
# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
# export CFLAGS="-O3"
# export CXXFLAGS="-O3 -fno-rtti"
# dnf install flex
# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
# cd build/
# make -j$(nproc)
# make -j$(nproc) install
Check the version
# /usr/local/snort/bin/snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.12.2.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2026 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.27
Using libpcap version 1.10.4 (with TPACKET_V3)
Using LuaJIT version 2.1.1720049189
Using LZMA version 5.6.2
Using OpenSSL 3.5.5 27 Jan 2026
Using PCRE2 version 10.44 2024-06-07
Using ZLIB version 1.3.1.zlib-ng
Test run
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Network interface configuration
Check the network interfaces
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:38:c5:9d brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname enx000c2938c59d
inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe38:c59d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
The network interface name is ens160.
Put the network interface into promiscuous mode. This lets the network device capture and inspect every packet on the segment, not only those addressed to its own MAC address.
# ip link set dev ens160 promisc on
Verify the setting
# ip a | grep ens160 | grep mtu
2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
Check the offload status of the network interface. If the interface's traffic is to be monitored, offloading must be disabled: GRO and LRO coalesce received packets before the sniffer sees them, so Snort would inspect merged segments instead of the packets that were actually on the wire.
Check the current status
# ethtool -k ens160 | grep receive-offload
generic-receive-offload: on
large-receive-offload: on
Both are on, so disable GRO and LRO with the following command
# ethtool -K ens160 gro off lro off
Check the status again
# ethtool -k ens160 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off
The LRO and GRO offload status is now off.
Create a systemd service for the Snort network interface so that these settings are reapplied at every boot
# touch /etc/systemd/system/snort3-nic.service
# vi /etc/systemd/system/snort3-nic.service
Write the following content
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
Apply the changes
# systemctl daemon-reload
# systemctl enable snort3-nic.service
Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.
# systemctl start snort3-nic.service
Check the status of the Snort NIC service
# systemctl status snort3-nic.service
● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)
Active: active (exited) since Fri 2026-06-05 12:12:26 JST; 27s ago
Invocation: 63f6f6d9148346719e84511cc5991723
Process: 34427 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)
Process: 34428 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)
Main PID: 34428 (code=exited, status=0/SUCCESS)
Mem peak: 1.2M
CPU: 9ms
Jun 05 12:12:26 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, L>
Jun 05 12:12:26 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, L>
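A pre-flight check that the NIC really is in the state snort3-nic.service is meant to guarantee after a boot. This is an added example and not part of the original tutorial: it parses the output of ip link show and ethtool -k in the form shown above and flags an interface that is down, not in promiscuous mode, or still has GRO or LRO enabled. The sample outputs embedded below are constructed from the ens160 lines above; check_live assumes that ip and ethtool are on PATH.

```python
"""Pre-flight check of the capture NIC before Snort is started.

Added example, not part of the original tutorial. parse_* work on captured
text so the logic can be tested offline; check_live runs the real commands.
"""
import re
import subprocess

# Offload features that must be off for Snort to see wire-sized packets.
REQUIRED_OFF = ("generic-receive-offload", "large-receive-offload")


def parse_ip_link(text):
    """Return the set of flags inside the <...> field of 'ip link show'."""
    m = re.search(r"<([A-Z0-9_,-]*)>", text)
    return set(m.group(1).split(",")) if m else set()


def parse_ethtool_features(text):
    """Map feature name -> True/False from 'ethtool -k'; suffixes like '[fixed]' are ignored."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+):\s*(on|off)\b", line)
        if m:
            features[m.group(1)] = (m.group(2) == "on")
    return features


def nic_problems(ip_link_text, ethtool_text):
    """Return a list of problems; an empty list means the NIC is ready for capture."""
    problems = []
    flags = parse_ip_link(ip_link_text)
    if "UP" not in flags:
        problems.append("interface is not UP")
    if "PROMISC" not in flags:
        problems.append("interface is not in promiscuous mode")
    features = parse_ethtool_features(ethtool_text)
    for name in REQUIRED_OFF:
        if name not in features:
            problems.append(f"{name} is not reported by ethtool")
        elif features[name]:
            problems.append(f"{name} is still on")
    return problems


def check_live(dev):
    """Run the real commands for one interface (assumes ip and ethtool are on PATH)."""
    ip_out = subprocess.run(["ip", "link", "show", dev],
                            capture_output=True, text=True, check=True).stdout
    et_out = subprocess.run(["ethtool", "-k", dev],
                            capture_output=True, text=True, check=True).stdout
    return nic_problems(ip_out, et_out)


# Constructed samples modelled on the ip/ethtool output shown in the tutorial:
# the interface as it came up, and after promisc on + gro/lro off.
BEFORE_IP = ("2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000\n"
             "    link/ether 00:0c:29:38:c5:9d brd ff:ff:ff:ff:ff:ff\n")
BEFORE_ETHTOOL = ("Features for ens160:\nrx-checksumming: on\ngeneric-receive-offload: on\n"
                  "large-receive-offload: on\ntx-checksum-ip-generic: off [fixed]\n")
AFTER_IP = "2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000\n"
AFTER_ETHTOOL = ("Features for ens160:\nrx-checksumming: on\ngeneric-receive-offload: off\n"
                 "large-receive-offload: off\ntx-checksum-ip-generic: off [fixed]\n")

if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else None
    # With an interface name: check the live system; without one: check the constructed sample.
    problems = check_live(dev) if dev else nic_problems(AFTER_IP, AFTER_ETHTOOL)
    print("ready for capture" if not problems else "\n".join(problems))
```

Run it as `python3 nic_check.py ens160` on the host, or as an ExecStartPre step in the snort3 unit, so that Snort does not start capturing through an interface whose offloads were silently re-enabled by a driver reload.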
Add the Snort community rule set
1. Create a folder for the Snort rules, download the community rule set from the Snort website and place it in that rules directory
# mkdir /usr/local/snort/etc/snort/rules
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/
2. Edit the main Snort configuration file
# vi /usr/local/snort/etc/snort/snort.lua
Change line 24
HOME_NET = '192.168.11.0/24'
Change line 28
EXTERNAL_NET = '!$HOME_NET'
Add the following at the end of the ips section, around line 188
ips =
{
-- use this to enable decoder and inspector alerts
-- enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]
}
3. Test the changes to the main Snort configuration
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
If everything is fine, the output ends with the following
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Add custom rules
1. Create a file in the Snort rules directory
# touch /usr/local/snort/etc/snort/rules/local.rules
# vi /usr/local/snort/etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
2. Edit the main Snort configuration file
Edit the main Snort configuration file so that the custom rules file is included in the main configuration
# vi /usr/local/snort/etc/snort/snort.lua
Add the following around line 199
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/local.rules
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]
}
3. Test the changes to the main Snort configuration
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
If everything is fine, the output ends with the following
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
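A sanity check for local.rules before it is included in snort.lua. This is an added example, not part of the original tutorial or of Snort itself: it parses rules written in the classic form used above (action proto src sport dir dst dport (options)), and reports the mistakes that otherwise only show up when snort -c rejects the file: a missing msg, sid or rev, a sid reused by two rules, a sid below the 1,000,000 range conventionally reserved for local rules, and a $VARIABLE that snort.lua does not define. The set of known variables defaults to HOME_NET and EXTERNAL_NET, the two set in this tutorial; any others (those from snort_defaults.lua) must be passed in, which is an assumption of this checker rather than something it reads from Snort. The sample rules are constructed: the tutorial's ICMP rule plus two deliberately faulty ones.

```python
"""Sanity-check a Snort 3 local.rules file (added example, not part of the tutorial)."""
import re
from collections import Counter

# Rule actions accepted by Snort 3 rule headers.
ACTIONS = {"alert", "block", "drop", "log", "pass", "react", "reject", "rewrite"}
LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for distributed rules
# Variables this tutorial defines in snort.lua; others come from snort_defaults.lua (assumption).
DEFAULT_VARIABLES = frozenset({"HOME_NET", "EXTERNAL_NET"})

HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key; or key:value; where value may be a quoted string containing ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line):
    """Return the header fields plus an 'opts' dict, or None if the line is not a classic rule."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    for key, val in OPTION_RE.findall(rule["opts"]):
        opts.setdefault(key, val.strip().strip('"'))  # first occurrence wins
    rule["opts"] = opts
    return rule


def check_rules(text, variables=DEFAULT_VARIABLES):
    """Return a list of (line_no, problem); line 0 marks file-wide problems. Empty list = clean."""
    problems = []
    sids = Counter()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((no, "unparseable rule header or missing option block"))
            continue
        if rule["action"] not in ACTIONS:
            problems.append((no, f"unknown action '{rule['action']}'"))
        for field in ("src", "sport", "dst", "dport"):
            for var in re.findall(r"\$(\w+)", rule[field]):
                if var not in variables:
                    problems.append((no, f"undefined variable ${var}"))
        opts = rule["opts"]
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                problems.append((no, f"missing required option '{required}'"))
        if opts.get("sid", "").isdigit():
            sid = int(opts["sid"])
            sids[sid] += 1
            if sid < LOCAL_SID_MIN:
                problems.append((no, f"sid {sid} is below the local-rule range (>= {LOCAL_SID_MIN})"))
    for sid, count in sorted(sids.items()):
        if count > 1:
            problems.append((0, f"sid {sid} is used {count} times"))
    return problems


# Constructed sample: the tutorial's rule, a rule that reuses its sid, and a rule
# with an undefined variable, a reserved-range sid and no rev.
SAMPLE_RULES = """\
# local.rules
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection to HOME_NET"; flags:S; sid:1000001; rev:1;)
alert udp any any -> $DNS_SERVERS 53 (msg:"DNS query"; sid:99;)
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for no, problem in check_rules(text):
        print(f"line {no or '-'}: {problem}")
```

Run it as `python3 check_rules.py /usr/local/snort/etc/snort/rules/local.rules` before `snort -c`; on the constructed sample it reports the undefined $DNS_SERVERS, the missing rev, sid 99 in the reserved range, and sid 1000001 being used twice.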
Install the OpenAppID extension
With the OpenAppID extension installed, Snort can detect network threats at the application layer.
1. Download and extract the OpenAppID extension
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf OpenAppId-33380.tgz
2. Copy the extracted folder (odp) to the following directory
# cp -R odp /usr/local/lib/
3. Edit the main Snort configuration file and define the location of the OpenAppID folder
# vi /usr/local/snort/etc/snort/snort.lua
Add the following to the appid section, around line 100
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
appid_listener =
{
json_logging = true,
file = "/var/log/snort/appid-output.log",
}
--[[
reputation =
4. Test the changes to the main Snort configuration
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
If everything is fine, the output ends with the following
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
Verify that the entire configuration is set up correctly
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none
Send a ping from a remote computer to the server's IP address. Alert lines then appear in the console window on the host server.
-------------------------------------------------------------------------------------------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
Retry queue interval is: 200 ms
++ [0] ens160
06/05-13:27:36.297858 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:36.297858 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:36.298082 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:37.313208 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:37.313208 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:37.313375 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:37.313478 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:38.328985 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:38.328986 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:38.329674 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:38.330226 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:39.340441 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:39.340441 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
06/05-13:27:39.341321 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
06/05-13:27:39.341799 [] [1:1000001:1] "Incoming ICMP" [] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
Configure the Snort systemd service
1. Create a user for the Snort service
# useradd -r -s /usr/sbin/nologin -M snort
2. Create the log folder and set its permissions
Create a directory for the Snort logs and set the folder permissions
# mkdir /var/log/snort
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort
3. Create the systemd service file
# touch /etc/systemd/system/snort3.service
# vi /etc/systemd/system/snort3.service
[Unit]
Description=Snort3 IDS Daemon Service
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID
[Install]
WantedBy=multi-user.target
Reload systemd and enable the Snort service
# systemctl daemon-reload
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.
Start the Snort service
# systemctl start snort3
Check the status
# systemctl status snort3
● snort3.service - Snort3 IDS Daemon Service
Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)
Active: active (running) since Fri 2026-06-05 13:32:01 JST; 57s ago
Invocation: 643250b17f6b43c280a48a0734227c13
Main PID: 40560 (snort3)
Tasks: 2 (limit: 22808)
Memory: 214.7M (peak: 215.1M)
CPU: 1.186s
CGroup: /system.slice/snort3.service
└─40560 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
Jun 05 13:32:01 Lepard snort[40560]: any: 8
Jun 05 13:32:01 Lepard snort[40560]: to_server: 69
Jun 05 13:32:01 Lepard snort[40560]: to_client: 48
Jun 05 13:32:01 Lepard snort[40560]: --------------------------------------------------
Jun 05 13:32:01 Lepard snort[40560]: search engine (ac_bnfa)
Jun 05 13:32:01 Lepard snort[40560]: instances: 334
Jun 05 13:32:01 Lepard snort[40560]: patterns: 10779
Jun 05 13:32:01 Lepard snort[40560]: pattern chars: 175202
Jun 05 13:32:01 Lepard snort[40560]: num states: 123205
Jun 05 13:32:01 Lepard snort[40560]: num match states: 10502
Snort IDS logging
1. Configure Snort JSON logging
# vi /usr/local/snort/etc/snort/snort.lua
Add alert_json at the end of the "-- 7. configure outputs" section, around line 261
---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }
alert_json =
{
file = true,
limit = 50,
fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}
2. Restart Snort
# systemctl restart snort3
3. Check the log file
Run ping from a remote computer against the server. The alerts are written to the Snort alert_json.txt file.
# tail -f /var/log/snort/alert_json.txt
{ "timestamp" : "06/05-13:49:13.940163", "msg" : "Incoming ICMP", "pkt_num" : 31637, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:13.940636", "msg" : "Incoming ICMP", "pkt_num" : 31638, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31733, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31734, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.952099", "msg" : "Incoming ICMP", "pkt_num" : 31735, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:14.952325", "msg" : "Incoming ICMP", "pkt_num" : 31736, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.968934", "msg" : "Incoming ICMP", "pkt_num" : 31799, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.968935", "msg" : "Incoming ICMP", "pkt_num" : 31800, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.970157", "msg" : "Incoming ICMP", "pkt_num" : 31801, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "06/05-13:49:15.970681", "msg" : "Incoming ICMP", "pkt_num" : 31802, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
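A small consumer for both alert formats produced in this tutorial: the alert_fast console lines from the -A alert_fast run above and the alert_json.txt records shown here. This is an added example and not part of the tutorial or of Snort: it turns each line into one common record, decodes the b64_data payload that alert_json carries, skips the truncated line that tail -f can hand over while Snort is still writing, and counts alerts per rule and source address. The sample lines are constructed from the output above (the alert_fast lines use the [**] separators that the console output above rendered as []; both spellings are accepted).

```python
"""Normalise Snort 3 alert_fast and alert_json lines and summarise them (added example)."""
import base64
import json
import re
from collections import Counter

# alert_fast: timestamp [**] [gid:sid:rev] "msg" [**] [Priority: n] [AppID: x] {PROTO} src -> dst
FAST_RE = re.compile(
    r'^(?P<timestamp>\S+)\s+\[\**\]\s+\[(?P<rule>\d+:\d+:\d+)\]\s+"(?P<msg>[^"]*)"\s+'
    r'\[\**\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+(?:\[AppID:\s*(?P<appid>[^\]]*)\]\s+)?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


def _split_addr(endpoint):
    """'192.168.11.14:443' -> ('192.168.11.14', 443); no port or IPv6 -> (endpoint, None)."""
    if endpoint.count(":") == 1:
        host, port = endpoint.split(":")
        if port.isdigit():
            return host, int(port)
    return endpoint, None


def parse_fast(line):
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_addr(m.group("src"))
    dst, dport = _split_addr(m.group("dst"))
    return {"timestamp": m.group("timestamp"), "rule": m.group("rule"), "msg": m.group("msg"),
            "priority": int(m.group("priority")), "proto": m.group("proto"),
            "src_addr": src, "src_port": sport, "dst_addr": dst, "dst_port": dport,
            "appid": m.group("appid"), "payload": None}


def parse_json(line):
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # partial line (tail -f mid-write) or not JSON at all
    payload = None
    if rec.get("b64_data"):
        try:
            payload = base64.b64decode(rec["b64_data"], validate=True)
        except ValueError:
            payload = None  # keep the alert even if the payload field is damaged
    return {"timestamp": rec.get("timestamp"), "rule": rec.get("rule"), "msg": rec.get("msg"),
            "priority": rec.get("priority"), "proto": rec.get("proto"),
            "src_addr": rec.get("src_addr"), "src_port": rec.get("src_port"),
            "dst_addr": rec.get("dst_addr"), "dst_port": rec.get("dst_port"),
            "appid": None, "payload": payload}


def parse_alert(line):
    """Pick the parser by shape: alert_json records start with '{'."""
    s = line.strip()
    if not s:
        return None
    return parse_json(s) if s.startswith("{") else parse_fast(s)


def summarize(lines):
    """Count alerts per (rule, msg, src_addr). Returns (Counter, number of unparseable lines)."""
    counts, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["rule"], rec["msg"], rec["src_addr"])] += 1
    return counts, skipped


# Constructed sample modelled on the console and alert_json.txt output above.
SAMPLE_LINES = [
    '06/05-13:27:36.297858 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83',
    '06/05-13:27:36.298082 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14',
    '{ "timestamp" : "06/05-13:49:14.951788", "msg" : "Incoming ICMP", "pkt_num" : 31733, "proto" : "ICMP", '
    '"pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", '
    '"service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", '
    '"b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }',
    # truncated record, as tail -f can deliver while Snort is still writing
    '{ "timestamp" : "06/05-13:49:15.968934", "msg" : "Incoming ICM',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    counts, skipped = summarize(lines)
    for (rule, msg, src), n in counts.most_common():
        print(f"{n:5d}  {rule}  {msg!r}  from {src}")
    print(f"skipped {skipped} unparseable line(s)")
```

Pointed at /var/log/snort/alert_json.txt it gives a per-source count of which rules fire most, which is the first question to ask of the local ICMP rule above before tightening it; the decoded payload of the sample record is the 32-byte pattern that the pinging host placed in the echo request.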
This completes the installation and configuration of Snort 3.
