業務用エアコン関連の技術情報、エラーコード、環境問題対策に関する別サイト「エアコンの安全な修理・適切なフロン回収」

AlmaLinux9.8 : SNORT3 インストール

SNORT3

 Snortは、IPネットワーク上でリアルタイムのトラフィック分析とパケットロギングを実行できるオープンソースのネットワーク侵入検知システムです。

「プロトコル分析」「コンテンツ検索」「マッチング」を実行でき、「バッファオーバーフロー」「ステルスポートスキャン」「CGI攻撃」「SMBプローブ」「OSフィンガープリント試行」「セマンティックURL攻撃」「サーバメッセージブロック探査」など、さまざまな攻撃検出に使用できます。

1.事前準備

1.1 必須パッケージのインストール

1.openssl-develのインストール

# dnf install openssl-devel

2.cmakeのインストール

# dnf -y install cmake
1.2 必要なパッケージのインストール
# dnf -y install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel libnfnetlink-devel libnetfilter_queue g++
1.3 LibDAQのインストール
# cd
# dnf install git
# git clone https://github.com/snort3/libdaq.git

# cd libdaq/
# dnf install autoconf
# ./bootstrap

# ./configure
# make && make install
# ln -s /usr/local/lib/libdaq.so.3 /lib/

共有ライブラリの追加
# ldconfig

ライブラリの確認
# ldconfig -p|grep daq
        libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3

1.4 オプションパッケージのインストール

1.LZMAとUUIDのインストール

# dnf -y install xz-devel libuuid-devel

2.Hyperscanのインストール

# dnf -y install hyperscan hyperscan-devel

3.Tcmallocのインストール

# dnf -y install gperftools-devel

2. Snort3のインストール

# git clone https://github.com/snort3/snort3.git
# cd snort3/
# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
# export CFLAGS="-O3"
# export CXXFLAGS="-O3 -fno-rtti"

不足パッケージインストール
# dnf -y install pcre2-devel
# dnf install flex

ビルド、コンパイル、インストール
# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
# cd build/
# pwd
/root/snort3/build

# make -j$(nproc)
# make -j$(nproc) install

バージョン確認

# /usr/local/snort/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.12.2.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2026 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.27
           Using Hyperscan version 5.4.1 2023-04-14
           Using libpcap version 1.10.0 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.2.5
           Using OpenSSL 3.5.5 27 Jan 2026
           Using PCRE2 version 10.40 2022-04-14
           Using ZLIB version 1.2.11

テスト実行

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

--------------------------------------------------
search engine (ac_bnfa)
                instances: 2
                 patterns: 438
            pattern chars: 2602
               num states: 1832
         num match states: 392
             memory scale: KB
             total memory: 71.2812
           pattern memory: 19.6484
        match list memory: 28.4375
        transition memory: 22.9453
appid: MaxRss diff: 3200
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

ネットワークインターフェースの設定

ネットワーク インタフェースを確認

# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:55:a8:67 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe55:a867/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

ネットワーク・インターフェース名はens160である

ネットワークインターフェイスをプロミスキャスモードに設定する。こうすることで、ネットワークデバイスはすべてのネットワークパケットをキャプチャし、検査できるようになる。

# ip link set dev ens160 promisc on

設定を確認

# ip a | grep ens160 | grep mtu
2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

ネットワーク・インタフェースのオフロード・ステータスを確認。インタフェースのネッ トワーク・トラフィックを監視する必要がある場合は、オフロードを無効にする必要がある

# ethtool -k ens160 | grep receive-offload
generic-receive-offload: on
large-receive-offload: on

onになっているので下記コマンドでGRO,LROを無効にする

# ethtool -K ens160 gro off lro off

再度状況を確認する

# ethtool -k ens160 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off

Snortネットワークインターフェース用のsystemdサービスを作成する

# vi /etc/systemd/system/snort3-nic.service
[snort3-nic.service]の内容

[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target

変更を適用し、サービスを起動する

# systemctl daemon-reload
# systemctl enable snort3-nic.service
Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.
# systemctl start snort3-nic.service

Snort NICサービスのステータスを確認

# systemctl status snort3-nic.service

● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
     Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)
     Active: active (exited) since Fri 2026-07-03 16:19:44 JST; 39s ago
    Process: 74335 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)
    Process: 74336 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)
   Main PID: 74336 (code=exited, status=0/SUCCESS)
        CPU: 4ms

Jul 03 16:19:44 Lepard systemd[1]: Starting Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Jul 03 16:19:44 Lepard systemd[1]: Finished Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.

Snortコミュニティ・ルールセットを追加

1.Snortルール用のフォルダを作成し、SnortのWebサイトからコミュニティルールセットをダウンロードし、所定のルールディレクトリーに配置

# mkdir /usr/local/snort/etc/snort/rules
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/

2.Snortメイン設定ファイルを編集

# vi /usr/local/snort/etc/snort/snort.lua
[snort.lua]編集内容

●24行目変更
HOME_NET = '192.168.11.0/24'
●28行目変更
EXTERNAL_NET = '!$HOME_NET'
●197行目当たり : ips項目の最後に追加
ips =
{
-- use this to enable decoder and inspector alerts
-- enable_builtin_rules = true,

-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)

variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]

}

3.Snortのメインコンフィグレーションの変更をテスト

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

カスタムルールの追加

1.Snort rulesディレクトリにファイルを作成する

# vi /usr/local/snort/etc/snort/rules/local.rules

下記を記述
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)

2.Snortメイン設定ファイルを編集
カスタム ルール ファイル ディレクトリをメイン構成に含めるためSnortメイン設定ファイルを編集

# vi /usr/local/snort/etc/snort/snort.lua
[snort.lua]編集内容

●199行目当たりに追加
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,

-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)

variables = default_variables,
rules = [[
include /usr/local/snort/etc/snort/rules/local.rules
include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
]]

}

3.Snortのメインコンフィグレーションの変更をテスト

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

OpenAppIDエクステンションをインストール

OpenAppIDエクステンションをインストールすると、Snortはアプリケーションレイヤーレベルでネットワーク脅威を検出できるようになります

1.OpenAppIDエクステンションダウンロードと展開

# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf  OpenAppId-33380.tgz

2.解凍したフォルダ(odp)を以下のディレクトリにコピー

# cp -R odp /usr/local/lib/

3.Snortメイン設定ファイルを編集し、OpenAppIDフォルダの場所を定義

# vi /usr/local/snort/etc/snort/snort.lua
[snort.lua]編集内容

●100行目当たりのappidセクションに追加
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
appid_listener =
{
json_logging = true,
file = "/var/log/snort/appid-output.log",
}

--[[
reputation =

4.Snortのメインコンフィグレーションの変更をテスト

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

すべてのコンフィギュレーションが正しくセットアップされていることを確認する

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

リモートコンピュータからサーバのIPアドレスにpingコマンドを送信します。これにより、ホストサーバーのコンソールウィンドウにアラートログが表示されます

pcap DAQ configured to passive.
Commencing packet processing
Retry queue interval is: 200 ms
++ [0] ens160
07/03-16:58:20.814588 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:20.814588 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:20.814796 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:20.814903 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:21.822194 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:21.822194 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:21.822394 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:21.822490 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:22.830746 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:22.830747 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:22.830943 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:22.831030 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:23.836851 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:23.836852 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.14 -> 192.168.11.83
07/03-16:58:23.837073 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14
07/03-16:58:23.837158 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.14

Snort systemdサービスの設定

1.Snortサービス用のユーザの作成

# useradd -r -s /usr/sbin/nologin -M snort

2.ログフォルダの作成とパーミッションの設定
Snortログ用のディレクトリフォルダを作成し、フォルダパーミッションを設定

# mkdir /var/log/snort
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort

3.Systemdサービスファイルの作成

# vi /etc/systemd/system/snort3.service
[snort3.service]の内容

[Unit]
Description=Snort3 IDS Daemon Service
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target

Snortサービスをリロードして有効にして、サービスを起動する

# systemctl daemon-reload
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.

# systemctl restart snort3

ステータスを確認

# systemctl status snort3

● snort3.service - Snort3 IDS Daemon Service
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)
     Active: active (running) since Fri 2026-07-03 17:02:34 JST; 33s ago
   Main PID: 76346 (snort3)
      Tasks: 2 (limit: 22900)
     Memory: 213.7M (peak: 214.1M)
        CPU: 873ms
     CGroup: /system.slice/snort3.service
             └─76346 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort     

Jul 03 17:02:34 Lepard snort[76346]:                       any: 8
Jul 03 17:02:34 Lepard snort[76346]:                 to_server: 69
Jul 03 17:02:34 Lepard snort[76346]:                 to_client: 48
Jul 03 17:02:34 Lepard snort[76346]: --------------------------------------------------
Jul 03 17:02:34 Lepard snort[76346]: search engine (ac_bnfa)
Jul 03 17:02:34 Lepard snort[76346]:                 instances: 334
Jul 03 17:02:34 Lepard snort[76346]:                  patterns: 10779
Jul 03 17:02:34 Lepard snort[76346]:             pattern chars: 175202
Jul 03 17:02:34 Lepard snort[76346]:                num states: 123205
Jul 03 17:02:34 Lepard snort[76346]:          num match states: 10502

Snort IDS ロギング

1.Snort JSONロギングの設定

# vi /usr/local/snort/etc/snort/snort.lua
[snort.lua]編集内容

●261行目当たりの-- 7. configure outputsセクションの最後にalert_jsonを追加

-------------------------------------------------------------------------------------
-- 7. configure outputs
-------------------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }
alert_json =
{
file = true,
limit = 50,
fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}

2.Snortを再起動

# systemctl restart snort3

3.ログファイルを確認
リモートコンピュータからサーバにpingコマンドを実行する。Snort alert_json.txtファイルに保存されます。

# tail -f /var/log/snort/alert_json.txt

{ "timestamp" : "07/03-17:10:04.805078", "msg" : "Incoming ICMP", "pkt_num" : 1698, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:04.805154", "msg" : "Incoming ICMP", "pkt_num" : 1699, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.816663", "msg" : "Incoming ICMP", "pkt_num" : 1729, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.816663", "msg" : "Incoming ICMP", "pkt_num" : 1730, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.816905", "msg" : "Incoming ICMP", "pkt_num" : 1731, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:05.817047", "msg" : "Incoming ICMP", "pkt_num" : 1732, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.826865", "msg" : "Incoming ICMP", "pkt_num" : 1791, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.826865", "msg" : "Incoming ICMP", "pkt_num" : 1792, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.14", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.828001", "msg" : "Incoming ICMP", "pkt_num" : 1793, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "07/03-17:10:06.828416", "msg" : "Incoming ICMP", "pkt_num" : 1794, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.14", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }

以上でSnort 3のインストールと設定が完了