SNORT3
Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.
It performs protocol analysis and content searching and matching, and can be used to detect a variety of attacks such as buffer overflows, stealth port scans, CGI attacks, SMB (server message block) probes, OS fingerprinting attempts, and semantic URL attacks.
1. Advance preparation
1.1 Install Required Packages
1. Install openssl-devel
    # dnf install openssl-devel
2. Install cmake
    # dnf install cmake

Version check
    # cmake --version
    cmake version 3.30.5

    CMake suite maintained and supported by Kitware (kitware.com/cmake).
1.2 Install Dependent Packages
    # dnf install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel
    # dnf install libnfnetlink-devel libnetfilter_queue g++
1.3 LibDAQ Install
    # cd
    # dnf install git
    # git clone https://github.com/snort3/libdaq.git
    Cloning into 'libdaq'...
    remote: Enumerating objects: 2517, done.
    remote: Counting objects: 100% (252/252), done.
    remote: Compressing objects: 100% (111/111), done.
    remote: Total 2517 (delta 178), reused 190 (delta 141), pack-reused 2265 (from 1)
    Receiving objects: 100% (2517/2517), 1.16 MiB | 3.60 MiB/s, done.
    Resolving deltas: 100% (1811/1811), done.
    # cd libdaq/
    # dnf install autoconf
    # dnf install automake
    # dnf install libtool
    # ./bootstrap
    + autoreconf -ivf --warnings=all
    autoreconf: export WARNINGS=all
    autoreconf: Entering directory '.'
    autoreconf: configure.ac: not using Gettext
    autoreconf: running: aclocal --force -I m4
    autoreconf: configure.ac: tracing
    autoreconf: running: libtoolize --copy --force
    libtoolize: putting auxiliary files in '.'.
    libtoolize: copying file './ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
    libtoolize: copying file 'm4/libtool.m4'
    libtoolize: copying file 'm4/ltoptions.m4'
    libtoolize: copying file 'm4/ltsugar.m4'
    libtoolize: copying file 'm4/ltversion.m4'
    libtoolize: copying file 'm4/lt~obsolete.m4'
    autoreconf: configure.ac: not using Intltool
    autoreconf: configure.ac: not using Gtkdoc
    autoreconf: running: aclocal --force -I m4
    autoreconf: running: /usr/bin/autoconf --force
    configure.ac:27: warning: The macro 'AC_PROG_CC_C99' is obsolete.
    configure.ac:27: You should run autoupdate.
    ./lib/autoconf/c.m4:1662: AC_PROG_CC_C99 is expanded from...
    configure.ac:27: the top level
    autoreconf: running: /usr/bin/autoheader --force
    autoreconf: running: automake --add-missing --copy --force-missing
    configure.ac:26: installing './compile'
    configure.ac:19: installing './missing'
    api/Makefile.am: installing './depcomp'
    autoreconf: './install-sh' is updated
    autoreconf: Leaving directory '.'
    # ./configure
    # make && make install
    # ln -s /usr/local/lib/libdaq.so.3 /lib/

Add the shared library to the loader cache
    # ldconfig

Check that the library is found
    # ldconfig -p|grep daq
        libdaq.so.3 (libc6,x86-64) => /lib/libdaq.so.3
1.4 Install optional packages
1. Install the LZMA and UUID development packages
    # dnf install xz-devel libuuid-devel
2. Install Hyperscan
    # dnf install hyperscan hyperscan-devel
3. Install Safec
    # dnf install libsafec-devel
If the above does not install, download and install from the following
4. Install Tcmalloc
    # dnf install gperftools-devel
2. Snort3 Install
    # git clone https://github.com/snort3/snort3.git
    # cd snort3/
    # export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
    # export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
    # export CFLAGS="-O3"
    # export CXXFLAGS="-O3 -fno-rtti"
Execute configure
    # dnf install flex
    # ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
    -------------------------------------------------------
    -- Configuring done
    -- Generating done
    -- Build files have been written to: /root/snort3/build
Build, compile, and install
    # cd build/
    # pwd
    /root/snort3/build
    # make -j$(nproc)
    # make -j$(nproc) install
Version Check
    # /usr/local/snort/bin/snort -V

       ,,_     -*> Snort++ <*-
      o"  )~   Version 3.5.0.0
       ''''    By Martin Roesch & The Snort Team
               http://snort.org/contact#team
               Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using DAQ version 3.0.17
               Using libpcap version 1.10.5 (with TPACKET_V3)
               Using LuaJIT version 2.1.1720049189
               Using LZMA version 5.6.2
               Using OpenSSL 3.2.2 4 Jun 2024
               Using PCRE version 8.45 2021-06-15
               Using ZLIB version 1.3.1.zlib-ng
Test run
    # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua
    --------------------------------------------------
    o")~   Snort++ 3.5.0.0
    --------------------------------------------------
    Loading /usr/local/snort/etc/snort/snort.lua:
    Loading snort_defaults.lua:
    Finished snort_defaults.lua:
        ips
        classifications
        ftp_server
        binder
        wizard
        appid
        js_norm
        file_policy
        file_id
        active
        alerts
        daq
        decode
        host_cache
        host_tracker
        hosts
        network
        packets
        process
        search_engine
        so_proxy
        http2_inspect
        http_inspect
        stream
        stream_ip
        stream_icmp
        stream_tcp
        stream_udp
        stream_user
        stream_file
        arp_spoof
        back_orifice
        dns
        output
        netflow
        normalizer
        sip
        telnet
        mms
        s7commplus
        dce_tcp
        ftp_data
        ftp_client
        references
        smtp
        port_scan
        gtp_inspect
        dce_http_server
        dce_http_proxy
        dce_udp
        dce_smb
        modbus
        iec104
        dnp3
        cip
        ssl
        ssh
        rpc_decode
        pop
        imap
        trace
    Finished /usr/local/snort/etc/snort/snort.lua:
    Loading file_id.rules_file:
    Loading file_magic.rules:
    Finished file_magic.rules:
    Finished file_id.rules_file:
    --------------------------------------------------
    ips policies rule stats
                  id  loaded  shared enabled    file
                   0     219       0     219 /usr/local/snort/etc/snort/snort.lua
    --------------------------------------------------
    rule counts
           total rules loaded: 219
                   text rules: 219
                option chains: 219
                chain headers: 1
    --------------------------------------------------
    service rule counts          to-srv  to-cli
                        file_id:    219     219
                          total:    219     219
    --------------------------------------------------
    fast pattern groups
                    to_server: 1
                    to_client: 1
    --------------------------------------------------
    search engine (ac_bnfa)
                    instances: 2
                     patterns: 438
                pattern chars: 2602
                   num states: 1832
             num match states: 392
                 memory scale: KB
                 total memory: 71.2812
               pattern memory: 19.6484
            match list memory: 28.4375
            transition memory: 22.9453
    appid: MaxRss diff: 3352
    appid: patterns loaded: 300
    --------------------------------------------------
    pcap DAQ configured to passive.
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting
Network interface settings
Check the network interface
    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:0c:29:52:b2:92 brd ff:ff:ff:ff:ff:ff
        altname enp3s0
        inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever

The network interface name is ens160.
Set the network interface to promiscuous mode. In this mode the NIC hands every frame it receives to the kernel, not only frames addressed to its own MAC, so Snort can capture and inspect all traffic reaching the interface.
    # ip link set dev ens160 promisc on
Confirm the setting (PROMISC now appears in the flags)
    # ip a | grep ens160 | grep mtu
    2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
Check the offload status of the network interface. Receive offloads (GRO, LRO) coalesce several received segments into one larger packet before the kernel sees them, so an inspection engine would analyse merged packets that never existed on the wire. If you monitor traffic on an interface, offloading must be disabled.
    # ethtool -k ens160 | grep receive-offload
    generic-receive-offload: off
    large-receive-offload: off

Here GRO and LRO are already off.
Create systemd service for Snort network interface
    # touch /etc/systemd/system/snort3-nic.service
    # vi /etc/systemd/system/snort3-nic.service

Include the following:

    [Unit]
    Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
    After=network.target

    [Service]
    Type=oneshot
    ExecStart=/usr/sbin/ip link set dev ens160 promisc on
    ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
    TimeoutStartSec=0
    RemainAfterExit=yes

    [Install]
    WantedBy=default.target
Reload systemd, then enable and start the service
    # systemctl daemon-reload
    # systemctl enable snort3-nic.service
    Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service.
    # systemctl start snort3-nic.service
Check Snort NIC Service Status
    # systemctl status snort3-nic.service
    ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
         Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: disabled)
        Drop-In: /usr/lib/systemd/system/service.d
                 └─10-timeout-abort.conf
         Active: active (exited) since Thu 2024-11-07 13:28:18 JST; 40s ago
     Invocation: d7e1cd0d6c8a4b23a6c119daa69fb538
        Process: 20544 ExecStart=/usr/sbin/ip link set dev ens160 promisc on (code=exited, status=0/SUCCESS)
        Process: 20545 ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off (code=exited, status=0/SUCCESS)
       Main PID: 20545 (code=exited, status=0/SUCCESS)
       Mem peak: 1M
            CPU: 14ms

    Nov 07 13:28:18 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
    Nov 07 13:28:18 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.
Adding the Snort Community Ruleset
1. Create a directory for Snort rules, download the community ruleset from the Snort website, and extract it into that rules directory
    # mkdir /usr/local/snort/etc/snort/rules
    # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/snort/etc/snort/rules/
2. Edit the Snort main configuration file
    # vi /usr/local/snort/etc/snort/snort.lua

Line 24: change
    HOME_NET = '192.168.11.0/24'

Line 28: change
    EXTERNAL_NET = '!$HOME_NET'

Around line 183, add the include to the rules entry of the ips table
    ips =
    {
        -- use this to enable decoder and inspector alerts
        -- enable_builtin_rules = true,

        -- use include for rules files; be sure to set your path
        -- note that rules files can include other rules files
        -- (see also related path vars at the top of snort_defaults.lua)

        variables = default_variables,
        rules = [[
            include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
        ]]
    }
3. Test the configuration changes
    # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If all is well, the following is displayed at the end:
    --------------------------------------------------
    pcap DAQ configured to passive.
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting
Adding custom rules
1. Create a file in the Snort rules directory
    # touch /usr/local/snort/etc/snort/rules/local.rules
    # vi /usr/local/snort/etc/snort/rules/local.rules
    alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
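A local.rules file grows over time, and a rule with a missing sid, a sid that collides with another rule, or a sid below 1000000 (the range reserved for official rulesets; locally written rules use 1000000 and above) is the usual reason a configuration test stops validating. The following Python is an added example, not part of the original page or of Snort itself: a small lint for the rule format used above. It parses the seven-field header and the option list, and the sample file is constructed, containing the page's rule plus three deliberately faulty ones.

```python
"""Lint a Snort 3 local.rules file before loading it (added example)."""
import re
from collections import Counter

# Rule header: action proto src src_port direction dst dst_port, then (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|block|reject|rewrite)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
LOCAL_SID_MIN = 1_000_000   # sids below this belong to official rulesets
REQUIRED_OPTS = ("msg", "sid", "rev")

# Constructed sample: line 2 is the page's rule, lines 3-5 are faulty on purpose
SAMPLE_RULES = """\
# local rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH to home net"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"no sid here"; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"low sid"; sid:42; rev:1;)
"""


def parse_options(opts: str) -> dict:
    """Split 'msg:"a; b"; sid:1; rev:1;' into a dict; semicolons inside quotes
    (and escaped quotes) are kept with the value instead of ending an option."""
    result, buf, quoted, prev = {}, "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            if key:
                result[key.strip()] = val.strip()
            buf = ""
        else:
            buf += ch
        prev = ch
    if buf.strip():                       # option without a trailing ';'
        key, _, val = buf.strip().partition(":")
        result[key.strip()] = val.strip()
    return result


def lint_rules(text: str) -> list:
    """Return (line_number, problem) pairs; line 0 is used for file-wide problems."""
    findings, sids = [], Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            findings.append((lineno, "unparseable rule header"))
            continue
        opts = parse_options(m.group("opts"))
        for req in REQUIRED_OPTS:
            if req not in opts:
                findings.append((lineno, f"missing required option '{req}'"))
        sid = opts.get("sid")
        if sid is not None:
            if not sid.isdigit():
                findings.append((lineno, f"sid is not numeric: {sid}"))
            else:
                sids[int(sid)] += 1
                if int(sid) < LOCAL_SID_MIN:
                    findings.append((lineno, f"sid {sid} is below {LOCAL_SID_MIN}; local rules should use 1000000+"))
    for sid, n in sids.items():
        if n > 1:
            findings.append((0, f"sid {sid} used {n} times"))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
```

Running the linter before "snort -c ... " keeps the failure message local to the offending line, whereas Snort reports a duplicate sid only after loading the whole ruleset.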
2. Edit the Snort main configuration file
Edit the main configuration file so that it includes the custom rules file as well
    # vi /usr/local/snort/etc/snort/snort.lua

Around line 195, add the local.rules include to the rules entry of the ips table
    ips =
    {
        -- use this to enable decoder and inspector alerts
        --enable_builtin_rules = true,

        -- use include for rules files; be sure to set your path
        -- note that rules files can include other rules files
        -- (see also related path vars at the top of snort_defaults.lua)

        variables = default_variables,
        rules = [[
            include /usr/local/snort/etc/snort/rules/local.rules
            include /usr/local/snort/etc/snort/rules/snort3-community-rules/snort3-community.rules
        ]]
    }
3. Test the configuration changes
    # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If all is well, the following is displayed at the end:
    --------------------------------------------------
    pcap DAQ configured to passive.
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting
Install OpenAppID extension
With the OpenAppID detector package installed, Snort can identify the application carried by a flow and so detect threats at the application layer rather than only by port and protocol.
1. Download and unpack the OpenAppID package
    # wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
    # tar -xzvf OpenAppId-33380.tgz
2. Copy the extracted folder (odp) to the following directory
    # cp -R odp /usr/local/lib/
3. Edit the Snort main configuration file to define the location of the OpenAppID folder
    # vi /usr/local/snort/etc/snort/snort.lua

Around line 98, add:
    appid =
    {
        -- appid requires this to use appids in rules
        --app_detector_dir = 'directory to load appid detectors from'
        app_detector_dir = '/usr/local/lib',
        log_stats = true,
    }

    appid_listener =
    {
        json_logging = true,
        file = "/var/log/snort/appid-output.log",
    }

    --[[
    reputation =
4. Test the configuration changes
    # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua

If all is well, the following is displayed at the end:
    --------------------------------------------------
    pcap DAQ configured to passive.
    Snort successfully validated the configuration (with 0 warnings).
    o")~   Snort exiting
Verify that all configurations are set up correctly
    # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/etc/snort/rules/local.rules -i ens160 -A alert_fast -s 65535 -k none

Send a ping from a remote computer to the server's IP address. An alert line appears in the console window of the Snort host for each packet. Because the rule matches any source sent to $HOME_NET and both hosts here are inside that network, the echo reply from the server fires the rule as well, which is why two alerts appear per ping.
    Commencing packet processing
    ++ [0] ens160
    11/07-13:39:24.593119 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.45 -> 192.168.11.83
    11/07-13:39:24.593326 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.45
Configure Snort systemd service
1. Create a user for the Snort service
    # useradd -r -s /usr/sbin/nologin -M snort
2. Create the log directory and set permissions
Create the directory for Snort logs and set its permissions
    # mkdir /var/log/snort
    # chmod -R 5775 /var/log/snort
    # chown -R snort:snort /var/log/snort
3. Create the systemd service file
    # touch /etc/systemd/system/snort3.service
    # vi /etc/systemd/system/snort3.service

    [Unit]
    Description=Snort3 IDS Daemon Service
    After=syslog.target network.target

    [Service]
    Type=simple
    ExecStart=/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort
    ExecStop=/bin/kill -9 $MAINPID

    [Install]
    WantedBy=multi-user.target
Reload systemd and enable the Snort service
    # systemctl daemon-reload
    # systemctl enable --now snort3
    Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.

Restart the Snort service
    # systemctl restart snort3
Check the status
    # systemctl status snort3
    ● snort3.service - Snort3 IDS Daemon Service
         Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: disabled)
        Drop-In: /usr/lib/systemd/system/service.d
                 └─10-timeout-abort.conf
         Active: active (running) since Thu 2024-11-07 13:42:45 JST; 8s ago
     Invocation: d8f709bd9b3540ca85b407024034bce7
       Main PID: 21391 (snort3)
          Tasks: 2 (limit: 4589)
         Memory: 271.3M (peak: 271.8M)
            CPU: 1.026s
         CGroup: /system.slice/snort3.service
                 └─21391 /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g >

    Nov 07 13:42:45 Lepard snort[21391]: any: 8
    Nov 07 13:42:45 Lepard snort[21391]: to_server: 69
    Nov 07 13:42:45 Lepard snort[21391]: to_client: 48
    Nov 07 13:42:45 Lepard snort[21391]: --------------------------------------------------
    Nov 07 13:42:45 Lepard snort[21391]: search engine (ac_bnfa)
    Nov 07 13:42:45 Lepard snort[21391]: instances: 334
    Nov 07 13:42:45 Lepard snort[21391]: patterns: 10776
    Nov 07 13:42:45 Lepard snort[21391]: pattern chars: 175132
    Nov 07 13:42:45 Lepard snort[21391]: num states: 123161
    Nov 07 13:42:45 Lepard snort[21391]: num match states: 10496
Snort IDS Logging
1. Configure Snort JSON logging
    # vi /usr/local/snort/etc/snort/snort.lua

Around line 258, add alert_json at the end of the "7. configure outputs" section
    ---------------------------------------------------------------------------
    -- 7. configure outputs
    ---------------------------------------------------------------------------

    -- event logging
    -- you can enable with defaults from the command line with -A <alert_type>
    -- uncomment below to set non-default configs
    --alert_csv = { }
    --alert_fast = { }
    --alert_full = { }
    --alert_sfsocket = { }
    --alert_syslog = { }
    --unified2 = { }

    -- packet logging
    -- you can enable with defaults from the command line with -L <log_type>
    --log_codecs = { }
    --log_hext = { }
    --log_pcap = { }

    -- additional logs
    --packet_capture = { }
    --file_log = { }

    alert_json =
    {
        file = true,
        limit = 50,
        fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
    }
2. Restart Snort
    # systemctl restart snort3
3. Check the log file
Run ping again from a remote computer against the server; the alerts are now written as one JSON object per line to alert_json.txt in the log directory.
    # tail -f /var/log/snort/alert_json.txt
    { "timestamp" : "11/07-13:45:55.569427", "msg" : "Incoming ICMP", "pkt_num" : 486, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 84, "dir" : "C2S", "src_addr" : "192.168.11.45", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "ZyxGAwAHVX0ICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=" }
    { "timestamp" : "11/07-13:45:55.569494", "msg" : "Incoming ICMP", "pkt_num" : 487, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 84, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.45", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "ZyxGAwAHVX0ICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=" }
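The one-object-per-line format above is what makes alert_json convenient to post-process. The following Python is an added example, not from the original page or from Snort: it reads alert_json lines, counts alerts per rule and per source address, counts how many fire between two HOME_NET hosts (the echo-reply effect of the "-> $HOME_NET" rule seen earlier), decodes b64_data to recover the payload length, and skips a half-written record of the kind tail -f can hand over. The sample log is constructed from the page's two alerts plus one deliberately truncated line, and the HOME_NET value is the page's 192.168.11.0/24.

```python
"""Summarise Snort 3 alert_json output (added example, not from the page)."""
import base64
import ipaddress
import json
from collections import Counter

HOME_NET = ipaddress.ip_network("192.168.11.0/24")   # the page's HOME_NET

# Constructed sample: two records in the shape alert_json writes (one JSON
# object per line) and a final line cut short as a partially flushed write.
SAMPLE_LOG = """\
{ "timestamp" : "11/07-13:45:55.569427", "msg" : "Incoming ICMP", "pkt_num" : 486, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 84, "dir" : "C2S", "src_addr" : "192.168.11.45", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "ZyxGAwAHVX0ICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=" }
{ "timestamp" : "11/07-13:45:55.569494", "msg" : "Incoming ICMP", "pkt_num" : 487, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 84, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.45", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "ZyxGAwAHVX0ICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=" }
{ "timestamp" : "11/07-13:45:56.570001", "msg" : "Incoming ICMP", "pkt_num" : 488, "pro
"""


def parse_alert(line: str):
    """Return the alert as a dict, or None for a blank or unparseable line."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def summarize(lines) -> dict:
    """Aggregate alert_json records into counters a triage view needs."""
    by_rule, by_src = Counter(), Counter()
    payload_bytes, home_to_home, skipped = {}, 0, 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                skipped += 1           # non-empty but not valid JSON
            continue
        by_rule[(rec["rule"], rec["msg"])] += 1
        by_src[rec["src_addr"]] += 1
        src = ipaddress.ip_address(rec["src_addr"])
        dst = ipaddress.ip_address(rec["dst_addr"])
        if src in HOME_NET and dst in HOME_NET:
            home_to_home += 1          # both ends internal: replies match too
        if rec.get("b64_data"):
            payload_bytes[rec["pkt_num"]] = len(base64.b64decode(rec["b64_data"]))
    return {
        "by_rule": by_rule,
        "by_src": by_src,
        "home_to_home": home_to_home,
        "payload_bytes": payload_bytes,
        "skipped": skipped,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for (rule, msg), n in summary["by_rule"].items():
        print(f"{rule} {msg!r}: {n} alerts")
    print("sources:", dict(summary["by_src"]))
    print("home-to-home alerts:", summary["home_to_home"])
    print("payload bytes per packet:", summary["payload_bytes"])
    print("skipped lines:", summary["skipped"])
```

The decoded payload of each sample record is 56 bytes, which together with the 20-byte IPv4 header and 8-byte ICMP header accounts for the pkt_len of 84 shown in the log.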
This completes the installation and configuration of Snort 3.