Suricata
Suricata is an open source IDS/IPS that monitors network traffic and detects suspicious communications.
Detection is primarily signature-based, so it recognizes traffic that matches predefined rules. Suricata can also run in IPS mode and block traffic, so it provides protection as well as detection.
1. Advance preparation
Add and enable repositories
# zypper addrepo https://download.opensuse.org/repositories/server:monitoring/15.6/server:monitoring.repo
# zypper refresh
2. Suricata Installation and Configuration
①Suricata Install
# zypper install suricata

Check Version
# suricata -V
This is Suricata version 7.0.3 RELEASE
②Determine interface and IP address where Suricata will inspect network packets
# ip --brief add
lo               UNKNOWN        127.0.0.1/8
eth0             UP             192.168.11.83/24
③Edit configuration file
# vi /etc/suricata/suricata.yaml
# Line 15 : In the "vars" section, define the network
    HOME_NET: "[192.168.11.0/24]"

# Line 614 : Set interface name in "af-packet" section
af-packet:
  - interface: eth0
# vi /etc/sysconfig/suricata
# Line 8 : Specify interface

# Add options to be passed to the daemon
SURICATA_OPTIONS="-i eth0 "
④Suricata rules update
# suricata-update
⑤Activate Suricata
# systemctl enable --now suricata
Created symlink /etc/systemd/system/multi-user.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.
⑥Confirm Suricata startup
# systemctl status suricata
● suricata.service - Suricata Intrusion Detection and Prevention Tool
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-06-18 13:45:09 JST; 50s ago
       Docs: man:suricata(1)
   Main PID: 27296 (Suricata-Main)
      Tasks: 10 (limit: 4587)
        CPU: 23.877s
     CGroup: /system.slice/suricata.service
             └─27296 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Jun 18 13:45:09 Lepard systemd[1]: Started Suricata Intrusion Detection and Prevention Tool.
Jun 18 13:45:09 Lepard suricata[27296]: i: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode
Jun 18 13:45:33 Lepard suricata[27296]: i: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started.
Check the log
# tail /var/log/suricata/suricata.log
[27296 - Suricata-Main] 2024-06-18 13:45:09 Info: conf: Running in live mode, activating unix socket
[27296 - Suricata-Main] 2024-06-18 13:45:09 Info: logopenfile: fast output device (regular) initialized: fast.log
[27296 - Suricata-Main] 2024-06-18 13:45:09 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[27296 - Suricata-Main] 2024-06-18 13:45:09 Info: logopenfile: stats output device (regular) initialized: stats.log
[27296 - Suricata-Main] 2024-06-18 13:45:21 Info: detect: 1 rule files processed. 38317 rules successfully loaded, 0 rules failed, 0
[27296 - Suricata-Main] 2024-06-18 13:45:22 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[27296 - Suricata-Main] 2024-06-18 13:45:22 Info: detect: 38320 signatures processed. 1099 are IP-only rules, 4124 are inspecting packet payload, 32885 inspect application layer, 108 are decoder event only
[27296 - Suricata-Main] 2024-06-18 13:45:32 Info: runmodes: eth0: creating 4 threads
[27296 - Suricata-Main] 2024-06-18 13:45:32 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[27296 - Suricata-Main] 2024-06-18 13:45:33 Notice: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started.
Check the stats.log file for statistics (updated every 8 seconds by default)
# tail -f /var/log/suricata/stats.log
The more detailed EVE JSON output can be followed with the following command
# tail -f /var/log/suricata/eve.json
3. Suricata Testing
①Run a test request with the curl utility
# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
②Check the alert log to see if it has been logged
# cat /var/log/suricata/fast.log
06/18/2024-13:58:06.914107  [**] [1:2013028:7] ET INFO curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:48852 -> 18.65.159.60:80
06/18/2024-13:58:06.919629  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.60:80 -> 192.168.11.83:48852
4. Setting Suricata Rules
①Display the installed rule set files
# ls -al /var/lib/suricata/rules/
total 28076
drwxr-x--- 1 root root       70 Jun 18 13:45 .
drwxr-xr-x 1 root root       22 Jun 18 13:25 ..
-rw-r--r-- 1 root root     3228 Jun 18 13:45 classification.config
-rw-r--r-- 1 root root 28743365 Jun 18 13:45 suricata.rules
②List the index of sources providing rule sets
# suricata-update list-sources
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
③Enable a source (example: enabling et/open)
# suricata-update enable-source et/open
18/6/2024 -- 14:10:51 - <Info> -- Using data-directory /var/lib/suricata.
18/6/2024 -- 14:10:51 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
18/6/2024 -- 14:10:51 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
18/6/2024 -- 14:10:51 - <Info> -- Found Suricata version 7.0.3 at /usr/bin/suricata.
18/6/2024 -- 14:10:51 - <Warning> -- Source index does not exist, will use bundled one.
18/6/2024 -- 14:10:51 - <Warning> -- Please run suricata-update update-sources.
18/6/2024 -- 14:10:51 - <Info> -- Creating directory /var/lib/suricata/update/sources
18/6/2024 -- 14:10:51 - <Info> -- Source et/open enabled
Run the update
# suricata-update
Restart the Suricata service
# systemctl restart suricata
5. Creating Suricata Custom Rules
①Create a file containing custom rules
# vi /etc/suricata/rules/local.rules
Add the following rule
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
②Edit configuration file (define new rule paths)
# vi /etc/suricata/suricata.yaml
# Added around line 2154
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
③Test the configuration file
# suricata -T -c /etc/suricata/suricata.yaml -v
Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 2 rule files processed. 38318 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 38321 signatures processed. 1100 are IP-only rules, 4124 are inspecting packet payload, 32885 inspect application layer, 108 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.
Restart the Suricata service
# systemctl restart suricata
④Test that the custom rule is applied
Ping another device on the same local network to see if it was logged
# cat /var/log/suricata/fast.log
06/18/2024-14:15:29.306604  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0
06/18/2024-14:15:29.306726  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0
To filter and pretty-print the JSON alert log (eve.json), install jq on your system
# zypper -n install jq
# systemctl restart suricata
Run the following command, then ping another device on the same local network from a second terminal
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
When ping is executed, the following is displayed in the console
{
  "timestamp": "2024-06-18T14:21:07.491690+0900",
  "flow_id": 985896519045199,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "192.168.11.22",
  "src_port": 0,
  "dest_ip": "192.168.11.83",
  "dest_port": 0,
  "proto": "ICMP",
  "icmp_type": 8,
  "icmp_code": 0,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "ICMP Ping",
    "category": "",
    "severity": 3
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 74,
    "bytes_toclient": 0,
    "start": "2024-06-18T14:21:07.491690+0900",
    "src_ip": "192.168.11.22",
    "dest_ip": "192.168.11.83"
  }
}
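As an added example (not part of the original guide and not Suricata's own code), the same alert filtering done in Python instead of jq, extended into a summary by signature and by alert action. The EVE records below are constructed to mirror the eve.json output above; the "allowed" versus "blocked" split is how the log distinguishes alerts that were only logged from traffic the engine dropped in IPS mode.

```python
"""Filter Suricata EVE JSON for alert events, as the jq one-liner above does,
and summarise them by signature, action and severity."""
import json
from collections import Counter

# Constructed sample of EVE records as Suricata writes them to eve.json, one
# JSON object per line. The first alert mirrors the ICMP Ping record above, the
# second the curl alert from the Suricata test; the flow and stats records stand
# in for the other event types eve.json also carries.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2024-06-18T14:21:07.491690+0900", "event_type": "alert", '
    '"src_ip": "192.168.11.22", "dest_ip": "192.168.11.83", "proto": "ICMP", '
    '"alert": {"action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, '
    '"signature": "ICMP Ping", "category": "", "severity": 3}, "direction": "to_server"}',
    '{"timestamp": "2024-06-18T14:21:08.000000+0900", "event_type": "flow", '
    '"src_ip": "192.168.11.22", "dest_ip": "192.168.11.83", "proto": "ICMP"}',
    '{"timestamp": "2024-06-18T14:21:08.500000+0900", "event_type": "alert", '
    '"src_ip": "192.168.11.83", "dest_ip": "18.65.159.60", "src_port": 48852, '
    '"dest_port": 80, "proto": "TCP", "alert": {"action": "allowed", "gid": 1, '
    '"signature_id": 2013028, "rev": 7, "signature": "ET INFO curl User-Agent Outbound", '
    '"category": "Attempted Information Leak", "severity": 2}, "direction": "to_server"}',
    '{"timestamp": "2024-06-18T14:21:15.000000+0900", "event_type": "stats"}',
    'this line is not JSON and must not abort processing',
]


def iter_alerts(lines):
    """Yield the parsed records whose event_type is "alert". Other event types
    are skipped, as are lines that are not valid JSON (a half-written line at
    the tail of a live log is the usual case)."""
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") == "alert":
            yield record


def summarise(lines):
    """Return (count by (gid, sid, signature), count by action). Suricata sets
    action to "allowed" for a logged alert and "blocked" when it dropped the
    packet, so the second counter shows whether the engine acted as IDS or IPS."""
    by_sig = Counter()
    by_action = Counter()
    for rec in iter_alerts(lines):
        alert = rec["alert"]
        by_sig[(alert["gid"], alert["signature_id"], alert["signature"])] += 1
        by_action[alert["action"]] += 1
    return by_sig, by_action


def high_severity(lines, max_severity=2):
    """Return alerts whose severity is max_severity or lower (1 is most severe)."""
    return [rec for rec in iter_alerts(lines) if rec["alert"]["severity"] <= max_severity]


if __name__ == "__main__":
    import sys
    # With no piped input the constructed sample is used; otherwise read stdin,
    # e.g.  tail -f /var/log/suricata/eve.json | python3 eve_alerts.py
    lines = SAMPLE_EVE_LINES if sys.stdin.isatty() else list(sys.stdin)
    sigs, actions = summarise(lines)
    for (gid, sid, name), n in sigs.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {name}")
    print("actions:", dict(actions))
    for rec in high_severity(lines):
        print("severity", rec["alert"]["severity"], rec["src_ip"], "->",
              rec["dest_ip"], rec["alert"]["signature"])
```

Because iter_alerts accepts any iterable of lines, the same functions work on a file object, on sys.stdin fed by tail -f, or on the constructed list used here.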
SNORT2
Snort is a network-based IDS (Intrusion Detection System). It captures packets flowing over a network and detects suspicious packets.
Snort is built from the source tarball downloaded directly from https://snort.org/.
1.1 Advance preparation
Install required libraries
# zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel
1.2 SNORT & DAQ Download and Install
①DAQ download and install
Create a working directory and download the archive into it
# mkdir /root/snort_src
# cd /root/snort_src
# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar xvzf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install
②LuaJIT install
# cd ../
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install
③Create a fake release file
# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT
④SNORT Install
If you do not use OpenAppID (the Lua-based application detection interface), pass the option "--disable-open-appid" to ./configure
# cd /root/snort_src/
# wget https://snort.org/downloads/snort/snort-2.9.20.tar.gz
# tar xvzf snort-2.9.20.tar.gz
# cd snort-2.9.20/
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
Create a symbolic link so that "/usr/sbin/snort" points to the installed binary "/usr/local/bin/snort"
# ln -s /usr/local/bin/snort /usr/sbin/snort
1.3 User and Group Creation
# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
1.4 Directory and file creation, permissions
# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules

# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules

# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create white_list.rules, black_list.rules and local.rules
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Copy all "*.conf" and "*.map" files from the Snort source tree to Snort's system directory. Note that the later steps in this guide edit and validate snort.conf at /etc/snort/rules/snort.conf, so the path you pass to "snort -c" must match where your snort.conf actually lives.
# cp ~/snort_src/snort-2.9.20/etc/*.conf* /etc/snort
# cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort
1.5 Download Rules
①Download Community Rules.
Return to the root directory, download and extract the community rules, then copy them to the rules directory with "cp" as done above
# cd ../
# wget https://www.snort.org/rules/community -O ~/community.tar.gz
# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
Use the "sed" command to comment out unnecessary lines in "snort.conf".
If you are not installing any rules other than the community rules, this command comments out the remaining include lines
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/rules/snort.conf
②Retrieve registered user rules
Once registered on the Snort website, you can download registered user rules using an Oink code; the Oink code is located in your Snort user account details.
Replace <oink-code> in the following command with your personal code. The URL is quoted so that the shell does not treat the angle brackets and "?" as redirection and globbing characters.
# wget "https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code>" -O ~/registered.tar.gz
Once the download is complete, extract the rules to the configuration directory
# tar -xvf ~/registered.tar.gz -C /etc/snort
1.6 Edit Snort configuration file
# vi /etc/snort/rules/snort.conf
●Line 45
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24    ← this server's network
●Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
●Lines 104-106 : Comment out and add the lines below
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
●Lines 111-112 : Comment out and add the lines below
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
●Around line 246 : confirm the path
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
●Around line 249 : confirm the path
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
●Around line 252 : confirm the path
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
●Around line 518 : add
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
output alert_unified2: filename alert.log, limit 128
●Around line 542 : uncomment and add community.rules below it
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
1.7 Check settings
①Check configuration files
# snort -T -c /etc/snort/rules/snort.conf
If all is well, you will see something like this
MaxRss at the end of detection rules:62820
--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20 GRE (Build 82) x86_64
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version: 8.45 2021-06-15
           Using ZLIB version: 1.2.13

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
           Preprocessor Object: appid  Version 1.1  <Build 5>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
Total snort Fixed Memory Cost - MaxRss:65480

Snort successfully validated the configuration!
Snort exiting
ERROR: /etc/snort/rules/classification.config(0) Unable to open rules file "/etc/snort/rules/classification.config": No such file or directory.
If you get an error like the one above, copy the missing files as follows
# cp /root/snort_src/snort-2.9.20/etc/classification.config /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/reference.config /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/threshold.conf /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/unicode.map /etc/snort/rules/
If an "invalid" error is reported instead, edit the configuration as follows
# vi /etc/snort/rules/snort.conf
Change lines 325-326 as follows
#decompress_swf {deflate lzma} \
decompress_swf {deflate} \
decompress_pdf {deflate}
②Preparation for Operational Tests
Open "local.rules" and add the following test rule
# vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
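The local.rules files created in this guide, the Suricata one in section 5 (sid:1) and the Snort one just above (sid:10000001), are only checked when suricata -T or snort -T loads them. The following added example, which is not part of the guide and not code from the Suricata or Snort projects, lints such a file first: it checks the rule header shape and that every rule carries msg, rev and a unique numeric sid, and flags sids below 1,000,000, which the Snort documentation reserves for the rules Snort ships and tells local rules to stay above (the guide's Suricata rule with sid:1 is flagged for exactly this reason). The rule text is constructed; the header pattern assumes address and port lists contain no spaces.

```python
"""Lint a local.rules file (Suricata or Snort 2 rule syntax) before loading it
with suricata -T or snort -T: check the header shape and the sid/rev/msg options."""
import re
import sys

# Constructed local.rules content. The first two rules are the ones this guide
# adds for Suricata and for Snort; the remaining two exercise the checks.
SAMPLE_RULES = """\
# local rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP outbound"; content:"GET"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"no sid here"; rev:1;)
"""

# Rule header: action proto src sport direction dst dport (options)
# Assumes address and port lists contain no spaces, e.g. [10.0.0.0/8,192.168.0.0/16].
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|rejectsrc|rejectdst|rejectboth|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Snort's documentation reserves sids below 1,000,000 for the rules it ships and
# tells local rules to use 1,000,000 and above, so they never collide with
# vendor rule sets such as the ET and GPL rules loaded earlier in this guide.
LOCAL_SID_MIN = 1_000_000


def split_options(opts):
    """Split the option body on semicolons that are outside double quotes and
    return {keyword: value}; a keyword without a value maps to ""."""
    items, buf, quoted, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    parsed = {}
    for item in items:
        if item:
            key, _, val = item.partition(":")
            parsed[key.strip()] = val.strip()
    return parsed


def lint_rules(text):
    """Return a list of (line_number, problem); an empty list means the file passed."""
    problems = []
    seen_sids = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((lineno, "unparseable rule header"))
            continue
        opts = split_options(m.group("opts"))
        if "msg" not in opts:
            problems.append((lineno, "missing msg"))
        if "rev" not in opts:
            problems.append((lineno, "missing rev"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            problems.append((lineno, "missing or non-numeric sid"))
            continue
        sid = int(sid)
        if sid < LOCAL_SID_MIN:
            problems.append((lineno, f"sid {sid} is in the range reserved for vendor rules; use >= {LOCAL_SID_MIN}"))
        if sid in seen_sids:
            problems.append((lineno, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
        else:
            seen_sids[sid] = lineno
    return problems


if __name__ == "__main__":
    # Usage: python3 lint_rules.py /etc/snort/rules/local.rules  (no argument: lint the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, problem in lint_rules(text):
        print(f"line {lineno}: {problem}")
```

Run it against the sample and it reports the low sid on line 2, the duplicate sid on line 4 and the missing sid on line 5; the Snort rule on line 3 passes. The split is quote-aware so that a semicolon inside a quoted value such as pcre:"/x;y/" is not taken as an option separator.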
③Test Snort in a terminal
Check the network interface first with the "ip addr" command and start Snort in a console or terminal
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/rules/snort.conf
When pinging this server from a PC in the same network, the following is displayed in the server's console
Commencing packet processing (pid=57859)
06/18-17:02:26.045953  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:26.045953  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:26.046153  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/18-17:02:27.059576  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:27.059576  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:27.059684  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/18-17:02:27.059810  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/18-17:02:28.075608  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:28.075608  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:28.075671  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/18-17:02:28.075735  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/18-17:02:29.085330  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:29.085330  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/18-17:02:29.085452  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/18-17:02:29.085601  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
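The Suricata fast.log lines in section 3 of the Suricata part and the Snort console alerts above share one alert line format; they differ only in whether the timestamp carries a year (Snort omits it by default) and whether a Classification field is present. The following added example, which is not from the original guide and not code from the Suricata or Snort projects, parses both forms into structured records, tags each alert inbound, outbound or internal against the HOME_NET 192.168.11.0/24 configured above, and tallies them by signature. The sample alert lines are copied from the outputs shown in this guide, with one constructed non-alert line added for contrast; IPv4 addresses are assumed.

```python
"""Parse Suricata fast.log and Snort console alert lines into structured
records, tag their direction relative to HOME_NET, and tally by signature."""
import ipaddress
import re
from collections import Counter

# Alert lines copied from the Suricata fast.log and Snort console output shown
# in this guide; the last entry is a constructed non-alert line for contrast.
SAMPLE_LINES = [
    "06/18/2024-13:58:06.914107  [**] [1:2013028:7] ET INFO curl User-Agent Outbound [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:48852 -> 18.65.159.60:80",
    "06/18/2024-13:58:06.919629  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.60:80 -> 192.168.11.83:48852",
    "06/18/2024-14:15:29.306604  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] "
    "{ICMP} 192.168.11.22:8 -> 192.168.11.83:0",
    "06/18-17:02:26.045953  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83",
    "Commencing packet processing (pid=57859)",
]

# One pattern covers both tools: Snort's default timestamp has no year, its
# console output omits Classification when the rule sets none, and ports are
# absent for protocols without them.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for an alert line, or None for anything else (banner
    lines, blank lines, a truncated tail)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    cls = m.group("cls")
    if cls == "(null)":  # Suricata prints this when the rule has no classtype
        cls = None
    return {
        "timestamp": m.group("ts"),
        "has_year": m.group("ts").count("/") == 2,
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": cls,
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "src_port": int(m.group("sport")) if m.group("sport") is not None else None,
        "dst": m.group("dst"),
        "dst_port": int(m.group("dport")) if m.group("dport") is not None else None,
    }


def direction(rec, home_net):
    """Classify an alert as inbound, outbound, internal or external relative
    to HOME_NET; the alert text alone does not say which side is yours."""
    net = ipaddress.ip_network(home_net)
    src_home = ipaddress.ip_address(rec["src"]) in net
    dst_home = ipaddress.ip_address(rec["dst"]) in net
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def summarise(lines, home_net="192.168.11.0/24"):
    """Return (count by (gid, sid, msg, direction), list of non-alert lines)."""
    counts = Counter()
    unparsed = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                unparsed.append(line.strip())
            continue
        counts[(rec["gid"], rec["sid"], rec["msg"], direction(rec, home_net))] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = summarise(SAMPLE_LINES)
    for (gid, sid, msg, direc), n in counts.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {direc:<8} {msg}")
    print("non-alert lines:", len(unparsed))
```

On the sample the curl User-Agent alert is tagged outbound and the "id check returned root" response inbound, which is the distinction a triage queue wants first; the two ICMP test alerts are internal.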
1.8 Check log files
# ls -l /var/log/snort/
total 4
-rw------- 1 snort snort 1374 Jun 18 17:02 snort.log.1718697719
1.9 Creation of "snort.service"
# vi /usr/lib/systemd/system/snort.service
The file should have the following contents; adjust the network interface "eth0" to your environment
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

[Install]
WantedBy=multi-user.target
Finally, reload systemd, start the Snort service and check its status
# systemctl daemon-reload
# systemctl start snort
# systemctl status snort
● snort.service - Snort NIDS Daemon
     Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-06-18 17:04:41 JST; 7s ago
   Main PID: 57903 (snort)
      Tasks: 2 (limit: 4587)
        CPU: 142ms
     CGroup: /system.slice/snort.service
             └─57903 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

Jun 18 17:04:41 Lepard systemd[1]: Started Snort NIDS Daemon.