OracleLinux8.10 ; SNORT3 Install

SNORT3

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform “protocol analysis,” “content search,” and “matching,” and can be used to detect various attacks such as “buffer overflows,” “stealth port scans,” “CGI attacks,” “SMB probes,” “OS fingerprinting attempts,” “semantic URL attacks,” and “server message block probes.”

1. Advance preparation

① Add the CodeReady repository and install the required software

Install the required build tools and libraries

② Install DAQ
Create a working directory and change into it before proceeding

③ Install Tcmalloc

2. Download, compile, and install Snort

Please change the version in the download URL to the latest release.

Update the shared library cache

Version check

3. Network interface settings

Set the network interface to promiscuous mode so that the network device captures and inspects all packets on the segment, not only those addressed to it.

Check the settings

Disabling interface offloading
First check whether offloading is enabled on the interface

Turn LRO and GRO offloading off

Create and enable a systemd service unit so that these changes are reapplied automatically and persist after a system reboot

Reload the systemd daemon to apply the changes

4. Add the Snort Community Ruleset

Create the Snort rules directory

Download the community ruleset from the Snort website and place it in the rules directory created above

Check the contents of the configuration folder

5. Edit the Snort main configuration file

Install the OpenAppID extension
Download and install Snort OpenAppID from the Snort 3 download page
Please change the version in the download URL to the latest release.

Edit the Snort 3 configuration file (snort.lua) to define the location of the OpenAppID library

Create the Snort log directory

Check the configuration file

The configuration is OK if the check produces the following result

6. Create custom local rules

7. Verification of settings

Use the -T option to enable test mode and validate the configuration

Next, run the test by executing the following command

When this server is pinged from another PC on the same local network, an alert line is written to this server's console as shown below.

Settings for writing alerts to log files

Perform a syntax check

Now, instead of "-A alert_fast", add the option "-l /var/log/snort", which specifies the log directory

When I run ping from another PC and check the log directory, an alert_fast.txt file has been created

Include the local rules in snort.lua
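As an added example (not code from the original page or from the Snort project), the snort.lua edits described in steps 5 through 7 gathered in one fragment; the rules path, the OpenAppID install prefix and the local.rules content are assumptions for this example and should be adjusted to match your installation.

```lua
-- Added example, not the original page's code. Paths are assumptions:
-- change them to where you placed the rules and unpacked OpenAppID.

-- Assumed location of the rules directory created in step 4.
RULE_PATH = '/usr/local/etc/rules'

-- Step 5: tell the appid inspector where the OpenAppID detector package
-- (the odp directory) was installed. Assumed prefix.
appid =
{
    app_detector_dir = '/usr/local/lib',
}

-- Step 6: load the built-in rules plus the custom local rules.
-- Example content of local.rules (constructed for this example), which
-- produces the ICMP alert seen in step 7 when the server is pinged:
--   alert icmp any any -> $HOME_NET any (msg:"ICMP traffic detected"; sid:10000001; rev:1;)
-- The community ruleset file can be passed separately with the -R option.
ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. '/local.rules',
    variables = default_variables,  -- defined in snort_defaults.lua
}

-- Step 7: write alerts to alert_fast.txt in the directory given by
-- -l (for example -l /var/log/snort) rather than only to the console.
alert_fast =
{
    file = true,
    packet = false,
}
```

Validate the result with snort -c snort.lua -T before starting the service, as described in step 7.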

8. Create a user for the Snort service

Create a non-login system user account for Snort

9. Create a systemd service unit for Snort

Reload systemd so that it picks up the new Snort service unit.

Set the ownership and permissions of the log directory

Enable the Snort service so that it starts at system boot

Status check
