Suricata
Suricata is an open source IDS/IPS that monitors network traffic and detects suspicious communications.
Its basic detection mechanism is signature-based, so it detects predefined patterns of unauthorized communication. Suricata is also characterized by its ability to provide protection (blocking) as well as detection.
1. Advance preparation
①Activate the EPEL Repository
    # dnf -y install epel-release
②System updates
    # dnf update -y
2. Suricata Installation and Configuration
    # dnf install suricata
Check the version:
    # suricata -V
    This is Suricata version 6.0.9 RELEASE
Check the name of the interface Suricata will monitor:
    # ip --brief add
    lo               UNKNOWN        127.0.0.1/8 ::1/128
    ens160           UP             192.168.11.83/24 fe80::20c:29ff:fe8a:bc1f/64
③Edit the configuration files
    # vi /etc/suricata/suricata.yaml
    # Line 15 : In the "vars" section, define the network
    HOME_NET: "[192.168.11.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

    # Line 589 : Set interface name in "af-packet" section
    af-packet:
      - interface: ens160
    # vi /etc/sysconfig/suricata
    # Line 8 : Specify interface
    # Add options to be passed to the daemon
    OPTIONS="-i ens160 --user suricata "
④Suricata rules update
    # suricata-update
<Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
A warning like the one above appears, but it is harmless for this setup, so proceed as you are.
⑤Activate Suricata
    # systemctl enable --now suricata
    Created symlink /etc/systemd/system/multi-user.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.
⑥Confirm Suricata startup
    # systemctl status suricata
    ● suricata.service - Suricata Intrusion Detection Service
         Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
         Active: active (running) since Sun 2023-01-01 22:49:08 JST; 11s ago
           Docs: man:suricata(1)
        Process: 4747 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
       Main PID: 4748 (Suricata-Main)
          Tasks: 1 (limit: 21862)
         Memory: 363.7M
            CPU: 10.188s
         CGroup: /system.slice/suricata.service
                 └─4748 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata

    Jan 01 22:49:08 Lepard systemd[1]: Starting Suricata Intrusion Detection Service...
    Jan 01 22:49:08 Lepard systemd[1]: Started Suricata Intrusion Detection Service.
    Jan 01 22:49:08 Lepard suricata[4748]: 1/1/2023 -- 22:49:08 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
Check the log
    # tail /var/log/suricata/suricata.log
    1/1/2023 -- 22:49:08 - <Info> - stats output device (regular) initialized: stats.log
    1/1/2023 -- 22:49:08 - <Info> - Running in live mode, activating unix socket
    1/1/2023 -- 22:49:17 - <Info> - 1 rule files processed. 32335 rules successfully loaded, 0 rules failed
    1/1/2023 -- 22:49:17 - <Info> - Threshold config parsed: 0 rule(s) found
    1/1/2023 -- 22:49:18 - <Info> - 32338 signatures processed. 1306 are IP-only rules, 5156 are inspecting packet payload, 25673 inspect application layer, 108 are decoder event only
    1/1/2023 -- 22:49:41 - <Info> - Going to use 2 thread(s)
    1/1/2023 -- 22:49:41 - <Info> - Running in live mode, activating unix socket
    1/1/2023 -- 22:49:41 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
    1/1/2023 -- 22:49:41 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
    1/1/2023 -- 22:49:42 - <Info> - All AFP capture threads are running.
Check the stats.log file for statistics (updated every 8 seconds by default):
    # tail -f /var/log/suricata/stats.log
The richer EVE JSON output (one JSON object per event) is written to eve.json and can be followed with:
    # tail -f /var/log/suricata/eve.json
3. Suricata Testing
①Run a detection test with the curl utility
The page at testmynids.org returns the string below, which matches the ET Open rule "GPL ATTACK_RESPONSE id check returned root", so fetching it is a safe way to confirm that alerts are being generated.
    # curl http://testmynids.org/uid/index.html
    uid=0(root) gid=0(root) groups=0(root)
②Check the alert log to see if it has been logged
    # cat /var/log/suricata/fast.log
    01/01/2023-22:53:03.647097  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.170:7602
    01/01/2023-22:53:06.798384  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.150:58408
    01/01/2023-22:53:07.256392  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 141.98.11.112:12464
4. Setting Suricata Rules
①Display of rule sets packaged in Suricata
    # ls -al /var/lib/suricata/rules/
    total 22416
    drwxr-s---  2 root     suricata       57 Jan  1 22:48 .
    drwxrws---  4 suricata suricata       33 Jan  1 22:48 ..
    -rw-r--r--  1 root     suricata     3228 Jan  1 22:48 classification.config
    -rw-r--r--  1 root     suricata 22948278 Jan  1 22:48 suricata.rules
②Index list of sources providing rule sets
    # suricata-update list-sources
    Name: et/open
      Vendor: Proofpoint
      Summary: Emerging Threats Open Ruleset
      License: MIT

    Name: et/pro
      Vendor: Proofpoint
      Summary: Emerging Threats Pro Ruleset
      License: Commercial
      Replaces: et/open
      Parameters: secret-code
      Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

    Name: oisf/trafficid
      Vendor: OISF
      Summary: Suricata Traffic ID ruleset
      License: MIT

    Name: scwx/enhanced
      Vendor: Secureworks
      Summary: Secureworks suricata-enhanced ruleset
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

    Name: scwx/malware
      Vendor: Secureworks
      Summary: Secureworks suricata-malware ruleset
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

    Name: scwx/security
      Vendor: Secureworks
      Summary: Secureworks suricata-security ruleset
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

    Name: sslbl/ssl-fp-blacklist
      Vendor: Abuse.ch
      Summary: Abuse.ch SSL Blacklist
      License: Non-Commercial

    Name: sslbl/ja3-fingerprints
      Vendor: Abuse.ch
      Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
      License: Non-Commercial

    Name: etnetera/aggressive
      Vendor: Etnetera a.s.
      Summary: Etnetera aggressive IP blacklist
      License: MIT

    Name: tgreen/hunting
      Vendor: tgreen
      Summary: Threat hunting rules
      License: GPLv3

    Name: malsilo/win-malware
      Vendor: malsilo
      Summary: Commodity malware rules
      License: MIT

    Name: stamus/lateral
      Vendor: Stamus Networks
      Summary: Lateral movement rules
      License: GPL-3.0-only
③Enable a source (example: enabling et/open)
    # suricata-update enable-source et/open
    1/1/2023 -- 22:56:55 - <Info> -- Using data-directory /var/lib/suricata.
    1/1/2023 -- 22:56:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
    1/1/2023 -- 22:56:55 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
    1/1/2023 -- 22:56:55 - <Info> -- Found Suricata version 6.0.9 at /usr/sbin/suricata.
    1/1/2023 -- 22:56:55 - <Info> -- Creating directory /var/lib/suricata/update/sources
    1/1/2023 -- 22:56:55 - <Info> -- Source et/open enabled
Run the update:
    # suricata-update
Restart the Suricata service:
    # systemctl restart suricata
5. Creating Suricata Custom Rules
①Create a file containing the custom rules
    # vi /etc/suricata/rules/local.rules
Include the following rule:
    alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
②Edit configuration file (define new rule paths)
    # vi /etc/suricata/suricata.yaml
    # Added around line 1924
    default-rule-path: /var/lib/suricata/rules

    rule-files:
      - suricata.rules
      - /etc/suricata/rules/local.rules
③Testing the configuration file
    # suricata -T -c /etc/suricata/suricata.yaml -v
    1/1/2023 -- 23:00:59 - <Info> - fast output device (regular) initialized: fast.log
    1/1/2023 -- 23:00:59 - <Info> - eve-log output device (regular) initialized: eve.json
    1/1/2023 -- 23:00:59 - <Info> - stats output device (regular) initialized: stats.log
    1/1/2023 -- 23:01:14 - <Info> - 2 rule files processed. 32336 rules successfully loaded, 0 rules failed
    1/1/2023 -- 23:01:14 - <Info> - Threshold config parsed: 0 rule(s) found
    1/1/2023 -- 23:01:14 - <Info> - 32339 signatures processed. 1307 are IP-only rules, 5156 are inspecting packet payload, 25673 inspect application layer, 108 are decoder event only
    1/1/2023 -- 23:01:37 - <Notice> - Configuration provided was successfully loaded. Exiting.
    1/1/2023 -- 23:01:37 - <Info> - cleaning up signature grouping structure... complete
Restart the Suricata service:
    # systemctl restart suricata
④Testing the application of Custom Rules
Ping another device on the same local network to see if it was logged:
    # cat /var/log/suricata/fast.log
    01/01/2023-23:02:23.652970  [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 141.98.11.112:30494
To read the JSON logs conveniently, install jq on your system:
    # dnf install jq
    # systemctl restart suricata
Run the following command, then ping another device on the same local network:
    # tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
When the ping is executed, the following is displayed in the console:
    {
      "timestamp": "2023-01-01T23:09:56.616836+0900",
      "flow_id": 2024169032792528,
      "in_iface": "ens160",
      "event_type": "alert",
      "src_ip": "192.168.11.83",
      "src_port": 25,
      "dest_ip": "141.98.11.112",
      "dest_port": 47652,
      "proto": "TCP",
      "metadata": {
        "flowints": {
          "applayer.anomaly.count": 1,
          "smtp.anomaly.count": 1
        }
      },
      "tx_id": 1,
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 2220000,
        "rev": 1,
        "signature": "SURICATA SMTP invalid reply",
        "category": "Generic Protocol Command Decode",
        "severity": 3
      },
      "smtp": {
        "helo": "User"
      },
      "app_proto": "smtp",
      "app_proto_tc": "failed",
      "flow": {
        "pkts_toserver": 12,
        "pkts_toclient": 12,
        "bytes_toserver": 875,
        "bytes_toclient": 1129,
        "start": "2023-01-01T23:09:46.080336+0900"
      }
    }
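As an added example (not code from the original page or from the Suricata project), the following Python script reads both alert formats shown in this section, the one-line fast.log format and EVE JSON, normalises them into one record shape, and summarises alerts per signature and per severity, which is the first view an analyst wants once a new sensor starts alerting. The sample input is constructed for the example: the fast.log lines reuse alerts from this page plus one Snort-style `-A console` line (same layout, without the Classification field), and the EVE lines include a non-alert flow event and a truncated line to show that both are skipped rather than crashing the reader.

```python
import json
import re
from collections import Counter

# Constructed sample in the fast.log format. Snort's alert_fast / -A console
# output uses the same layout, minus the Classification field (and ports for ICMP).
FAST_LOG = """\
01/01/2023-22:53:03.647097  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 46.148.40.170:7602
01/01/2023-23:02:23.652970  [**] [1:2220000:1] SURICATA SMTP invalid reply [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.83:25 -> 141.98.11.112:30494
01/02-15:32:34.627672  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
"""

# Constructed EVE JSON lines: an SMTP alert, a non-alert flow event, an alert
# from the page's custom "ICMP Ping" rule, and a truncated (malformed) line.
EVE_JSON = "\n".join([
    json.dumps({"timestamp": "2023-01-01T23:09:56.616836+0900", "event_type": "alert",
                "src_ip": "192.168.11.83", "src_port": 25, "dest_ip": "141.98.11.112",
                "dest_port": 47652, "proto": "TCP",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 2220000, "rev": 1,
                          "signature": "SURICATA SMTP invalid reply",
                          "category": "Generic Protocol Command Decode", "severity": 3}}),
    json.dumps({"timestamp": "2023-01-01T23:10:01.000000+0900", "event_type": "flow",
                "src_ip": "192.168.11.22", "dest_ip": "192.168.11.83", "proto": "ICMP"}),
    json.dumps({"timestamp": "2023-01-01T23:10:05.000000+0900", "event_type": "alert",
                "src_ip": "192.168.11.22", "dest_ip": "192.168.11.83", "proto": "ICMP",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 1, "rev": 1,
                          "signature": "ICMP Ping", "category": "", "severity": 3}}),
    '{"timestamp": "2023-01-01T23:10:07',
])

# One regex for the fast.log line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, and the src -> dst endpoints.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<category>[^\]]*)\]\s+)?'
    r'\[Priority:\s+(?P<severity>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)


def parse_fast_line(line):
    """Parse one fast.log / alert_fast line into a normalised alert dict, or None."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "sid": int(m["sid"]), "msg": m["msg"],
            "category": m["category"] or "", "severity": int(m["severity"]),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def parse_eve_alert(line):
    """Parse one EVE JSON line into the same dict shape; None for non-alert
    events and for malformed lines (a partially written line at the tail)."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    return {"ts": ev["timestamp"], "sid": a["signature_id"], "msg": a["signature"],
            "category": a.get("category", ""), "severity": a["severity"],
            "proto": ev["proto"], "src": ev["src_ip"], "dst": ev["dest_ip"]}


def load_alerts(fast_text, eve_text):
    """Normalise alerts from both formats into one list, dropping non-alerts."""
    alerts = [parse_fast_line(l) for l in fast_text.splitlines()]
    alerts += [parse_eve_alert(l) for l in eve_text.splitlines()]
    return [a for a in alerts if a]


def summarize(alerts):
    """Count alerts per (sid, signature) and per severity (1 = most severe)."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_sev = Counter(a["severity"] for a in alerts)
    return by_sig, by_sev


if __name__ == "__main__":
    by_sig, by_sev = summarize(load_alerts(FAST_LOG, EVE_JSON))
    for (sid, msg), n in by_sig.most_common():
        print(f"{n:4d}  sid {sid:<9} {msg}")
    print("by severity:", dict(sorted(by_sev.items())))
```

On a live sensor the two sample strings would be replaced by the contents of /var/log/suricata/fast.log and eve.json; the EVE path is the one to build on, since each line carries the full flow, protocol and metadata context that the fast format drops.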
SNORT
Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.
It performs protocol analysis, content searching and matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB (Server Message Block) probes, OS fingerprinting attempts and semantic URL attacks.
1. Advance preparation
①Install the necessary software
    # dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
    # mkdir /var/src
Build and install the DAQ library:
    # cd /var/src
    # wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
    # tar zxvf daq-2.0.7.tar.gz
    # cd daq-2.0.7
    # autoreconf -f -i
    # ./configure
    # make
    # make install
Build and install LuaJIT:
    # cd /var/src
    # wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
    # tar -zxvf LuaJIT-2.0.5.tar.gz
    # cd LuaJIT-2.0.5
    # make
    # make install
Create a temporary /etc/fedora-release file so that Snort's configure script treats the system as Fedora (needed for the build on this platform); it is removed again after installation.
    # /bin/cat << EOT >/etc/fedora-release
    Fedora release 28 (Rawhide)
    EOT
2. Snort Download, Compile, Install
    # cd /var/src
    # wget https://www.snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz
    # tar -zxvf snort-2.9.18.1.tar.gz
    # cd snort-2.9.18.1
    # ./configure --enable-sourcefire
    # make
    # make install
    # ldconfig
    # ln -s /usr/local/bin/snort /usr/sbin/snort
Remove the temporary release file:
    # rm /etc/fedora-release
3. Create groups and users, necessary directories and files
    # groupadd snort
    # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Create the directories and set their ownership:
    # mkdir /etc/snort
    # mkdir -p /etc/snort/rules
    # mkdir /var/log/snort
    # mkdir /usr/local/lib/snort_dynamicrules
    # mkdir /etc/snort/preproc_rules
    # chmod -R 5775 /etc/snort
    # chmod -R 5775 /var/log/snort
    # chmod -R 5775 /usr/local/lib/snort_dynamicrules
    # chown -R snort:snort /etc/snort
    # chown -R snort:snort /var/log/snort
    # chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create the following files:
    # touch /etc/snort/rules/white_list.rules
    # touch /etc/snort/rules/black_list.rules
    # touch /etc/snort/rules/local.rules
Copy the configuration and map files from the source tree:
    # cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort
    # cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort
4. Use of Community Rules
①Get the Community Rules
    # wget https://www.snort.org/rules/community -O ~/community.tar.gz
    # tar -xvf ~/community.tar.gz -C ~/
    # cp ~/community-rules/* /etc/snort/rules
Use sed to comment out every "include $RULE_PATH/..." line in snort.conf; the rule files actually wanted are re-enabled individually in section 6.
    # sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
5. Retrieving Registered User Rules
Replace <oink-code> in the following command with the personal Oinkcode from your snort.org account (the URL is quoted so the shell does not interpret the placeholder or the "?" in it):
    # wget "https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code>" -O ~/registered.tar.gz
    # tar -xvf ~/registered.tar.gz -C /etc/snort
6. Network and Rule Configuration
    # vi /etc/snort/snort.conf
●Line 45
    # Setup the network addresses you are protecting
    ipvar HOME_NET 192.168.11.0/24      ← adapt to your environment
●Line 48
    # Set up the external network addresses. Leave as "any" in most situations
    ipvar EXTERNAL_NET !$HOME_NET
●Lines 104-106: comment out and add the lines below
    # Path to your rules files (this can be a relative path)
    # var RULE_PATH ../rules
    # var SO_RULE_PATH ../so_rules
    # var PREPROC_RULE_PATH ../preproc_rules
    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
●Around line 116: comment out and add the lines below
    # Set the absolute path appropriately
    #var WHITE_LIST_PATH ../rules
    #var BLACK_LIST_PATH ../rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules
●Around line 526: add
    # unified2
    # Recommended for most installs
    output unified2: filename snort.log, limit 128
●Around line 550: for custom rules to be read, the local.rules include must be uncommented
    include $RULE_PATH/local.rules
●If you are using the community rules, also add the following line immediately below the local.rules line
    include $RULE_PATH/community.rules
7. Verification of settings
    # snort -T -c /etc/snort/rules/snort.conf
    MaxRss at the end of detection rules:809420
            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.18.1 GRE (Build 1005)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.9.1 (with TPACKET_V3)
               Using PCRE version: 8.45 2021-06-15
               Using ZLIB version: 1.2.11

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
               Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
               Preprocessor Object: appid  Version 1.1  <Build 5>
               Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
               Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
               Preprocessor Object: SF_POP  Version 1.0  <Build 1>
               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>

    Total snort Fixed Memory Cost - MaxRss:809420
    Snort successfully validated the configuration!
    Snort exiting
If validation instead fails because one of the following files cannot be found (as happened in our case), copy them from the source tree into the rules directory and run the test again:
    # cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules
    # cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules
    # cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules
    # cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/
8. Configuration Testing
    # vi /etc/snort/rules/local.rules
●Add the following line at the end of the file
    alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
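The Suricata local.rules in section 5 and this Snort local.rules use the same rule syntax, so one sanity check serves both. The following Python linter is an added example, not Suricata's or Snort's own parser: it parses the header (action, protocol, endpoints, direction) and the option block of each rule, reports missing msg/sid/rev options and duplicate sids, and warns about sids below 1,000,000, the range Snort reserves for locally written rules (assumed here to be the convention for the Suricata local rules too). The sample rules file is constructed for the example and contains the two rules from this page plus deliberately defective lines; the parser handles single-line rules only.

```python
import re
from dataclasses import dataclass

# Header of a Snort/Suricata rule followed by the parenthesised option block.
RULE_HEADER = re.compile(
    r'^(?P<action>alert|drop|pass|reject|log)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*'
    r'\((?P<options>.*)\)\s*$'
)

# Snort reserves sids >= 1,000,000 for local rules; lower values risk colliding
# with rules shipped in distributed rulesets (assumed to apply to both engines here).
LOCAL_SID_MIN = 1_000_000

# Constructed local.rules used to exercise the linter.
SAMPLE_RULES = """\
# constructed sample: two rules from the page plus defective ones
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH; many attempts"; flow:to_server; sid:10000001; rev:1;)
alert tcp any any -> any 80 (msg:"no sid here";)
this is not a rule
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict


def parse_options(text):
    """Split 'msg:"a; b"; sid:1; rev:1;' into a dict, honouring quoted values."""
    opts = {}
    buf, in_quote = "", False

    def flush():
        key, _, val = buf.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')

    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
            buf = ""
        else:
            buf += ch
    flush()  # tolerate a final option without a trailing ';'
    return opts


def parse_rule(line):
    """Return a Rule for one rule line, or None if the header does not parse."""
    m = RULE_HEADER.match(line.strip())
    if not m:
        return None
    return Rule(m["action"], m["proto"], m["src"], m["src_port"], m["direction"],
                m["dst"], m["dst_port"], parse_options(m["options"]))


def lint_rules(text):
    """Parse a .rules file body; return (rules, problems) with problems as strings."""
    rules, problems, seen_sids = [], [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append(f"line {n}: unparseable rule header")
            continue
        rules.append(rule)
        for required in ("msg", "sid", "rev"):
            if required not in rule.options:
                problems.append(f"line {n}: missing {required}")
        sid = rule.options.get("sid", "")
        if sid.isdigit():
            sid = int(sid)
            if sid in seen_sids:
                problems.append(f"line {n}: duplicate sid {sid} (first used on line {seen_sids[sid]})")
            else:
                seen_sids[sid] = n
            if sid < LOCAL_SID_MIN:
                problems.append(f"line {n}: sid {sid} is below {LOCAL_SID_MIN}, the range reserved for local rules")
        elif "sid" in rule.options:
            problems.append(f"line {n}: non-numeric sid {sid!r}")
    return rules, problems


if __name__ == "__main__":
    rules, problems = lint_rules(SAMPLE_RULES)
    print(f"{len(rules)} rule(s) parsed, {len(problems)} problem(s)")
    for p in problems:
        print("  ", p)
```

Running it on a real file (read the file into `lint_rules`) before `suricata -T` or `snort -T` catches the duplicate-sid and missing-rev mistakes that the engines report less readably, while still leaving the engines' own validation as the final check.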
    # snort -A console -i ens160 -u snort -g snort -c /etc/snort/snort.conf
With Snort up and running, ping from another computer; you will see the following notification for each ICMP packet in the terminal where Snort is running:
    Commencing packet processing (pid=121496)
    01/02-15:32:34.627672  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
    01/02-15:32:34.627878  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
    01/02-15:32:35.637424  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
    01/02-15:32:35.637472  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
    01/02-15:32:36.653527  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
    01/02-15:32:36.653561  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
    01/02-15:32:37.669580  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
    01/02-15:32:37.669606  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
The unified2 log can be read back with the command below (the file name carries a timestamp suffix):
    # snort -r /var/log/snort/snort.log.<id_number>
    Running in packet dump mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    Acquiring network traffic from "/var/log/snort/snort.log.1672641139".

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.18.1 GRE (Build 1005)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.10.0 (with TPACKET_V3)
               Using PCRE version: 8.44 2020-02-12
               Using ZLIB version: 1.2.11

    Commencing packet processing (pid=121526)
    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:34.627672 192.168.11.22 -> 192.168.11.83
    ICMP TTL:128 TOS:0x0 ID:11425 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:1  ECHO
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:34.627878 192.168.11.83 -> 192.168.11.22
    ICMP TTL:64 TOS:0x0 ID:38946 IpLen:20 DgmLen:60
    Type:0  Code:0  ID:1   Seq:1  ECHO REPLY
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:35.637424 192.168.11.22 -> 192.168.11.83
    ICMP TTL:128 TOS:0x0 ID:11427 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:2  ECHO
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:35.637472 192.168.11.83 -> 192.168.11.22
    ICMP TTL:64 TOS:0x0 ID:39003 IpLen:20 DgmLen:60
    Type:0  Code:0  ID:1   Seq:2  ECHO REPLY
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:36.653527 192.168.11.22 -> 192.168.11.83
    ICMP TTL:128 TOS:0x0 ID:11429 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:3  ECHO
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:36.653561 192.168.11.83 -> 192.168.11.22
    ICMP TTL:64 TOS:0x0 ID:39201 IpLen:20 DgmLen:60
    Type:0  Code:0  ID:1   Seq:3  ECHO REPLY
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:37.669580 192.168.11.22 -> 192.168.11.83
    ICMP TTL:128 TOS:0x0 ID:11431 IpLen:20 DgmLen:60
    Type:8  Code:0  ID:1   Seq:4  ECHO
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    WARNING: No preprocessors configured for policy 0.
    01/02-15:32:37.669606 192.168.11.83 -> 192.168.11.22
    ICMP TTL:64 TOS:0x0 ID:39307 IpLen:20 DgmLen:60
    Type:0  Code:0  ID:1   Seq:4  ECHO REPLY
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    ===============================================================================
    Run time for packet processing was 0.830 seconds
    Snort processed 8 packets.
    Snort ran for 0 days 0 hours 0 minutes 0 seconds
       Pkts/sec:            8
    ===============================================================================
    Memory usage summary:
      Total non-mmapped bytes (arena):       790528
      Bytes in mapped regions (hblkhd):      22941696
      Total allocated space (uordblks):      683344
      Total free space (fordblks):           107184
      Topmost releasable block (keepcost):   105232
    ===============================================================================
    Packet I/O Totals:
       Received:            8
       Analyzed:            8 (100.000%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:            0 (  0.000%)
       Injected:            0
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
            Eth:            8 (100.000%)
           VLAN:            0 (  0.000%)
            IP4:            8 (100.000%)
           Frag:            0 (  0.000%)
           ICMP:            8 (100.000%)
            UDP:            0 (  0.000%)
            TCP:            0 (  0.000%)
            IP6:            0 (  0.000%)
        IP6 Ext:            0 (  0.000%)
       IP6 Opts:            0 (  0.000%)
          Frag6:            0 (  0.000%)
          ICMP6:            0 (  0.000%)
           UDP6:            0 (  0.000%)
           TCP6:            0 (  0.000%)
         Teredo:            0 (  0.000%)
        ICMP-IP:            0 (  0.000%)
        IP4/IP4:            0 (  0.000%)
        IP4/IP6:            0 (  0.000%)
        IP6/IP4:            0 (  0.000%)
        IP6/IP6:            0 (  0.000%)
            GRE:            0 (  0.000%)
        GRE Eth:            0 (  0.000%)
       GRE VLAN:            0 (  0.000%)
        GRE IP4:            0 (  0.000%)
        GRE IP6:            0 (  0.000%)
    GRE IP6 Ext:            0 (  0.000%)
       GRE PPTP:            0 (  0.000%)
        GRE ARP:            0 (  0.000%)
        GRE IPX:            0 (  0.000%)
       GRE Loop:            0 (  0.000%)
           MPLS:            0 (  0.000%)
            ARP:            0 (  0.000%)
            IPX:            0 (  0.000%)
       Eth Loop:            0 (  0.000%)
       Eth Disc:            0 (  0.000%)
       IP4 Disc:            0 (  0.000%)
       IP6 Disc:            0 (  0.000%)
       TCP Disc:            0 (  0.000%)
       UDP Disc:            0 (  0.000%)
      ICMP Disc:            0 (  0.000%)
    All Discard:            0 (  0.000%)
          Other:            0 (  0.000%)
    Bad Chk Sum:            0 (  0.000%)
        Bad TTL:            0 (  0.000%)
         S5 G 1:            0 (  0.000%)
         S5 G 2:            0 (  0.000%)
          Total:            8
    ===============================================================================
    Memory Statistics for File at:Mon Jan  2 15:34:04 2023
    Total buffers allocated:      0
    Total buffers freed:          0
    Total buffers released:       0
    Total file mempool:           0
    Total allocated file mempool: 0
    Total freed file mempool:     0
    Total released file mempool:  0
    Heap Statistics of file:
      Total Statistics:
          Memory in use: 0 bytes
          No of allocs:  0
          No of frees:   0
    ===============================================================================
    Snort exiting
9. Running Snort in the background
    # vi /lib/systemd/system/snort.service
    [Unit]
    Description=Snort NIDS Daemon
    After=syslog.target network.target

    [Service]
    Type=simple
    ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160

    [Install]
    WantedBy=multi-user.target
Reload systemd and start the service:
    # systemctl daemon-reload
    # systemctl start snort