Suricata
Suricata is an open source IDS/IPS that monitors traffic on the network and raises alerts on suspicious communications.
Detection is primarily signature-based: a ruleset describes known unauthorized traffic, and Suricata matches packets and decoded application-layer data against it. Run inline it can also drop matching traffic, so it provides protection (IPS) as well as detection (IDS).
1. Advance preparation
①Activate the EPEL repository

# dnf -y install epel-release
②System update

# dnf update -y
2. Suricata installation and configuration
①Install Suricata

# dnf install suricata

Check the installed version:

# suricata -V
This is Suricata version 6.0.13 RELEASE
②Determine the interface and IP address on which Suricata will inspect packets

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens160           UP             192.168.11.83/24 fe80::20c:29ff:fe8a:bc1f/64
③Edit the configuration file

# vi /etc/suricata/suricata.yaml
# Line 15 : in the "vars" section, define the network to protect
HOME_NET: "[192.168.11.0/24]"
EXTERNAL_NET: "!$HOME_NET"

# Line 589 : set the capture interface name in the "af-packet" section
af-packet:
  - interface: ens160

The variable must be spelled EXTERNAL_NET exactly: almost every downloaded rule references $EXTERNAL_NET, and rules that use an undefined variable fail to load.

Set the same interface for the systemd service:

# vi /etc/sysconfig/suricata
# Line 8 : specify the interface
# Add options to be passed to the daemon
OPTIONS="-i ens160 --user suricata "
④Update the Suricata rules

# suricata-update

Without further configuration this downloads the Emerging Threats Open (et/open) ruleset and writes it to /var/lib/suricata/rules/suricata.rules, the file the default configuration loads.
⑤Enable and start Suricata

# systemctl enable --now suricata
Created symlink /etc/systemd/system/multi-user.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.
⑥Confirm that Suricata started

# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-08-14 21:29:23 JST; 21s ago
       Docs: man:suricata(1)
    Process: 4461 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 4462 (Suricata-Main)
      Tasks: 1 (limit: 47556)
     Memory: 396.4M
        CPU: 21.453s
     CGroup: /system.slice/suricata.service
             └─4462 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata

Aug 14 21:29:23 Lepard systemd[1]: Starting Suricata Intrusion Detection Service...
Aug 14 21:29:23 Lepard systemd[1]: Started Suricata Intrusion Detection Service.
Aug 14 21:29:23 Lepard suricata[4462]: 14/8/2023 -- 21:29:23 - <Notice> - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
Check the log

# tail /var/log/suricata/suricata.log
14/8/2023 -- 21:29:23 - <Info> - stats output device (regular) initialized: stats.log
14/8/2023 -- 21:29:23 - <Info> - Running in live mode, activating unix socket
14/8/2023 -- 21:29:35 - <Info> - 1 rule files processed. 35239 rules successfully loaded, 0 rules failed
14/8/2023 -- 21:29:35 - <Info> - Threshold config parsed: 0 rule(s) found
14/8/2023 -- 21:29:35 - <Info> - 35242 signatures processed. 1343 are IP-only rules, 5252 are inspecting packet payload, 28440 inspect application layer, 108 are decoder event only
14/8/2023 -- 21:29:45 - <Info> - Going to use 4 thread(s)
14/8/2023 -- 21:29:45 - <Info> - Running in live mode, activating unix socket
14/8/2023 -- 21:29:45 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
14/8/2023 -- 21:29:45 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
14/8/2023 -- 21:29:45 - <Info> - All AFP capture threads are running.
Check the stats.log file for statistics (updated every 8 seconds by default)

# tail -f /var/log/suricata/stats.log
The richer EVE JSON output (one JSON object per line, covering alerts as well as flow and protocol records) is written to eve.json and can be followed with:

# tail -f /var/log/suricata/eve.json
3. Suricata testing
①Generate a test alert with curl
Fetch the test page from testmynids.org. The request carries curl's User-Agent and the response body imitates the output of the id command run as root; both match rules in the ET Open ruleset:

# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
②Check the alert log to confirm that both were logged

# cat /var/log/suricata/fast.log
08/14/2023-21:31:35.872812  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:53356 -> 18.65.159.120:80
08/14/2023-21:31:35.884352  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.120:80 -> 192.168.11.83:53356

The first alert fires on the outbound request (sid 2013028), the second on the server's response (sid 2100498); the [gid:sid:rev] triple identifies the rule that matched.
4. Setting Suricata rules
①Display the rule sets installed for Suricata

# ls -al /var/lib/suricata/rules/
total 25544
drwxr-s---  2 root     suricata       57 Aug 14 21:28 .
drwxrws---  4 suricata suricata       33 Aug 14 21:28 ..
-rw-r--r--  1 root     suricata     3228 Aug 14 21:28 classification.config
-rw-r--r--  1 root     suricata 26149563 Aug 14 21:28 suricata.rules
②Index of the sources that provide rule sets

# suricata-update list-sources
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
③Enable a source (here et/open)

# suricata-update enable-source et/open
14/8/2023 -- 21:33:49 - <Info> -- Using data-directory /var/lib/suricata.
14/8/2023 -- 21:33:49 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
14/8/2023 -- 21:33:49 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
14/8/2023 -- 21:33:49 - <Info> -- Found Suricata version 6.0.13 at /usr/sbin/suricata.
14/8/2023 -- 21:33:49 - <Info> -- Creating directory /var/lib/suricata/update/sources
14/8/2023 -- 21:33:49 - <Info> -- Source et/open enabled
Fetch the rules from the enabled sources:

# suricata-update

Then restart Suricata so that the new rule file is loaded:

# systemctl restart suricata

A running engine can also reload its rules without a restart through the unix socket enabled above: suricatasc -c ruleset-reload-rules.
5. Creating Suricata custom rules
①Create a file containing the custom rules

# vi /etc/suricata/rules/local.rules
Add the following line:
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)

Signature IDs below 1000000 are reserved for distributed rulesets; local rules should normally use sid:1000000 and above so they never collide with a downloaded rule. sid:1 is kept here because the alert output below was produced with it.
②Edit the configuration file (add the new rule file)

# vi /etc/suricata/suricata.yaml
# Around line 1948 : add local.rules to the existing rule-files list
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules

Relative names in rule-files are resolved against default-rule-path, so the local file is given with an absolute path.
③Test the configuration file

# suricata -T -c /etc/suricata/suricata.yaml -v
14/8/2023 -- 21:36:42 - <Info> - Running suricata under test mode
14/8/2023 -- 21:36:42 - <Notice> - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
14/8/2023 -- 21:36:42 - <Info> - CPUs/cores online: 4
14/8/2023 -- 21:36:42 - <Info> - Setting engine mode to IDS mode by default
14/8/2023 -- 21:36:42 - <Info> - fast output device (regular) initialized: fast.log
14/8/2023 -- 21:36:42 - <Info> - eve-log output device (regular) initialized: eve.json
14/8/2023 -- 21:36:42 - <Info> - stats output device (regular) initialized: stats.log
14/8/2023 -- 21:36:54 - <Info> - 2 rule files processed. 35240 rules successfully loaded, 0 rules failed
14/8/2023 -- 21:36:54 - <Info> - Threshold config parsed: 0 rule(s) found
14/8/2023 -- 21:36:54 - <Info> - 35243 signatures processed. 1344 are IP-only rules, 5252 are inspecting packet payload, 28440 inspect application layer, 108 are decoder event only
14/8/2023 -- 21:37:02 - <Notice> - Configuration provided was successfully loaded. Exiting.
14/8/2023 -- 21:37:02 - <Info> - cleaning up signature grouping structure... complete

Compared with the first start, 2 rule files are now processed and one more rule (35240) is loaded, which confirms that local.rules was read.
Restart the Suricata service

# systemctl restart suricata
④Test that the custom rule is applied
Ping this host from another device on the same local network and check that it was logged:

# cat /var/log/suricata/fast.log
08/14/2023-21:38:07.983993  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0
08/14/2023-21:38:07.984065  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0

Both the echo request and the echo reply are logged, because the rule's source is "any" and both endpoints lie inside $HOME_NET. For ICMP the "port" positions in fast.log carry the ICMP type and code (8:0 for an echo request, 0:0 for the reply), and the classification is (null) because the rule has no classtype option. To alert only on echo requests coming from outside the protected network, restrict the source to $EXTERNAL_NET and add itype:8 to the rule.
eve.json is already written in JSON. To filter and pretty-print it, install jq (jq only reads the file, so Suricata does not need to be restarted):

# dnf install jq
Run the following command, then ping this host from another device on the same local network:

# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

For each ping the following two alert records are displayed in the console:

{
  "timestamp": "2023-08-14T21:40:02.169602+0900",
  "flow_id": 644391670814338,
  "in_iface": "ens160",
  "event_type": "alert",
  "src_ip": "192.168.11.22",
  "src_port": 0,
  "dest_ip": "192.168.11.83",
  "dest_port": 0,
  "proto": "ICMP",
  "icmp_type": 8,
  "icmp_code": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "ICMP Ping",
    "category": "",
    "severity": 3
  },
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 74,
    "bytes_toclient": 0,
    "start": "2023-08-14T21:40:02.169602+0900"
  }
}
{
  "timestamp": "2023-08-14T21:40:02.169659+0900",
  "flow_id": 644391670814338,
  "in_iface": "ens160",
  "event_type": "alert",
  "src_ip": "192.168.11.83",
  "src_port": 0,
  "dest_ip": "192.168.11.22",
  "dest_port": 0,
  "proto": "ICMP",
  "icmp_type": 0,
  "icmp_code": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "ICMP Ping",
    "category": "",
    "severity": 3
  },
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 1,
    "bytes_toserver": 74,
    "bytes_toclient": 74,
    "start": "2023-08-14T21:40:02.169602+0900"
  }
}

Both records share the same flow_id, since the request and the reply belong to one flow, and "action": "allowed" shows that Suricata is running as an IDS and did not drop the packets.
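The jq filter above picks out alert records one at a time. The following Python script, added here as an example and not part of the original page or of Suricata, does the same selection over a sample of eve.json lines constructed from the records shown above and goes a step further: it counts alerts per signature, counts distinct flows per signature (so the request and reply above count as one flow), and tags each alert as internal, inbound or outbound relative to HOME_NET. The HOME_NET value, the extra outbound record and the truncated last line are assumptions made for the example.

```python
"""Triage Suricata EVE JSON (eve.json) alerts: filter, group, de-duplicate, tag direction."""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterator

# HOME_NET as set in suricata.yaml above (an assumption for this example).
HOME_NET = [ipaddress.ip_network("192.168.11.0/24")]

# Constructed sample of eve.json lines (one JSON object per line): the two ICMP
# alerts from the ping test above, a non-alert flow record that must be ignored,
# an outbound alert modelled on the curl test from section 3, and a truncated
# line such as "tail -f" shows while Suricata is still writing it.
SAMPLE_EVE = """\
{"timestamp":"2023-08-14T21:40:02.169602+0900","flow_id":644391670814338,"event_type":"alert","src_ip":"192.168.11.22","dest_ip":"192.168.11.83","proto":"ICMP","alert":{"signature_id":1,"rev":1,"signature":"ICMP Ping","severity":3}}
{"timestamp":"2023-08-14T21:40:02.169659+0900","flow_id":644391670814338,"event_type":"alert","src_ip":"192.168.11.83","dest_ip":"192.168.11.22","proto":"ICMP","alert":{"signature_id":1,"rev":1,"signature":"ICMP Ping","severity":3}}
{"timestamp":"2023-08-14T21:40:05.000000+0900","flow_id":11,"event_type":"flow","src_ip":"192.168.11.83","dest_ip":"192.168.11.1","proto":"UDP"}
{"timestamp":"2023-08-14T21:31:35.872812+0900","flow_id":22,"event_type":"alert","src_ip":"192.168.11.83","src_port":53356,"dest_ip":"18.65.159.120","dest_port":80,"proto":"TCP","alert":{"signature_id":2013028,"rev":7,"signature":"ET POLICY curl User-Agent Outbound","severity":2}}
{"timestamp":"2023-08-14T21:31:36.000000+0900","flow_id":33,"event_type":"alert","src_ip":"192.168.11.83"
"""


def is_home(ip: str) -> bool:
    """True if the address falls inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(src: str, dest: str) -> str:
    """Classify a flow relative to HOME_NET, the same split as $HOME_NET/$EXTERNAL_NET."""
    src_home, dest_home = is_home(src), is_home(dest)
    if src_home and dest_home:
        return "internal"
    if dest_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"


def iter_alerts(eve_text: str) -> Iterator[Dict]:
    """Yield only event_type == "alert" records from NDJSON text, skipping bad lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written line at the tail of a live file is normal
        if rec.get("event_type") == "alert":
            yield rec


def summarize(eve_text: str) -> Dict:
    """Alerts per signature, distinct flows per signature, and alerts per direction."""
    per_sig = Counter()
    flows_per_sig = {}
    per_dir = Counter()
    for rec in iter_alerts(eve_text):
        key = (rec["alert"]["signature_id"], rec["alert"]["signature"])
        per_sig[key] += 1
        flows_per_sig.setdefault(key, set()).add(rec["flow_id"])
        per_dir[direction(rec["src_ip"], rec["dest_ip"])] += 1
    return {
        "alerts": dict(per_sig),
        "flows": {k: len(v) for k, v in flows_per_sig.items()},
        "directions": dict(per_dir),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_EVE)
    for (sid, name), n in result["alerts"].items():
        print(f"sid {sid} {name!r}: {n} alert(s) in {result['flows'][(sid, name)]} flow(s)")
    print("by direction:", result["directions"])
```

Counting flows rather than alerts is what keeps a rule like the ICMP one above from looking twice as noisy as it is; the direction tag is the quickest way to separate the outbound curl test from internal traffic when reviewing a larger eve.json.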
SNORT
Snort is an open source network intrusion detection system that performs real-time traffic analysis and packet logging on IP networks.
It combines protocol analysis with content searching and matching, and can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and semantic URL attacks.
1. Advance preparation
①Install the build dependencies

# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel

Create a working directory

# mkdir /var/src
②Install DAQ

# cd /var/src
# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar zxvf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install

Everything in this section is built and installed as root, so compare each downloaded archive against the checksum published by the project before running make install.
③Install LuaJIT

# cd /var/src
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install
④Create a fake release file
The Snort 2.9 configure script reads the Fedora release number from /etc/fedora-release to decide whether to use the libtirpc headers, which are needed because current glibc no longer ships rpc/rpc.h. On other RHEL-family systems the file is faked so the build picks them up; it is removed again after the build.

# /bin/cat << EOT > /etc/fedora-release
Fedora release 28 (Rawhide)
EOT
2. Snort download, compile, install

# cd /var/src
# wget https://www.snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz
# tar -zxvf snort-2.9.18.1.tar.gz
# cd snort-2.9.18.1
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
# ln -s /usr/local/bin/snort /usr/sbin/snort
Remove the fake release file

# rm /etc/fedora-release
3. Create the group and user, and the necessary directories and files

# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules

Mode 5775 sets the setuid and sticky bits and makes every file group-writable. Snort parses its configuration before switching to the snort user given with -u/-g, so /etc/snort and the dynamic rules directory only need to be readable by that user; a tighter choice is to leave them owned by root with group snort and mode 0750, and to grant write access only on /var/log/snort.

Create the following files:

# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Set up the configuration files by copying them from the source tree to the configuration directory:

# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort
# cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort

This copies snort.conf together with classification.config, reference.config, threshold.conf and unicode.map, which snort.conf references by relative path.
4. Use of community rules
①Get the community rules

# wget https://www.snort.org/rules/community -O ~/community.tar.gz

②Extract the rules and copy them to the configuration folder

# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
The shipped snort.conf includes many rule files that exist only in the registered and subscriber rulesets, and Snort refuses to start when an included file is missing.
Use sed to comment out every include line, then re-enable only the files that are actually present (step 6 below):

# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
5. Retrieving registered user rules
Once registered on the Snort website you can download the registered user rules with your Oink code, which is shown in your Snort user account details.
Replace <oink-code> with your personal code in the following command. Quote the URL, since ? and < > are otherwise interpreted by the shell, and keep in mind that the code is a credential and will end up in the shell history. The number in the file name is the Snort version the snapshot was built for; choose the snapshot closest to the installed version, because the shared-object rules are version specific.

# wget "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<oink-code>" -O ~/registered.tar.gz

Once the download is complete, extract the rules to the configuration directory:

# tar -xvf ~/registered.tar.gz -C /etc/snort
6. Network and rule configuration

# vi /etc/snort/snort.conf

●Line 45
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24    ←adapt to each environment

●Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

●Line 104-106 : comment out and add below
# Path to your rules files (this can be a relative path)
# var RULE_PATH ../rules
# var SO_RULE_PATH ../so_rules
# var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

●Around line 116 : comment out and add below
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

●Around line 526 : add
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

●Around line 550 : local.rules must be uncommented so that custom rules are read
include $RULE_PATH/local.rules

●If you are using the community rules, also add the following line immediately below the local.rules line
include $RULE_PATH/community.rules
7. Verification of settings
Use the -T parameter to run Snort in test mode: it parses the configuration and all rules, reports any error, and exits. Point -c at the file edited in step 6:

# snort -T -c /etc/snort/snort.conf
MaxRss at the end of detection rules:856668
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.18.1 GRE (Build 1005)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.0 (with TPACKET_V3)
           Using PCRE version: 8.44 2020-02-12
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
           Preprocessor Object: appid  Version 1.1  <Build 5>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
Total snort Fixed Memory Cost - MaxRss:856668
Snort successfully validated the configuration!
Snort exiting
If the test fails because a file such as classification.config cannot be opened, Snort is resolving a relative include line against the directory of the file passed with -c, and that directory does not contain the file. Either point -c at /etc/snort/snort.conf, where step 3 copied these files, or copy them next to the configuration actually in use. For a configuration under /etc/snort/rules, which is where the error occurred here, that is:

# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/
8. Configuration testing
①To test that Snort logs alerts, add a custom rule for incoming ICMP to the local.rules file.

# vi /etc/snort/rules/local.rules
Add the following as the last line:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

The sid lies in the range above 1000000 that is set aside for local rules, so it cannot collide with a downloaded rule.
②Start Snort in the console with alerts written to stdout. Select the correct network interface (here ens160):

# snort -A console -i ens160 -u snort -g snort -c /etc/snort/snort.conf

With Snort running, ping this host from another computer; each ICMP echo request and reply produces a line like the following in the terminal where Snort is running:

Commencing packet processing (pid=34156)
08/14-22:02:32.535685  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
08/14-22:02:32.535746  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
08/14-22:02:33.542721  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
08/14-22:02:33.542898  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
08/14-22:02:34.553596  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
08/14-22:02:34.553646  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
08/14-22:02:35.564696  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
08/14-22:02:35.564877  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22

The console format carries no Classification block, because the rule has no classtype, and no year in the timestamp; both directions match because the rule's source is "any" and both hosts are in $HOME_NET.
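Suricata's fast.log (sections 3 and 5 of the Suricata part) and Snort's -A console output use the same one-line alert layout with small differences: Snort omits the year and drops the Classification block when the rule has no classtype, while Suricata prints the ICMP type and code where the ports would be. The following Python parser, an added example that is not part of this page or of either project, handles both variants over a constructed sample built from the lines shown above and returns structured records that can be counted per signature. It assumes IPv4 addresses only and takes the year to apply to Snort lines as a parameter.

```python
"""Parse the one-line alert format shared by Suricata's fast.log and Snort's -A console output."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification block and the :port suffixes are optional: Snort's console output
# omits the block for rules without a classtype and prints no ports for ICMP, while
# Suricata prints ICMP type:code in the port positions. IPv4 only (all this page shows).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: two Suricata fast.log lines and one Snort console line copied
# from the outputs shown on this page, plus a non-alert line that must be skipped.
SAMPLE_LINES = """\
08/14/2023-21:31:35.872812  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:53356 -> 18.65.159.120:80
08/14/2023-21:38:07.983993  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0
08/14-22:02:32.535685  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
Commencing packet processing (pid=34156)
"""


def parse_timestamp(ts: str, year: Optional[int]) -> Optional[datetime]:
    """Suricata writes MM/DD/YYYY-HH:MM:SS.usec; Snort's console writes MM/DD-HH:MM:SS.usec
    without a year, so the caller supplies one (None leaves such timestamps unparsed)."""
    try:
        return datetime.strptime(ts, "%m/%d/%Y-%H:%M:%S.%f")
    except ValueError:
        pass
    if year is None:
        return None
    return datetime.strptime(f"{ts[:5]}/{year}{ts[5:]}", "%m/%d/%Y-%H:%M:%S.%f")


def parse_alert(line: str, year: Optional[int] = None) -> Optional[Dict]:
    """Return a structured record for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    cls = m["cls"]
    if cls in (None, "(null)"):
        cls = None  # rule without a classtype, like the local ICMP rules above
    rec = {
        "time": parse_timestamp(m["ts"], year),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": cls, "priority": int(m["prio"]),
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        "sport": None, "dport": None, "icmp_type": None, "icmp_code": None,
    }
    if m["sport"] is not None and m["dport"] is not None:
        if m["proto"] == "ICMP":
            # Suricata reuses the port positions for ICMP type and code (8:0 = echo request).
            rec["icmp_type"], rec["icmp_code"] = int(m["sport"]), int(m["dport"])
        else:
            rec["sport"], rec["dport"] = int(m["sport"]), int(m["dport"])
    return rec


def load_alerts(text: str, year: Optional[int] = None) -> List[Dict]:
    """Parse every alert line in a fast.log or console capture, skipping everything else."""
    parsed = (parse_alert(line, year) for line in text.splitlines())
    return [rec for rec in parsed if rec is not None]


def count_by_signature(alerts: List[Dict]) -> Counter:
    """Alerts per (sid, msg): the first view to check when deciding whether a rule is noisy."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    for (sid, msg), n in count_by_signature(load_alerts(SAMPLE_LINES, year=2023)).items():
        print(f"{n:3d}  sid={sid}  {msg}")
```

Feed it the whole fast.log with load_alerts(open(path).read()) for Suricata, or a saved console capture with year=... for Snort; the ICMP type/code fields make it possible to tell echo requests from replies, which the raw line does not show for Snort at all.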
Snort also writes the packets that triggered alerts to /var/log/snort/snort.log.<timestamp>, where the suffix is the Unix time at start-up (snort.log.1692018146 in this run).
The file can be replayed through Snort with -r:

# snort -r /var/log/snort/snort.log.<id_number>

Because no configuration is given with -c, Snort only decodes the packets (hence the "No preprocessors configured" warnings) and prints each ICMP packet with its source and destination IP, time and date, and the IP and ICMP header fields, as in the following example.
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
Acquiring network traffic from "/var/log/snort/snort.log.1692018146".
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.18.1 GRE (Build 1005)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.0 (with TPACKET_V3)
           Using PCRE version: 8.44 2020-02-12
           Using ZLIB version: 1.2.11

Commencing packet processing (pid=34181)
WARNING: No preprocessors configured for policy 0.
08/14-22:02:32.535685 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:6389 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:9  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:32.535746 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:54932 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:9  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:33.542721 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:6391 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:10  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:33.542898 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:55208 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:10  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:34.553596 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:6393 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:11  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:34.553646 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:55479 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:11  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:35.564696 192.168.11.22 -> 192.168.11.83
ICMP TTL:128 TOS:0x0 ID:6395 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:12  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/14-22:02:35.564877 192.168.11.83 -> 192.168.11.22
ICMP TTL:64 TOS:0x0 ID:55808 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:12  ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Run time for packet processing was 0.319 seconds
Snort processed 8 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            8
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       790528
  Bytes in mapped regions (hblkhd):      22941696
  Total allocated space (uordblks):      683312
  Total free space (fordblks):           107216
  Topmost releasable block (keepcost):   105232
===============================================================================
Packet I/O Totals:
   Received:            8
   Analyzed:            8 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            8 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            8 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            8 (100.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            8
===============================================================================
Memory Statistics for File at:Mon Aug 14 22:03:47 2023

Total buffers allocated:            0
Total buffers freed:                0
Total buffers released:             0
Total file mempool:                 0
Total allocated file mempool:       0
Total freed file mempool:           0
Total released file mempool:        0

Heap Statistics of file:
  Total Statistics:
      Memory in use:        0 bytes
      No of allocs:         0
      No of frees:          0
===============================================================================
Snort exiting
9. Running Snort in the background
①Create a systemd unit for Snort

# vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160

[Install]
WantedBy=multi-user.target

②After defining the service, reload systemd and start the service

# systemctl daemon-reload
# systemctl start snort

Use systemctl enable snort to start it at boot as well, and systemctl status snort to confirm that it is running.