OracleLinux9.5 ; SNORT3 Install

SNORT3

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks。

It can perform “protocol analysis,” “content search,” and “matching,” and can be used to detect various attacks such as “buffer overflows,” “stealth port scans,” “CGI attacks,” “SMB probes,” “OS fingerprinting attempts,” “semantic URL attacks,” and “server message block probes. The system can be used to detect a variety of attacks, such as

1.advance preparation

1.1 Installing Required Packages

1.Installing openssl-devel

 2.Enabling codeready repositories

Check the repository

3.Installing cmake

1.2 Install required packages
1.3 Installing LibDAQ
1.4 Installing Optional Packages

1.Installation of LZMA and UUID

2.Installing Hyperscan

3.Installing Tcmalloc

2.  Installing Snort3

Running configure

Build, compile, and install

Version Check

test run

Network interface settings

Check network interface

The network interface name is ens160

Set the network interface to promiscuous mode. This way, the network device can capture and inspect all network packets.

Check settings

Check the offload status of the network interface.
If you need to monitor network traffic on an interface, you must disable offloading

If it is on and you want to set the LRO and GRO offload status to off state

Create systemd service for snort network interface

systemd daemon applies changes

Check Snort NIC Service Status

Added Snort Community Ruleset

1.Create a folder for Snort rules, download the community ruleset from the Snort website, and place it in the designated rules directory

2.Edit Snort main configuration file

3.Test Snort's main configuration changes

Add custom rule

1.Create a file in the Snort rules directory

2.Edit Snort main configuration file
Edit Snort main configuration file to include custom rules file directory in main configuration

3.Test Snort's main configuration changes

Install OpenAppID extension

Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level

1.OpenAppID Extension Download and Deployment

2.Copy the extracted folder (odp) to the following directory

3.Edit the Snort main configuration file to define the location of the OpenAppID folder

4.Test Snort's main configuration changes

Verify that all configurations are set up correctly

Send a ping command from a remote computer to the IP address of the server. This will cause an alert log to appear in the console window of the host server

Configure Snort systemd service

1.Creating Users for the Snort Service

2.Create log folder and set permissions
Create directory folder for Snort logs and set folder permissions

3.Create Systemd service file

Reload and activate the Snort service.

Launched Snort service

Check Status

Snort IDS Logging

1.Configure Snort JSON logging

2.Restart Snort

3.Check log files
Ping command from a remote computer to the server, stored in the Snort alert_json.txt file.

This completes the installation and configuration of Snort 3.

Copied title and URL