Contents
1. Snort install
Snort is a network-based IDS (intrusion detection system): it captures the packets that pass a network interface and matches them against signature rules, raising an alert for suspicious traffic.
This guide builds Snort 2.9.20 directly from the source tarball published at https://snort.org/.
1.1 Preparation
Install the build dependencies. This guide uses openSUSE and zypper; package names differ on other distributions.
# zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 \
    automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 \
    libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 \
    libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool \
    net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel \
    moonjit moonjit-devel
1.2 Snort and DAQ download and installation
① Download and install DAQ (the data acquisition library through which Snort 2.9 reads packets)
# cd /root/
# mkdir snort_src
# cd snort_src/
# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar xvzf daq-2.0.7.tar.gz
# cd daq-2.0.7
# ./configure
# make
# make install
Regenerate the autotools build files with autoreconf (only needed if ./configure fails because the generated files are out of date; run ./configure again afterwards):
# autoreconf -f -i
② Snort installation
Build Snort with the Sourcefire extensions enabled. Add --disable-open-appid to ./configure if you do not need OpenAppID (the Lua-based application identification).
# cd /root/snort_src/
# wget https://snort.org/downloads/snort/snort-2.9.20.tar.gz
# tar xvzf snort-2.9.20.tar.gz
# cd snort-2.9.20/
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
Create a soft link /usr/sbin/snort pointing at the installed binary /usr/local/bin/snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort
1.3 Create the user and group
Snort is started as root so it can open the capture interface and then drops to this unprivileged account (the -u/-g options used later), which has no login shell:
# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
1.4 Directories, file creation, permissions
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules
Note that mode 5775 sets the setuid (4000) and sticky (1000) bits on every file and directory it touches in addition to rwxrwxr-x, and Snort needs none of them. After initialization Snort only reads its configuration and rules as the snort user and writes to the log directory, so 0750 directories with 0640 files are sufficient for /etc/snort, and /var/log/snort merely has to be writable by the snort user.
Create white_list.rules, black_list.rules and local.rules (snort.conf refers to them, so they must exist even if empty):
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
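The permission step above is where a sensor's least-privilege layout is decided, so here is an added example (not from the original page) that audits the Snort directories for setuid, setgid and world-writable entries and tightens them to 0750 directories and 0640 files. It assumes the layout used in this guide (/etc/snort, /var/log/snort); the chown lines in the comment are the assumed ownership split between root and the snort account, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not part of the original page): audit the Snort directories for
# the bits that "chmod -R 5775" hands out and replace them with a least-privilege
# layout. Assumed layout: configuration in /etc/snort, logs in /var/log/snort.

# Print every entry below the given directories that carries a setuid, setgid or
# world-writable bit. Returns 1 if anything was found, 0 if the tree is clean.
audit_snort_perms() {
    found=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        bad=$(find "$d" \( -perm -4000 -o -perm -2000 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad"
            found=1
        fi
    done
    return "$found"
}

# Directories 0750, files 0640, no setuid/setgid/sticky anywhere. Snort only
# needs to read its configuration and rules after it has dropped to the snort
# user, and to write to the log directory, so combine this with (as root):
#   chown -R root:snort  /etc/snort       # snort can read but not modify rules
#   chown -R snort:snort /var/log/snort   # snort can write logs
harden_snort_perms() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type d -exec chmod a-st,u=rwx,g=rx,o= {} +
        find "$d" -type f -exec chmod a-st,u=rw,g=r,o= {} +
    done
}

# Usage (as root): sh snort_perms.sh /etc/snort /var/log/snort
if [ $# -gt 0 ]; then
    if audit_snort_perms "$@"; then
        echo "clean: no setuid, setgid or world-writable entries"
    fi
fi
```

Run the audit first to see what the earlier chmod produced, then harden and audit again; the audit's exit status makes it usable from a monitoring job.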
Copy all *.conf and *.map files from the Snort source tree into the Snort configuration directory. This places the main configuration at /etc/snort/snort.conf, which is the path used in the rest of this guide.
# cp ~/snort_src/snort-2.9.20/etc/*.conf* /etc/snort
# cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort
1.5 Download the rules
① Download the community rules
Go back to ~/snort_src, download the community rules tarball, unpack it and copy the rules into the rules directory:
# cd /root/snort_src/
# wget https://www.snort.org/rules/community -O ~/snort_src/community.tar.gz
# tar xvzf community.tar.gz
# cp community-rules/* /etc/snort/rules
Use sed to comment out the rule includes that snort.conf enables by default. If you install nothing but the community rules, those include lines point at files you do not have and Snort refuses to start; the two includes that are needed (local.rules and community.rules) are re-enabled in 1.6.
# sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
② Install the Oinkmaster script
Download the Oinkmaster script (still in ~/snort_src):
# wget https://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz
# tar xvzf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0/
If wget fails with a certificate error, update the system CA certificates (the ca-certificates-mozilla package on openSUSE) rather than passing --no-check-certificate: with verification disabled, anyone on the network path can substitute a modified script, and this one is about to be run as root.
Copy oinkmaster.pl to /usr/local/bin/ (the directory where the snort binary was installed) and create a soft link /usr/sbin/oinkmaster.pl to it:
# cp oinkmaster.pl /usr/local/bin/
# chmod 0755 /usr/local/bin/oinkmaster.pl
# ln -s /usr/local/bin/oinkmaster.pl /usr/sbin/oinkmaster.pl
# cp oinkmaster.conf /etc/snort/
Edit oinkmaster.conf
Enter the download URL containing your Oinkcode in /etc/snort/oinkmaster.conf. The Oinkcode is issued free of charge when you register at snort.org. The rules snapshot named in the URL must match the installed Snort version (29200 for 2.9.20), otherwise the shared-object rules will not load. Also make sure that tmpdir points at an existing directory.
# vi /etc/snort/oinkmaster.conf
● Around line 55: remove the leading # and enter the URL
url = https://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-29200.tar.gz
● Around line 120: add
tmpdir = /tmp/
The Oinkcode is a credential tied to your snort.org account, so keep the file readable by root only:
# chmod 600 /etc/snort/oinkmaster.conf
Create a script that updates the Snort rules:
# touch /etc/snort/update_rules.sh
# echo '#!/bin/bash' > /etc/snort/update_rules.sh
# echo "oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules" >> /etc/snort/update_rules.sh
# chmod +x /etc/snort/update_rules.sh
Download the Snort rules:
# /etc/snort/update_rules.sh
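Oinkmaster writes straight into the live rules directory, and a syntax error or a missing include in a freshly downloaded rule set keeps Snort from starting at the next restart. The following is an added example, not part of the original page, of an update_rules.sh that backs up the rules, runs Oinkmaster, validates the result with snort -T and rolls back on failure. It assumes snort.conf at /etc/snort/snort.conf, oinkmaster.conf at /etc/snort/oinkmaster.conf, the rules in /etc/snort/rules and a systemd unit named snort.service (as created in 1.9); the *_BIN, *_CONF and *_DIR variables can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original page): rule update with validation and
# rollback. Assumed layout: snort.conf in /etc/snort, rules in /etc/snort/rules,
# oinkmaster.conf in /etc/snort. The variables below can be overridden from the
# environment, which is also how the functions can be exercised with stand-ins.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
OINKMASTER_BIN="${OINKMASTER_BIN:-/usr/local/bin/oinkmaster.pl}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
OINK_CONF="${OINK_CONF:-/etc/snort/oinkmaster.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"

# Copy the live rules aside and print the backup path.
backup_rules() {
    b="$RULES_DIR.bak.$$.$(date +%s)"
    cp -a "$RULES_DIR" "$b" && printf '%s\n' "$b"
}

# Put the backup back in place of whatever the failed update left behind.
restore_rules() {
    rm -rf "$RULES_DIR.broken"
    mv "$RULES_DIR" "$RULES_DIR.broken" && mv "$1" "$RULES_DIR" && rm -rf "$RULES_DIR.broken"
}

# snort -T parses snort.conf and every rule file it includes; a non-zero exit
# means the new rule set must not go live.
validate_config() {
    "$SNORT_BIN" -T -q -c "$SNORT_CONF" >/dev/null 2>&1
}

# Fetch with Oinkmaster, validate, and roll back on any failure.
# Returns 0 when the live rules are valid (updated or unchanged), 1 otherwise.
update_rules() {
    bak=$(backup_rules) || { echo "backup of $RULES_DIR failed" >&2; return 1; }
    if ! "$OINKMASTER_BIN" -C "$OINK_CONF" -o "$RULES_DIR" >/dev/null 2>&1; then
        echo "oinkmaster failed; restoring $bak" >&2
        restore_rules "$bak"
        return 1
    fi
    if ! validate_config; then
        echo "snort -T rejected the new rules; restoring $bak" >&2
        restore_rules "$bak"
        return 1
    fi
    rm -rf "$bak"
}

# Entry point for cron (as root):  sh update_rules.sh run
# Snort is only restarted after the new rules passed validation.
if [ "${1:-}" = "run" ]; then
    update_rules && systemctl restart snort
fi
```

Without the run argument the script only defines the functions. Because Snort re-reads the configuration at restart, the restart is issued only after validation succeeded, so a bad snapshot leaves the previous rules in place and the sensor keeps running on them.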
1.6 Editing the Snort configuration file
The line numbers below refer to the stock snort.conf shipped with 2.9.20 and may differ slightly.
# vi /etc/snort/snort.conf

● Around line 45: set HOME_NET to the network you are protecting
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24

● Around line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

● Lines 104-106: comment out the relative paths and add absolute ones below them
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

● Lines 116-117: comment out and add absolute paths below them
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

● Line 253: check the path (lib or lib64, whichever "make install" used on your system)
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib64/snort_dynamicpreprocessor

● Line 256: check the path
# path to base preprocessor engine
dynamicengine /usr/local/lib64/snort_dynamicengine/libsf_engine.so

● Line 259: check the path (the directory created in 1.4)
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

● Around line 528: add the unified2 alert output
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output alert_unified2: filename alert.log, limit 128, nostamp, mpls_event_types, vlan_event_types

● Line 552: remove the leading # from the local.rules include and add community.rules below it
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
1.7 Check your settings
① Check the configuration file
Run Snort in test mode: it parses snort.conf and every included file, loads the preprocessors and rules, and exits without capturing anything.
# snort -T -c /etc/snort/snort.conf
On success the output ends like this:
MaxRss at the end of detection rules:62820
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20 GRE (Build 82) x86_64
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version: 8.45 2021-06-15
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>

Total snort Fixed Memory Cost - MaxRss:63084
Snort successfully validated the configuration!
Snort exiting
If snort -T instead reports that it cannot open classification.config, reference.config, threshold.conf or unicode.map (snort.conf includes them by a path relative to its own directory), copy them next to snort.conf:
# cp /root/snort_src/snort-2.9.20/etc/classification.config /etc/snort/
# cp /root/snort_src/snort-2.9.20/etc/reference.config /etc/snort/
# cp /root/snort_src/snort-2.9.20/etc/threshold.conf /etc/snort/
# cp /root/snort_src/snort-2.9.20/etc/unicode.map /etc/snort/
If it reports that LZMA decompression is not supported (this build was made without liblzma, which is why the version banner above lists no LZMA version), comment out the decompress_swf line in the http_inspect_server block of snort.conf:
decompress_swf { deflate lzma } \
becomes
# decompress_swf { deflate lzma } \
Alternatively install the liblzma headers (xz-devel on openSUSE) and rebuild Snort so that SWF payloads compressed with LZMA are inspected as well.
② Prepare an operational test
Add a test rule to local.rules that alerts on every ICMP packet addressed to HOME_NET. Local rules use sids of 1000000 and above so they cannot collide with downloaded rule sets.
# vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
③ Test Snort in a terminal
Check the interface name with ip addr first, then start Snort in the foreground with alerts printed to the console:
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
When the server is pinged from a PC on the same network, the console shows one alert per echo request and one per reply (both addresses lie inside HOME_NET, so both directions match the rule):
Commencing packet processing (pid=84095)
01/17-10:32:02.677496 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:02.677564 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:03.680553 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:03.680590 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:04.687290 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:04.687377 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:05.703765 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:05.703853 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
1.8 Checking the log file
By default Snort writes the packets that triggered alerts to /var/log/snort in pcap format (snort.log.<unix timestamp>); snort -r replays such a file and prints the packets, and tcpdump or Wireshark can read it as well. The alert.log.* files produced by the alert_unified2 output configured in 1.6 are binary unified2 records and need u2spewfoo (tools/u2spewfoo in the Snort source tree) to be turned into text.
# ls -l /var/log/snort/
total 4
-rw------- 1 snort snort 744 Jan 10 19:02 snort.log.1641808940
# snort -r /var/log/snort/snort.log.1641808940
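Once alerts arrive, the next question is which rule and which hosts produce most of them. The script below is an added example (not from the original page) that summarizes Snort's console/fast alert lines per rule and host pair and lists sources exceeding an alert count. The sample lines are constructed after the console output shown in 1.7 ③; the SSH line comes from a hypothetical local rule (sid 10000002) that does not appear on this page.

```shell
#!/bin/sh
# Added example (not part of the original page): triage of Snort's console /
# alert_fast output. The sample lines are constructed to match the format shown
# above; the SSH alert comes from a hypothetical local rule (sid 10000002).

SAMPLE_ALERTS='Commencing packet processing (pid=84095)
01/17-10:32:02.677496 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:02.677564 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:03.680553 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:33:10.000001 [**] [1:10000002:1] SSH test [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.77:41022 -> 192.168.11.60:22'

# Count alerts per (sid, message, source, destination), most frequent first.
# Output columns are tab separated: count, sid, message, src, dst.
summarize_alerts() {
    awk '
    {
        # The literal "[**]" markers delimit the record:
        #   parts[2] = " [gid:sid:rev] message ", parts[3] = " [...] {proto} src -> dst"
        n = split($0, parts, "\\[\\*\\*\\]")
        if (n < 3) next                                   # not an alert line
        if (!match(parts[2], /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
        split(substr(parts[2], RSTART + 1, RLENGTH - 2), ids, ":")
        msg = substr(parts[2], RSTART + RLENGTH)
        gsub(/^ +| +$/, "", msg)
        m = split(parts[3], tail, " ")
        if (m < 3 || tail[m - 1] != "->") next
        src = tail[m - 2]; dst = tail[m]
        sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)  # drop TCP/UDP ports (IPv4 form)
        count[ids[2] "\t" msg "\t" src "\t" dst]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Source addresses that raised more than $1 alerts in the input, one per line.
noisy_sources() {
    awk -v limit="$1" '
    {
        m = split($0, t, " ")
        if (m < 3 || t[m - 1] != "->") next
        src = t[m - 2]; sub(/:[0-9]+$/, "", src)
        c[src]++
    }
    END { for (s in c) if (c[s] > limit) print s }
    ' | sort
}

# Stand-alone run: summarize the constructed sample.
printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts
```

Feed it the console output (for example snort -A console ... | tee alerts.log) or the alert file written when Snort runs with -A fast; the unified2 files from the alert_unified2 output must be converted with u2spewfoo first. The port stripping assumes IPv4 addresses, so extend it before pointing it at IPv6 traffic.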
1.9 Creating snort.service
# vi /usr/lib/systemd/system/snort.service
Replace the network interface eth0 with the one in your environment. (/etc/systemd/system is the conventional place for locally written units; /usr/lib/systemd/system is meant for units shipped by packages, although a unit placed there works the same way.)
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target
Finally, reload systemd and start the service, then check its status. Stop it with systemctl stop snort, and run systemctl enable snort so it starts at boot; the status output below still shows it as "disabled".
# systemctl daemon-reload
# systemctl start snort
# systemctl status snort
● snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-15 16:08:49 JST; 6s ago
 Main PID: 59018 (snort)
    Tasks: 2 (limit: 2245)
   CGroup: /system.slice/snort.service
           └─59018 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Sep 15 16:08:49 Lepard systemd[1]: Started Snort NIDS Daemon.