1. SNORT install
Snort is a network-based IDS (Intrusion Detection System). It captures packets flowing over a network and detects suspicious packets.
The source tarballs are downloaded directly from https://snort.org/ and compiled on the host.
1.1 Preparation
Install the required build tools and libraries:
    # zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel moonjit moonjit-devel
1.2 Download and install DAQ and SNORT
① DAQ
    # cd /root/
    # mkdir snort_src
    # cd snort_src/
    # wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz

    # tar xvzf daq-2.0.7.tar.gz
    # cd daq-2.0.7
    # ./configure
    # make
    # make install
Regenerate the generated build configuration files with the tool "autoreconf":
    # autoreconf -f -i
② SNORT
If you do not need the Lua-based OpenAppID interface, add the configure option "--disable-open-appid":
    # cd /root/snort_src/
    # wget https://snort.org/downloads/snort/snort-2.9.20.tar.gz
    # tar xvzf snort-2.9.20.tar.gz
    # cd snort-2.9.20/
    # ./configure --enable-sourcefire --disable-open-appid
    # make
    # make install
    # ldconfig
Create a symbolic link "/usr/sbin/snort" pointing to the installed binary "/usr/local/bin/snort":
    # ln -s /usr/local/bin/snort /usr/sbin/snort
1.3 User and Group Creation
    # groupadd snort
    # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
1.4 Directories, files and permissions
    # mkdir -p /etc/snort/rules
    # mkdir /var/log/snort
    # mkdir /usr/local/lib/snort_dynamicrules
    # chmod -R 5775 /etc/snort
    # chmod -R 5775 /var/log/snort
    # chmod -R 5775 /usr/local/lib/snort_dynamicrules
    # chown -R snort:snort /etc/snort
    # chown -R snort:snort /var/log/snort
    # chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create the empty rule files white_list.rules, black_list.rules and local.rules:
    # touch /etc/snort/rules/white_list.rules
    # touch /etc/snort/rules/black_list.rules
    # touch /etc/snort/rules/local.rules
Copy all "*.conf" and "*.map" files from the Snort source tree into Snort's system folder. Note that the later sections of this guide refer to the configuration as "/etc/snort/rules/snort.conf"; use whichever path you actually placed the file at, consistently, in every command that follows.
    # cp ~/snort_src/snort-2.9.20/etc/*.conf* /etc/snort
    # cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort
1.5 Download Rules
① Download the community rules.
Go back up to the snort_src folder, download and unpack the community rules, and copy them into the rules directory with "cp" as before:
    # cd ../
    # wget https://www.snort.org/rules/community -O ~/snort_src/community.tar.gz
    # tar xvzf community.tar.gz
    # cp community-rules/* /etc/snort/rules
Use "sed" to comment out the rule includes in "snort.conf" that are not needed.
If you only want to load the community rules, the following command comments out every "include $RULE_PATH" line in one go (local.rules and community.rules are re-enabled by hand in section 1.6):
    # sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/rules/snort.conf
② Install the Oinkmaster script
Download and unpack the Oinkmaster script (the "--no-check-certificate" option disables TLS certificate verification for this download; omit it if your system's CA store is current):
    # wget https://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz --no-check-certificate
    # tar xvzf oinkmaster-2.0.tar.gz
    # cd oinkmaster-2.0/
Copy oinkmaster.pl to "/usr/local/bin/" (the same folder where the "snort" binary was placed when the Snort source was compiled), make it executable, and create a symbolic link "/usr/sbin/oinkmaster.pl" pointing to it. Then copy oinkmaster.conf to "/etc/snort/":
    # cp oinkmaster.pl /usr/local/bin/
    # chmod 0755 /usr/local/bin/oinkmaster.pl
    # ln -s /usr/local/bin/oinkmaster.pl /usr/sbin/oinkmaster.pl
    # cp oinkmaster.conf /etc/snort/
Edit oinkmaster.conf
To be able to update the rules, enter the download URL containing your Oinkcode in "/etc/snort/oinkmaster.conf".
Use your own Oinkcode, which you get for free when you register at snort.org.
Also enable the temporary directory setting "tmpdir = /tmp/".
    # vi /etc/snort/oinkmaster.conf

    ● Around line 55: remove the leading "#" from the url line and insert your Oinkcode
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-29190.tar.gz

    ● Around line 120: add
    tmpdir = /tmp/
Create a small script that runs Oinkmaster against this configuration and writes the rules into the rules directory:
    # touch /etc/snort/update_rules.sh
    # echo \#\!/bin/bash > /etc/snort/update_rules.sh
    # echo "oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules" >> /etc/snort/update_rules.sh
    # chmod +x /etc/snort/update_rules.sh
Download the Snort rules by running the script:
    # /etc/snort/update_rules.sh
1.6 Edit the Snort configuration file
    # vi /etc/snort/rules/snort.conf

    ● Line 45: set the network you are protecting (the network this server is on)
    # Setup the network addresses you are protecting
    ipvar HOME_NET 192.168.11.0/24

    ● Line 48: set the external network addresses. Leave as "any" in most situations
    # Set up the external network addresses. Leave as "any" in most situations
    ipvar EXTERNAL_NET !$HOME_NET

    ● Lines 104-106: comment out and add the absolute paths below them
    #var RULE_PATH ../rules
    #var SO_RULE_PATH ../so_rules
    #var PREPROC_RULE_PATH ../preproc_rules
    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules

    ● Lines 111-112: comment out and add the absolute paths below them
    #var WHITE_LIST_PATH ../rules
    #var BLACK_LIST_PATH ../rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

    ● Around line 246: confirm the path
    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor

    ● Around line 249: confirm the path
    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

    ● Around line 252: confirm the path
    # path to dynamic rules libraries
    dynamicdetection directory /usr/local/lib/snort_dynamicrules

    ● Around line 518: add the alert_unified2 output line
    # unified2
    # Recommended for most installs
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
    output alert_unified2: filename alert.log, limit 128, nostamp, mpls_event_types, vlan_event_types

    ● Around line 542: remove the leading "#" from the local.rules include and add community.rules below it
    include $RULE_PATH/local.rules
    include $RULE_PATH/community.rules
1.7 Check settings
① Check the configuration file
Run Snort in test mode, which parses the configuration and all included rules without capturing traffic:
    # snort -T -c /etc/snort/snort.conf
If all is well, the output ends like this:
    MaxRss at the end of detection rules:62820
    --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.20 GRE (Build 82) x86_64
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.10.1 (with TPACKET_V3)
               Using PCRE version: 8.45 2021-06-15
               Using ZLIB version: 1.2.11

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
               Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
               Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
               Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
               Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
               Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
               Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
               Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
               Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
               Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
               Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
               Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
               Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
               Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
               Preprocessor Object: SF_POP  Version 1.0  <Build 1>
               Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>

    Total snort Fixed Memory Cost - MaxRss:63084
    Snort successfully validated the configuration!
    Snort exiting
If instead Snort stops with an error that it cannot open one of the files included from snort.conf (classification.config, reference.config, threshold.conf or unicode.map), copy the file in question into the rules directory and run the test again:
    # cp /root/snort_src/snort-2.9.20/etc/classification.config /etc/snort/rules/
    # cp /root/snort_src/snort-2.9.20/etc/reference.config /etc/snort/rules/
    # cp /root/snort_src/snort-2.9.20/etc/threshold.conf /etc/snort/rules/
    # cp /root/snort_src/snort-2.9.20/etc/unicode.map /etc/snort/rules/
If Snort reports an error on the following line of snort.conf, comment it out.
Relevant line:
    decompress_swf { deflate lzma } \
After commenting it out:
    # decompress_swf { deflate lzma } \
② Preparation for the operational test
Open "local.rules" and add the following test rule, which raises an alert for every ICMP packet addressed to a host in $HOME_NET (the sid 10000001 lies in the range reserved for locally written rules):
    # vi /etc/snort/rules/local.rules
    alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
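Before handing a hand-written rules file to "snort -T", it is worth catching the common mistakes cheaply: a missing msg or rev, a non-numeric sid, a sid in the range reserved for official rules (below 1,000,000), or the same sid used twice. The following checker is an added example in Python, not part of this guide or of Snort; the sample local.rules content it checks is constructed for the example (only the ICMP rule is the one from this guide), and the header grammar it accepts is the Snort 2 rule header shown above.

```python
"""Sanity-check a Snort 2 rules file before loading it (added example)."""
import re
from collections import Counter

# Snort 2 rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for official rule sets

# Constructed sample: the guide's ICMP rule plus two deliberately faulty rules
SAMPLE_LOCAL_RULES = """\
# local.rules (constructed sample for the checker)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH to HOME_NET"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (sid:5; rev:1;)
"""


def parse_options(opts: str) -> dict:
    """Split 'msg:"x"; sid:1; rev:1;' into a dict; a keyword without a value maps to None."""
    result = {}
    # split on ';' only when it is outside double quotes (msg text may contain ';')
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', opts):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        result[key.strip()] = value.strip() or None
    return result


def check_rules(text: str) -> list:
    """Return (line_no, message) findings; line_no 0 marks file-wide findings."""
    findings = []
    sids = Counter()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, "unparseable rule header"))
            continue
        opts = parse_options(m.group("opts"))
        if "msg" not in opts:
            findings.append((n, "missing msg"))
        if "rev" not in opts:
            findings.append((n, "missing rev"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            findings.append((n, "missing or non-numeric sid"))
            continue
        if int(sid) < LOCAL_SID_MIN:
            findings.append((n, f"sid {sid} is in the range reserved for official rules"))
        sids[sid] += 1
    for sid, count in sids.items():
        if count > 1:
            findings.append((0, f"sid {sid} used {count} times"))
    return findings


if __name__ == "__main__":
    for line_no, message in check_rules(SAMPLE_LOCAL_RULES):
        print(f"line {line_no}: {message}")
```

Run it on the real file with `check_rules(open("/etc/snort/rules/local.rules").read())`; an empty list means the file passed these checks, and "snort -T" remains the authoritative validation.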
③ Test Snort in a terminal
First check the name of the network interface with the "ip addr" command, then start Snort in a console or terminal with alerts printed to the console:
    # snort -A console -i eth0 -u snort -g snort -c /etc/snort/rules/snort.conf
When this server is pinged from a PC in the same network, the server's console shows one alert for each echo request and each echo reply:
    Commencing packet processing (pid=58903)
    09/15-16:03:22.708166  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
    09/15-16:03:22.708241  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
    09/15-16:03:23.722097  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
    09/15-16:03:23.722133  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
    09/15-16:03:24.727786  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
    09/15-16:03:24.727866  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
    09/15-16:03:25.748526  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
    09/15-16:03:25.748657  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
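Console alerts in this format are what an operator forwards to a SIEM or triages by hand, so a parser that turns each line into a record and counts alerts per signature and per source/destination pair is a useful companion to the test above. The following is an added example in Python, not code from this guide or from Snort. Its sample input is constructed: the ICMP lines mirror the console output above, and the final TCP line with a "[Classification: ...]" field and ports was added to show the optional fields; the parser assumes IPv4 addresses.

```python
"""Parse Snort console/fast alert lines into records and summarise them (added example)."""
import re
from collections import Counter

# timestamp [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample console output (ICMP lines as in the guide, TCP line invented)
SAMPLE_CONSOLE = """\
Commencing packet processing (pid=58903)
09/15-16:03:22.708166  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:22.708241  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:03:23.722097  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:23.722133  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:03:24.727786  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:24.727866  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:03:25.748526  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
09/15-16:03:25.748657  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
09/15-16:05:01.000001  [**] [1:10000002:1] SSH to HOME_NET [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.20:51234 -> 192.168.11.83:22
"""


def parse_alert(line: str):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):  # absent for ICMP, present for TCP/UDP
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(text: str) -> dict:
    """Parse every line; count alerts per signature and per (src, dst) pair."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1  # startup banner and other non-alert output
            continue
        records.append(rec)
    by_signature = Counter(f"{r['gid']}:{r['sid']} {r['msg']}" for r in records)
    by_pair = Counter((r["src"], r["dst"]) for r in records)
    return {"records": records, "unparsed": unparsed,
            "by_signature": by_signature, "by_pair": by_pair}


if __name__ == "__main__":
    summary = summarize(SAMPLE_CONSOLE)
    print(f"{len(summary['records'])} alerts, {summary['unparsed']} non-alert lines")
    for sig, count in summary["by_signature"].most_common():
        print(f"{count:5d}  {sig}")
    for (src, dst), count in summary["by_pair"].most_common():
        print(f"{count:5d}  {src} -> {dst}")
```

Feeding the live console output through `summarize` (for example via `snort -A console ... | python3 -`) gives a quick view of which signatures and which host pairs dominate, which is the first question when a new rule set starts firing.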
1.8 Check log files
Snort writes its packet log into "/var/log/snort"; a logged file can be read back and decoded with "snort -r":
    # ls -l /var/log/snort/
    total 4
    -rw------- 1 snort snort 744 Jan 10 19:02 snort.log.1641808940
    # snort -r /var/log/snort/snort.log.1641808940
1.9 Creation of "snort.service"
    # vi /usr/lib/systemd/system/snort.service
The network interface "eth0" must be adjusted to each environment. The unit file should have the following contents:
    [Unit]
    Description=Snort NIDS Daemon
    After=syslog.target network.target

    [Service]
    Type=simple
    ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

    [Install]
    WantedBy=multi-user.target
Finally, reload systemd, start the Snort service and check its status (the unit is still "disabled" in the status output below; run "systemctl enable snort" if Snort should start at boot):
    # systemctl daemon-reload
    # systemctl start snort
    # systemctl status snort
    ● snort.service - Snort NIDS Daemon
       Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
       Active: active (running) since Thu 2022-09-15 16:08:49 JST; 6s ago
     Main PID: 59018 (snort)
        Tasks: 2 (limit: 2245)
       CGroup: /system.slice/snort.service
               └─59018 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

    Sep 15 16:08:49 Lepard systemd[1]: Started Snort NIDS Daemon.