
OpenSUSE 15.4: Snort Install

1. SNORT install

Snort is a network-based IDS (Intrusion Detection System). It captures packets flowing over a network and detects suspicious packets.
The source archive is taken directly from https://snort.org/.

1.1 Advance preparation

Install required libraries

1.2 SNORT & daq Download, Install

①daq

Regenerate the build configuration files with the tool "autoreconf".

②SNORT
If you do not use the Lua programming interface, add the configure option "--disable-open-appid".

Create a soft link "/usr/sbin/snort" to the binary file "/usr/local/bin/snort".

1.3 User and Group Creation

1.4 Directory, file creation, permissions

Create white_list.rules, black_list.rules and local.rules.

Copy all "*.conf" and "*.map" files from the Snort source to Snort's system folder

1.5 Download Rules

①Download Community Rules.
Go to the root/ folder, unzip the archive and copy the rules to the correct system directory with "cp", as before.

Use the "sed" command to comment out unnecessary lines in "snort.conf".
If you do not want to install anything other than the community rules, you can use this command to comment out the rest.
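The trimming step described above, as an added example that is not part of the original guide: a small POSIX shell script that comments out every rule include in snort.conf and then re-enables only local.rules and the community rules. The file name "community.rules", the paths and the sample configuration fragment are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): trim snort.conf so that only the
# rule files this guide installs stay active. Every "include $RULE_PATH/..."
# line is commented out, then the ones named in KEEP_RULES are re-enabled.
# The file name "community.rules" for the community rule set, the paths and
# the sample configuration below are assumptions constructed for this demo.

KEEP_RULES="local community"

# comment_unneeded_includes CONF
comment_unneeded_includes() {
    conf="$1"
    tmp="$conf.tmp"
    # Pass 1: disable every rule include. In the pattern "\$" is a literal
    # dollar sign, not an end-of-line anchor; in the replacement "$" is literal.
    sed 's|^include \$RULE_PATH/|#include $RULE_PATH/|' "$conf" > "$tmp"
    # Pass 2: re-enable the rule files we want to keep, one sed run each.
    for keep in $KEEP_RULES; do
        sed 's|^#include \$RULE_PATH/'"$keep"'\.rules$|include $RULE_PATH/'"$keep"'.rules|' \
            "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$conf"
}

# active_includes CONF: number of rule includes still enabled
active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# active_rule_files CONF: names of the rule files still enabled
active_rule_files() {
    sed -n 's|^include \$RULE_PATH/||p' "$1"
}

# Demonstration on a constructed snort.conf fragment, not the real file.
demo_conf="${TMPDIR:-/tmp}/snort.conf.demo.$$"
cat > "$demo_conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
EOF
comment_unneeded_includes "$demo_conf"
echo "rule includes still active: $(active_includes "$demo_conf")"   # 2
active_rule_files "$demo_conf"                       # local.rules, community.rules
rm -f "$demo_conf"
```

Run it against a copy of your snort.conf first, then confirm the result with "snort -T -c /etc/snort/snort.conf" as in the check step below.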

②Install Oinkmaster Script
Download the Oinkmaster script.

Copy oinkmaster.pl to the "/usr/local/bin/" folder (the same folder where the "snort" binary was placed after the Snort source was compiled).
Create a soft link "/usr/sbin/oinkmaster.pl" pointing to it.

Edit oinkmaster.conf
To update the rules, enter the download URL containing your Oinkcode in "/etc/snort/oinkmaster.conf".
Use your own Oinkcode, which you can get for free when you register at snort.org.
Enable (uncomment) the line "tmpdir = /tmp/".

Create script to update Snort rules

Download snort rules

1.6 Edit Snort configuration file

1.7 Check settings

①Check configuration files

If all is well, you will see something like this

ERROR: /etc/snort/rules/snort.conf(292) => Unable to open the IIS Unicode Map file '/etc/snort/rules/unicode.map'.
If you get an error like the above, copy the file in question as follows
Also, if you get the error "/etc/snort/rules/snort.conf(32) => Invalid keyword '}'", comment out the relevant line
decompress_swf { deflate lzma } \
so that it reads
# decompress_swf { deflate lzma } \

②Preparation for Operational Tests

Open "local.rules" and add the line "alert icmp any any -> $HOME_NET any (msg: "ICMP test"; sid:10000001; rev:001;)" for testing

③Test Snort in a terminal
Check the network interface first with the "ip addr" command and start Snort in a console or terminal

When pinging this server from a PC in the same network, the following is displayed in the server's console

1.8 Check log files

1.9 Creation of "snort.service"

The unit file should have the following contents; adjust the network interface "eth0" to your environment.

Finally, start, stop and check the status of the Snort service.
