1. SNORT2
Snort is a network-based IDS (Intrusion Detection System). It captures packets flowing over the network and detects suspicious packets.
The source code is downloaded directly from https://snort.org/.
1.1 Advance preparation
Install the required libraries:
# zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel
1.2 Download and install daq and SNORT
① Download and install daq
Create a working directory and download the daq source into it:
# mkdir /root/snort_src
# cd /root/snort_src
# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
Extract, build and install:
# tar xvzf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install
② Install LuaJIT
# cd ../
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install
③ Create a fake release file
# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT
④ Install SNORT
If you do not use the Lua programming interface (OpenAppID), add the option "--disable-open-appid" to configure.
# cd /root/snort_src/
# wget https://snort.org/downloads/snort/snort-2.9.20.tar.gz
# tar xvzf snort-2.9.20.tar.gz
# cd snort-2.9.20/
# ./configure --enable-sourcefire [--disable-open-appid]
# make
# make install
# ldconfig
Create a symbolic link "/usr/sbin/snort" pointing to the installed binary "/usr/local/bin/snort":
# ln -s /usr/local/bin/snort /usr/sbin/snort
1.3 User and Group Creation
# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
1.4 Directory, file creation, permissions
# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create white_list.rules, black_list.rules and local.rules:
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Copy all "*.conf" and "*.map" files from the Snort source to Snort's system folder:
# cp ~/snort_src/snort-2.9.20/etc/*.conf* /etc/snort
# cp ~/snort_src/snort-2.9.20/etc/*.map /etc/snort
1.5 Download Rules
① Download the Community Rules
Go back to the root/ folder, download and unpack the archive, and copy the rules into the system rules directory with "cp" as before:
# cd ../
# wget https://www.snort.org/rules/community -O ~/community.tar.gz
# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
Use "sed" to comment out the rule includes you do not need in "snort.conf".
If you do not want to install anything other than the community rules, the following command comments out all of them at once:
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/rules/snort.conf
② Retrieve the registered user rules
Once registered on the Snort website, you can download the registered user rules using an Oink code; the Oink code is shown in your Snort user account details.
Replace <oink-code> in the following command with your personal code (the URL is quoted so that the shell does not interpret "?" and "<>"):
# wget "https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code>" -O ~/registered.tar.gz
Once the download is complete, extract the rules into the configuration directory:
# tar -xvf ~/registered.tar.gz -C /etc/snort
1.6 Edit Snort configuration file
# vi /etc/snort/rules/snort.conf
● Line 45
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24 ← this server's network
● Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
● Lines 104-106: comment out and add the lines below
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
● Lines 111-112: comment out and add the lines below
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
● Around line 246: confirm the path
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
● Around line 249: confirm the path
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
● Around line 252: confirm the path
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
● Around line 525: add the output line
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
output alert_unified2: filename alert.log, limit 128
● Around line 549: remove the leading # from the local.rules line and add community.rules under it
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
1.7 Check settings
① Check the configuration file
# snort -T -c /etc/snort/snort.conf
If all is well, you will see output like this:
MaxRss at the end of detection rules:62820
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20 GRE (Build 82) x86_64
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version: 8.45 2021-06-15
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.2  <Build 1>
           Preprocessor Object: SF_S7COMMPLUS  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
Total snort Fixed Memory Cost - MaxRss:63084
Snort successfully validated the configuration!
Snort exiting
ERROR: /etc/snort/rules/classification.config(0) Unable to open rules file "/etc/snort/rules/classification.config": No such file or directory.
If you get an error like the above, copy the missing files from the source tree as follows:
# cp /root/snort_src/snort-2.9.20/etc/classification.config /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/reference.config /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/threshold.conf /etc/snort/rules/
# cp /root/snort_src/snort-2.9.20/etc/unicode.map /etc/snort/rules/
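The path edits in section 1.6 and the missing classification.config above are the same class of problem, and "snort -T" reports only the first missing file it meets. The script below is an added pre-flight check, not part of Snort or of this article: it reads a Snort 2 style snort.conf, expands the "var NAME VALUE" definitions, resolves every "include" and every dynamic library path, and lists what does not exist on disk. Relative includes are resolved against the directory that holds snort.conf, which is exactly where the error above looked for classification.config. The function names (check_snort_paths, count_missing_paths, make_demo_conf) and the temporary demo tree are my own; run check_snort_paths against the snort.conf you pass to snort -c on your host.

```shell
#!/bin/sh
# Pre-flight check for a Snort 2 snort.conf (added example, not Snort project code).
# Expands "var NAME VALUE" definitions, then verifies that every "include" file,
# every "dynamicpreprocessor/dynamicdetection directory" and the "dynamicengine"
# library exist on disk. Relative include paths are resolved against the directory
# of snort.conf. Assumes var values contain no whitespace or "|" (true for the
# paths used in this article); ipvar/portvar are not paths and are ignored.

check_snort_paths() {
    conf="$1"
    confdir=$(dirname "$conf")
    # NAME=VALUE pairs from "var NAME VALUE" lines (comment and ipvar lines do not match).
    vars=$(sed -n 's/^var[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1=\2/p' "$conf")

    # include <file>: substitute $NAME references, resolve relative paths, require a regular file.
    sed -n 's/^include[[:space:]][[:space:]]*//p' "$conf" | while read -r target; do
        path="$target"
        for kv in $vars; do
            path=$(printf '%s\n' "$path" | sed "s|\\\$${kv%%=*}|${kv#*=}|g")
        done
        case "$path" in /*) ;; *) path="$confdir/$path" ;; esac
        [ -f "$path" ] || printf 'MISSING FILE: include %s -> %s\n' "$target" "$path"
    done

    # dynamicpreprocessor directory <dir> / dynamicdetection directory <dir>: require a directory.
    sed -n -e 's/^dynamicpreprocessor[[:space:]][[:space:]]*directory[[:space:]][[:space:]]*//p' \
           -e 's/^dynamicdetection[[:space:]][[:space:]]*directory[[:space:]][[:space:]]*//p' "$conf" |
    while read -r dir; do
        [ -d "$dir" ] || printf 'MISSING DIR: %s\n' "$dir"
    done

    # dynamicengine <file>: require the shared object.
    sed -n 's/^dynamicengine[[:space:]][[:space:]]*//p' "$conf" | while read -r lib; do
        [ -f "$lib" ] || printf 'MISSING FILE: dynamicengine %s\n' "$lib"
    done
}

# Number of missing paths, usable as a quick pass/fail gate before "snort -T".
count_missing_paths() {
    check_snort_paths "$1" | wc -l | tr -d '[:space:]'
}

# Constructed demo tree (not a real installation): a config that mirrors the edits
# in section 1.6, with some referenced files deliberately absent.
make_demo_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/rules" "$d/snort_dynamicpreprocessor"
    touch "$d/rules/local.rules" "$d/classification.config"
    cat > "$d/snort.conf" <<EOF
ipvar HOME_NET 192.168.11.0/24
var RULE_PATH $d/rules
var PREPROC_RULE_PATH $d/preproc_rules
dynamicpreprocessor directory $d/snort_dynamicpreprocessor
dynamicengine $d/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $d/snort_dynamicrules
include classification.config
include reference.config
#include \$RULE_PATH/app-detect.rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/community.rules
EOF
    printf '%s\n' "$d"
}

demo=$(make_demo_conf)
check_snort_paths "$demo/snort.conf"   # reference.config, community.rules, the rules dir and the engine are reported
echo "missing: $(count_missing_paths "$demo/snort.conf")"
rm -rf "$demo"
```

Commented-out includes are skipped, so the sed step from section 1.5 does not produce false alarms, and an include that resolves to a file but a wrong directory is reported with both the original token and the resolved path.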
② Prepare an operational test
Open "local.rules" and add the line "alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)" for testing:
# vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
③ Test Snort in a terminal
First check the network interface name with the "ip addr" command, then start Snort in a console or terminal:
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
ERROR: /etc/snort/rules/snort.conf(325) => Invalid keyword 'preprocessor' for server configuration.
Fatal Error, Quitting..
If you get an error like the above, find the following lines in /etc/snort/rules/snort.conf
decompress_swf { deflate lzma } \
decompress_pdf { deflate }
and comment out the decompress_swf line as shown:
#decompress_swf { deflate lzma } \
decompress_pdf { deflate }
When pinging this server from a PC in the same network, the following is displayed in the server's console:
Commencing packet processing (pid=92999)
06/14-14:58:14.161344 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/14-14:58:14.161396 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/14-14:58:15.173203 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/14-14:58:15.173241 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/14-14:58:16.186886 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/14-14:58:16.186922 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/14-14:58:17.199909 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/14-14:58:17.199944 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
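Once alerts scroll past like this, the useful next question is which signatures and which hosts produce them. The following is an added example, not from this article or the Snort project: it parses Snort 2 console (fast) alert lines with awk and summarises them per signature and per source host. It goes slightly beyond the ICMP-only output above by also handling the optional "[Classification: ...]" field and the "src:port -> dst:port" form that TCP and UDP alerts use, and by ignoring non-alert status lines. The sample lines are constructed; the second signature (sid 10000002, "TCP test") is invented for the demo, and the function names are my own. On a real host, pipe the console output or the alert file into the same functions.

```shell
#!/bin/sh
# Summarise Snort 2 "-A console" (fast) alert lines (added example, not Snort project code).
# Expected line shape, as printed above:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# The [Classification: ...] part is optional, so fields are taken from the start ($2, $3)
# and from the end ($(NF-2) .. $NF) rather than by fixed position. IPv4 only: a trailing
# ":port" is stripped, which would not be safe for IPv6 literals.

# Constructed sample: the ICMP lines follow the page's test output, the last alert
# (sid 10000002, "TCP test", with ports and a classification) is invented for the demo,
# and the non-alert status line must be ignored.
SAMPLE_ALERTS='Commencing packet processing (pid=92999)
06/14-14:58:14.161344 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/14-14:58:14.161396 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
06/14-14:58:15.173203 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
06/14-14:59:01.000001 [**] [1:10000002:1] TCP test [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.11.50:51234 -> 192.168.11.83:22'

# Events per signature: prints "gid:sid:rev count", most frequent first.
alerts_by_sid() {
    awk '$2 == "[**]" && $(NF-1) == "->" {
             sig = substr($3, 2, length($3) - 2)   # strip the surrounding [ ]
             n[sig]++
         }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Events per source host (port stripped): prints "src count", most frequent first.
alerts_by_src() {
    awk '$2 == "[**]" && $(NF-1) == "->" {
             src = $(NF-2)
             sub(/:[0-9]+$/, "", src)              # drop ":port" on TCP/UDP alerts
             n[src]++
         }
         END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_sid
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_src
```

Matching on "[**]" in the second field and "->" in the second-to-last field keeps banner and status lines out of the counts, and taking fields from the end tolerates messages of any length as well as the optional classification.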
1.8 Check log files
# ls -l /var/log/snort/
total 4
-rw------- 1 snort snort 744 Jun 14 14:58 snort.log.1686722287
# snort -r /var/log/snort/snort.log.1686722287
1.9 Creation of "snort.service"
# vi /usr/lib/systemd/system/snort.service
The unit file should have the following contents; adjust the network interface "eth0" to your environment:
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/rules/snort.conf -i eth0

[Install]
WantedBy=multi-user.target
Finally, reload systemd, then start the Snort service and check its status (stopping works the same way with "systemctl stop snort"):
# systemctl daemon-reload
# systemctl start snort
# systemctl status snort
● snort.service - Snort NIDS Daemon
     Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor pr>
     Active: active (running) since Wed 2023-06-14 15:05:05 JST; 7s ago
   Main PID: 93068 (snort)
      Tasks: 2 (limit: 2254)
     CGroup: /system.slice/snort.service
             └─93068 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/r>

Jun 14 15:05:05 Lepard systemd[1]: Started Snort NIDS Daemon