
openSUSE: Install SNORT

1. SNORT Install

Snort is a network-based IDS (intrusion detection system): it captures the packets flowing on the network and raises alerts on suspicious ones.
The source tarballs are downloaded directly from https://snort.org/.

1.1 Advance preparation

Install the required libraries

# zypper install wget bison flex libfl2 gcc libpcap-devel libpcap-devel-32bit libpcap1 automake libtool make glibc-devel-32bit zlib-devel zlib-devel-32bit libWN3 libdnet-devel libdnet1 efl efl-lang elua libXvMC1 libecore1 libector1 libedje1 libeet1 libpcrecpp0 libstdc++-devel libstdc++6-devel-gcc7 pcre-devel ethtool net-tools-deprecated net-tools net-tools-lang libopenssl-1_1-devel libtirpc-devel moonjit moonjit-devel

1.2 SNORT and daq download and installation

①Download and install daq

# cd /root/
# mkdir snort_src
# cd snort_src/
# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar xvzf daq-2.0.7.tar.gz
# cd daq-2.0.7
# ./configure
# make
# make install
Update the generated configuration files with "autoreconf".
# autoreconf -f -i
②SNORT installation
If you do not want to use the Lua programming interface (OpenAppId), add the option "--disable-open-appid".
# cd /root/snort_src/
# wget https://snort.org/downloads/snort/snort-2.9.19.tar.gz
# tar xvzf snort-2.9.19.tar.gz
# cd snort-2.9.19/
# ./configure --enable-sourcefire [--disable-open-appid]
# make
# make install
# ldconfig
Create a soft link "/usr/sbin/snort" that points to the binary "/usr/local/bin/snort".
# ln -s /usr/local/bin/snort /usr/sbin/snort

1.3 Create users and groups

# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

1.4 Directories, file creation, permissions

# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create white_list.rules, black_list.rules and local.rules

# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules
Copy all "*.conf" files and "*.map" files from the Snort source to the Snort system folder.
# cp ~/snort_src/snort-2.9.19/etc/*.conf* /etc/snort
# cp ~/snort_src/snort-2.9.19/etc/*.map /etc/snort

1.5 Download the rules

①Download the community rules.
Go back to the ~/snort_src/ folder, extract the archive and copy the rules to the system rules directory.
# cd ../
# wget https://www.snort.org/rules/community -O ~/snort_src/community.tar.gz
# tar xvzf community.tar.gz
# cp community-rules/* /etc/snort/rules
Use the "sed" command to comment out the unnecessary lines in "snort.conf".
If you do not want to install anything other than the community rules, you can use this command to comment out the rest (the includes for local.rules and community.rules are set again in 1.6):
# sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
②Install the Oinkmaster script
Download the Oinkmaster script.
# wget https://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz --no-check-certificate
# tar xvzf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0/
Copy oinkmaster.pl to the "/usr/local/bin/" folder (the same folder where the "snort" binary was placed after the Snort source was compiled).
Create a soft link "/usr/sbin/oinkmaster.pl" that points to it.
# cp oinkmaster.pl /usr/local/bin/
# chmod 0755 /usr/local/bin/oinkmaster.pl
# ln -s /usr/local/bin/oinkmaster.pl /usr/sbin/oinkmaster.pl
# cp oinkmaster.conf /etc/snort/
Edit oinkmaster.conf
To update the rules, enter the download URL containing your Oinkcode in "/etc/snort/oinkmaster.conf".
Enter your own Oinkcode, which you can get for free by registering on the "snort.org" page.
Make sure the path "tmpdir = /tmp/" is valid.
# vi /etc/snort/oinkmaster.conf
●Around line 55, remove the comment "#" at the beginning of the line and set the URL:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-29190.tar.gz
●Add around line 120:
tmpdir = /tmp/
Create a script to update the Snort rules
# touch /etc/snort/update_rules.sh
# echo \#\!/bin/bash > /etc/snort/update_rules.sh
# echo "oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort/rules" >> /etc/snort/update_rules.sh
# chmod +x /etc/snort/update_rules.sh
Download snort rules
# /etc/snort/update_rules.sh

1.6 Editing the Snort configuration file

# vi /etc/snort/snort.conf
●Line 45.
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24  ← adjust to your own network
●Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
●Line 104-106: Comment out and add the lines below.
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
#var RULE_PATH ../rules
#var SO_RULE_PATH ../so_rules
#var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
●Line 116-117: Comment out and add the lines below.
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
●Line 253: path check
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
●Line 256: path check
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
●Line 259: path check
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
●Line 528: add
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
output alert_unified2: filename alert.log, limit 128, nostamp, mpls_event_types, vlan_event_types
●Line 552: remove the leading "#" (added by the sed command in 1.5) and add community.rules below it.
# Under "local.rules", add "community.rules".
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules

1.7 Check your settings

①Check the configuration file.

# snort -T -c /etc/snort/snort.conf

If the configuration is valid, the output ends with messages like the following:

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.19 GRE (Build 85) x86_64
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.45 2021-06-15
Using ZLIB version: 1.2.11

Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>

Total snort Fixed Memory Cost - MaxRss:58464
Snort successfully validated the configuration!
Snort exiting

②Preparing for operational testing

Open "local.rules" and enter the line alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) for testing.

# vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
③Test Snort in a terminal
Use the "ip addr" command to check the network interface first, and then start Snort from the console or terminal.
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
When pinging this server from a PC in the same network, the following messages are displayed in the server's console:
Commencing packet processing (pid=84095)
01/17-10:32:02.677496 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:02.677564 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:03.680553 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:03.680590 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:04.687290 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:04.687377 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:05.703765 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:05.703853 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
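As an added example that is not part of the original page, a small Python parser for the fast-alert lines that "snort -A console" prints above: it skips non-alert lines, extracts gid:sid:rev, message, priority, protocol and endpoints, and tallies alerts per signature and per source host. The sample input is constructed from the test run shown above.

```python
import re
from collections import Counter

# Fast-alert line format printed by "snort -A console" (as in the test run above).
# The "[Classification: ...]" field is optional; the page's test rule sets none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alert(line):
    """Parse one console line; return a dict, or None for non-alert output
    such as "Commencing packet processing (pid=...)"."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Tally alerts per (gid, sid, msg) signature and per source address."""
    per_sig, per_src = Counter(), Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        per_sig[(rec["gid"], rec["sid"], rec["msg"])] += 1
        per_src[rec["src"]] += 1
    return per_sig, per_src

# Constructed sample: the banner line plus three alert lines from the test run.
SAMPLE = """\
Commencing packet processing (pid=84095)
01/17-10:32:02.677496 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
01/17-10:32:02.677564 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.60 -> 192.168.11.20
01/17-10:32:03.680553 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.60
"""

if __name__ == "__main__":
    sigs, srcs = summarize(SAMPLE.splitlines())
    for (gid, sid, msg), n in sigs.most_common():
        print(f"{gid}:{sid} {msg!r}: {n} alert(s)")
    for src, n in srcs.most_common():
        print(f"{src}: {n} alert(s)")
```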

1.8 Checking the log file

# ls -l /var/log/snort/
total 4
-rw------- 1 snort snort 744 Jan 10 19:02 snort.log.1641808940
# snort -r /var/log/snort/snort.log.1641808940

1.9 Creating "snort.service"

# vi /usr/lib/systemd/system/snort.service
Adjust the network interface ("eth0" below) to match your environment.
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target

Finally, reload systemd, then start the Snort service and check its status.

# systemctl daemon-reload
# systemctl start snort
# systemctl status snort