Snort3 Install
The default universe repository for Ubuntu 22.04 / 23.04 ships Snort 2.9, as shown below, so Snort 3 has to be built, compiled and installed from source.
# apt-cache policy snort
snort:
  Installed: (none)
  Candidate: 2.9.15.1-6build1
  Version table:
     2.9.15.1-6build1 500
        500 http://jp.archive.ubuntu.com/ubuntu lunar/universe amd64 Packages
Advance preparation
①Make sure the Ubuntu server is up to date and has the latest package list
# apt update && apt dist-upgrade -y
①Install the build tools and dependency libraries required to build and install Snort 3.
# apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc \
    libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev \
    cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev \
    autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y
②Create a working directory for the Snort 3 build
# mkdir snort_src && cd snort_src
③Download and install DAQ
# git clone https://github.com/snort3/libdaq.git
# cd libdaq
# ./bootstrap
# ./configure
# make
# make install
④Install gperftools; its tcmalloc allocator improves Snort's performance as memory usage grows (the build is configured with --enable-tcmalloc below)
# cd ../
# wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
# tar xzf gperftools-2.9.1.tar.gz
# cd gperftools-2.9.1/
# ./configure
# make
# make install
Snort3 Download and Install
①Download and install Snort3
# cd ../
# wget https://github.com/snort3/snort3/archive/refs/heads/master.zip
# apt install unzip
# unzip master.zip
# cd snort3-master
# ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
-------------------------------------------------------
snort version 3.1.71.0

Install options:
    prefix:     /usr/local
    includes:   /usr/local/include/snort
    plugins:    /usr/local/lib/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:         -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
    CXXFLAGS:       -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
    EXE_LDFLAGS:
    MODULE_LDFLAGS:

Feature options:
    DAQ Modules:    Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
    libatomic:      System-provided
    Hyperscan:      OFF
    ICONV:          ON
    Libunwind:      ON
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           ON
-------------------------------------------------------
-- Configuring done
-- Generating done
-- Build files have been written to: /root/snort_src/snort3-master/build
# cd build
# make
# make install
②Update shared libraries
# ldconfig
④Confirm that Snort runs correctly
# snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.71.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.12
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.8 7 Feb 2023
           Using libpcap version 1.10.3 (with TPACKET_V3)
           Using PCRE version 8.39 2016-06-14
           Using ZLIB version 1.2.13
           Using LZMA version 5.4.1
⑤Test Snort installation with default configuration file
# snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.71.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
    active
    alerts
    daq
    decode
    host_cache
    host_tracker
    hosts
    network
    packets
    process
    search_engine
    so_proxy
    stream
    stream_ip
    stream_icmp
    stream_tcp
    stream_udp
    stream_user
    stream_file
    arp_spoof
    back_orifice
    dns
    imap
    netflow
    normalizer
    rpc_decode
    sip
    ssh
    cip
    dnp3
    iec104
    mms
    modbus
    s7commplus
    dce_smb
    dce_tcp
    dce_udp
    dce_http_proxy
    dce_http_server
    port_scan
    smtp
    ftp_server
    ftp_client
    ftp_data
    http_inspect
    http2_inspect
    output
    file_policy
    js_norm
    wizard
    ips
    references
    binder
    appid
    file_id
    gtp_inspect
    telnet
    ssl
    pop
    trace
    classifications
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared  enabled    file
               0     208       0      208    /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 208
               text rules: 208
            option chains: 208
            chain headers: 1
--------------------------------------------------
service rule counts          to-srv  to-cli
                 file_id:       208     208
                   total:       208     208
--------------------------------------------------
fast pattern groups
                to_server: 1
                to_client: 1
--------------------------------------------------
search engine (ac_bnfa)
                instances: 2
                 patterns: 416
            pattern chars: 2508
               num states: 1778
         num match states: 370
             memory scale: KB
             total memory: 68.5879
           pattern memory: 18.6973
        match list memory: 27.3281
        transition memory: 22.3125
appid: MaxRss diff: 3328
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
Configure Snort3
①Check the name of the interface Snort listens on
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:7d:32:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.83/24 brd 192.168.11.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe7d:32c2/64 scope link
       valid_lft forever preferred_lft forever
The interface Snort will listen on is enp0s3.
➁Configure network interface card
Disable interface offloading so that Snort does not truncate packets larger than 1518 bytes
Check current status
# ethtool -k enp0s3 | grep receive-offload
generic-receive-offload: on
large-receive-offload: off [fixed]
GRO is on, so disable it (LRO is already off; the command turns both off).
# ethtool -K enp0s3 gro off lro off
Create and enable a systemd service so that the setting is reapplied after every reboot
# vi /etc/systemd/system/snort3-promisc.service
Contents of snort3-promisc.service
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev enp0s3 promisc on
ExecStart=/usr/sbin/ethtool -K enp0s3 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target
Reload configuration, start and enable services on startup
# systemctl daemon-reload
# systemctl enable --now snort3-promisc.service
Configure rule sets
This guide sets up the community rules and local rules.
①Create folders and files needed for Snort rules
# mkdir /usr/local/etc/rules
# mkdir /usr/local/etc/so_rules/
# mkdir /usr/local/etc/lists/
# touch /usr/local/etc/rules/local.rules
# touch /usr/local/etc/lists/default.blocklist
# mkdir /var/log/snort
Create local rules
①Add a rule that detects ICMP traffic to the local.rules file
# vi /usr/local/etc/rules/local.rules
Fill in the following:
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )
➁Test run
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
If the configuration is valid, the output ends with the following lines
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
➂Run Snort in detection mode on the interface (replace enp0s3 with your interface name) and log all alerts to the console with the following command
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s3 -A alert_fast -s 65535 -k none
When the server is pinged from another PC on the same network, the following appears on the console
++ [0] enp0s3
10/06-15:07:23.324577 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
10/06-15:07:23.326369 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
10/06-15:07:24.327428 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
10/06-15:07:24.327498 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
10/06-15:07:25.331815 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
10/06-15:07:25.331890 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
10/06-15:07:26.336476 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
10/06-15:07:26.336549 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
10/06-15:07:32.801404 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} fe80::9296:f3ff:fe21:9900 -> ff02::1
10/06-15:07:59.929473 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} fe80::9296:f3ff:fe21:9900 -> ff02::1
Press Ctrl-C to stop Snort.
④Edit snort.lua so that it includes local.rules
# vi /usr/local/etc/snort/snort.lua
Line 183: the ips section
Line 186: uncomment enable_builtin_rules = true,
Line 187: add include = RULE_PATH .. "/local.rules",

ips = {
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,
    include = RULE_PATH .. "/local.rules",

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables
}
⑤Run Snort
# snort -c /usr/local/etc/snort/snort.lua -i enp0s3 -A alert_fast -s 65535 -k none
Pinging the server from another PC on the same network again writes the alert to the console, this time without -R on the command line.
Set up community rules
①Download Snort3 Community Rules and save them in the rules directory
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/rules/
# ls -1 /usr/local/etc/rules/snort3-community-rules/
AUTHORS
LICENSE
sid-msg.map
snort3-community.rules
VRT-License.txt
➁Edit configuration file
# vi /usr/local/etc/snort/snort.lua
# Line 24: change to your own network
HOME_NET = '192.168.11.0/24'
# Line 28: change
EXTERNAL_NET = '!$HOME_NET'
➂Update path to rules
# vi /usr/local/etc/snort/snort.lua
Line 183, ips block. Around line 188: add the community rules file alongside local.rules.
Note that a Lua table cannot carry two include = ... keys: the second silently replaces the first,
so local.rules would never be loaded from snort.lua (the validation output further down shows only
the community file being loaded). List both files as include directives in the rules string instead:

ips = {
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,

    -- one include directive per rules file; paths are relative to the
    -- directory of snort.lua, as RULE_PATH ('../rules') already is
    rules = 'include ' .. RULE_PATH .. '/local.rules\n' ..
            'include ' .. RULE_PATH .. '/snort3-community-rules/snort3-community.rules\n',

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables
}
Installing Snort OpenAppID
①Download OpenAppID Detector Package
# wget https://snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf OpenAppId-33380.tgz
# cp -R odp /usr/local/lib/
➁Edit Snort configuration file
# vi /usr/local/etc/snort/snort.lua
# Around line 101: add app_detector_dir and log_stats

appid = {
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from',
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}
➂Configuration check
# snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.71.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
    active
    alerts
    daq
    decode
    host_cache
    host_tracker
    hosts
    network
    process
    so_proxy
    stream
    stream_ip
    stream_icmp
    stream_tcp
    stream_udp
    stream_user
    stream_file
    arp_spoof
    back_orifice
    dns
    imap
    netflow
    normalizer
    ssl
    mms
    dce_smb
    dce_http_server
    smtp
    ftp_server
    ftp_client
    ftp_data
    http_inspect
    http2_inspect
    file_policy
    js_norm
    appid
    wizard
    binder
    alert_fast
    ips
    classifications
    references
    file_id
    port_scan
    gtp_inspect
    dce_http_proxy
    dce_udp
    dce_tcp
    s7commplus
    modbus
    trace
    iec104
    dnp3
    cip
    telnet
    ssh
    sip
    rpc_decode
    pop
    output
    search_engine
    packets
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared  enabled    file
               0    4851       0     4851    /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 4851
               text rules: 4230
            builtin rules: 621
            option chains: 4851
            chain headers: 324
                 flowbits: 48
     flowbits not checked: 23
--------------------------------------------------
port rule counts             tcp     udp    icmp      ip
                     any    1094      58     147      22
                     src     170      15       0       0
                     dst     776     151       0       0
                    both       6      11       0       0
                   total    2046     235     147      22
--------------------------------------------------
service rule counts          to-srv  to-cli
                  dcerpc:        72      20
                    dhcp:         2       2
                     dns:        28       7
                 file_id:       208     208
                     ftp:        90       4
                ftp-data:         1      97
                    http:      2083     256
                   http2:      2083     256
                   http3:      2083     256
                    imap:        35     118
                     irc:         5       2
                kerberos:         5       0
                    ldap:         0       1
                   mysql:         3       0
             netbios-dgm:         1       1
              netbios-ns:         4       3
             netbios-ssn:        69      17
                    nntp:         2       0
                    pop3:        23     118
                     rdp:         5       0
                     sip:         5       5
                    smtp:       130       2
                    snmp:        18       7
                    ssdp:         3       0
                     ssl:        20      42
                  sunrpc:        68       4
                  telnet:        12       6
                    tftp:         1       0
                    wins:         1       0
                   total:      7060    1432
--------------------------------------------------
fast pattern groups
                      src: 114
                      dst: 312
                      any: 8
                to_server: 72
                to_client: 49
--------------------------------------------------
search engine (ac_bnfa)
                instances: 338
                 patterns: 10780
            pattern chars: 175085
               num states: 123102
         num match states: 10499
             memory scale: MB
             total memory: 3.68259
           pattern memory: 0.577876
        match list memory: 1.3343
        transition memory: 1.72915
        fast pattern only: 7103
appid: MaxRss diff: 227584
appid: patterns loaded: 11537
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
④Add the following rule to local.rules to detect Facebook traffic by application ID
# vi /usr/local/etc/rules/local.rules
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )
Add the following:
alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook"; sid:10000002; metadata:policy security-ips alert; )
⑤Check the syntax of the local.rules file
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
⑥Run Snort
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s3 -A alert_fast -s 65535 -k none
When I open a separate console and connect to Facebook, the following appears on the original console
# wget facebook.com
10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.183703 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.188908 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.188851 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.189135 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.194283 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.194226 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.194384 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
10/07-09:47:04.198755 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.200553 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
10/07-09:47:04.206301 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.206314 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
Snort Log Settings
①Edit snort.lua configuration file
# vi /usr/local/etc/snort/snort.lua
Line 249, in the "-- 7. configure outputs" section: rewrite alert_fast as follows

alert_fast = {
    file = true,
    packet = false,
    limit = 10,
}
➁Check syntax
# snort -c /usr/local/etc/snort/snort.lua
➂Run Snort without the -A alert_fast option (the alert_fast output is now configured in snort.lua) and with -l /var/log/snort to specify the log directory
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s3 -l /var/log/snort -s 65535 -k none
The alerts now appear in the /var/log/snort/alert_fast.txt file
# tail -f /var/log/snort/alert_fast.txt
10/07-10:51:15.366241 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804
10/07-10:51:15.366241 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804
10/07-10:51:15.366241 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804
10/07-10:51:15.366466 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:46804 -> 157.240.209.35:443
10/07-10:51:15.374852 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804
10/07-10:51:15.376510 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:46804 -> 157.240.209.35:443
10/07-10:51:15.381214 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:46804
10/07-10:51:15.381276 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:46804 -> 157.240.209.35:443
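Both the console output earlier and alert_fast.txt use the same one-line format, and a single connection produces a burst of per-packet alerts. The script below is an added example, not part of this guide or of Snort: it parses that format (timestamp, gid:sid:rev, message, priority, the optional AppID field, protocol and endpoints), then counts alerts per signature and per source/destination pair so the burst collapses into countable events. The sample lines are copied from the output shown above and embedded inline; the regular expression is written against that output, not taken from Snort's source.

```python
"""Summarise Snort 3 alert_fast output by signature and by flow.

Added example, not part of the guide: parses the one-line format that
-A alert_fast writes to the console or to /var/log/snort/alert_fast.txt.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Layout of one alert_fast line, as seen in the output above, e.g.
# 10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
# The [AppID: ...] field is present only for alerts from rules with an appids option.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)" \[\*\*\] \[Priority: (?P<prio>\d+)\]'
    r'(?: \[AppID: (?P<appid>[^\]]*)\])? \{(?P<proto>\w+)\} '
    r'(?P<src>\S+) -> (?P<dst>\S+)$'
)


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    appid: str | None
    proto: str
    src: str
    dst: str


def split_endpoint(endpoint: str, proto: str) -> tuple[str, int | None]:
    """TCP/UDP endpoints carry ':port'; ICMP/IP endpoints are a bare address.
    Splitting on the last ':' keeps IPv6 addresses intact for TCP/UDP too."""
    if proto in ("TCP", "UDP"):
        addr, _, port = endpoint.rpartition(":")
        return addr, int(port)
    return endpoint, None


def parse_alert(line: str) -> Alert | None:
    """Parse one alert_fast line; return None for non-alert lines such as the
    '++ [0] enp0s3' banner Snort prints when it opens the interface."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
                 msg=m["msg"], priority=int(m["prio"]), appid=m["appid"],
                 proto=m["proto"], src=m["src"], dst=m["dst"])


def summarise(lines) -> tuple[Counter, Counter, int]:
    """Count alerts per signature and per (sid, proto, src addr, dst addr).
    Ports are left out of the flow key so repeated per-packet hits of one
    connection collapse into a single entry per direction."""
    by_sig: Counter = Counter()
    by_flow: Counter = Counter()
    skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            if line.strip():
                skipped += 1
            continue
        by_sig[(a.gid, a.sid, a.rev, a.msg)] += 1
        src, _ = split_endpoint(a.src, a.proto)
        dst, _ = split_endpoint(a.dst, a.proto)
        by_flow[(a.sid, a.proto, src, dst)] += 1
    return by_sig, by_flow, skipped


# Constructed sample: lines copied from the console and log output above.
SAMPLE = """\
++ [0] enp0s3
10/06-15:07:23.324577 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83
10/06-15:07:23.326369 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22
10/06-15:07:32.801404 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} fe80::9296:f3ff:fe21:9900 -> ff02::1
10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.183468 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 157.240.209.35:443 -> 192.168.11.83:54052
10/07-09:47:04.183703 [**] [1:10000002:0] "Facebook Detected" [**] [Priority: 0] [AppID: Facebook] {TCP} 192.168.11.83:54052 -> 157.240.209.35:443
"""

if __name__ == "__main__":
    sigs, flows, skipped = summarise(SAMPLE.splitlines())
    for (gid, sid, rev, msg), n in sigs.most_common():
        print(f"[{gid}:{sid}:{rev}] {msg}: {n} alerts")
    for (sid, proto, src, dst), n in flows.most_common():
        print(f"  sid {sid} {proto} {src} -> {dst}: {n}")
    print(f"{skipped} non-alert line(s) skipped")
```

To run it over the live log, pass an open file handle for /var/log/snort/alert_fast.txt to summarise() instead of SAMPLE.splitlines(); the parser accepts the IPv6 ICMP lines and the IPv4 TCP lines with ports alike.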
Run Snort in the background
①Create a system user account for Snort with no login shell and no home directory
# useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort
②Create systemd service unit
# vi /etc/systemd/system/snort3.service
Contents of snort3.service
[Unit]
Description=Snort Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i enp0s3 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target
Reload the systemd configuration
# systemctl daemon-reload
Set ownership and permissions on the log directory so the snort user can write to it
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort
③Start Snort and allow it to run at system startup
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.
# systemctl start snort3
Status of the service:

● snort3.service - Snort Daemon
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: enabled)
     Active: active (running) since Sat 2023-10-07 11:05:01 JST; 1min 25s ago
   Main PID: 2145 (snort)
      Tasks: 2 (limit: 2201)
     Memory: 272.1M
        CPU: 5.008s
     CGroup: /system.slice/snort3.service
             └─2145 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i enp0s3 -m 0x1>

Oct 07 11:05:01 lepard snort[2145]: num match states: 10499
Oct 07 11:05:01 lepard snort[2145]: memory scale: MB
Oct 07 11:05:01 lepard snort[2145]: total memory: 3.68259
Oct 07 11:05:01 lepard snort[2145]: pattern memory: 0.577876
Oct 07 11:05:01 lepard snort[2145]: match list memory: 1.3343
Oct 07 11:05:01 lepard snort[2145]: transition memory: 1.72915
Oct 07 11:05:01 lepard snort[2145]: fast pattern only: 7103
Oct 07 11:05:01 lepard snort[2145]: appid: MaxRss diff: 225408
Oct 07 11:05:01 lepard snort[2145]: appid: patterns loaded: 11537
Oct 07 11:05:01 lepard snort[2145]: --------------------------------------------------