Contents
- Snort3
- 1. Install the required packages
- 2. Install the DAQ library
- 3. Install Gperftools
- 4. Installing SNORT3
- 5. Identify and configure network interfaces
- 6. Create a systemd service for the network interface
- 7. Adding Snort Rules
- 8. OpenAppID Installation
- 9. Create a systemd service for Snort
- 10. Snort JSON Logging Configuration
- 11. Automatic Rule File Updates
Snort3
1. Install the required packages
# apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y
2. Install the DAQ library
Download, build and install the DAQ (Data Acquisition) library that Snort uses to read packets:
# git clone https://github.com/snort3/libdaq.git
# cd libdaq/
~/libdaq# ./bootstrap
~/libdaq# ./configure
~/libdaq# make
~/libdaq# make install
3. Install Gperftools
Gperftools provides tcmalloc, a fast multi-threaded memory allocator; Snort is built against it below (--enable-tcmalloc in step 4) to reduce the cost of the many small allocations it makes per packet.
# cd
# wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.13/gperftools-2.13.tar.gz
# tar xzf gperftools-2.13.tar.gz
# cd gperftools-2.13
~/gperftools-2.13# ./configure
~/gperftools-2.13# make
~/gperftools-2.13# make install
4. Installing SNORT3
① Downloading and extracting SNORT3
# cd
# wget https://github.com/snort3/snort3/archive/refs/heads/master.zip
# apt install unzip
# unzip master.zip
# cd snort3-master
② Configuration
# ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
-------------------------------------------------------
snort version 3.11.1.0

Install options:
    prefix:     /usr/local
    includes:   /usr/local/include/snort
    plugins:    /usr/local/lib/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:         -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
    CXXFLAGS:       -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG
    EXE_LDFLAGS:
    MODULE_LDFLAGS:

Feature options:
    DAQ Modules:    Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)
    libatomic:      System-provided
    Hyperscan:      OFF
    ICONV:          ON
    Libunwind:      ON
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           ON
    LibML:          OFF
-------------------------------------------------------
-- Configuring done (3.8s)
-- Generating done (0.2s)
-- Build files have been written to: /root/snort3-master/buil
If configure_cmake.sh instead stops with the message "ERROR! Libpcre2 library not found.", install the libpcre2-dev package and run it again:
# apt -y install libpcre2-dev
③ Install
# cd build
# make
# make install
④ Update the shared library cache
# ldconfig
⑤ Check the version
# snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.11.1.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2026 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.25
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using LuaJIT version 2.1.1703358377
           Using LZMA version 5.4.5
           Using OpenSSL 3.0.13 30 Jan 2024
           Using PCRE2 version 10.42 2022-12-11
           Using ZLIB version 1.3
⑥ Testing the default settings
# snort -c /usr/local/etc/snort/snort.lua
If the configuration is valid, the output ends as follows:
--------------------------------------------------
o")~   Snort++ 3.11.1.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
	decode
	host_cache
----omission-----
--------------------------------------------------
rule counts
       total rules loaded: 219
               text rules: 219
            option chains: 219
            chain headers: 1
--------------------------------------------------
service rule counts          to-srv  to-cli
                  file_id:      219     219
                    total:      219     219
--------------------------------------------------
fast pattern groups
                to_server: 1
                to_client: 1
--------------------------------------------------
search engine (ac_bnfa)
                instances: 2
                 patterns: 438
            pattern chars: 2602
               num states: 1832
         num match states: 392
             memory scale: KB
             total memory: 71.2812
           pattern memory: 19.6484
        match list memory: 28.4375
        transition memory: 22.9453
appid: MaxRss diff: 3328
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
5. Identify and configure network interfaces
① Verify the network interface
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f0:00:64 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.11.83/24 brd 192.168.11.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef0:64/64 scope link
       valid_lft forever preferred_lft forever
The network interface name used in the rest of this guide is ens33.
② Set the network interface to promiscuous mode
# ip link set dev ens33 promisc on
Confirm the setting (PROMISC now appears in the flag list):
# ip addr | grep ens33 | grep mtu
2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
③ Turn off Large Receive Offload (LRO) and Generic Receive Offload (GRO)
GRO and LRO let the NIC driver merge several received packets into one before the kernel hands them up, so Snort would inspect coalesced packets that never existed on the wire; turning them off keeps the captured traffic faithful to what was actually sent.
Check the current status:
# ethtool -k ens33 | grep receive-offload
generic-receive-offload: on
large-receive-offload: off [fixed]
Turn GRO and LRO off:
# ethtool -K ens33 gro off lro off
6. Create a systemd service for the network interface
The promiscuous flag and the offload settings do not survive a reboot, so a oneshot service reapplies them at boot.
# touch /etc/systemd/system/snort3-nic.service
# vi /etc/systemd/system/snort3-nic.service
Content of snort3-nic.service:
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens33 promisc on
ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target
Reload the systemd daemon to pick up the new unit:
# systemctl daemon-reload
Start and enable snort3-nic.service:
# systemctl start snort3-nic.service
# systemctl enable snort3-nic.service
Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service
Check the status of snort3-nic.service:
# systemctl status snort3-nic.service
● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
     Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2026-03-04 15:30:32 JST; 16s ago
   Main PID: 62096 (code=exited, status=0/SUCCESS)
        CPU: 8ms

Mar 04 15:30:32 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot...
Mar 04 15:30:32 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot.
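A oneshot unit reports "active (exited)" even when one of its commands quietly did nothing useful (wrong interface name, ethtool not at /usr/sbin), so it is worth checking the interface state itself after a reboot. The script below is an added example, not part of the page: its two parsing functions take the text of an ip link line and an ethtool -k listing (so they can be exercised on captured output), and check_sensor_nic runs the live commands for one interface. The interface name ens33 and the sample outputs are the page's; the samples are constructed copies, not live output.

```shell
#!/bin/sh
# Added example (not from the page): verify that a sensor NIC is in the state
# sections 5 and 6 put it in, i.e. PROMISC set and GRO/LRO off.

# Return 0 when an 'ip link' line carries the PROMISC flag in its <...> list.
promisc_is_on() {
    case "$1" in
        *PROMISC*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 when an 'ethtool -k' listing shows generic-receive-offload and
# large-receive-offload both off ("off [fixed]" counts as off).
offloads_are_off() {
    printf '%s\n' "$1" | grep -q '^generic-receive-offload: off' || return 1
    printf '%s\n' "$1" | grep -q '^large-receive-offload: off'   || return 1
    return 0
}

# Live check of one interface. Prints one line per problem, together with the
# command from the page that fixes it, and returns the number of problems.
check_sensor_nic() {
    nic="$1"
    problems=0
    if ! link_line="$(ip -o link show dev "$nic" 2>/dev/null)"; then
        echo "$nic: no such interface"
        return 1
    fi
    if ! promisc_is_on "$link_line"; then
        echo "$nic: promiscuous mode is off  (fix: ip link set dev $nic promisc on)"
        problems=$((problems + 1))
    fi
    if ! offloads_are_off "$(ethtool -k "$nic" 2>/dev/null)"; then
        echo "$nic: GRO and/or LRO still on  (fix: ethtool -K $nic gro off lro off)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples modelled on the page's section 5 output, used to
# exercise the parsers without touching a real interface.
SAMPLE_LINK_BEFORE='2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_LINK_AFTER='2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_ETHTOOL_BEFORE='generic-receive-offload: on
large-receive-offload: off [fixed]'
SAMPLE_ETHTOOL_AFTER='generic-receive-offload: off
large-receive-offload: off [fixed]'

# Offline self-test of the parsers on the constructed samples; 0 = all good.
selftest() {
    promisc_is_on "$SAMPLE_LINK_AFTER"        || return 1
    promisc_is_on "$SAMPLE_LINK_BEFORE"       && return 1
    offloads_are_off "$SAMPLE_ETHTOOL_AFTER"  || return 1
    offloads_are_off "$SAMPLE_ETHTOOL_BEFORE" && return 1
    return 0
}

# Usage: sh check-nic.sh ens33    (no argument: run only the offline self-test)
if [ $# -gt 0 ]; then
    check_sensor_nic "$1"
else
    selftest && echo "parser self-test passed"
fi
```

Run it from the snort3-nic.service unit as a second check (ExecStartPost) or from a monitoring job; a non-zero exit means the sensor is capturing, but not the traffic you think it is.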
7. Adding Snort Rules
7.1 Add the Community Ruleset
① Create a directory for Snort rules and download the community ruleset from the Snort website into it:
# mkdir /usr/local/etc/snort/rules
# wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/snort/rules/
② Edit the main configuration file
# vi /usr/local/etc/snort/snort.lua

Line 24: change HOME_NET to your own network
HOME_NET = '192.168.11.0/24'

Line 28: change EXTERNAL_NET to everything outside HOME_NET
EXTERNAL_NET = '!$HOME_NET'

Around line 197, edit the existing ips block so that it includes the community rules:
ips = {
    -- use this to enable decoder and inspector alerts
    -- enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables,
    rules = [[
        include /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules
    ]]
}
③ Testing the changes to the main configuration
# snort -c /usr/local/etc/snort/snort.lua
If the configuration is valid, the output ends as follows (the pattern counts are now in the thousands because the community rules were loaded):
...
--------------------------------------------------
search engine (ac_bnfa)
                instances: 334
                 patterns: 10779
            pattern chars: 175202
               num states: 123205
         num match states: 10502
             memory scale: MB
             total memory: 3.68025
           pattern memory: 0.577953
        match list memory: 1.33503
        transition memory: 1.7265
        fast pattern only: 7097
appid: MaxRss diff: 3328
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
7.2 Add custom rules
① Create a local rules file in the Snort rules directory
# touch /usr/local/etc/snort/rules/local.rules
# vi /usr/local/etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
② Edit the Snort main configuration
# vi /usr/local/etc/snort/snort.lua

Around line 198, add local.rules to the include list in the ips block:
ips = {
    -- use this to enable decoder and inspector alerts
    -- enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables,
    rules = [[
        include /usr/local/etc/snort/rules/local.rules
        include /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules
    ]]
}
③ Testing the changes to the main configuration
# snort -c /usr/local/etc/snort/snort.lua
If the configuration is valid, the output ends as follows:
...
--------------------------------------------------
search engine (ac_bnfa)
                instances: 338
                 patterns: 10778
            pattern chars: 175278
               num states: 123344
         num match states: 10498
             memory scale: MB
             total memory: 3.68713
           pattern memory: 0.577984
        match list memory: 1.33597
        transition memory: 1.73192
        fast pattern only: 7099
appid: MaxRss diff: 3328
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
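Two things bite people when they start mixing local rules with downloaded rulesets: Snort refuses to load a configuration in which two text rules share a sid (the validation run above fails), and sids below 1,000,000 are reserved for official rulesets, which is why the page's local rule starts at 1000001. The pre-flight check below is an added example, not part of the page or of Snort; it extracts sids from any rules files you pass it, reports duplicates across files and local sids inside the reserved range. The sample rule files it writes are constructed for the demonstration and are not the page's files.

```shell
#!/bin/sh
# Added example (not from the page): lint the rules files listed in the
# ips.rules block of snort.lua before running "snort -c snort.lua".

# Print "sid<TAB>filename" for every active rule in the given files.
# Commented-out rules (leading #) are skipped so they cannot cause false duplicates.
list_sids() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /sid:[ \t]*[0-9]+/) {
            s = substr($0, RSTART + 4, RLENGTH - 4)
            sub(/^[ \t]+/, "", s)
            print s "\t" FILENAME
        }' "$@"
}

# Print each sid that appears more than once across the given files.
duplicate_sids() {
    list_sids "$@" | cut -f1 | sort -n | uniq -d
}

# Print sids in a local rules file that fall inside the reserved range (< 1000000).
reserved_local_sids() {
    list_sids "$1" | cut -f1 | awk '$1 < 1000000' | sort -n
}

# Run both checks: $1 is the local rules file, the rest are the other included
# files. Returns 0 when clean, 1 when something must be fixed before Snort starts.
check_rules() {
    local_file="$1"; shift
    status=0
    dups="$(duplicate_sids "$local_file" "$@")"
    if [ -n "$dups" ]; then
        printf 'duplicate sid(s), Snort will refuse to load: %s\n' "$(printf '%s' "$dups" | tr '\n' ' ')"
        status=1
    fi
    low="$(reserved_local_sids "$local_file")"
    if [ -n "$low" ]; then
        printf 'local sid(s) inside the reserved range (<1000000): %s\n' "$(printf '%s' "$low" | tr '\n' ' ')"
        status=1
    fi
    return "$status"
}

# Write constructed sample rule files into a temp directory and print its path.
# other.rules stands in for a downloaded ruleset; it is not the community file.
make_sample_rules() {
    dir="$(mktemp -d)"
    cat > "$dir/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"disabled, must not count"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet to internal host"; sid:999; rev:1;)
EOF
    cat > "$dir/other.rules" <<'EOF'
# constructed stand-in for a downloaded ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample clash with local.rules"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"sample official rule"; sid:2; rev:1;)
EOF
    printf '%s\n' "$dir"
}

# Usage: sh check-rules.sh /usr/local/etc/snort/rules/local.rules [other rules files...]
# With no arguments the checks run on the constructed samples.
if [ $# -gt 0 ]; then
    check_rules "$@"
else
    d="$(make_sample_rules)"
    check_rules "$d/local.rules" "$d/other.rules"
    rm -rf "$d"
fi
```

Only the files actually named in ips.rules matter, so pass exactly those; a rule that also sets gid: is compared by gid:sid in Snort, but text rules without gid all default to gid 1, which is the case this check covers.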
8. OpenAppID Installation
OpenAppID adds application detectors so that Snort identifies the application behind a flow (shown as the [AppID: ...] field in alerts later in this guide) and rules can match on it, extending detection to the application layer.
① Download OpenAppID and extract it
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz
# tar -xzvf OpenAppId-33380.tgz
② Copy the extracted folder (odp) to the following directory:
# cp -R odp /usr/local/lib/
③ Edit the main configuration file and define the location of the OpenAppID folder
# vi /usr/local/etc/snort/snort.lua

Add around line 104
appid = {
    -- appid requires this to use appids in rules
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}

appid_listener = {
    json_logging = true,
    file = "/var/log/snort/appid-output.log",
}
④ Testing the changes to the main configuration
# snort -c /usr/local/etc/snort/snort.lua
If the configuration is valid, the output ends as follows; the "appid: patterns loaded" line now reports 11537 patterns instead of the 300 built-in ones, which confirms the detectors were found in /usr/local/lib/odp:
...
--------------------------------------------------
search engine (ac_bnfa)
                instances: 338
                 patterns: 10778
            pattern chars: 175278
               num states: 123344
         num match states: 10498
             memory scale: MB
             total memory: 3.68713
           pattern memory: 0.577984
        match list memory: 1.33597
        transition memory: 1.73192
        fast pattern only: 7099
appid: MaxRss diff: 225920
appid: patterns loaded: 11537
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
9. Create a systemd service for Snort
9.1 Confirmation of all setups
Run Snort in the foreground on the network interface with local.rules only (-R loads the given rules file, -A alert_fast prints alerts to the console):
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i ens33 -A alert_fast -s 65535 -k none
Send a ping to the Ubuntu server's IP address from another PC on the same network.
The following alerts appear in the server's console window (both the requests from 192.168.11.6 and the replies from 192.168.11.83 match the rule, since $HOME_NET covers both hosts):
03/05-10:21:57.153846 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:21:57.153846 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:21:57.153975 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
03/05-10:21:58.166597 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:21:58.166598 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:21:58.166780 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
03/05-10:21:58.167106 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
03/05-10:21:59.178071 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:21:59.178072 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:21:59.178233 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
03/05-10:21:59.178539 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
03/05-10:22:00.205383 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:22:00.205384 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.6 -> 192.168.11.83
03/05-10:22:00.205555 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
03/05-10:22:00.205848 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.6
9.2 Create a systemd service for Snort
① Create a dedicated system user (snort) for the Snort service, with no login shell and no home directory
# useradd -r -s /usr/sbin/nologin -M snort
② Create the log directory and set its permissions
# mkdir /var/log/snort
# chmod -R 5775 /var/log/snort
# chown -R snort:snort /var/log/snort
③ Create the Snort systemd service file
# touch /etc/systemd/system/snort3.service
# vi /etc/systemd/system/snort3.service
Content of snort3.service:
[Unit]
Description=Snort3 IDS Daemon Service
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens33 -m 0x1b -u snort -g snort
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target
④ Reload systemd and enable the Snort service
# systemctl daemon-reload
# systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.
⑤ Start the Snort service and check its status
# systemctl start snort3
# systemctl status snort3
● snort3.service - Snort3 IDS Daemon Service
     Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-03-05 10:24:58 JST; 15s ago
   Main PID: 42205 (snort3)
      Tasks: 2 (limit: 4543)
     Memory: 213.1M (peak: 213.5M)
        CPU: 841ms
     CGroup: /system.slice/snort3.service
             └─42205 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 ->

Mar 05 10:24:59 Lepard snort[42205]: any: 8
Mar 05 10:24:59 Lepard snort[42205]: to_server: 69
Mar 05 10:24:59 Lepard snort[42205]: to_client: 48
Mar 05 10:24:59 Lepard snort[42205]: --------------------------------------------------
Mar 05 10:24:59 Lepard snort[42205]: search engine (ac_bnfa)
Mar 05 10:24:59 Lepard snort[42205]: instances: 334
Mar 05 10:24:59 Lepard snort[42205]: patterns: 10779
Mar 05 10:24:59 Lepard snort[42205]: pattern chars: 175202
Mar 05 10:24:59 Lepard snort[42205]: num states: 123205
Mar 05 10:24:59 Lepard snort[42205]: num match states: 10502
10. Snort JSON Logging Configuration
① Edit the Snort configuration file
# vi /usr/local/etc/snort/snort.lua

Around line 261, add the alert_json block at the end of the "7. configure outputs" section. file = true writes alerts to a file in the -l log directory instead of stdout, limit is the file size limit in MB before rotation, and fields selects which keys each JSON record carries:
---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

---------------
-- additional logs
--packet_capture = { }
--file_log = { }

alert_json = {
    file = true,
    limit = 50,
    fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}
② Restart Snort
# systemctl restart snort3
③ Confirming the settings
Ping the Ubuntu host from another PC on the same network again.
Alerts are now written as one JSON object per line to /var/log/snort/alert_json.txt (under the -l directory set in snort3.service). Follow the file:
# tail -f /var/log/snort/alert_json.txt
The following records are displayed (src_port and dst_port are in the field list but are omitted for ICMP, which has no ports):
{ "timestamp" : "03/05-10:27:26.491212", "msg" : "Incoming ICMP", "pkt_num" : 359, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:26.491292", "msg" : "Incoming ICMP", "pkt_num" : 360, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:27.500890", "msg" : "Incoming ICMP", "pkt_num" : 369, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:27.500890", "msg" : "Incoming ICMP", "pkt_num" : 370, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:27.500971", "msg" : "Incoming ICMP", "pkt_num" : 371, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:27.501067", "msg" : "Incoming ICMP", "pkt_num" : 372, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:28.509713", "msg" : "Incoming ICMP", "pkt_num" : 377, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:28.509714", "msg" : "Incoming ICMP", "pkt_num" : 378, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.6", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:28.509761", "msg" : "Incoming ICMP", "pkt_num" : 379, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
{ "timestamp" : "03/05-10:27:28.509830", "msg" : "Incoming ICMP", "pkt_num" : 380, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.6", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" }
11. Automatic Rule File Updates
Install oinkmaster to automatically update the rule files Snort uses for detecting unauthorized access.
11.1 Oinkmaster Installation
# wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz
# tar zxvf oinkmaster-2.0.tar.gz
Copy the following files to the specified directories:
# cp oinkmaster-2.0/oinkmaster.pl /usr/local/bin/
# cp oinkmaster-2.0/oinkmaster.conf /etc/
# cp oinkmaster-2.0/oinkmaster.1 /usr/share/man/man1/
Delete the extracted directory and the archive:
# rm -rf oinkmaster-2.0
# rm -f oinkmaster-2.0.tar.gz
11.2 Obtaining the Oinkcode
Downloading the registered Snort rule files (Sourcefire VRT Certified Rules) requires an "Oinkcode", a per-account token that authenticates your downloads.
Go to the official Snort website and register as a user. After signing in with your registered account and password, open the "Oinkcode" page and copy the code.
11.3 Oinkmaster Settings
Edit the Oinkmaster configuration file and paste the Oinkcode you obtained:
# vi /etc/oinkmaster.conf

Around line 56, add the following line. Replace <file_name> with the name of the latest snortrules-snapshot-xxxxx.tar.gz that matches your Snort version (shown after signing in to snort.org) and <oinkcode> with the Oinkcode obtained above:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<file_name>
11.4 Download (Run Oinkmaster)
# oinkmaster.pl -o /usr/local/etc/snort/rules/
The result is displayed as follows:
[***] Results from Oinkmaster started 20260305 12:47:58 [***]

[*] Rules modifications: [*]
    None.

[*] Non-rule line modifications: [*]
    None.

[+] Added files (consider updating your snort.conf to include them if needed): [+]
    -> includes.rules
    -> snort3-app-detect.rules
    -> snort3-browser-chrome.rules
    -> snort3-browser-firefox.rules
    -> snort3-browser-ie.rules
    -> snort3-browser-other.rules
    -> snort3-browser-plugins.rules
    -> snort3-browser-webkit.rules
    -> snort3-content-replace.rules
    -> snort3-exploit-kit.rules
    -> snort3-file-executable.rules
    -> snort3-file-flash.rules
    -> snort3-file-identify.rules
    -> snort3-file-image.rules
    -> snort3-file-java.rules
    -> snort3-file-multimedia.rules
    -> snort3-file-office.rules
    -> snort3-file-other.rules
    -> snort3-file-pdf.rules
    -> snort3-indicator-compromise.rules
    -> snort3-indicator-obfuscation.rules
    -> snort3-indicator-scan.rules
    -> snort3-indicator-shellcode.rules
    -> snort3-malware-backdoor.rules
    -> snort3-malware-cnc.rules
    -> snort3-malware-other.rules
    -> snort3-malware-tools.rules
    -> snort3-netbios.rules
    -> snort3-os-linux.rules
    -> snort3-os-mobile.rules
    -> snort3-os-other.rules
    -> snort3-os-solaris.rules
    -> snort3-os-windows.rules
    -> snort3-policy-multimedia.rules
    -> snort3-policy-other.rules
    -> snort3-policy-social.rules
    -> snort3-policy-spam.rules
    -> snort3-protocol-dns.rules
    -> snort3-protocol-finger.rules
    -> snort3-protocol-ftp.rules
    -> snort3-protocol-icmp.rules
    -> snort3-protocol-imap.rules
    -> snort3-protocol-nntp.rules
    -> snort3-protocol-other.rules
    -> snort3-protocol-pop.rules
    -> snort3-protocol-rpc.rules
    -> snort3-protocol-scada.rules
    -> snort3-protocol-services.rules
    -> snort3-protocol-snmp.rules
    -> snort3-protocol-telnet.rules
    -> snort3-protocol-tftp.rules
    -> snort3-protocol-voip.rules
    -> snort3-pua-adware.rules
    -> snort3-pua-other.rules
    -> snort3-pua-p2p.rules
    -> snort3-pua-toolbars.rules
    -> snort3-server-apache.rules
    -> snort3-server-iis.rules
    -> snort3-server-mail.rules
    -> snort3-server-mssql.rules
    -> snort3-server-mysql.rules
    -> snort3-server-oracle.rules
    -> snort3-server-other.rules
    -> snort3-server-samba.rules
    -> snort3-server-webapp.rules
    -> snort3-sql.rules
    -> snort3-x11.rules
    -> VRT-License.txt
As the "Added files" message says, Oinkmaster only places the files in the rules directory; Snort loads only the files named in the ips.rules block of snort.lua (section 7), so add include lines there for the rule files you want active.
11.5 Oinkmaster Scheduled Automatic Execution Settings
Create the script that cron runs once a day:
# vi /etc/cron.daily/snort-rule-update

#!/bin/bash
/usr/local/bin/oinkmaster.pl -o /usr/local/etc/snort/rules/ 2>&1 | logger -t oinkmaster
systemctl restart snort3 > /dev/null

Make the script executable:
# chmod +x /etc/cron.daily/snort-rule-update
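The cron script above restarts snort3 no matter what happened before it: if the download failed or the new snapshot contains a rule Snort cannot parse, the restart fails and the sensor stays down until someone reads the journal. The script below is an added example, not the page's script: it keeps the page's paths and logger tag style, but restarts Snort only when Oinkmaster succeeded and "snort -c snort.lua -T" (test the configuration and exit) validates the new ruleset, and it logs each outcome. The three commands are passed to run_update by function name so the decision logic can be exercised with stand-ins on a host that has no Snort; the stand-ins ok and fail are constructed for that purpose.

```shell
#!/bin/sh
# Added example (not from the page): a safer /etc/cron.daily/snort-rule-update.
# Run with --dry-run to exercise the decision logic without touching the host.

SNORT_CONF=/usr/local/etc/snort/snort.lua
RULES_DIR=/usr/local/etc/snort/rules/
TAG=snort-rule-update

# Log to syslog under $TAG; fall back to stderr when logger is unavailable.
log() {
    logger -t "$TAG" "$*" 2>/dev/null || printf '%s: %s\n' "$TAG" "$*" >&2
}

# Download/merge the rules; every line Oinkmaster prints goes to the log.
update_rules() {
    if out="$(/usr/local/bin/oinkmaster.pl -o "$RULES_DIR" 2>&1)"; then
        status=0
    else
        status=$?
    fi
    printf '%s\n' "$out" | while read -r line; do log "$line"; done
    return "$status"
}

# Validate the configuration with the new rules; -T tests and exits, no capture.
validate_config() {
    /usr/local/bin/snort -c "$SNORT_CONF" -T >/dev/null 2>&1
}

restart_snort() {
    systemctl restart snort3 >/dev/null 2>&1
}

# One update cycle. $1, $2 and $3 name the update, validate and restart functions.
# Returns 0 when Snort was restarted on a validated ruleset, 1 when the update
# failed, 2 when the new ruleset failed validation (Snort keeps running on the
# rules it already loaded), 3 when the restart itself failed.
run_update() {
    if ! "$1"; then
        log "rule update failed; snort3 left running on the previous ruleset"
        return 1
    fi
    if ! "$2"; then
        log "updated ruleset failed validation; snort3 NOT restarted - fix the rules (or restore the oinkmaster -b backup) before the next restart"
        return 2
    fi
    if ! "$3"; then
        log "rules validated but restarting snort3 failed; check systemctl status snort3"
        return 3
    fi
    log "rules updated, validated and snort3 restarted"
    return 0
}

# Constructed stand-ins for the three commands, used by the dry run.
ok()   { return 0; }
fail() { return 1; }

# Exercise every branch of run_update with the stand-ins; 0 = behaves as designed.
dry_run() {
    rc=0; run_update ok ok ok     || rc=$?; [ "$rc" -eq 0 ] || return 1
    rc=0; run_update fail ok ok   || rc=$?; [ "$rc" -eq 1 ] || return 1
    rc=0; run_update ok fail ok   || rc=$?; [ "$rc" -eq 2 ] || return 1
    rc=0; run_update ok ok fail   || rc=$?; [ "$rc" -eq 3 ] || return 1
}

case "${1:-}" in
    --dry-run) dry_run && echo "dry run: decision logic behaves as expected" ;;
    *)         run_update update_rules validate_config restart_snort ;;
esac
```

Install it in place of the page's script (same path, same chmod +x). Validation failing leaves the already-downloaded files in the rules directory, which is why the log message points at Oinkmaster's -b <dir> option: run it with a backup directory so the previous snapshot can be restored when a new one turns out to be broken.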
