Suricata
SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic. Its basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.
1.Suricata Install
①Install required packages
|
1 2 |
# apt -y install libpcre2-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnspr4-dev libnss3-dev liblz4-dev rustc cargo python3-pip # apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 |
➁Suricata install
Please visit the official website to check the latest version. As of Apr 22, 2025, the latest stable version of Srikata is 7.0.10
Download and Extract
|
1 2 |
# wget https://www.openinfosecfoundation.org/download/suricata-7.0.10.tar.gz # tar xzf suricata-7.0.10.tar.gz |
configuration and installation
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# cd suricata-7.0.10 # ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var # make && make install-full You can now start suricata by running as root something like: /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 If a library like libhtp.so is not found, you can run suricata with: LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 The Emerging Threats Open rules are now installed. Rules can be updated and managed with the suricata-update tool. For more information please see: https://docs.suricata.io/en/latest/rule-management/index.html make[1]: Leaving directory '/root/suricata-7.0.10' |
Version Check
|
1 2 |
# suricata -V This is Suricata version 7.0.10 RELEASE |
2.Configure Suricata
①Determine interface and IP address where Suricata will inspect network packets
|
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ::1/128 ens33 UP 192.168.11.83/24 fe80::xxx:xxxx:xxxx:xxxx/64 |
Edit /etc/suricata/suricata.yaml file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# vi /etc/suricata/suricata.yaml # Line 18 : change HOME_NET: "[192.168.11.0/24]" # Kine 136 : change community-id: false → community-id: true # Line 623 : change af-packet: - interface: eth0 ↓ af-packet: - interface: ens33 ←Change to your own interface name |
➁suricata Update
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata-update -o /etc/suricata/rules -------omission------- 22/4/2025 -- 11:00:45 - <Info> -- Loaded 58476 rules. 22/4/2025 -- 11:00:45 - <Info> -- Disabled 13 rules. 22/4/2025 -- 11:00:45 - <Info> -- Enabled 0 rules. 22/4/2025 -- 11:00:45 - <Info> -- Modified 0 rules. 22/4/2025 -- 11:00:45 - <Info> -- Dropped 0 rules. 22/4/2025 -- 11:00:45 - <Info> -- Enabled 136 rules for flowbit dependencies. 22/4/2025 -- 11:00:45 - <Info> -- Backing up current rules. 22/4/2025 -- 11:00:47 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 58476; enabled: 42960; added: 0; removed 0; modified: 0 22/4/2025 -- 11:00:48 - <Info> -- Writing /etc/suricata/rules/classification.config 22/4/2025 -- 11:00:48 - <Info> -- No changes detected, exiting. |
It also shows the number of rules processed, in this example 58476 were added, of which 42960 were activated.
➂Check configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 2 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 1 rule files processed. 42960 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 42963 signatures processed. 1228 are IP-only rules, 4340 are inspecting packet payload, 37178 inspect application layer, 109 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting. |
④Confirm that the service starts
Enter the name of each network interface (ens33 in this case)
|
1 |
# suricata -c /etc/suricata/suricata.yaml -i ens33 |
The following appears
|
1 2 |
i: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started |
3.Automatic startup of Suricata services
①Create systemd service
|
1 2 3 4 5 6 7 8 9 10 11 |
# vi /etc/systemd/system/suricata.service [Unit] Description=Suricata IDS/IPS After=network.target [Service] ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens33 [Install] WantedBy=default.target |
➁Enable Suricata
|
1 2 |
# systemctl enable suricata Created symlink /etc/systemd/system/default.target.wants/suricata.service → /etc/systemd/system/suricata.service |
➂Start Suricata
|
1 2 |
# systemctl daemon-reload # systemctl start suricata |
④Check Suricata's status
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# systemctl status suricata ● suricata.service - Suricata IDS/IPS Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled) Active: active (running) since Tue 2025-04-22 10:56:46 JST; 12min ago Invocation: aff14b70f02747b0bd0f9662276fff1c Main PID: 43417 (Suricata-Main) Tasks: 8 (limit: 3926) Memory: 929.1M (peak: 1009.5M) CPU: 11.693s CGroup: /system.slice/suricata.service mq43417 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens33 Apr 22 10:56:46 Lepard systemd[1]: Started suricata.service - Suricata IDS/IPS. Apr 22 10:56:46 Lepard suricata[43417]: i: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode Apr 22 10:56:50 Lepard suricata[43417]: W: af-packet: ens33: AF_PACKET tpacket-v3 is recommended for non-inline operation Apr 22 10:56:51 Lepard suricata[43417]: i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started. |
4.Testing the Suricata Rule
①Test ET Open rule number 2100498
|
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
Check log file by specifying rule number
|
1 2 |
# grep 2100498 /var/log/suricata/fast.log 04/22/2025-11:09:40.001808 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 54.239.168.87:80 -> 192.168.11.83:60624 |
➁Check events in /var/log/suricata/eve.log
Install jq
|
1 |
# apt install jq |
Filter EVE Log events by searching for 2100498 signatures
Display alert objects with signature_id keys that match the values in 2100498
|
1 |
# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json |
The following appears
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
{ "timestamp": "2025-04-22T11:09:40.001808+0900", "flow_id": 1074912196849457, "in_iface": "ens33", "event_type": "alert", "src_ip": "54.239.168.87", "src_port": 80, "dest_ip": "192.168.11.83", "dest_port": 60624, "proto": "TCP", "pkt_src": "wire/pcap", "community_id": "1:/MX49rQyE+6Xk+7JqBVwqLiJtdM=", "tx_id": 0, "tx_guessed": true, "alert": { "action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7, "signature": "GPL ATTACK_RESPONSE id check returned root", "category": "Potentially Bad Traffic", "severity": 2, "metadata": { "confidence": [ "Medium" ], "created_at": [ "2010_09_23" ], "signature_severity": [ "Informational" ], "updated_at": [ "2019_07_26" ] } }, "http": { "hostname": "testmynids.org", "url": "/uid/index.html", "http_user_agent": "curl/8.12.1", "http_content_type": "text/html", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 39 }, "files": [ { "filename": "/uid/index.html", "gaps": false, "state": "CLOSED", "stored": false, "size": 39, "tx_id": 0 } ], "app_proto": "http", "direction": "to_client", "flow": { "pkts_toserver": 5, "pkts_toclient": 4, "bytes_toserver": 430, "bytes_toclient": 809, "start": "2025-04-22T11:09:39.971168+0900", "src_ip": "192.168.11.83", "dest_ip": "54.239.168.87", "src_port": 60624, "dest_port": 80 } } |
5.Creating and Applying Custom Rules
①Create custom signatures for Custom Rules files
|
1 2 3 |
# vi /etc/suricata/rules/local.rules Include the following alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:10001; rev:1;) |
➁Edit configuration file (define path for local.rules above)
|
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # Added around line 2192 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③Testing the configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 2 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 2 rule files processed. 42961 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 42964 signatures processed. 1229 are IP-only rules, 4340 are inspecting packet payload, 37178 inspect application layer, 109 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting. |
④Suricat service restart
|
1 |
# systemctl restart suricata |
⑤Testing the application of Custom Rules
Run ping on another PC on the same local network to see if it was logged
|
1 2 3 |
# cat /var/log/suricata/fast.log 04/22/2025-12:32:35.182183 [**] [1:10001:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.8:8 -> 192.168.11.83:0 04/22/2025-12:32:35.182243 [**] [1:10001:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.8:0 |
⑥Obtain logs in JSON format
Install jq
|
1 2 |
# apt install jq # systemctl restart suricata |
Ping another PC on the same local network
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' When ping is executed, the following is displayed in the console { "timestamp": "2025-04-22T12:34:32.139065+0900", "flow_id": 34330668434395, "in_iface": "ens33", "event_type": "alert", "src_ip": "192.168.11.8", "dest_ip": "192.168.11.83", "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "pkt_src": "wire/pcap", "community_id": "1:mKJ/Lpl+6WAMs3qQEpwBo0q/ifU=", "alert": { "action": "allowed", "gid": 1, "signature_id": 10001, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "direction": "to_server", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2025-04-22T12:34:32.139065+0900", "src_ip": "192.168.11.8", "dest_ip": "192.168.11.83" } } { "timestamp": "2025-04-22T12:34:32.139123+0900", "flow_id": 34330668434395, "in_iface": "ens33", "event_type": "alert", "src_ip": "192.168.11.83", "dest_ip": "192.168.11.8", "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "pkt_src": "wire/pcap", "community_id": "1:mKJ/Lpl+6WAMs3qQEpwBo0q/ifU=", "alert": { "action": "allowed", "gid": 1, "signature_id": 10001, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "direction": "to_client", "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2025-04-22T12:34:32.139065+0900", "src_ip": "192.168.11.8", "dest_ip": "192.168.11.83" } } |
6.Adding a Rule Set Provider
①List Default Provider List
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 |
If you include the tgreen/hunting ruleset as an example
|
1 2 3 4 5 6 7 8 9 10 11 |
# suricata-update enable-source tgreen/hunting 22/4/2025 -- 12:35:41 - <Info> -- Using data-directory /var/lib/suricata. 22/4/2025 -- 12:35:41 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 22/4/2025 -- 12:35:41 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 22/4/2025 -- 12:35:41 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata. 22/4/2025 -- 12:35:41 - <Warning> -- Source index does not exist, will use bundled one. 22/4/2025 -- 12:35:41 - <Warning> -- Please run suricata-update update-sources. 22/4/2025 -- 12:35:41 - <Info> -- Creating directory /var/lib/suricata/update/sources 22/4/2025 -- 12:35:41 - <Info> -- Enabling default source et/open 22/4/2025 -- 12:35:41 - <Info> -- Source tgreen/hunting enabled |
Perform update
|
1 |
# suricata-update -o /etc/suricata/rules |
Snort3
1.Install required packages
|
1 |
# apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y |
2. Install DAQ library
Download and install DAQ library
|
1 2 3 4 5 6 |
# git clone https://github.com/snort3/libdaq.git # cd libdaq/ ~/libdaq# ./bootstrap ~/libdaq# ./configure ~/libdaq# make ~/libdaq# make install |
3. Install Gperftools
Profiler tool used to improve the performance of a particular application or service by improving memory handling in multiple instances
|
1 2 3 4 5 6 7 |
# cd # wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.13/gperftools-2.13.tar.gz # tar xzf gperftools-2.13.tar.gz # cd gperftools-2.13 ~/gperftools-2.13# ./configure ~/gperftools-2.13# make ~/gperftools-2.13# make install |
4. SNORT3 Install
①Download and deploy SNORT3
|
1 2 3 4 5 |
# cd # wget https://github.com/snort3/snort3/archive/refs/heads/master.zip # apt install unzip # unzip master.zip # cd snort3-master |
➁configuration
|
1 |
# ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc |
➂Install
|
1 2 3 |
# cd build # make # make install |
④Update shared libraries
|
1 |
# ldconfig |
⑤Check version
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.7.3.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.19 Using libpcap version 1.10.5 (with TPACKET_V3) Using LuaJIT version 2.1.1737090214 Using LZMA version 5.6.4 Using OpenSSL 3.4.1 11 Feb 2025 Using PCRE2 version 10.45 2025-02-05 Using ZLIB version 1.3.1 |
⑥Test default settings
|
1 |
# snort -c /usr/local/etc/snort/snort.lua |
If it is normal, it will be displayed as follows
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
-------------------------------------------------- o")~ Snort++ 3.7.3.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: stream_udp stream_user references binder back_orifice dns js_norm normalizer ssh ssl telnet ftp_client dce_smb smtp trace dce_tcp gtp_inspect active alerts daq decode host_cache host_tracker hosts network packets search_engine so_proxy imap netflow sip cip dnp3 iec104 mms modbus s7commplus output dce_udp dce_http_proxy dce_http_server port_scan ftp_server ftp_data http_inspect http2_inspect rpc_decode pop file_policy appid wizard arp_spoof stream_file stream_tcp stream_icmp stream_ip stream ips file_id classifications process Finished /usr/local/etc/snort/snort.lua: Loading file_id.rules_file: Loading file_magic.rules: Finished file_magic.rules: Finished file_id.rules_file: -------------------------------------------------- ips policies rule stats id loaded shared enabled file 0 219 0 219 /usr/local/etc/snort/snort.lua -------------------------------------------------- rule counts total rules loaded: 219 text rules: 219 option chains: 219 chain headers: 1 -------------------------------------------------- service rule counts to-srv to-cli file_id: 219 219 total: 219 219 -------------------------------------------------- fast pattern groups to_server: 1 to_client: 1 -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 438 pattern chars: 2602 num states: 1832 num match states: 392 memory scale: KB total memory: 71.2812 pattern memory: 19.6484 match list memory: 28.4375 transition memory: 22.9453 appid: MaxRss diff: 3328 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
5. Identify and configure network interfaces
①Check network interface
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:1c:f2:f6 brd ff:ff:ff:ff:ff:ff altname enp2s1 inet 192.168.11.83/24 brd 192.168.11.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fe1c:f2f6/64 scope link valid_lft forever preferred_lft forever |
he network interface name is ens33
➁Set network interface to promiscuous mode
|
1 |
# ip link set dev ens33 promisc on |
|
1 2 |
# ip addr | grep ens33 | grep mtu 2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 |
➂Set Large Receive Offload (LRO) and Generic Receive Offload (GRO) to off state
Check current status
|
1 2 3 |
# ethtool -k ens33 | grep receive-offload generic-receive-offload: on large-receive-offload: off [fixed] |
Set LRO and GRO offload status to off state
|
1 |
# ethtool -K ens33 gro off lro off |
6. Create systemd service for network interface
|
1 2 |
# touch /etc/systemd/system/snort3-nic.service # vi /etc/systemd/system/snort3-nic.service |
Contents of snort3-nic.service
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens33 promisc on ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
Reload the systemd daemon and apply the changes
|
1 |
# systemctl daemon-reload |
Start and enable snort3-nic.service
|
1 2 3 |
# systemctl start snort3-nic.service # systemctl enable snort3-nic.service Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service |
Check the status of snort3-nic.service
|
1 2 3 4 5 6 7 8 9 10 11 |
# systemctl status snort3-nic.service ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: enabled) Active: active (exited) since Tue 2025-04-22 13:06:56 JST; 18s ago Invocation: dc74b1eb6e0f4e1d97625e28cf1d6acc Main PID: 81175 (code=exited, status=0/SUCCESS) Mem peak: 2.1M CPU: 13ms Apr 22 13:06:56 Lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on> Apr 22 13:06:56 Lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on |
7. Adding Snort Rules
7.1 Community rule sets added
①Create a folder for Snort rules and download the community ruleset from the Snort website
|
1 2 |
# mkdir /usr/local/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/snort/rules/ |
➁ Edit Snort main configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
# vi /usr/local/etc/snort/snort.lua # Line 24 : Change to own network HOME_NET = '192.168.11.0/24' # Line 29 : change EXTERNAL_NET = '!$HOME_NET' # Per Line 200 : add ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
➂Test main configuration changes
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
# snort -c /usr/local/etc/snort/snort.lua If all is well, the following is displayed ... -------------------------------------------------- -------------------------------------------------- search engine (ac_bnfa) instances: 334 patterns: 10776 pattern chars: 175132 num states: 123161 num match states: 10499 memory scale: MB total memory: 3.67914 pattern memory: 0.577772 match list memory: 1.3346 transition memory: 1.726 fast pattern only: 7094 appid: MaxRss diff: 3344 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
7.2 Add custom rules
①Create a file in the Snort rules directory
|
1 2 3 4 |
# touch /usr/local/etc/snort/rules/local.rules # vi /usr/local/etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;) |
➁Edit Snort Main Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# vi /usr/local/etc/snort/snort.lua # Add per line 200 ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/snort/rules/local.rules include /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
➂Test main configuration changes
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# snort -c /usr/local/etc/snort/snort.lua If all is well, the following is displayed ... -------------------------------------------------- search engine (ac_bnfa) instances: 334 patterns: 10776 pattern chars: 175132 num states: 123161 num match states: 10499 memory scale: MB total memory: 3.67914 pattern memory: 0.577772 match list memory: 1.3346 transition memory: 1.726 fast pattern only: 7094 appid: MaxRss diff: 3200 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
8. OpenAppID Installation
Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level
①Download and deploy OpenAppID
|
1 2 |
# wget https://www.snort.org/downloads/openappid/33380 -O OpenAppId-33380.tgz # tar -xzvf OpenAppId-33380.tgz |
➁Copy the extracted folder (odp) to the following directory
|
1 |
# cp -R odp /usr/local/lib/ |
➂Edit the main configuration file and define the location of the OpenAppID folder
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# vi /usr/local/etc/snort/snort.lua Add per line 101 appid = { -- appid requires this to use appids in rules app_detector_dir = '/usr/local/lib', log_stats = true, } Add per line 105 appid_listener = { json_logging = true, file = "/var/log/snort/appid-output.log", } |
④Test main configuration changes
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# snort -c /usr/local/etc/snort/snort.lua If all is well, the following is displayed ... -------------------------------------------------- search engine (ac_bnfa) instances: 334 patterns: 10776 pattern chars: 175132 num states: 123161 num match states: 10499 memory scale: MB total memory: 3.67914 pattern memory: 0.577772 match list memory: 1.3346 transition memory: 1.726 fast pattern only: 7094 appid: MaxRss diff: 228736 appid: patterns loaded: 11537 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
9. Create systemd service for Snort
9.1 Check all setups
Snort on network interface using local.rules
|
1 |
# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i ens33 -A alert_fast -s 65535 -k none |
Sending a ping command to the Ubuntu server IP address from another PC on the same network
You will see the following alert log in the console window of the host server
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
04/22-13:15:46.264759 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:46.264759 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:46.264859 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 04/22-13:15:47.289866 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:47.289866 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:47.290020 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 04/22-13:15:47.290097 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 04/22-13:15:48.312000 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:48.312000 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:48.312068 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 04/22-13:15:48.312142 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 04/22-13:15:49.337162 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:49.337163 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.8 -> 192.168.11.83 04/22-13:15:49.337206 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 04/22-13:15:49.337278 [**] [1:1000001:1] "Incoming ICMP" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.8 |
9.2 Create systemd service for Snort
①①Create user (snort) for Snort service
|
1 |
# useradd -r -s /usr/sbin/nologin -M snort |
➁Create log folder and set permissions
|
1 2 3 |
# mkdir /var/log/snort # chmod -R 5775 /var/log/snort # chown -R snort:snort /var/log/snort |
➂Create SNORT systemd service file
|
1 2 |
# touch /etc/systemd/system/snort3.service # vi /etc/systemd/system/snort3.service |
Contents of snort3.service
|
1 2 3 4 5 6 7 8 9 10 11 |
[Unit] Description=Snort3 IDS Daemon Service After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens33 -m 0x1b -u snort -g snort ExecStop=/bin/kill -9 $MAINPID [Install] WantedBy=multi-user.target |
④Reload and enable Snort service
|
1 2 3 |
# systemctl daemon-reload # systemctl enable --now snort3 Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service. |
⑤Start Snort service and check status
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# systemctl start snort3 # systemctl status snort3 ● snort3.service - Snort3 IDS Daemon Service Loaded: loaded (/etc/systemd/system/snort3.service; enabled; preset: enabled) Active: active (running) since Tue 2025-04-22 13:18:13 JST; 11s ago Invocation: c6e3c8f6198844029d0b361b0f9ed783 Main PID: 81470 (snort3) Tasks: 2 (limit: 3926) Memory: 273.2M (peak: 273.6M) CPU: 889ms CGroup: /system.slice/snort3.service mq81470 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens33 -> Apr 22 13:18:14 Lepard snort[81470]: to_server: 69 Apr 22 13:18:14 Lepard snort[81470]: to_client: 48 Apr 22 13:18:14 Lepard snort[81470]: -------------------------------------------------- Apr 22 13:18:14 Lepard snort[81470]: search engine (ac_bnfa) Apr 22 13:18:14 Lepard snort[81470]: instances: 334 Apr 22 13:18:14 Lepard snort[81470]: patterns: 10776 Apr 22 13:18:14 Lepard snort[81470]: pattern chars: 175132 Apr 22 13:18:14 Lepard snort[81470]: num states: 123161 Apr 22 13:18:14 Lepard snort[81470]: num match states: 10499 Apr 22 13:18:14 Lepard snort[81470]: memory scale: MB |
10. Snort JSON logging configuration
①Edit Snort configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
# vi /usr/local/etc/snort/snort.lua Add to end of line 256 7. configure outputs section --------------------------------------------------------------------------- -- 7. configure outputs --------------------------------------------------------------------------- --------------- -- additional logs --packet_capture = { } --file_log = { } alert_json = { file = true, limit = 50, fields = 'timestamp msg pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data' } |
➁Restart Snort
|
1 |
# systemctl restart snort3 |
➂Checking the configuration
Ping command from another PC on the same network to the Ubuntu host server
A log is recorded and saved in the Snort alert_json.txt file. Check the log file
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# tail -f /var/log/snort/alert_json.txt { "timestamp" : "04/22-13:21:02.568973", "msg" : "Incoming ICMP", "pkt_num" : 688098, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.8", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:02.568973", "msg" : "Incoming ICMP", "pkt_num" : 688099, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.8", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:02.569019", "msg" : "Incoming ICMP", "pkt_num" : 688100, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.8", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:02.569084", "msg" : "Incoming ICMP", "pkt_num" : 688101, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.8", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:03.592738", "msg" : "Incoming ICMP", "pkt_num" : 761001, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.8", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:03.592787", "msg" : "Incoming ICMP", "pkt_num" : 761008, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.8", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:04.616631", "msg" : "Incoming ICMP", "pkt_num" : 843952, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.8", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:04.616631", "msg" : "Incoming ICMP", "pkt_num" : 843953, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_addr" : "192.168.11.8", "dst_addr" : "192.168.11.83", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:04.616679", "msg" : "Incoming ICMP", "pkt_num" : 843956, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.8", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } { "timestamp" : "04/22-13:21:04.616750", "msg" : "Incoming ICMP", "pkt_num" : 843957, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "S2C", "src_addr" : "192.168.11.83", "dst_addr" : "192.168.11.8", "service" : "unknown", "rule" : "1:1000001:1", "priority" : 0, "class" : "none", "action" : "allow", "b64_data" : "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dndhYmNkZWZnaGk=" } |