Snort3 Installation
Rocky Linux 8 has no Snort repository, so we build and compile Snort3 from source and install it.
Preparation
① Install the build tools and the dependency libraries needed for the build and installation.
Install EPEL and enable the PowerTools repository.
# dnf config-manager --set-enabled powertools
libpcap-devel pcre-devel openssl-devel libdnet-devel
libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel
luajit-devel xz-devel libnfnetlink-devel libmnl-devel
libnetfilter_queue-devel uuid-devel libsafec-devel -y
# cd libdaq
# ./bootstrap
# ./configure
# make
# make install
# wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
# tar xzf gperftools-2.9.1.tar.gz
# cd gperftools-2.9.1/
# ./configure
# make
# make install
Snort3 download and installation
# wget https://github.com/snort3/snort3/archive/refs/tags/3.1.31.0.tar.gz
# tar xzf 3.1.31.0.tar.gz
# cd snort3-3.1.31.0
# ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
# cd build
# make
# make install
# ln -s /usr/local/lib/libdaq.so.3 /lib/
# ldconfig
Configure Snort3
① Configure the network interface card
# ip add sh ens160
2: ens160: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:3f:48:ad brd ff:ff:ff:ff:ff:ff
inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
Check the current offload settings:
generic-receive-offload: on
large-receive-offload: on
[Unit]
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens160 promisc on
ExecStart=/usr/sbin/ethtool -K ens160 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target
# systemctl enable --now snort3-promisc.service
This time we set up the community rules.
# ls -1 /usr/local/etc/rules/snort3-community-rules/
AUTHORS
LICENSE
sid-msg.map
snort3-community.rules
VRT-License.txt
# Line 24: change to your own network
HOME_NET = '192.168.11.0/24'
# Line 24: change
EXTERNAL_NET = '!$HOME_NET'
# Around line 193: append
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include $RULE_PATH/snort3-community-rules/snort3-community.rules
]]
}
⑥ Install Snort OpenAppID
# tar -xzvf OpenAppId-23020.tgz
# cp -R odp /usr/local/lib/
# vi /usr/local/etc/snort/snort.lua
# Around line 101: append
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
⑦ Create the log directory
--------------------------------------------------
o")~ Snort++ 3.1.28.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ips
network
binder
wizard
appid
file_id
stream_udp
http2_inspect
http_inspect
ftp_data
search_engine
ftp_server
port_scan
dce_http_server
dce_smb
dce_tcp
netflow
iec104
cip
telnet
ssl
sip
rpc_decode
modbus
host_tracker
stream_user
stream_ip
process
back_orifice
classifications
dnp3
active
trace
ftp_client
decode
alerts
stream
daq
references
arp_spoof
output
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 4024 0 4024 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 4024
text rules: 4024
option chains: 4024
chain headers: 324
flowbits: 48
flowbits not checked: 23
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 473 58 147 22
src 177 17 0 0
dst 787 154 0 0
both 6 11 0 0
total 1443 240 147 22
--------------------------------------------------
service rule counts to-srv to-cli
dcerpc: 7 4
dhcp: 2 2
dns: 28 7
ftp: 90 4
ftp-data: 1 97
http: 2077 256
http2: 2077 256
imap: 35 118
irc: 5 2
kerberos: 7 0
ldap: 0 1
mysql: 3 0
netbios-dgm: 1 1
netbios-ns: 4 3
netbios-ssn: 73 17
nntp: 2 0
pop3: 23 118
rdp: 5 0
sip: 5 5
smtp: 130 2
snmp: 18 7
ssdp: 3 0
ssl: 18 40
sunrpc: 68 4
telnet: 12 6
tftp: 1 0
wins: 1 0
total: 4696 950
--------------------------------------------------
fast pattern groups
src: 59
dst: 158
any: 4
to_server: 47
to_client: 34
--------------------------------------------------
search engine
instances: 302
patterns: 7518
pattern chars: 121768
num states: 82296
num match states: 7149
memory scale: MB
total memory: 2.58334
pattern memory: 0.402628
match list memory: 0.914368
transition memory: 1.22948
fast pattern only: 4963
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
⑨ Create local rules
Enter the following:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
06/20-17:58:56.092420 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.20 -> 192.168.11.83
06/20-17:58:56.092462 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.20
06/20-17:58:57.104416 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.20 -> 192.168.11.83
06/20-17:58:57.104442 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.20
06/20-17:58:58.109416 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.20 -> 192.168.11.83
06/20-17:58:58.109443 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.20
06/20-17:58:59.115335 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.20 -> 192.168.11.83
06/20-17:58:59.115376 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.20
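As an added example (not part of the original post and not Snort's own code), the script below ties the local rule step and the alert output above together: it parses a local.rules file and checks each rule for a sid in the local range (Snort reserves sids below 1,000,000 for its own rule sets), duplicate sids and a missing rev, then parses alert_fast lines in the format shown above, counts them per sid and per direction relative to HOME_NET (the same 192.168.11.0/24 set in snort.lua), and lists any sid that fired without a matching local rule. The rule and alert samples are constructed inline from the lines on this page, plus two deliberately defective rules; the regular expressions and the function names are this example's own.

```python
# Added example (not part of the original post or of Snort): check local.rules and
# correlate alert_fast output with it. Sample rules and alerts are constructed inline.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.11.0/24")  # same value as HOME_NET in snort.lua above
LOCAL_SID_MIN = 1_000_000                 # local rules use sid 1000000 and above

# Constructed sample: the page's rule, a duplicate sid, and a sid in the reserved range.
LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
# comment lines are ignored
alert tcp any any -> $HOME_NET 22 (msg:"SSH to HOME_NET"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS to HOME_NET"; sid:999;)
"""

# Constructed sample: two alert_fast lines copied from the output above.
ALERT_FAST = """\
06/20-17:58:56.092420 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.20 -> 192.168.11.83
06/20-17:58:56.092462 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.11.83 -> 192.168.11.20
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'"(?P<msg>[^"]*)"\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+'
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_rules(text):
    """Return one dict per rule line (header fields plus an 'opts' dict)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        rule = m.groupdict()
        opts = {}
        for opt in rule.pop("opts").split(";"):
            if opt.strip():
                key, _, value = opt.partition(":")
                opts[key.strip()] = value.strip().strip('"')
        rule["opts"] = opts
        rules.append(rule)
    return rules

def check_rules(rules):
    """Return problems that would bite at load time or confuse later triage."""
    problems, seen = [], set()
    for r in rules:
        sid = r["opts"].get("sid")
        if sid is None:
            problems.append(f"rule '{r['opts'].get('msg')}' has no sid")
            continue
        sid = int(sid)
        if sid < LOCAL_SID_MIN:
            problems.append(f"sid {sid} is in the reserved range (< {LOCAL_SID_MIN})")
        if sid in seen:
            problems.append(f"sid {sid} is used more than once")
        seen.add(sid)
        if "rev" not in r["opts"]:
            problems.append(f"sid {sid} has no rev")
    return problems

def parse_alerts(text):
    """Return one dict per alert_fast line, with numeric gid/sid/rev."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a.update(gid=int(a["gid"]), sid=int(a["sid"]), rev=int(a["rev"]))
            alerts.append(a)
    return alerts

def direction(src, dst):
    """Classify a flow relative to HOME_NET, as the $HOME_NET rule variable would."""
    s, d = ip_address(src) in HOME_NET, ip_address(dst) in HOME_NET
    if s and d:
        return "internal"
    return "inbound" if d else "outbound" if s else "external"

def summarize(alerts, rules):
    """Count alerts per (sid, direction) and list sids that have no local rule."""
    known = {int(r["opts"]["sid"]) for r in rules if "sid" in r["opts"]}
    counts = Counter((a["sid"], direction(a["src"], a["dst"])) for a in alerts)
    unknown = sorted({a["sid"] for a in alerts} - known)
    return {"counts": dict(counts), "unknown_sids": unknown}

if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    print(check_rules(rules), summarize(parse_alerts(ALERT_FAST), rules))
```

Run against the real files by reading /usr/local/etc/rules/local.rules and /var/log/snort/alert_fast.txt instead of the inline samples. The two ICMP alerts above both count as "internal" because both endpoints sit in HOME_NET; an alert whose sid is not in local.rules is listed under unknown_sids so you know to look it up in the community sid-msg.map instead.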
# Line 255: uncomment and append
-- event logging
-- you can enable with defaults from the command line with -A
-- uncomment below to set non-default configs
--alert_csv = { }
alert_fast = {
file = true,
packet = false,
limit = 10,
}
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
Checking the log directory shows that the alert_fast.txt file has been created.
To check the alert_fast.txt file:
# Line 197: append
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables,
rules = [[
include $RULE_PATH/snort3-community-rules/snort3-community.rules
include $RULE_PATH/local.rules
]]
}
Run Snort in the background
① Create a non-login system user account for Snort
[Unit]
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -D -i ens160 -m 0x1b -u snort -g snort --daq-dir /usr/local/lib/daq
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target
Restart
# chown -R snort:snort /var/log/snort
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /etc/systemd/system/snort3.service.
● snort3.service - Snort Daemon
Loaded: loaded (/etc/systemd/system/snort3.service; enabled; vendor preset>
Active: active (running) since Mon 2022-06-20 11:05:53 JST; 26s ago
Main PID: 3220 (snort)
Tasks: 2 (limit: 4538)
Memory: 234.6M
CPU: 910ms
CGroup: /system.slice/snort3.service
└─3220 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 6>

Jun 20 11:05:53 ubuntu22 systemd[1]: Started Snort Daemon.