Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It is designed to monitor network traffic in real-time and look for malicious activity, such as attacks or exploits.
Make sure your system has the correct time and the correct time zone. This will be important later when we start processing. The command below will allow you to choose your time zone:
cd ~/snort_src
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.17.0.tar.gz -O snort3-3.1.17.0.tar.gz
tar -xzvf snort3-3.1.17.0.tar.gz
cd snort3-3.1.17.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
Snort should now be installed under /usr/local/. Finally, verify that Snort runs correctly. To do this, pass the snort executable the -V flag (uppercase V, for version):
defender@work:/usr/local/etc/snort$ /usr/local/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.17.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.5
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.2.11
           Using FlatBuffers 2.0.0
           Using Hyperscan version 5.4.0 2024-09-11
           Using LZMA version 5.2.4
Part 3: Snort Configuration - snort.lua File (10 minutes)
The snort.lua file is the heart of Snort’s configuration. It tells Snort how to behave, what rules to use, and what network interfaces to monitor.
This rule will detect ICMP traffic and is really good for testing that Snort is working correctly and generating alerts. Paste the following line into the local.rules file:
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )
Now run Snort and have it load the local.rules file (with the -R flag) to make sure it loads these rules correctly (verifying the rules are correctly formatted):
The output should end with "Snort successfully validated the configuration". You should not have any warnings or errors. If you scroll up through the output, you should see this rule loaded successfully (under the rule counts section).
-c /usr/local/etc/snort/snort.lua     The snort.lua configuration file.
-R /usr/local/etc/rules/local.rules   The path to the rules file containing our one ICMP rule.
-i eth0                               The interface to listen on.
-A alert_fast                         Use the alert_fast output plugin to write alerts to the console.
-s 65535                              Set the snaplen so Snort doesn't truncate and drop oversized packets.
-k none                               Ignore bad checksums; otherwise Snort will drop packets with bad checksums.
Now, from another window on that computer (open a new terminal window or a second SSH session), use the ping command to generate packets that traverse the interface you are listening on: ping that interface's IP address if you're connecting from another computer, or just ping an external IP address if you're on the same machine. You should see alerts print on the screen.
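The alerts the ping test prints to the console come from the alert_fast plugin selected with -A. The script below is an added example, not part of this guide, that summarises that console output per rule (gid:sid) and per source address so a test run can be checked at a glance rather than by eye. The lines in SAMPLE_ALERTS are constructed to resemble alert_fast output for the ICMP rule above (plus one unrelated constructed alert); the function names are my own. In real use, pipe Snort's output into it: snort ... -A alert_fast | count_alerts_by_rule.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise alert_fast console
# output by rule and by source host. SAMPLE_ALERTS is constructed sample data
# in the alert_fast format: timestamp [**] [gid:sid:rev] "msg" [**] [Priority: n] {PROTO} src -> dst

SAMPLE_ALERTS='01/13-14:32:24.054231 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.1.10 -> 8.8.8.8
01/13-14:32:24.071002 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 8.8.8.8 -> 192.168.1.10
01/13-14:32:25.054998 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 192.168.1.10 -> 8.8.8.8
01/13-14:32:25.072116 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 8.8.8.8 -> 192.168.1.10
01/13-14:32:26.100000 [**] [1:1000002:0] "Example Other Rule" [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22'

# count_alerts_by_rule: read alert_fast lines on stdin, print "gid:sid count"
# per rule, sorted. The third whitespace field is "[gid:sid:rev]"; the
# brackets and the trailing revision are stripped.
count_alerts_by_rule() {
    awk '
        /\[\*\*\]/ {
            id = substr($3, 2, length($3) - 2)   # drop the surrounding [ ]
            sub(/:[0-9]+$/, "", id)              # drop the :rev suffix
            n[id]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# count_alerts_by_source: print "source-ip count" per source, sorted. The
# source address is the field right after the {PROTO} token; a :port suffix
# (present for TCP/UDP) is removed so hosts are counted, not flows.
count_alerts_by_source() {
    awk '
        /\[\*\*\]/ {
            src = ""
            for (i = 1; i <= NF; i++) if (index($i, "{") == 1) { src = $(i + 1); break }
            sub(/:[0-9]+$/, "", src)
            if (src != "") n[src]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# ping_test_passed SID MIN: succeed (exit 0) when gid 1, rule SID fired at
# least MIN times in the alerts read on stdin.
ping_test_passed() {
    sid="$1"; min="$2"
    count=$(count_alerts_by_rule | awk -v s="1:$sid" '$1 == s { print $2 }')
    [ "${count:-0}" -ge "$min" ]
}

# Usage with the constructed sample.
printf '%s\n' "$SAMPLE_ALERTS" | count_alerts_by_rule
printf '%s\n' "$SAMPLE_ALERTS" | count_alerts_by_source
if printf '%s\n' "$SAMPLE_ALERTS" | ping_test_passed 10000001 3; then
    echo "ping test OK: the ICMP rule fired at least 3 times"
fi
```

A count per source address is the quicker sanity check when several hosts ping the sensor at once: if only one side of the exchange shows up, the interface given to -i is not seeing both directions of the traffic.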
Next, let's edit the snort.lua file. This file is the configuration file we pass to Snort at startup.
Next, we want to enable decoder and inspector alerts, and we want to tell the ips module where our rules file will be (PulledPork will create this for us later). Scroll down to line 170 and look for the section titled ips. Here we un-comment (remove the leading two dashes from) enable_builtin_rules = true, and enable our PulledPork rules. Note that Lua uses four spaces, not tabs, to indent these lines (this is required).
This section should look like this (comments removed):
ips =
{
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)
    include = RULE_PATH .. "/local.rules",

    variables = default_variables
}
Now we can run Snort as above; however, we don't explicitly pass the local.rules file on the command line, as we've included it in the ips section of the snort.lua file:
PulledPork is a tool that we will use to download rulesets, the latest rules files that Snort/Talos release, to ensure that your system can detect the latest attacks.
Start by obtaining the latest version of PulledPork3:
This configuration file is broken up into sections, and there are a number of options. We'll opt for a simple configuration. We will download the community_ruleset by setting it to true. Using a throwaway email address, register an account on snort.org to get an oinkcode.
PulledPork needs to know where your snort binary is located. Set the snort_path to point to the snort binary path (and make sure to un-comment this line):
Once PulledPork3 finishes execution, there are multiple files created for you: /usr/local/etc/rules/pulledpork.rules will contain all the rules from the downloaded ruleset, along with the rules from your local.rules file. Compiled rules, also called .so rules (referenced by some of the rules in pulledpork.rules), will be saved in /usr/local/etc/so_rules/.
We need to modify our snort.lua file to load the new pulledpork.rules file.
Since you've modified the snort.lua, you should test it. We need to add an additional parameter here, to tell Snort 3 where the .so rules are located. The pulledpork.rules file contains a number of rules that reference the compiled .so rules, and if it can't find the actual compiled files (in /usr/local/etc/so_rules) you'll get an error.
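Both the local.rules validation step earlier and this post-PulledPork validation come down to the same two checks: the rules file itself is well formed, and Snort reports "Snort successfully validated the configuration". The script below is an added example, not part of this guide or of the Snort or PulledPork projects, that lints a rules file for duplicate SIDs (a common reason a freshly edited rules file fails to load) and then runs Snort's validation when a snort binary is present. It assumes the install paths from this guide (overridable through SNORT_BIN, SNORT_LUA and SO_RULES_DIR) and uses Snort 3's --plugin-path option to point at the .so rules directory; the rules in SAMPLE_RULES are constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a Snort 3 rules file for
# duplicate SIDs, then run the configuration validation described in the
# guide with the .so rules directory passed via --plugin-path.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"              # assumed install path
SNORT_LUA="${SNORT_LUA:-/usr/local/etc/snort/snort.lua}"    # assumed config path
SO_RULES_DIR="${SO_RULES_DIR:-/usr/local/etc/so_rules}"     # assumed .so rules dir

# Constructed sample rules file: the last two rules collide on sid 10000002.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# local rules (constructed sample for the lint demo)
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )
alert tcp any any -> any 22 ( msg:"SSH connection seen"; sid:10000002; )
alert udp any any -> any 53 ( msg:"DNS query seen"; sid:10000002; )
EOF

# duplicate_sids FILE: print each sid that occurs more than once, one per line.
# Comment lines are ignored; "sid:N;" is pulled out of every remaining line.
duplicate_sids() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*[[:space:](]sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' \
        | LC_ALL=C sort | uniq -d
}

# validate_rules CONFIG RULES [SO_DIR]: run Snort's configuration check and
# return 0 only when it reports success; 1 on failure; 2 when no snort binary
# is available (so the check was skipped, not passed). Snort's own output is
# echoed on failure so the offending rule or missing .so file can be read.
validate_rules() {
    config="$1"; rules="$2"; so_dir="${3:-}"
    if ! [ -x "$SNORT_BIN" ]; then
        echo "snort binary not found at $SNORT_BIN; skipping validation" >&2
        return 2
    fi
    if [ -n "$so_dir" ]; then
        out=$("$SNORT_BIN" -c "$config" -R "$rules" --plugin-path="$so_dir" 2>&1)
    else
        out=$("$SNORT_BIN" -c "$config" -R "$rules" 2>&1)
    fi
    if printf '%s\n' "$out" | grep -q 'Snort successfully validated the configuration'; then
        return 0
    fi
    printf '%s\n' "$out" >&2
    return 1
}

# Usage: lint first, then validate (the validation is skipped where snort is
# not installed, which is what happens when this runs on a workstation).
echo "duplicate sids in $SAMPLE_RULES:"
duplicate_sids "$SAMPLE_RULES"
if validate_rules "$SNORT_LUA" "$SAMPLE_RULES" "$SO_RULES_DIR"; then
    echo "validation OK"
else
    echo "validation not OK (status $?)"
fi
```

Running the lint before Snort is a cheap way to keep the validation output readable: Snort reports duplicates and missing .so files as errors in the middle of its rule-loading output, and fixing the rules file first leaves only the plugin-path problem, if any, in what scrolls past.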