Snort

From upstream's description: Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.

Snort can operate in several modes:

  1. Alert/logging only, so-called Intrusion Detection System (IDS)
  2. Alert/logging + blocking, so-called Intrusion Prevention System (IPS)

Packages for both Snort 2.x as well as Snort 3.x are currently available. This page is focused exclusively on the 3.x series.

To install snort:

opkg update
opkg install snort3

At a minimum, grab a copy of the freely available community rules and place snort3-community.rules in a directory of your choosing, for example on external media such as /mnt/mmcblk0p3/snort/.

In addition to this rule set, users may optionally register for a free account at snort.org which grants access to more rule sets to augment the free ones described above. Follow the instructions to download your snortrules-snapshot tarball.

Here is a simple helper script:

#!/bin/sh
# Strip the dots from the installed Snort version so it matches the snapshot tarball name on snort.org
shortver=$(snort -V | grep Version | cut -c20-28 | sed 's/\.//g')
snort=/mnt/mmcblk0p3/snort/   # directory the rule tarball is extracted into
oinkcode=your-unique-hash     # replace with the oinkcode from your snort.org account

wget "https://www.snort.org/rules/snortrules-snapshot-$shortver.tar.gz?oinkcode=$oinkcode" -O /tmp/new.tar.gz || exit 1
tar zxf /tmp/new.tar.gz -C "$snort" || exit 1

The IDS configuration will:

  • Require only a single NIC
  • Only alert users to rule matches but take no action to prevent them (i.e. it will not drop or reject)

There are several config files:

  • /etc/config/snort is the OpenWrt daemon config file holding some runtime options.
  • /etc/snort/snort.lua is the main configuration, allowing the implementation and configuration of Snort inspectors (preprocessors), rules files inclusion, event filters, output, etc.
  • /etc/snort/snort_defaults.lua contains default values such as paths to rules, AppID, intelligence lists, and network variables.

1. Define the interface to listen on in /etc/config/snort (default is eth0).

2. Edit /etc/snort/snort_defaults.lua defining the path to the directory holding the contents of the tarball. In the example below, we are using attached storage but any path will work:

RULE_PATH = '/mnt/mmcblk0p3/snort/rules/'
BUILTIN_RULE_PATH = '/mnt/mmcblk0p3/snort/builtin_rules'
PLUGIN_RULE_PATH = '/mnt/mmcblk0p3/snort/so_rules'

3. Edit the main config file, /etc/snort/snort.lua for the initial setup. At a minimum, we need to define three sections:

  • HOME_NET (the network or networks to protect, by IP range; multiple ranges can be defined as shown below)
  • EXTERNAL_NET (everything that is not HOME_NET)
  • ips section (sets the run mode [listen and alert only, or listen, alert, and drop] and lists the .rules file or files to read)

HOME_NET = [[ 10.1.8.0/24 192.168.1.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"

Snort can operate in three different modes namely tap (passive), inline, and inline-test.

  1. To have snort act as an IDS, only alerting to rule matches, use mode = tap,
  2. To have snort act as an IPS, both alerting to rule matches AND triggering corresponding drop rules, use mode = inline,
  3. A third mode simulates inline mode so that users can evaluate its behavior without affecting traffic. Use mode = inline-test, for this behavior.

ips =
{
    mode = tap,
    variables = default_variables,

    rules = [[
    include $RULE_PATH/snort3-community.rules
    include $RULE_PATH/snort3-malware-backdoor.rules
    include $RULE_PATH/snort3-policy-multimedia.rules
    include $RULE_PATH/snort3-protocol-services.rules
    include $RULE_PATH/snort3-policy-social.rules
    ]]
}

4. Validate the config file by running the following:

snort -c "/etc/snort/snort.lua" --daq-dir /usr/lib/daq -T

Memory and CPU usage will proportionally increase as the number of rules increases. Be sure to check system usage with a utility like top or htop.

For the ability to drop or reject a rule match, users will need to:

  • Have two NICs on the device, one LAN facing and a second one WAN facing
  • Have completed the configuration step for IDS mode

1. Define the interface pair or device pair on which to listen in /etc/config/snort (for example eth0:eth1).

2. Change the alert action to drop in all of the .rules files:

cd /mnt/mmcblk0p3/snort/rules
for i in *.rules; do sed -i 's/^alert/drop/' "$i"; done

3. Change mode = tap, to mode = inline, in the ips = section of /etc/snort/snort.lua.

4. Add the following under the ips = section of /etc/snort/snort.lua:

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  modules = {
    {
      name = 'afpacket',
      mode = 'inline',
      variables = {
        'fanout_type=hash'
      }
    }
  }
}

5. Edit /etc/init.d/snort and append -Q to the procd_set_param command line, like so, to enable inline mode, which will trigger drop rules:

procd_set_param command $PROG -q --daq-dir /usr/lib/daq/ -i "$interface" -c "$config_name" -A "$alert_module" -Q

Start the daemon and optionally enable it to run at boot:

/etc/init.d/snort start
/etc/init.d/snort enable

The OpenWrt package writes alerts to the syslog by default. Query like so:

# logread -e snort
Mon Nov 28 09:55:23 2022 auth.info snort: [1:254:16] "PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority" [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 1.1.1.1:53 -> 10.1.8.202:55572
Mon Nov 28 13:09:16 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
Mon Nov 28 13:09:17 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
Mon Nov 28 13:09:18 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
Mon Nov 28 13:09:19 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
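As an added example that is not part of the original page, here is a small helper for the syslog format shown above: it tallies alerts per signature, priority and source host so that a noisy rule or client stands out, and filters the raw lines for one source. The sample lines are constructed from the entries above.

```shell
#!/bin/sh
# Constructed sample input in the format the OpenWrt package writes to syslog.
SAMPLE_ALERTS='Mon Nov 28 09:55:23 2022 auth.info snort: [1:254:16] "PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority" [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 1.1.1.1:53 -> 10.1.8.202:55572
Mon Nov 28 13:09:16 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15
Mon Nov 28 13:09:17 2022 auth.info snort: [1:29456:3] "PROTOCOL-ICMP Unusual PING detected" [Classification: Information Leak] [Priority: 2] {ICMP} 10.9.1.235 -> 0.0.0.15'

# summarize_alerts: read snort syslog lines on stdin and print one tab-separated
# line per (gid:sid:rev, priority, source host, message), most frequent first.
# Usage on a live router: logread -e snort | summarize_alerts
summarize_alerts() {
  awk '
    /snort: \[[0-9]+:[0-9]+:[0-9]+\]/ {
      # gid:sid:rev is the first bracketed token after "snort:"
      match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
      sid = substr($0, RSTART + 1, RLENGTH - 2)
      # the rule message is the first double-quoted string
      match($0, /"[^"]*"/)
      msg = substr($0, RSTART + 1, RLENGTH - 2)
      # "[Priority: N]": skip the 11-character prefix and the closing bracket
      match($0, /\[Priority: [0-9]+\]/)
      pri = substr($0, RSTART + 11, RLENGTH - 12)
      # the source is the field just before the last "->"; drop the :port if present
      src = ""
      for (i = 2; i <= NF; i++) if ($i == "->") src = $(i - 1)
      sub(/:[0-9]+$/, "", src)
      count[sid "\t" pri "\t" src "\t" msg]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' | sort -rn
}

# alerts_from: print only the raw alert lines whose source host is $1,
# e.g. to review everything a single noisy LAN client triggered.
alerts_from() {
  awk -v host="$1" '
    { s = ""; for (i = 2; i <= NF; i++) if ($i == "->") s = $(i - 1)
      sub(/:[0-9]+$/, "", s); if (s == host) print }'
}

printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts
```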
  • Look up log entries by keyword in the snort database.
  • Linux installation/configuration guide written by Yaser Mansour. It is targeted at Oracle Linux 8 but concepts are not distro-specific.
  • Last modified: 2022/12/02 04:43
  • by darksky2