IDS (INTRUSION DETECTION SYSTEM) [Snort 3]
Install the build dependencies first. On Debian/Ubuntu:
~: sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev
On Arch Linux (pacman takes bare package names; the repo versions at the time of writing were flatbuffers 2.0.6-1, gperftools 2.9.1-1, hwloc 2.7.1-1, hyperscan 5.4.0-3 and libdnet 1.12-13):
~: sudo pacman -S flatbuffers gperftools hwloc hyperscan libdnet
Once the packages are installed, create a working directory anywhere you like and change into it:
~: mkdir snort
~: cd snort
Clone libdaq (the Data AcQuisition library) from GitHub; it is the layer between Snort and the network interface (the packet data plane):
~: git clone https://github.com/snort3/libdaq
Build and install both the library and its DAQ modules (bootstrap generates the configure script):
~: cd libdaq
~: ./bootstrap
~: ./configure
~: make
~: sudo make install
When the build is done, go back to the working directory:
~: cd ..
Next, fetch gperftools (Debian/Ubuntu only; on Arch it was already installed with pacman above). It provides the tcmalloc allocator that Snort is built with below:
~: wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
Unpack the tarball and change into the new directory:
~: tar xzf gperftools-2.9.1.tar.gz
~: cd gperftools-2.9.1
Configure it:
~: ./configure
Then build and install it:
~: make
~: sudo make install
Return to the working directory:
~: cd ..
Clone Snort 3:
~: git clone https://github.com/snort3/snort3
Change into the snort3 directory and run the configure script. --prefix sets the install location (this guide uses /usr/local, and every path below assumes it); --enable-tcmalloc links Snort against the gperftools allocator installed above:
~: cd snort3/
~: ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
The script creates a build directory; build and install from there:
~: cd build
~: make
~: sudo make install
After the install completes, refresh the shared library cache so the new libraries are found. This needs root, so run it with sudo if you get a permission error:
~: sudo ldconfig
Check the installation by printing the Snort version:
~: snort -V
Put the interface Snort will listen on into promiscuous mode so it sees all traffic on the segment, not only frames addressed to this host (the interface used here is wlan0; changing link flags needs root):
~: sudo ip link set dev wlan0 promisc on
Next, disable receive offloading on the interface. With GRO/LRO enabled the NIC or driver merges several received segments into one large buffer, so Snort sees packets larger than its snaplen and truncates them. ethtool (packaged on both Debian and Arch) shows the current state; lower-case -k only reads the settings:
~: ethtool -k wlan0 | grep receive-offload
On this machine the output was:
generic-receive-offload: on
large-receive-offload: off [fixed]
GRO is on, so it has to be turned off. LRO is already off and marked [fixed], which means the driver does not allow it to be changed, so there is nothing to do for it. Upper-case -K changes a setting (again as root):
~: sudo ethtool -K wlan0 gro off
Both changes to the NIC are lost at reboot (and the promiscuous flag can also be reset by the network manager), so create a systemd service unit that reapplies them at boot. Use the same unit name here and when enabling it below; this page uses snort3-nic.service:
~: sudo vim /etc/systemd/system/snort3-nic.service
Add the following to the new file. Check the binary locations first with `command -v ip` and `command -v ethtool`: they are under /usr/sbin on Debian but /usr/bin on Arch, and ExecStart needs an absolute path. If ethtool refuses a feature that is [fixed] on your NIC, drop it from the -K line.
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev wlan0 promisc on
ExecStart=/usr/sbin/ethtool -K wlan0 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target
Reload systemd so it picks up the new unit (this page uses systemd as the init system):
~: sudo systemctl daemon-reload
Enable the service; --now also starts it immediately instead of waiting for the next boot:
~: sudo systemctl enable --now snort3-nic.service
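The offload check above can be scripted rather than read by eye. The following Python is an added example, not code from the original page or from the Snort project: it parses the text of `ethtool -k <iface>`, lists the offloads that are both enabled and changeable (a feature tagged [fixed] cannot be turned off, so it is skipped instead of being passed to ethtool -K, which would only error), and renders the systemd unit with just those features. The ethtool output embedded below is constructed, not captured from a real NIC, and the /usr/sbin binary paths are an assumption to adjust for your distribution.

```python
import re
import shlex

# Feature names as printed by `ethtool -k`, mapped to the short names that
# `ethtool -K` accepts. Only offloads that merge or split segments matter
# here: they hand Snort packets that differ from what was on the wire.
OFFLOAD_SHORT_NAMES = {
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
    "generic-segmentation-offload": "gso",
    "tcp-segmentation-offload": "tso",
}

# Matches "name: on", "name: off [fixed]" and the spaced "name : on" variant.
FEATURE_LINE = re.compile(r"^\s*([\w-]+)\s*:\s*(on|off)\s*(\[fixed\])?", re.IGNORECASE)

# Constructed sample of `ethtool -k wlan0` output (not from a real interface).
SAMPLE_ETHTOOL_K = """Features for wlan0:
rx-checksumming: off [fixed]
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""


def parse_offloads(ethtool_output):
    """Return {feature: (enabled, fixed)} for every feature line in the output."""
    features = {}
    for line in ethtool_output.splitlines():
        m = FEATURE_LINE.match(line)
        if m:
            features[m.group(1).lower()] = (m.group(2).lower() == "on", m.group(3) is not None)
    return features


def offloads_to_disable(ethtool_output):
    """Short names of the relevant offloads that are on and can be changed.

    A [fixed] feature is reported by the driver as read-only; asking ethtool -K
    to change it only produces an error, so it is left out of the list."""
    features = parse_offloads(ethtool_output)
    result = []
    for name, short in OFFLOAD_SHORT_NAMES.items():
        enabled, fixed = features.get(name, (False, False))
        if enabled and not fixed:
            result.append(short)
    return result


def render_unit(iface, offloads, ip_path="/usr/sbin/ip", ethtool_path="/usr/sbin/ethtool"):
    """Render the systemd oneshot unit that reapplies the NIC settings at boot.

    The binary paths are assumptions (Debian layout); check `command -v ip`."""
    lines = [
        "[Unit]",
        f"Description=Set Snort 3 NIC {iface} to promiscuous mode and disable offloads",
        "After=network.target",
        "",
        "[Service]",
        "Type=oneshot",
        f"ExecStart={ip_path} link set dev {shlex.quote(iface)} promisc on",
    ]
    if offloads:  # only emit the ethtool line when there is something to change
        flags = " ".join(f"{short} off" for short in offloads)
        lines.append(f"ExecStart={ethtool_path} -K {shlex.quote(iface)} {flags}")
    lines += [
        "TimeoutStartSec=0",
        "RemainAfterExit=yes",
        "",
        "[Install]",
        "WantedBy=multi-user.target",  # the usual target for a system service
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage with the constructed sample; on a real host feed it the output of
    # `ethtool -k wlan0` (e.g. via subprocess.run([...], capture_output=True, text=True).stdout).
    to_disable = offloads_to_disable(SAMPLE_ETHTOOL_K)
    print("offloads to disable:", to_disable)
    print(render_unit("wlan0", to_disable))
```

With the sample above the script reports gro and gso as the features to disable and leaves lro out of the ExecStart line because the driver marks it [fixed]; on your own host, pipe in the real ethtool output and write the rendered unit to /etc/systemd/system/.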
Create a directory for the rules (the paths below assume /usr/local/etc/rules):
~: sudo mkdir -p /usr/local/etc/rules
Then download the free community rule set:
~: wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
Extract it into the rules directory (root-owned, hence sudo). This creates /usr/local/etc/rules/snort3-community-rules/ containing snort3-community.rules:
~: sudo tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/
Now open the main configuration file:
~: sudo vim /usr/local/etc/snort/snort.lua
Near the top of the file set HOME_NET to the network you are protecting, as a quoted address or CIDR block (several networks are written as a bracketed list, e.g. '[192.168.1.0/24,10.0.0.0/8]'), and leave EXTERNAL_NET defined as everything that is not HOME_NET:
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'YOUR(IP)'
-- set up the external network addresses.
-- (leave as "any" in most situations)
-- EXTERNAL_NET = 'any' (default)
EXTERNAL_NET = '!$HOME_NET'
The rules are loaded through the ips table. snort.lua already defines one further down (with variables = default_variables, which is what makes $HOME_NET and $EXTERNAL_NET resolvable inside rules), so add the include there. Do not put an ips table in /usr/local/etc/snort/snort_defaults.lua (the file that holds default_gtp and the other default_* tables): it is included at the top of snort.lua, so the later ips assignment in snort.lua silently replaces anything defined there. The table in snort.lua should end up like this:
ips = {
    -- absolute path to the rules file; a rules file may include other rules files
    include = '/usr/local/etc/rules/snort3-community-rules/snort3-community.rules',
    variables = default_variables,
}
Save the file, then create the directory Snort will log to:
~: sudo mkdir /var/log/snort
Finally, check the configuration for syntax errors. With -c and no packet source Snort only validates the configuration and exits (look for "Snort successfully validated the configuration"):
~: snort -c /usr/local/etc/snort/snort.lua
Next, create a small rules file for testing in the rules directory:
~: sudo vim /usr/local/etc/rules/my.rules
Add two rules: one that alerts on any ICMP packet sent to HOME_NET (so a ping from another host triggers it), and one that alerts on any TCP payload to HOME_NET containing the string facebook.com:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (content:"facebook.com"; msg:"FB test"; sid:1000002; rev:2;)
Anatomy of a rule, using the TCP rule above. Everything before the parentheses is the header, everything inside is the options:
alert = the action. alert writes an alert; log only logs the packet (log tcp any any -> ...); Snort 3 also has pass, drop, block and reject.
tcp / icmp = the protocol to match.
first any = the source IP. It can be a variable or an address, e.g. tcp $HOME_NET or tcp 192.168.0.5.
second any = the source port, e.g. tcp any 21.
-> = the direction operator, from source to destination. The only other form is <>, which matches traffic in both directions; there is no <- in Snort, so to match the opposite direction swap the two sides.
third any = the destination IP, e.g. tcp any any -> 192.168.0.232.
fourth any = the destination port, e.g. tcp any any -> any 80.
Inside the parentheses, (content:"facebook.com"; msg:"FB test"; sid:1000002; rev:2;), each option ends with a semicolon:
content = a byte or string pattern the payload must contain, e.g. instagram.com or facebook.com.
msg = the message shown to the admin when the rule fires.
sid = the rule ID. It must be unique; sids below 1000000 are reserved for the official rule sets, so local rules start at 1000000 (hence 1000001 and 1000002 here).
rev = the revision number, bumped each time the rule is edited, which makes rule maintenance easier.
Save the file and check the syntax of the configuration together with the new rules (-R loads an additional rules file):
~: snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/my.rules
If that validates, run Snort on the interface. Capturing needs root; -i selects the interface, -A alert_fast prints one-line alerts to the console, -l sends logs to the directory created earlier, -s 65535 sets the snaplen so large packets are not truncated, and -k none skips checksum verification so packets whose checksums are filled in by the NIC (checksum offloading) are still inspected:
~: sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/my.rules -i wlan0 -A alert_fast -l /var/log/snort -s 65535 -k none
Ping the host from another machine on the network and the ICMP rule should fire.
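The rule anatomy above can be checked mechanically before a rules file is handed to snort -c ... -R. The following Python linter is an added example, not code from the original page or from Snort: it splits the header into its seven fields, rejects the non-existent <- direction, checks that the port fields are a port, range, list or $variable, and requires msg, sid and rev with the sid in the local range. The rules file embedded below is constructed (the two rules from this page plus two deliberately broken ones); Snort's own parser remains the authority, this only catches the common slips early.

```python
import re

# Rule actions and protocols accepted in a Snort 3 rule header.
ACTIONS = {"alert", "log", "pass", "drop", "block", "reject", "react", "rewrite"}
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}
DIRECTIONS = {"->", "<>"}   # there is no "<-"; swap the endpoints instead
LOCAL_SID_MIN = 1000000     # lower sids belong to the distributed rule sets
REQUIRED_OPTIONS = ("msg", "sid", "rev")

HEADER = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# any, a port, a range (80:90, 1024:, :1023), a $VAR or a bracketed list, optionally negated.
PORT = re.compile(r"^!?(any|\d{1,5}(:\d{0,5})?|:\d{1,5}|\$\w+|\[[\d:,!$\w]+\])$")


def split_options(body):
    """Split the option body on ';' while keeping quoted strings (msg:"a;b") intact."""
    items, buf, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if quoted and c == "\\" and i + 1 < len(body):   # escaped char inside quotes
            buf.extend((c, body[i + 1]))
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    items.append("".join(buf).strip())
    return [item for item in items if item]


def parse_rule(rule):
    """Return the header fields plus an {option: value} dict, or None if no header matches."""
    m = HEADER.match(rule)
    if not m:
        return None
    parsed = m.groupdict()
    options = {}
    for item in split_options(parsed.pop("opts")):
        name, _, value = item.partition(":")
        options[name.strip()] = value.strip() or None
    parsed["options"] = options
    return parsed


def lint_rule(rule):
    """Return a list of problems with one rule; an empty list means it passed every check."""
    parsed = parse_rule(rule)
    if parsed is None:
        return ["header does not match 'action proto src sport dir dst dport (options)'"]
    problems = []
    if parsed["action"] not in ACTIONS:
        problems.append(f"unknown action '{parsed['action']}'")
    if parsed["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol '{parsed['proto']}'")
    if parsed["dir"] not in DIRECTIONS:
        problems.append(f"direction '{parsed['dir']}' is not valid; Snort accepts '->' and '<>' only")
    for field in ("sport", "dport"):
        if not PORT.match(parsed[field]):
            problems.append(f"{field} '{parsed[field]}' is not a port, range, list or variable")
    opts = parsed["options"]
    for name in REQUIRED_OPTIONS:
        if opts.get(name) is None:
            problems.append(f"missing required option '{name}'")
    sid = opts.get("sid")
    if sid is not None and not sid.isdigit():
        problems.append(f"sid '{sid}' is not a number")
    elif sid is not None and int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is below {LOCAL_SID_MIN}; local rules must use sids >= {LOCAL_SID_MIN}")
    rev = opts.get("rev")
    if rev is not None and not (rev.isdigit() and int(rev) >= 1):
        problems.append(f"rev '{rev}' must be a positive number")
    return problems


def lint_rules_file(text):
    """Lint every non-blank, non-comment line; returns {line_number: [problems]} for failing rules."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            problems = lint_rule(line)
            if problems:
                report[lineno] = problems
    return report


# Constructed test file: the two rules from the walkthrough plus two deliberately broken ones.
SAMPLE_RULES = """# local test rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (content:"facebook.com";msg:"FB test"; sid:1000002; rev:2;)
alert tcp any any <- $HOME_NET 80 (msg:"wrong direction; also a low sid"; sid:5;)
alert tcp any 1e3 -> $HOME_NET any (msg:"bad port"; sid:1000003; rev:x;)
"""

if __name__ == "__main__":
    for lineno, problems in lint_rules_file(SAMPLE_RULES).items():
        for p in problems:
            print(f"line {lineno}: {p}")
```

Run it over /usr/local/etc/rules/my.rules (read the file and pass its text to lint_rules_file) before running snort; the two rules from this page pass cleanly, while the two broken sample lines are reported with the field that is wrong.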
https://www.snort.org/
https://www.snort.org/documents/snort-users-manual
https://bbs.archlinux.org/viewtopic.php?id=274346
https://wiki.archlinux.org/title/Snort
https://www.snort.org/documents/snort-3-1-0-0-on-centos-stream
Author : JayByu
Created : 07/04/2022