@gryan11
Last active July 3, 2024 09:25
Snort install on mac

  • install homebrew first if not installed (this is the legacy Ruby installer the gist used; Homebrew has since replaced it with a bash install.sh, so check https://brew.sh for the current command):
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" < /dev/null 2> /dev/null
  • install snort: brew install snort

  • make bpf readable for snort: sudo chmod o+r /dev/bpf*
    This makes every BPF device node world-readable, so any local account can capture traffic, not just Snort. Tighter is a dedicated group with g+rw, which is what Wireshark's ChmodBPF does with its access_bpf group. Either way /dev is rebuilt at boot, so the change does not survive a reboot.

  • setup dirs

sudo mkdir -p /usr/local/lib/snort_dynamicrules /var/log/snort /usr/local/etc/snort/rules/iplists
sudo touch  /usr/local/etc/snort/rules/iplists/black_list.rules
sudo touch  /usr/local/etc/snort/rules/iplists/white_list.rules

conf file: sudo vim /usr/local/etc/snort/snort.conf

set following:

var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
var WHITE_LIST_PATH /usr/local/etc/snort/rules/iplists
var BLACK_LIST_PATH /usr/local/etc/snort/rules/iplists

Snort setup on ubuntu

These directions are based on the ubuntu setup guide from snort.org (https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/122/original/Snort_2.9.9.x_on_Ubuntu_14-16.pdf)

  • install dependencies:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev \
  libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config \
  libhwloc-dev bison flex liblzma-dev openssl libssl-dev \
  libnghttp2-dev cmake wget
  • network card config: edit /etc/network/interfaces (sudo vim /etc/network/interfaces) and add the following lines to the stanza of the sniffing interface (eth0 here; substitute your interface name, and make sure the ethtool package is installed). Turning generic and large receive offload off stops the NIC from handing Snort reassembled super-frames, which it would otherwise truncate or miss. On releases that use netplan rather than ifupdown (18.04 onward) /etc/network/interfaces is not read; run the same two ethtool commands from a boot-time systemd unit instead.
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off
  • setup daq:
wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
  • install snort:
wget https://www.snort.org/downloads/snort/snort-2.9.14.1.tar.gz
tar xvzf snort-2.9.14.1.tar.gz
cd snort-2.9.14.1
./configure --enable-sourcefire
make
sudo make install
sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
  • quick test: snort -V prints the version; sudo snort -v runs sniffer mode and prints the headers of packets on the default interface (add -i eth0 to pick the interface, -d to dump the payload as well)
  • configure for nids as service:
# Create the snort user and group (a system account with no login shell):
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that store rules and ip lists:
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions. 5775 is what the snort.org guide uses; the setuid bit does
# nothing on a Linux directory, but -R also sets setuid/setgid/exec on every
# regular file underneath, which rule files, ip lists and logs never need
# (2775 on the directories and 664 on the files is enough). Nothing here is
# world-writable, which is the part that matters: anyone able to write to
# /etc/snort could add or silence rules.
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change Ownership on folders (to the service account Snort drops to with -u snort -g snort):
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
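Before handing the tree to the snort account it is worth checking that the chmod/chown steps did what you intended. The script below is an added example, not part of the gist or of the snort.org guide: it walks the three directories created above (paths taken from the steps; the account name snort is assumed to be the one created with useradd) and reports entries not owned by snort:snort, anything world-writable, symlinks, and plain files that the recursive chmod 5775 left with setuid/setgid/exec bits. audit_tree is generic, so it can be pointed at the /usr/local/etc/snort tree of the mac install too.

```python
"""Pre-flight audit of the Snort directory layout created above.

Added example, not part of the gist or the snort.org guide.  Run it as root
after the chmod/chown steps and before starting Snort with `-u snort -g snort`;
it reports anything that would let another local account alter rules or logs,
or that the recursive chmod left on plain files.
"""
import os
import pwd
import stat

# Directories the steps above hand to the snort account.
SNORT_DIRS = ["/etc/snort", "/var/log/snort", "/usr/local/lib/snort_dynamicrules"]

# Bits a rule file, ip list or log never needs; `chmod -R 5775` sets all of them.
DATA_FILE_BAD_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_tree(root, expect_uid, expect_gid):
    """Return a list of (path, problem) findings for `root` and everything below it.

    Checked for every entry: owner/group must be the snort account, nothing may be
    world-writable, symlinks are flagged (a link pointing out of the tree defeats
    the ownership check), and regular files must carry no setuid/setgid/exec bits.
    """
    if not os.path.isdir(root):
        return [(root, "missing")]
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in entries:
        st = os.lstat(path)  # lstat: judge the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside snort tree"))
            continue
        if (st.st_uid, st.st_gid) != (expect_uid, expect_gid):
            findings.append((path, f"owner {st.st_uid}:{st.st_gid}, expected {expect_uid}:{expect_gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if stat.S_ISREG(st.st_mode) and st.st_mode & DATA_FILE_BAD_BITS:
            findings.append((path, "setuid/setgid/exec bits on a data file"))
    return findings


def snort_account(name="snort"):
    """uid and gid of the service account created with useradd above."""
    pw = pwd.getpwnam(name)  # KeyError if the account does not exist yet
    return pw.pw_uid, pw.pw_gid


if __name__ == "__main__":
    uid, gid = snort_account()
    problems = [f for root in SNORT_DIRS for f in audit_tree(root, uid, gid)]
    for path, problem in problems:
        print(f"{path}: {problem}")
    raise SystemExit(1 if problems else 0)
```

Run it with sudo once the ownership step is done. A non-empty report means some other local account could add or silence rules or tamper with logs; the exit status is 1 in that case so the check can sit in a deployment script.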

pulledpork install:

mac

brew install pulledpork

copy over pulledpork config (the Cellar version directory depends on the bottle brew installed; check it with ls /usr/local/Cellar/pulledpork):

cp /usr/local/Cellar/pulledpork/0.7.3_2/.bottle/etc/pulledpork/* /usr/local/etc/snort
  • install perl dependencies for pulledpork (the two install lines are typed at the cpan> prompt):
perl -MCPAN -e 'shell'
install LWP
install LWP::Protocol::https
  • setup snort conf for mac: sudo vim /usr/local/etc/snort/snort.conf and set the RULE_PATH, SO_RULE_PATH, PREPROC_RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH variables to the /usr/local/etc/snort paths given in the mac install section above

ubuntu

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz
tar xzvf pulledpork-master.tar.gz
cd pulledpork-master/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

setup

  • register on snort.org and get your oinkcode
  • edit pulledpork config: sudo vim /usr/local/etc/snort/pulledpork.conf (mac prefix shown; on ubuntu the file is /etc/snort/pulledpork.conf and every path below starts with /etc/snort; the line numbers may be off slightly!)
Line 19: enter your oinkcode where appropriate (or comment out if no oinkcode). The oinkcode is a credential tied to your snort.org account, so keep the file readable only by the account that runs pulledpork.

Line 144: change to: black_list=/usr/local/etc/snort/rules/iplists/black_list.rules
The other path keys (rule_path, local_rules, sid_msg, sorule_path, snort_path, config_path, distro) must point at the same install prefix too, or pulledpork writes its output where snort.conf never looks.
  • you can also set the IPS policy in the conf file (ips_policy=; connectivity, balanced, security or max-detect, in order of increasing strictness: the stricter policies enable more rules and so produce more alerts)

  • set up snort.rules:

sudo touch /usr/local/etc/snort/rules/snort.rules
  • run pulledpork
sudo /usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -l
  • modify conf file to use pulledpork rules sudo vim /usr/local/etc/snort/snort.conf
include $RULE_PATH/snort.rules
  • comment out other rule includes in snort.conf

Pulledpork enabling rule categories (if you want lots of alerts!)

  • add the following line to your pulledpork.conf
enablesid=/usr/local/etc/snort/enablesid.conf
  • add the following to your /usr/local/etc/snort/enablesid.conf. These categories are good initial defaults that I found genere
#app-detect
blacklist
#browser-chrome
#browser-firefox
#browser-ie
#browser-other
#browser-plugins
#browser-webkit
#content-replace
#decoder
dos
#exploit-kit
#file-executable
#file-flash
#file-identify
#file-image
#file-java
#file-multimedia
#file-office
#file-other
#file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
#preprocessor
protocol-dns
#protocol-finger
#protocol-ftp
#protocol-icmp
#protocol-imap
#protocol-nntp
#protocol-pop
#protocol-rpc
#protocol-scada
#protocol-services
#protocol-snmp
#protocol-telnet
#protocol-tftp
#protocol-voip
#pua-adware
#pua-other
#pua-p2p
#pua-toolbars
#server-apache
#server-iis
#server-mail
#server-mssql
#server-mysql
#server-oracle
#server-other
#server-samba
#server-webapp
#sql
#x11
  • rerun pulledpork. It skips processing when the rule tarball it downloaded to temp_path (/tmp by default) has not changed, so either delete the cached downloads first, as here (note this removes every .gz in /tmp, not only pulledpork's), or pass -P to force processing without touching /tmp:
sudo rm /tmp/*.gz &&\
sudo /usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -l

Running snort with logging

To run with logging use:

sudo /usr/local/bin/snort -A fast -c /usr/local/etc/snort/snort.conf -i en0 -k none

-A fast writes one-line alerts to /var/log/snort/alert, -i en0 is the mac interface name (eth0 or whatever ip link shows on ubuntu), and -k none turns checksum verification off. That last flag is needed on a host that captures its own traffic, because checksum offload leaves outgoing packets without a valid checksum until the NIC fills it in and Snort would otherwise drop them, but it also means Snort inspects packets with genuinely bad checksums that the destination stack would discard. snort -T -c <conf> validates the configuration without sniffing.

For a real deployment give Snort its own user and group and do not leave it running as root: opening the capture interface needs root, so start it with sudo but add -u snort -g snort so it drops to the service account once initialised (and -D to daemonise).

You can observe new alerts in the log with:

tail -f /var/log/snort/alert

detecting portscans

  • download the snort source (the ubuntu install above already has it; on mac fetch it just for the docs)
wget https://www.snort.org/downloads/snort/snort-2.9.14.1.tar.gz
tar xzvf snort-2.9.14.1.tar.gz; mv snort-2.9.14.1 snort
  • read the port scanning docs: less snort/doc/README.sfportscan

  • configure the sfportscan preprocessor in snort.conf (/etc/snort/snort.conf on ubuntu, /usr/local/etc/snort/snort.conf on mac). Pick settings you think likely to detect port scans based on the README: proto and scan_type choose what is watched (all covers portscans, portsweeps, decoy and distributed scans); sense_level { low | medium | high } sets how aggressive detection is (low relies on the target's error responses and sees few false positives, medium tracks connection counts, high tracks hosts over a time window and will also fire on busy legitimate hosts); watch_ip, ignore_scanners and ignore_scanned narrow it to the hosts you care about. Make sure to set logfile { alert } in the configuration line. Portscan events come from generator 122, so they appear in the fast alert file as [122:<sid>:<rev>] (portscan) ... entries.

  • from another computer, run sudo nmap -T4 SNORT_MACHINE_IP (as root nmap defaults to a SYN scan, which the TCP portscan detector is tuned for; a much slower scan such as -T0 or -T1 can stay under the thresholds of a low sensitivity level, so test against the level you actually chose).
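Watching tail -f tells you that an alert fired but not which host is scanning what. The script below is an added example, not part of the gist or of Snort: it parses the one-line -A fast layout (timestamp, [**], [gid:sid:rev] message [**], an optional [Classification: ...] block, [Priority: n], {proto}, then src -> dst with ports where the protocol has them), counts alerts per signature and collects the targets of every sfportscan event (generator id 122). It assumes IPv4 addresses, and the sample lines are constructed in that layout rather than captured from a sensor; on a live box pass open('/var/log/snort/alert') to summarize().

```python
"""Parse Snort 2 `-A fast` alert lines and summarise them, with a view on
sfportscan (generator 122) events.  Added example; not part of the gist."""
import re
from collections import Counter

# One `-A fast` alert per line.  The [Classification: ...] block is absent for
# rules without a classtype, and portscan / ICMP events carry no ports.
# IPv4 only, by assumption.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

PORTSCAN_GID = 122  # generator id of the sfportscan preprocessor


def parse_fast_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def summarize(lines):
    """Count alerts per signature and list hosts flagged by sfportscan.

    Returns (by_signature, scanners): by_signature maps "gid:sid msg" to a
    count; scanners maps a scanning source IP to the set of targets it hit.
    """
    by_signature = Counter()
    scanners = {}
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # blank line, or output from some other plugin
        by_signature[f"{a['gid']}:{a['sid']} {a['msg']}"] += 1
        if a["gid"] == PORTSCAN_GID:
            scanners.setdefault(a["src"], set()).add(a["dst"])
    return by_signature, scanners


# Constructed sample lines in the -A fast layout (not captured from a real sensor).
SAMPLE_ALERTS = """\
07/03-09:25:10.123456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.10
07/03-09:25:10.223456  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.11
07/03-09:25:12.000001  [**] [1:10000001:1] LOCAL ICMP test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
07/03-09:25:13.000002  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 192.168.1.50:51022
this is not an alert line
"""

if __name__ == "__main__":
    by_sig, scanners = summarize(SAMPLE_ALERTS.splitlines())
    for sig, n in by_sig.most_common():
        print(f"{n:5d}  {sig}")
    for src, targets in scanners.items():
        print(f"portscan source {src} -> {sorted(targets)}")
```

A source that shows up in scanners with several targets is a portsweep; one target with many alerts is a portscan of that host. Lines the regex rejects are skipped rather than raising, so the same function can be left running over a file that other output plugins also write to.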
