Install and Configure Snort 3 on Ubuntu 20.04
Ubuntu's package repositories ship Snort 2.9, not Snort 3. Check what the package manager offers with the following command:
apt show snort
The version shown will usually be 2.9.x.
In order to install and configure Snort 3 on Ubuntu 20.04, you need to build it from source.
First, update the package cache and upgrade the installed packages:
sudo apt update
sudo apt upgrade
Install Required Build Tools
For a successful build and installation of Snort 3 on Ubuntu 20.04, a number of build tools and dependencies need to be installed before the build, as outlined on the Snort 3 dependencies page:
sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc \
  libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev \
  cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev \
  autotools-dev libluajit-5.1-dev libunwind-dev
Download and install the latest version of the Snort DAQ (Data Acquisition library). DAQ is not available in the default Ubuntu repositories, so you need to build and install it from source.
mkdir snort-source-files
cd snort-source-files
git clone https://github.com/snort3/libdaq.git
Then build and install it:
cd libdaq
./bootstrap
./configure
make
sudo make install
Download and install Google's thread-caching malloc, tcmalloc (part of gperftools), a memory allocator optimized for high-concurrency workloads. It trades higher memory usage for better speed. This is an optional dependency but highly recommended.
cd ../
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz
tar xzf gperftools-2.8.tar.gz
cd gperftools-2.8/
./configure
make
sudo make install
Install Snort 3 from Source Code on Ubuntu 20.04
Now that all required dependencies are in place, download and install Snort 3 on Ubuntu 20.04.
Clone the Snort 3 GitHub source code:
cd ../
git clone https://github.com/snort3/snort3.git
(The older git://github.com/snortadmin/snort3.git URL no longer works: GitHub disabled the unauthenticated git:// protocol in 2022, and the snortadmin repository now lives under the snort3 organization.)
Navigate to the Snort 3 source directory and generate the build files, enabling tcmalloc:
cd snort3/
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
Navigate to the build directory, then compile and install Snort 3 on Ubuntu 20.04 (make will take a while; -j$(nproc) uses all CPU cores):
cd build
make -j$(nproc)
sudo make install
Once the installation completes, update the shared library cache so the freshly installed libdaq and tcmalloc libraries in /usr/local/lib are found:
sudo ldconfig
Verify the Snort 3 installation by checking the version:
snort -V
A version line starting with 3 confirms that the Snort 3 installation succeeded and the binary runs.
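A post-install check, added here as an example and not part of the tutorial or of the Snort project: it parses the banner that `snort -V` prints, confirms the binary is Snort 3 built against libdaq 3.x, and, when run with --live, also checks that the installed binary is dynamically linked with libtcmalloc, which is what --enable-tcmalloc is supposed to give you. The sample banner inside the script is constructed for offline testing (modelled on a 3.1 build); the "Version" and "Using DAQ version" line formats are the ones Snort 3 prints.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check a Snort 3 build
# by parsing `snort -V` and, optionally, the binary's shared-library links.

# Print the "Version X.Y.Z.W" value from `snort -V` text on stdin.
snort_version_from_output() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the "Using DAQ version X.Y.Z" value from `snort -V` text on stdin.
daq_version_from_output() {
    sed -n 's/.*Using DAQ version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# First dotted component of a version string: 3.1.0.0 -> 3
major_of() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Read `snort -V` text from stdin; succeed only for Snort 3 on libdaq >= 3.
check_version_output() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | snort_version_from_output)
    daq=$(printf '%s\n' "$out" | daq_version_from_output)
    [ -n "$ver" ] || { echo "no Version line found in snort -V output" >&2; return 1; }
    [ "$(major_of "$ver")" -eq 3 ] || { echo "expected Snort 3, found $ver" >&2; return 1; }
    [ -n "$daq" ] || { echo "no DAQ version line found" >&2; return 1; }
    [ "$(major_of "$daq")" -ge 3 ] || { echo "expected libdaq 3.x, found $daq" >&2; return 1; }
    echo "ok: snort $ver built against libdaq $daq"
}

# Succeed if the snort binary on PATH is linked against libtcmalloc
# (gperftools builds a shared library, so ldd shows it when --enable-tcmalloc took effect).
snort_links_tcmalloc() {
    bin=$(command -v snort) || return 1
    ldd "$bin" 2>/dev/null | grep -q 'libtcmalloc'
}

# Constructed sample of `snort -V` output, used only for offline testing of the parsers.
sample_snort_v_output() {
    cat <<'EOF'
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.0.0
   ''''    By Martin Roesch & The Snort Team
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
EOF
}

# Live check against the installed snort; run as: sh check_snort.sh --live
if [ "${1:-}" = "--live" ]; then
    snort -V 2>&1 | check_version_output || exit 1
    if snort_links_tcmalloc; then
        echo "ok: snort is linked with tcmalloc"
    else
        echo "warning: snort is not linked with tcmalloc (rebuild with --enable-tcmalloc)" >&2
    fi
fi
```

Run it with --live after `sudo ldconfig`; a "no Version line" failure at that point usually means the shell found an old Snort 2.9 binary from the apt package ahead of /usr/local/bin on PATH, which is worth checking before going on to configuration.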
Configuring Snort 3 NIDS on Ubuntu 20.04
Configure Network Interface Cards
First, put the interface on which Snort listens into promiscuous mode. Without it the NIC only passes up frames addressed to its own MAC (plus broadcast and multicast), so Snort would see only the server's own traffic; with it, every frame that reaches the interface, for example mirrored traffic from a SPAN port or tap, is delivered to Snort. Replace ens33 with your interface name.
sudo ip link set dev ens33 promisc on
Verify that the PROMISC flag now appears in the interface flags:
ip link show ens33
Disable receive offloading on the interface. With GRO or LRO enabled, the kernel or NIC merges several received packets into one large buffer before Snort sees it, so Snort receives packets larger than the 1518-byte Ethernet maximum (and its default snap length) and truncates or mis-parses them. Check whether these features are enabled (ethtool is needed: sudo apt install ethtool):
ethtool -k ens33 | grep receive-offload
generic-receive-offload: on
large-receive-offload: off [fixed]
Here GRO is enabled, while LRO is off and marked [fixed], meaning the driver does not allow it to be changed. Disable them:
sudo ethtool -K ens33 gro off lro off
The two NIC changes are temporary and are lost on reboot. To make them persist, create a systemd service unit that re-applies them at boot (vim is needed: sudo apt install vim):
sudo vim /etc/systemd/system/snort3-nic.service
Add the following to the new file:
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and disable GRO, LRO on boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens33 promisc on
ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target
Reload the systemd configuration:
sudo systemctl daemon-reload
Start the service now and enable it at boot:
sudo systemctl enable --now snort3-nic.service
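The NIC steps above, as a script added for this page (not from the tutorial or from Snort) that applies and then verifies them. Rather than hard-coding `gro off lro off`, it reads `ethtool -k` and only turns off the offloads that are both on and changeable, so it does not trip over [fixed] features on other drivers. The interface name ens33 is the tutorial's assumption; pass your own. The `ethtool -k` and `ip link show` samples in the script are constructed, modelled on the two lines shown above, for offline testing of the parsers.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply and verify the NIC
# settings Snort wants, driven by what `ethtool -k` actually reports.

# stdin: output of `ethtool -k IFACE`; args: long feature names to examine.
# Prints each named feature that is "on" and not marked "[fixed]".
offloads_to_disable() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        {
            name = $1; sub(/:$/, "", name)
            if ((name in wanted) && $2 == "on" && $0 !~ /\[fixed\]/) print name
        }'
}

# ethtool -K takes the short keyword for the common offloads.
short_feature_name() {
    case "$1" in
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        generic-segmentation-offload) echo gso ;;
        tcp-segmentation-offload)     echo tso ;;
        *)                            echo "$1" ;;
    esac
}

# stdin: output of `ip link show IFACE`; succeed if the PROMISC flag is present.
promisc_is_set() {
    grep -q '<[^>]*PROMISC[^>]*>'
}

# Put IFACE in promiscuous mode and switch off GRO/LRO where the driver allows it.
apply_nic_settings() {
    iface=$1
    [ "$(id -u)" -eq 0 ] || { echo "apply_nic_settings: run as root" >&2; return 1; }
    ip link set dev "$iface" promisc on
    for f in $(ethtool -k "$iface" | offloads_to_disable generic-receive-offload large-receive-offload); do
        ethtool -K "$iface" "$(short_feature_name "$f")" off
    done
}

# Fail unless IFACE is promiscuous and no changeable receive offload is still on.
verify_nic_settings() {
    iface=$1
    ip link show "$iface" | promisc_is_set || { echo "$iface: PROMISC not set" >&2; return 1; }
    left=$(ethtool -k "$iface" | offloads_to_disable generic-receive-offload large-receive-offload)
    [ -z "$left" ] || { echo "$iface: still enabled: $left" >&2; return 1; }
    echo "$iface: promiscuous, GRO/LRO off"
}

# Constructed samples (modelled on the tutorial's VM) for offline testing.
sample_ethtool_k() {
    cat <<'EOF'
Features for ens33:
rx-checksumming: off
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}
sample_ip_link() {
    echo '2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
}

# Usage: sudo sh snort3-nic.sh apply [iface]   /   sh snort3-nic.sh verify [iface]
case "${1:-}" in
    apply)  apply_nic_settings "${2:-ens33}" ;;
    verify) verify_nic_settings "${2:-ens33}" ;;
esac
```

Running `verify` after a reboot is the quick way to confirm the systemd unit actually did its job; a PROMISC failure there usually means the unit ran before the interface was named, which `After=network.target` does not guarantee on every setup.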
Install Snort 3 Rulesets on Ubuntu 20.04
Rulesets are the main artery of Snort's intrusion detection engine. There are three types of Snort rules:
· Community Rules (free, no registration needed; a subset of the subscriber set)
· Registered Rules (free with a snort.org account; published 30 days after the subscriber release)
· Subscriber Rules (paid; published as soon as Talos releases them)
In this tutorial, we will install the community Snort rules.
Create the Snort rules directory. In the /usr/local/etc/snort/snort_defaults.lua config file, the default rules path (RULE_PATH) is set to ../rules, which relative to the /usr/local/etc/snort config directory is /usr/local/etc/rules.
sudo mkdir /usr/local/etc/rules
Download Snort 3 community rules from Snort 3 downloads page;
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
Extract the rules into the Snort rules directory:
sudo tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/
ls /usr/local/etc/rules/snort3-community-rules/
AUTHORS  LICENSE  sid-msg.map  snort3-community.rules  VRT-License.txt
Now that we have rules to get started with, configure Snort 3. Open the main configuration file for editing:
sudo vim /usr/local/etc/snort/snort.lua
Set the networks you want to protect as the value of the HOME_NET variable. For simplicity, this example uses only the address of the Snort 3 interface (a /32); on a real sensor use the subnet(s) you are monitoring. EXTERNAL_NET is anything that is not our HOME_NET:
...
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = '192.168.57.3/32'
-- set up the external network addresses.
-- (leave as "any" in most situations)
-- EXTERNAL_NET = 'any'
EXTERNAL_NET = '!$HOME_NET'
...
You can edit Snort defaults in the /usr/local/etc/snort/snort_defaults.lua configuration file.
Under the ips section of snort.lua, define the location of your rules:
ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    include = '/usr/local/etc/rules/snort3-community-rules/snort3-community.rules'
}
...
Save and exit the configuration file.
Create the Snort log directory:
sudo mkdir /var/log/snort
Next, check the configuration syntax (-T tests the configuration and exits without sniffing):
snort -c /usr/local/etc/snort/snort.lua -T
Create custom local rules for the purpose of testing our Snort setup:
sudo vim /usr/local/etc/rules/local.rules
Create a rule that alerts on ICMP (ping) traffic to HOME_NET. Local rules use SIDs of 1000000 and above, which are reserved for local use so they never collide with the community or Talos rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
Save and exit the local rules file. Check the syntax, this time including the local rules with -R:
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -T
Next, run the test by executing the command below. -A alert_fast prints one line per alert to the console, -s 65535 raises the snap length so large packets are not truncated, and -k none disables checksum verification so packets whose checksums were mangled by offloading are still inspected:
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens33 -A alert_fast -s 65535 -k none
On another terminal, ping your Snort server. While the ping runs, you
should see the alert lines written to standard output;
Challenge Task
Write your own rules to detect SSH, Telnet, FTP and HTTP traffic.
Write a rule to detect Facebook traffic like below.
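One way to tackle the local rules and the challenge task, added here as an example that is not part of the tutorial or of the Snort rulesets. The script writes a local.rules file (rules constructed for this page: the ICMP test rule above plus SYN-based detection for SSH, Telnet, FTP and HTTP, and a DNS rule matching the wire-encoded name facebook.com), then lints it for the two mistakes that most often make `snort -T` reject a rules file, duplicate SIDs and SIDs below the local range of 1000000, before handing the file to Snort itself. The snort.lua path is the tutorial's; the lint works offline, the Snort check only runs when snort is on PATH.

```shell
#!/bin/sh
# Added example (not from the original tutorial): constructed local.rules for the
# challenge task plus a small linter for SID hygiene.

# Write the sample rules to the file given as $1 (default: a temp file); print the path.
write_sample_local_rules() {
    f=${1:-$(mktemp)}
    cat > "$f" <<'EOF'
# local.rules - keep SIDs >= 1000000 and unique; bump rev when a rule changes
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
# flags:S fires once per connection attempt (the TCP SYN) instead of on every packet
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt"; flags:S; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; flags:S; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP connection attempt"; flags:S; sid:1000005; rev:1;)
# DNS encodes names as length-prefixed labels: 08 "facebook" 03 "com" 00
alert udp $HOME_NET any -> any 53 (msg:"DNS query for facebook.com"; content:"|08|facebook|03|com|00|"; nocase; sid:1000006; rev:1;)
EOF
    echo "$f"
}

# Number of active (non-comment) rule lines in a rules file.
count_rules() {
    grep -c -E '^(alert|block|drop|log|pass|reject|rewrite)[[:space:]]' "$1" || true
}

# Print the sid of every rule line, one per line.
rule_sids() {
    sed -n 's/.*[ (;]sid:\([0-9][0-9]*\);.*/\1/p' "$1"
}

# Succeed only if every rule has a sid, sids are unique, and all are >= 1000000.
validate_local_rules() {
    f=$1
    rc=0
    sids=$(rule_sids "$f")
    nrules=$(count_rules "$f")
    nsids=$(printf '%s\n' "$sids" | grep -c '^[0-9]' || true)
    [ "$nrules" -eq "$nsids" ] || { echo "$f: $nrules rules but $nsids sids" >&2; rc=1; }
    dups=$(printf '%s\n' "$sids" | sort | uniq -d)
    [ -z "$dups" ] || { echo "$f: duplicate sid(s): $(echo $dups)" >&2; rc=1; }
    for s in $sids; do
        [ "$s" -ge 1000000 ] || { echo "$f: sid $s is in the reserved (<1000000) range" >&2; rc=1; }
    done
    return $rc
}

# Ask Snort itself to parse the rules when it is installed (-T: test config and exit).
snort_check_rules() {
    command -v snort >/dev/null || { echo "snort not on PATH, skipping" >&2; return 0; }
    snort -c /usr/local/etc/snort/snort.lua -R "$1" -T
}

# Usage: sh local_rules.sh demo   (writes to a temp file, lints it, then tries snort -T)
if [ "${1:-}" = "demo" ]; then
    rules=$(write_sample_local_rules)
    validate_local_rules "$rules" && snort_check_rules "$rules"
fi
```

To use the rules for real, call `write_sample_local_rules /usr/local/etc/rules/local.rules` as root, then start Snort with `-R` as in the test command above and trigger each rule from another host (ssh, telnet, ftp or curl to the sensor, and `dig facebook.com` from a HOME_NET address); each should produce exactly one alert_fast line per attempt because of flags:S.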
Finished.