[IDS road] the latest Snort3 and Snort2 installation detailed tutorial

Posted by t0ta11 on Wed, 19 Jan 2022 07:08:04 +0100

Welcome new students
... ...
If you are nameless, you can concentrate on practicing sword

I am not a salted fish, but a dead fish!

I have seen many installation tutorials for Snort3 and Snort2 online, especially for Snort3, and I seriously doubt whether their authors really installed it successfully; it really makes you cringe. Following the information given by other bloggers, Snort3 always had problems: either it could not capture packets or it reported errors, or the write-up was such a mess that I had no desire to read it. Moreover, the installation of Snort3 and Snort2 is very different. I only tried the complete installation of Snort3 and recorded it; Snort2 is covered in great detail online, and I sorted it out along the way. Take it if you need it.

0x01 Snort2 installation tutorial

  • Dependencies required to install Snort2
apt-get update
apt-get upgrade
apt-get install gcc                  # compiler; if it reports an error, also apt-get install g++
apt-get install flex                 # parser generator required by DAQ
apt-get install bison                # parser generator required by DAQ
apt-get install zlib1g-dev           # compression library required by Snort
apt-get install libpcap-dev          # packet capture headers required by Snort
apt-get install libdnet-dev          # optional: gives snort a simplified, portable interface to several network routines
apt-get install luajit               # LuaJIT
apt-get install liblua5.1-0-dev      # lua header files
apt-get install liblua5.1-0-dev liblua50-dev liblualib50-dev
apt-get install build-essential      # build tools for compiling software
apt-get install libpcre3-dev         # pcre3 headers required by Snort
apt-get install libdumbnet-dev       # same library as libdnet
apt-get install openssl libssl-dev   # SSL components; provide SHA and MD5 file signatures
apt-cache search lua                 # list the available lua packages
  • Download the source tarballs and other files into one folder for easy management
mkdir ~/snort_src
cd ~/snort_src
  • Install libpcap
cd ~/snort_src
wget https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz
tar -zxvf libpcap-1.10.1.tar.gz
cd libpcap-1.10.1
./configure && make && make install
  • Installing nghttp2
wget https://github.com/nghttp2/nghttp2/releases/download/v1.46.0/nghttp2-1.46.0.tar.gz
tar -zxvf nghttp2-1.46.0.tar.gz
cd nghttp2-1.46.0
./configure && make && make install
  • Installing LuaJIT
wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install   # LuaJIT has no ./configure step
  • Install pcre
wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
tar -zxvf pcre-8.45.tar.gz
cd pcre-8.45
./configure && make && make install
  • Installing daq
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar xvzf daq-2.0.7.tar.gz              
cd daq-2.0.7
./configure && make && sudo make install
  • Install Snort2
wget https://www.snort.org/downloads/snort/snort-2.9.19.tar.gz
tar xvzf snort-2.9.19.tar.gz             
cd snort-2.9.19
./configure --enable-sourcefire && make && sudo make install
sudo ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V

1.1 configure the snort files

  • Create some necessary files
# Snort installation directory
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
			 
# Store filtering rules and server black and white list
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/local.rules
			 
# Create log directory
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
			 
# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
			 
# Change folder ownership
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules


  • Files in the etc directory of the snort source tree (copied in the next step)
classification.config : describes the attack classifications Snort understands (rules are grouped into these classes), such as trojan activity or system call detection. The list of classifications is in section 3.4.6 of the Snort manual
file_magic.conf       : describes the rules used to identify file types
reference.config      : contains the information referenced in rules that provides URLs with more details about an alert
snort.conf            : the main Snort configuration file; tells Snort where its resources are, how to output alerts, and so on
threshold.conf        : lets you control how many events are required before an alert is generated, which helps suppress noisy alerts
gen-msg.map           : tells Snort which rule uses which preprocessor
unicode.map           : provides the mapping between Unicode languages and identifiers; Snort needs this file to start
  • Copy the files into /etc/snort. The path here must be the directory where you extracted snort (in this tutorial ~/snort_src/snort-2.9.19)
cp ~/snort_src/snort-2.9.19/etc/*.conf* /etc/snort
cp ~/snort_src/snort-2.9.19/etc/*.map /etc/snort
cp ~/snort_src/snort-2.9.19/etc/*.dtd /etc/snort
cp ~/snort_src/snort-2.9.19/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
  • Modify the default configuration
Edit snort.conf (it is now under /etc/snort/):
gedit /etc/snort/snort.conf
    1. Modify the paths of some files. Search for RULE_PATH and change the following paths as shown:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
    2. Enable the include of the local rules file by removing the leading # sign:
include $RULE_PATH/local.rules
    3. Make the black and white lists effective in the reputation preprocessor configuration:
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
  • Install rules package
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29190.tar.gz
tar zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/
  • Run the configuration test. Ignore any WARNING lines; they do not affect the installation
sudo snort -T -c /etc/snort/snort.conf 

......
Snort successfully validated the configuration!
Snort exiting
  • Snort2 installation tutorial
    https://blog.csdn.net/weixin_46763552/article/details/116350545

  • Snort2 rule configuration tutorial
    https://blog.csdn.net/weixin_46763552/article/details/116350908

Reference link:

https://blog.csdn.net/qq_38990949/article/details/85568020

0x02 Snort3 installation

2.1 installation dependencies and prerequisites

sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev zlib1g-dev
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

2.2 set the time zone

sudo dpkg-reconfigure tzdata

2.3 download the source tarballs and other files into one folder for easy management

mkdir ~/snort_src
cd ~/snort_src

2.4 download and install safec for runtime boundary checking on some legacy C library calls

cd ~/snort_src
wget https://github.com/rurban/safeclib/releases/download/v02092020/libsafec-02092020.tar.gz
tar -xzvf libsafec-02092020.tar.gz
cd libsafec-02092020.0-g6d921f
./configure
make
sudo make install

2.5 installing Hyperscan

Snort 3 uses Hyperscan for fast pattern matching. You can install an old version of Hyperscan from the Ubuntu repository, but Hyperscan is crucial to Snort's operation and performance, so it is best to compile the latest stable version. Hyperscan has a number of requirements, including PCRE, gperftools, Ragel and the Boost libraries.

  • First install PCRE (Perl Compatible Regular Expressions). Do not use the Ubuntu repository version because it is older:
cd ~/snort_src/
wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.45/pcre-8.45.tar.gz
tar -xzvf pcre-8.45.tar.gz
cd pcre-8.45
./configure
make
sudo make install
  • Installing gperftools
cd ~/snort_src
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
tar -xzvf gperftools-2.9.1.tar.gz
cd gperftools-2.9.1
./configure
make
sudo make install
  • Installing Ragel
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install
  • Download (but do not install) the Boost C++ library
cd ~/snort_src
wget https://boostorg.jfrog.io/artifactory/main/release/1.78.0/source/boost_1_78_0.tar.gz
tar -xvzf boost_1_78_0.tar.gz
  • Install Hyperscan 5.3 from source, pointing it at the Boost source directory
cd ~/snort_src
wget https://github.com/intel/hyperscan/archive/refs/tags/v5.4.0.tar.gz
tar -xvzf v5.4.0.tar.gz
mkdir ~/snort_src/hyperscan-5.4.0-build
cd hyperscan-5.4.0-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_78_0/ ../hyperscan-5.4.0
make
sudo make install

2.6 installing flatbuffers

cd ~/snort_src
wget https://github.com/google/flatbuffers/archive/refs/tags/v2.0.0.tar.gz -O flatbuffers-v2.0.0.tar.gz
tar -xzvf flatbuffers-v2.0.0.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-2.0.0
make
sudo make install

2.7 installation of DAQ

Install the Data Acquisition library (DAQ). The DAQ used by Snort 3 is different from the one used by the Snort 2.9 series

cd ~/snort_src
# You can download the latest libdaq release instead if you prefer
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.5.tar.gz -O libdaq-3.0.5.tar.gz
tar -xzvf libdaq-3.0.5.tar.gz
cd libdaq-3.0.5
./bootstrap
./configure
make
sudo make install
  • Update shared library
sudo ldconfig

2.8 finally install Snort 3 from the source code

If you are interested in enabling other compile-time features, such as handling large (more than 2 GB) PCAP files or the new command-line shell, run ./configure_cmake.sh --help to list all optional features and append the ones you want to the ./configure_cmake.sh command below. Check the Snort website for the latest Snort3 version

cd ~/snort_src
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.20.0.tar.gz -O snort3-3.1.20.0.tar.gz
tar -xzvf snort3-3.1.20.0.tar.gz
cd snort3-3.1.20.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
  • Snort is now installed under /usr/local/. Finally, verify that snort runs correctly (note the capital V for version)
/usr/local/bin/snort -V


If snort prints its version banner, Snort is installed and working

2.9 test Snort rules

  • Now let's test Snort with the default configuration file
snort -c /usr/local/etc/snort/snort.lua



  • To reduce truncated packets on the IDS, disable receive offloading on the capture interface:
# Check the status of large receive offload (LRO) and generic receive offload (GRO) on the interface with ethtool
sudo ethtool -k eth0 | grep receive-offload
# Create a systemd unit file named ethtool.service (next to the snort3.service created later under /lib/systemd/system/) with the following content, replacing ens3 with your interface name:
[Unit]
Description=Ethtool Configuration for Network Interface
[Service]
Requires=network.target
Type=oneshot
ExecStart=/sbin/ethtool -K ens3 gro off
ExecStart=/sbin/ethtool -K ens3 lro off
[Install]
WantedBy=multi-user.target
  • After creating the file, run the following command to start the service
sudo systemctl enable ethtool
sudo service ethtool start
  • Check again to see if both are set to "off"
sudo ethtool -k eth0 | grep receive-offload
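Rather than reading the ethtool output by eye, the offload state can be checked from a script, which is handy when the IDS has several capture interfaces. The following is an added example, not part of the original post: it parses the output of ethtool -k, reports whether both GRO and LRO are off, and the sample output strings are constructed to mirror what ethtool prints before and after the unit runs. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that GRO and LRO are
# disabled on a capture interface by parsing `ethtool -k` output.

# offload_state <feature>: reads ethtool -k output on stdin and prints the
# state ("on"/"off") of the named feature, ignoring a trailing "[fixed]".
offload_state() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# offloads_disabled: reads ethtool -k output on stdin; returns 0 only when
# both generic-receive-offload and large-receive-offload are "off".
# A missing feature line counts as a failure rather than as "off".
offloads_disabled() {
    out=$(cat)
    gro=$(printf '%s\n' "$out" | offload_state generic-receive-offload)
    lro=$(printf '%s\n' "$out" | offload_state large-receive-offload)
    [ "$gro" = "off" ] && [ "$lro" = "off" ]
}

# check_iface <ifname>: run the real ethtool on a live interface and report.
# Coalesced (offloaded) segments exceed the snaplen and get truncated by Snort.
check_iface() {
    if ethtool -k "$1" | offloads_disabled; then
        echo "$1: GRO and LRO are off"
    else
        echo "$1: GRO/LRO still enabled; packets may arrive coalesced and be truncated" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real host), in the format
# `ethtool -k` uses, before and after the ethtool.service unit has run.
SAMPLE_BEFORE='generic-receive-offload: on
large-receive-offload: off [fixed]'
SAMPLE_AFTER='generic-receive-offload: off
large-receive-offload: off [fixed]'

# Usage on a live system:  check_iface eth0
```

Run check_iface against every interface listed in the snort3 and ethtool units after a reboot; a "[fixed]" feature cannot be changed by ethtool, so a fixed "on" means the driver itself must be reconfigured.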


2.10 configuring rule sets

  • Create some necessary files
sudo mkdir /usr/local/etc/rules
sudo mkdir /usr/local/etc/so_rules/
sudo mkdir /usr/local/etc/lists/
sudo touch /usr/local/etc/rules/snort.rules
sudo touch /usr/local/etc/rules/local.rules
sudo touch /usr/local/etc/lists/default.blocklist
sudo mkdir /var/log/snort
  • Create a rule in the local.rules file created above
sudo vi /usr/local/etc/rules/local.rules
  • local.rules file content
alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )

PS: this rule detects ICMP traffic, which is very useful for testing that Snort works properly and generates alerts. Paste the line above into the local.rules file (make sure it is copied accurately; there must be a space after each semicolon in this file for the alert to parse correctly)


  • Now run Snort and have it load the local.rules file (with the -R flag) to make sure the rules load correctly (i.e. they are in the correct format)
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
  • Now run Snort in detect mode on the interface (change eth0 below to match the interface name) and print all alerts to the console
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules \
-i eth0 -A alert_fast -s 65535 -k none

Flag meanings

Flag                                   Description
-c /usr/local/etc/snort/snort.lua      The snort.lua configuration file
-R /usr/local/etc/rules/local.rules    The path to the rules file containing the ICMP rule
-i eth0                                Interface to listen on
-A alert_fast                          Use the alert_fast output plug-in to write alerts to the console
-s 65535                               Set the snaplen so that Snort does not truncate and discard oversized packets
-k none                                Ignore bad checksums; otherwise Snort discards packets with wrong checksums

Snort is now listening to all traffic on the interface and comparing it against the loaded rules. When traffic matches a rule, Snort writes an alert to the console. Now, from another window on the computer (a new terminal window or a second ssh session), use ping to generate packets through the interface being monitored (ping the interface's IP address if connecting from another computer; if on the same computer, ping only the external IP address). You should see alerts printed on the screen:

### Alert output
12/15-21:02:26.976073 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.10.10.1 -> 10.10.10.88
12/15-21:02:26.976157 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.10.10.88 -> 10.10.10.1

Use ctrl-c to stop Snort. This is a good rule for testing Snort, but it may be a little noisy in real production use, so comment it out with a hash (#) if you like.
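The alert_fast lines above are meant for a human at the console, but they have a fixed layout that is easy to split into fields for counting or for forwarding to a log pipeline. The following is an added example, not code from the original post: a POSIX sed/awk parser for alert_fast output that turns each alert into a delimited record and summarises alerts per rule and per source address. The sample input is constructed from the two ICMP lines shown above plus one made-up line that carries a [Classification: ...] block (which appears when a rule sets classtype) and one junk line; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): parse Snort alert_fast
# output into delimited fields and summarise it.

# parse_alert_fast: stdin = alert_fast lines; stdout = one record per alert as
#   timestamp|gid:sid:rev|msg|priority|proto|src|dst
# The [Classification: ...] block is optional and is skipped (group 4).
# Lines that do not match the format are dropped rather than mis-parsed.
parse_alert_fast() {
    sed -E -n 's/^([^ ]+) \[\*\*\] \[([0-9]+:[0-9]+:[0-9]+)\] "([^"]*)" \[\*\*\] (\[Classification: [^]]*\] )?\[Priority: ([0-9]+)\] [{]([A-Za-z0-9]+)[}] ([^ ]+) -> ([^ ]+)$/\1|\2|\3|\5|\6|\7|\8/p'
}

# count_by_rule: number of alerts per gid:sid:rev, sorted by rule id
count_by_rule() {
    parse_alert_fast | awk -F'|' '{ n[$2]++ } END { for (k in n) print k, n[k] }' | sort
}

# count_by_src: number of alerts per source address (":port" stripped for TCP/UDP)
count_by_src() {
    parse_alert_fast | awk -F'|' '{ split($6, a, ":"); n[a[1]]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample: the two ICMP alerts from the ping test above, one
# made-up TCP alert with a classification block, and a line of junk.
SAMPLE_ALERTS='12/15-21:02:26.976073 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.10.10.1 -> 10.10.10.88
12/15-21:02:26.976157 [**] [1:10000001:0] "ICMP Traffic Detected" [**] [Priority: 0] {ICMP} 10.10.10.88 -> 10.10.10.1
12/15-21:02:30.000000 [**] [1:10000002:1] "Example TCP Rule" [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.10.1:40000 -> 10.10.10.88:80
garbage line that should be ignored'

# Usage: summarise the sample, or a saved console log (snort ... -A alert_fast > alerts.txt):
#   printf '%s\n' "$SAMPLE_ALERTS" | count_by_rule
#   count_by_src < alerts.txt
```

The count_by_rule output is the quickest way to spot a rule that is too noisy for production (like the ICMP test rule) before it floods the console or the SIEM.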

  • Next, edit the snort.lua file, which is the configuration file we pass to Snort at startup
sudo vi /usr/local/etc/snort/snort.lua

Next we enable decoder and inspector alerts (these catch malformed or anomalous traffic that Snort detects without rules, because such checks are too complex to express as a rule), and tell the ips module where the rules file is (PulledPork will create this file for us later)

Scroll down to about line 169 and find the section titled ips. Here we uncomment enable_builtin_rules = true (remove the two leading dashes) and add the include for the rules file. Note that Lua indents these lines with four spaces, not tabs (this is required). The section should look as follows (delete the commented-out lines around line 166):

ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. "/local.rules",
    variables = default_variables
}


  • Test the configuration file
snort -c /usr/local/etc/snort/snort.lua


Snort can now be run as described above, but without passing the local.rules file explicitly on the command line, because it is already included in the ips section of the snort.lua file:

sudo snort -c /usr/local/etc/snort/snort.lua -i eth0 -A alert_fast -s 65535 -k none

PS: ping the interface as before and you will see the alerts written to the console again

2.11 installation of PulledPork

PulledPork is the script we use to download and merge Snort rule sets. To download the main free ruleset from Snort you need an oinkcode. Register on the Snort website and save your oinkcode before continuing, because the most popular free rule set requires it

  • Install dependencies
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
  • Download the latest version of PulledPork and install it by copying the perl file to / usr/local/bin and the required configuration file to / usr/local/etc/PulledPork
cd ~/snort_src
wget https://github.com/shirkdog/pulledpork/archive/refs/tags/v0.7.4.tar.gz -O pulledpork-v0.7.4.tar.gz
tar -xzvf pulledpork-v0.7.4.tar.gz
cd pulledpork-0.7.4
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo mkdir /usr/local/etc/pulledpork
sudo cp etc/*.conf /usr/local/etc/pulledpork
  • Test for successful installation
/usr/local/bin/pulledpork.pl -V
  • Now configure PulledPork:
sudo vi /usr/local/etc/pulledpork/pulledpork.conf


Line 19: change the rule_url, replacing <oinkcode> with the oinkcode you obtained when registering on snort.org. This tells PulledPork where to download the rules from:
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<oinkcode>

Line 24: comment out the community rules. They are not needed because they are already included in the registered rule set referenced above:

#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Line 72: point rule_path at the snort.rules file; PulledPork saves all downloaded rules, plus the rules from local.rules, into it:

rule_path=/usr/local/etc/rules/snort.rules

Line 87: tell PulledPork where the local.rules file is (its rules are copied from there into snort.rules):

local_rules=/usr/local/etc/rules/local.rules

Line 94: tell PulledPork to output rule metadata in the newer sid-msg format (version 2):

sid_msg_version=2

Line 110: tell polledpork where to save the compiled rules:

sorule_path=/usr/local/etc/so_rules/

Line 134: change the distro to Ubuntu-18-4 (even if you're running Ubuntu 20). This tells PulledPork which version of the precompiled shared-object rules is compatible with our system:

distro=Ubuntu-18-4

Line 142: tell PulledPork where to save the block list (known malicious IP addresses that should be blocked):

block_list=/usr/local/etc/lists/default.blocklist

Line 151: tell PulledPork the default location of the block and allow lists:

IPRVersion=/usr/local/etc/lists

Line 186: tell PulledPork where the Snort daemon saves the PID of the running process, so that after installing new rules PulledPork can signal Snort to load them:

pid_path=/var/log/snort/snort.pid

Line 209: uncomment this line to enable all rules in the downloaded rules file. The rules are grouped into different policies depending on the kind of traffic you want to detect. If you run in IPS mode (blocking rather than just detecting traffic), consider the "balanced" policy instead of "security", because "security" is more aggressive and flags traffic that may be malicious or may be normal:

ips_policy=security
  • Run PulledPork with its configuration file and extra logging. This downloads the latest rule sets, merges any rules from local.rules, saves all rules to snort.rules, and saves the block list entries to default.blocklist:
sudo /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP


Use the following flags:

Flag                                            Description
-c /usr/local/etc/pulledpork/pulledpork.conf    PulledPork configuration file
-l                                              Log important information to syslog
-P                                              Process rules even if no new rules were downloaded
-E                                              Write only enabled rules to the output rules file
-H SIGHUP                                       Make Snort reload its configuration by sending it SIGHUP
  • Next, turn this command into a scheduled task so that the ruleset is updated daily
sudo crontab -e
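Editing the crontab by hand works once, but a rebuild script that re-runs the step will add the line again each time. The following is an added example, not part of the original post: it takes the PulledPork command above and merges a daily cron entry into an existing crontab exactly once, so the step is safe to repeat. The schedule (03:00 daily), the merge helper and its name are my choices, and the sample crontab is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): install the PulledPork
# update as a daily cron job without duplicating it on re-runs.

# The exact command from the tutorial; the 03:00 daily schedule is my choice.
PULLEDPORK_CMD='/usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP'
CRON_LINE="0 3 * * * $PULLEDPORK_CMD"

# merge_cron_entry: stdin = an existing crontab; stdout = the same crontab
# with CRON_LINE present exactly once (an identical existing line is kept
# where it is, other jobs are untouched).
merge_cron_entry() {
    awk -v line="$CRON_LINE" '
        { print }
        $0 == line { seen = 1 }
        END { if (!seen) print line }
    '
}

# install_cron_entry: apply the merge to root's crontab. pulledpork needs root
# to write /usr/local/etc/rules and to send SIGHUP to snort, which is why the
# tutorial uses "sudo crontab -e". A missing crontab is treated as empty.
install_cron_entry() {
    { sudo crontab -l 2>/dev/null || true; } | merge_cron_entry | sudo crontab -
}

# Constructed sample crontab with an unrelated job already present.
SAMPLE_CRONTAB='# m h dom mon dow command
30 2 * * 0 /usr/bin/certbot renew'

# Usage: preview the merge on the sample, then install for real:
#   printf '%s\n' "$SAMPLE_CRONTAB" | merge_cron_entry
#   install_cron_entry
```

Because the job sends SIGHUP through the pid_path configured above, make sure the snort3 service (created later with --create-pidfile) is running when the job fires, otherwise the new rules are written but not loaded until the next restart.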
  • Check the snort.rules file; you should see many new rules

Modify snort.lua to load snort.rules instead of local.rules (the rules in local.rules are added to snort.rules automatically by PulledPork and used together with all downloaded rules; you can see the local.rules rules at the end of snort.rules):

#Line 167
ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. "/snort.rules",
    variables = default_variables
}
  • Test Snort to see if these rules load correctly:
snort -c /usr/local/etc/snort/snort.lua

2.12 configure Snort plug-ins

  • Enable some features in the snort.lua file:
sudo vi /usr/local/etc/snort/snort.lua
  • First, configure the HOME_NET variable. This is the local subnet we are defending (rules use it to decide whether alerts match). Set it to match your subnet; mine below is the 10.0.0.0 network with a 24-bit subnet mask
HOME_NET = '10.0.0.0/24'
  • Enable Hyperscan (faster pattern matching). Put the following after the inspectors section and before the bindings (when I configured it here I got a warning, so I left it out; configure it if you need it)
reputation=
{
  blacklist = BLACK_LIST_PATH .. "/default.blocklist"
  --whitelist = 'whitelist file name with ip lists'
}

search_engine = { search_method = "hyperscan" }

detection = {
  hyperscan_literals = true,
  pcre_to_regex = true
}

2.13 configure the output warning plug-in

To import Snort 3 alert logs into your SIEM of choice (such as Splunk) easily, use the alert_json output plug-in to write all alerts to a text file in JSON format. Enabling it is simple: edit snort.lua (around line 230, in section 7, configure outputs):

sudo vi /usr/local/etc/snort/snort.lua
alert_json =
{
    file = true,
    limit = 100,
    fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
}
  • In the alert_json plug-in we specify three options:
    • First, the file option writes alerts to a JSON-formatted file (instead of the console)
    • Next, the limit option tells Snort when to roll over to a new file. When the output file reaches 10 MB, a new file is created with the current unixtime in its name. For testing we set it to 100 MB, but on a production system you may want to raise this, depending on how log management and rotation are done
    • Finally, the fields option selects which fields of the alert are included in the JSON output. In this example we selected all possible fields

PS: after testing you can drop some of the fields (vlan and mpls are unnecessary, and b64_data contains the entire packet payload; you can remove it to save space, although this field holds a lot of useful information). Do not remove the seconds field, and make sure it is always the first field listed; Splunk relies on this to process events correctly

Now run Snort and generate some alerts; they are written to /var/log/snort. Run the following command, then ping the interface again (as before, to generate traffic that matches the rule in local.rules)

sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 \
-k none -l /var/log/snort -i eth0 -m 0x1b

Several new flags have been added for this command:

Flag                Description
-l /var/log/snort   Directory where log files should be written
-m 0x1b             Umask 033 for file permissions (rw-r--r--)
  • After snort starts we see no output on the screen because the alert_json output module is enabled (it writes to /var/log/snort as specified in the command above). Stop snort (ctrl-c) and check /var/log/snort
cat /var/log/snort/alert_json.txt
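Before shipping alert_json.txt to a SIEM it is worth checking two things locally: that the file really has the seconds field first on every line (the Splunk add-on depends on it, as noted above) and which rule/source pairs dominate. The following is an added example, not part of the original post: it uses only POSIX sed and awk (no jq) to extract fields from alert_json lines, summarise alerts per sid/src/dst/msg, and validate the field order. The sample lines are constructed in the spacing style Snort uses for alert_json, with most of the fields from the fields list above omitted for brevity; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Snort 3 alert_json
# output and check the field layout the Splunk add-on expects.

# json_field <name>: stdin = alert_json lines; stdout = the value of <name>
# for each line (strings unquoted, numbers as-is). A line without the field
# yields an empty line so output stays aligned with the input, line for line.
json_field() {
    sed -E -e "s/.*\"$1\" *: *\"([^\"]*)\".*/\1/" -e t \
           -e "s/.*\"$1\" *: *([-0-9.]+).*/\1/" -e t \
           -e 's/.*//'
}

# alert_summary: stdin = alert_json lines; stdout = "<count> sid|src|dst|msg",
# most frequent first. Good for spotting a noisy rule or a chatty host.
alert_summary() {
    while IFS= read -r line; do
        sid=$(printf '%s\n' "$line" | json_field sid)
        src=$(printf '%s\n' "$line" | json_field src_addr)
        dst=$(printf '%s\n' "$line" | json_field dst_addr)
        msg=$(printf '%s\n' "$line" | json_field msg)
        printf '%s|%s|%s|%s\n' "$sid" "$src" "$dst" "$msg"
    done | awk '{ n[$0]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# seconds_first: returns 0 only if every non-empty line starts with the
# "seconds" field, which the Splunk Snort 3 JSON add-on relies on.
seconds_first() {
    awk 'NF && $0 !~ /^[{] *"seconds" *:/ { bad = 1 } END { exit bad }'
}

# Constructed sample (not a real capture): three ICMP alerts from the ping
# test, trimmed to a subset of the fields configured in snort.lua.
SAMPLE_JSON='{ "seconds" : 1642406613, "action" : "allow", "class" : "none", "dir" : "C2S", "dst_addr" : "10.10.10.88", "gid" : 1, "msg" : "ICMP Traffic Detected", "proto" : "ICMP", "rev" : 0, "sid" : 10000001, "src_addr" : "10.10.10.1" }
{ "seconds" : 1642406613, "action" : "allow", "class" : "none", "dir" : "S2C", "dst_addr" : "10.10.10.1", "gid" : 1, "msg" : "ICMP Traffic Detected", "proto" : "ICMP", "rev" : 0, "sid" : 10000001, "src_addr" : "10.10.10.88" }
{ "seconds" : 1642406614, "action" : "allow", "class" : "none", "dir" : "C2S", "dst_addr" : "10.10.10.88", "gid" : 1, "msg" : "ICMP Traffic Detected", "proto" : "ICMP", "rev" : 0, "sid" : 10000001, "src_addr" : "10.10.10.1" }'

# Usage on the live log:
#   alert_summary < /var/log/snort/alert_json.txt
#   seconds_first < /var/log/snort/alert_json.txt && echo "field order OK"
```

The json_field extractor is deliberately simple (one value per line, no nested objects), which is exactly the shape alert_json emits; for anything beyond a quick check, jq is the better tool once it is installed.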

2.13 Snort startup script

Create a systemD script to automatically run snort at startup, and for security reasons, let snort run at startup as a regular (non root) user

  • Create the snort user and group
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
  • Delete old log files (move them if you want to keep them):
sudo rm /var/log/snort/*
  • The "snort" user needs to be granted permissions on the log directory
sudo chmod -R 5775 /var/log/snort
sudo chown -R snort:snort /var/log/snort
  • Create systemD service file
sudo vi /lib/systemd/system/snort3.service
  • With the following content (change the Ethernet adapter eth0 to match yours)
[Unit]
Description=Snort3 NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 \
-k none -l /var/log/snort -D -u snort -g snort -i eth0 -m 0x1b --create-pidfile
[Install]
WantedBy=multi-user.target

Meaning of all the flags used in the Snort command

Flag                                 Description
/usr/local/bin/snort                 Path to the snort binary. sudo is not used here because the service starts with elevated (root) privileges
-c /usr/local/etc/snort/snort.lua    The snort.lua configuration file
-s 65535                             Set the snaplen so that Snort does not truncate and discard oversized packets
-k none                              Ignore bad checksums; otherwise Snort discards packets with wrong checksums and does not evaluate them
-l /var/log/snort                    Folder where Snort stores all the log files it outputs
-D                                   Run as a daemon
-u snort                             After startup (and after any operation that needs elevated privileges), switch to the "snort" user
-g snort                             Once started, run as the snort group
-i eth0                              Interface to listen on
-m 0x1b                              Umask 033 for file permissions
--create-pidfile                     Create a PID file in the log directory (so pulledpork can signal snort to reload after new rules are installed)
  • Enable the Snort systemD service and start it
sudo systemctl enable snort3
sudo service snort3 start
  • Check the status of the service:
service snort3 status
  • The output should be similar to the following, displaying "active (running)":
service snort3 status
    * snort3.service - Snort3 NIDS Daemon
    Loaded: loaded (/lib/systemd/system/snort3.service; enabled; vendor preset: enabled)
    Active: active (running) since Tue 2018-12-11 16:48:44 EST; 2min 57s ago
  • If you have any problems, you can check the complete output of the service using the following command:
sudo journalctl -u snort3.service

2.14 installing Splunk

Download: https://www.splunk.com/en_us/download/splunk-enterprise.html

You need to register an account to download. After logging in, click the Linux tab, then click the Download Now button next to .deb (Debian-based systems such as Ubuntu). To download the installer with wget, click "download from the command line" (wget) and copy the wget command.

wget  htps://xxxxx
  • Once the Splunk installer is downloaded to your system, install it. From the directory where you saved the installer:
sudo dpkg -i splunk-8.*.deb
sudo chown -R splunk:splunk /opt/splunk
  • Splunk is installed in /opt/splunk. Note that the volume Splunk is installed on must have 5 GB of free space, otherwise Splunk will not start. The index where Splunk stores all collected log data lives in a subfolder of the installation location, so make sure this volume has enough space for all the data you want to collect.

The first time you start Splunk (accept the license and use all default options), you will be prompted to create a new administrative user and password for Splunk. Save these credentials because you will use them to log in to the web interface later:

sudo /opt/splunk/bin/splunk start --answer-yes --accept-license
  • Then configure Splunk to start automatically at boot. This also enables the systemd unit for Splunk and starts the service (note the capital S in the Splunkd service name).
sudo /opt/splunk/bin/splunk stop
sudo /opt/splunk/bin/splunk enable boot-start -systemd-managed 1
sudo chown -R splunk:splunk /opt/splunk
sudo service Splunkd start

The Splunk server is now listening on port 8000 of this server (http://localhost:8000 if you are connecting from the local machine, or the IP address of this system from another computer); the user name and password are the ones set during the Splunk installation

Splunk currently runs on a free Enterprise trial license, which provides all enterprise features for 60 days and allows 5 GB of log data to be indexed per day. The only feature we lose once the trial expires that affects this installation is authenticated login: after converting to the free license you will no longer be prompted to log in to the Splunk web interface

Splunk Enterprise provides many features, including a deployment server that automatically updates Splunk instances and the Splunk apps they run, multiple user accounts with configurable permissions, load balancing, and more.

2.15 Configuring Splunk

Now log in to the Splunk instance using the user name and password created during the Splunk installation. The Splunk server is listening on port 8000 (http://localhost:8000).

A Splunk plug-in (called an add-on) needs to be installed; it lets us easily receive (ingest) and normalize the logs created by Snort 3 (it makes the field names consistent with other NIDS data, so that Splunk apps can easily display our data).

To install this add-on, on the home page of the Splunk instance click the link titled "+ Find More Apps" on the left side of the Splunk web interface. This opens Splunkbase, an online repository of Splunk plug-ins that extend and enhance a Splunk installation. Search for "Snort3" in Splunkbase and you will see one result: Snort 3 JSON Alerts. Click the green Install button next to this add-on.

Enter the user name and password you created when registering on splunk.com to download Splunk (not the credentials of the local Splunk server instance). Accept the terms and conditions, then click Login and Install. When the installation is complete, click Done.

Next, install the CyberChef for Splunk plug-in, which lets you convert the b64_data field to readable text. As before, search for "cyberchef" in Splunkbase, click the green Install button next to CyberChef for Splunk, log in, and install it.

Next, you need to configure the Snort 3 JSON Alerts plug-in to tell Splunk where the log files generated by Snort 3 are stored, so that Splunk can ingest them. This is done from the command line with a configuration file:

sudo mkdir /opt/splunk/etc/apps/TA_Snort3_json/local
sudo touch /opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf
sudo vi /opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf
  • Enter the following text in this inputs.conf file:
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
  • Restart Splunk
sudo service Splunkd restart

Now, when Splunk starts, it will scan the JSON files in the /var/log/snort directory, assign them the sourcetype snort3:alert:json, and index them.

Log in to the Splunk instance again (because the server was restarted), click the "splunk>enterprise" link in the upper left corner, then click the Search & Reporting app link on the left. In the search field, enter the following text:

sourcetype="snort3:alert:json"

Then click the green magnifying glass icon to start the search, which will display all the events that the server is collecting. You may not see many events, especially if you deleted the old JSON file created from the pcap file. If you don't see any alerts, you can use ping to create some new ones (remember the rule created earlier). There is a slight delay between an event being generated and it appearing in Splunk. If you still don't see any alerts, change the time range (the drop-down next to the search icon, set to Last 24 hours) to All time, then run the search again. If you still don't see any events, check whether there are JSON files in the /var/log/snort folder.

2.16 Using Splunk

Here are some simple searches. To display all events in a table with time, source, destination, and message, run the following search:

sourcetype="snort3:alert:json"
| table _time src_ap dst_ap msg
  • Displays a count of all events by destination
sourcetype="snort3:alert:json"
| stats count by dest
  • To display all event sources on the map
sourcetype="snort3:alert:json"
| iplocation src_addr
| stats count by Country
| geom geo_countries featureIdField="Country"

(you may need to click the visualization tab, then click line chart and change it to Choropleth map)

Many events carry a base64-encoded payload data field (b64_data); HTTP and SMTP events are good examples. To make this data readable, we use the "cyberchef" command to convert the data (on the fly) for each event and add a new field named "decrypted" to each event:

sourcetype="snort3:alert:json" dest_port=80
| cyberchef infield='b64_data' outfield=decrypted operation="FromBase64"
| table src_addr, dst_addr, rule, msg, decrypted
  • Some of Splunk's excellent free resources include:

  • eBook

https://www.splunk.com/en_us/form/exploring-splunk-search-processing-language-spl-primer-and-cookbook.html

  • Free Online Training

https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
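The searches above can be sanity-checked offline before the data ever reaches Splunk. The following Python script is an added example, not code from the original post or from the Snort 3 JSON Alerts add-on: it reads alert_json lines (the sample lines embedded below are constructed, not real captures), builds the same time/source/destination/message table, counts events per destination, and base64-decodes b64_data for port-80 events the way the cyberchef FromBase64 search does. The field names (src_ap, dst_ap, dst_addr, dst_port, rule, msg, b64_data) are the ones the searches on this page use; "timestamp" is assumed to be the alert_json time field. It also handles two things the page's searches leave to Splunk: a truncated last line that Snort is still writing, and a b64_data value that is not valid base64.

```python
import base64
import binascii
import json
from collections import Counter

# Constructed sample payloads (not captured traffic).
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SMTP_BANNER = b"EHLO mail.example.com\r\n"


def _alert(**fields):
    """Serialise one constructed alert_json line (sample data only)."""
    return json.dumps(fields)


# Four constructed alert lines plus one truncated line, as can happen when
# Snort is still writing the file. Field names follow the searches on this
# page; "timestamp" is an assumed name for the alert_json time field.
SAMPLE_ALERT_JSON = "\n".join([
    _alert(timestamp="01/05-10:00:01.000001", src_ap="10.10.10.88:41222",
           dst_ap="203.0.113.5:80", src_addr="10.10.10.88",
           dst_addr="203.0.113.5", dst_port=80, rule="1:10000001:1",
           msg="HTTP request seen",
           b64_data=base64.b64encode(HTTP_REQUEST).decode("ascii")),
    _alert(timestamp="01/05-10:00:02.000001", src_ap="10.10.10.88:0",
           dst_ap="203.0.113.5:0", src_addr="10.10.10.88",
           dst_addr="203.0.113.5", dst_port=0, rule="1:10000000:1",
           msg="ICMP connection test"),
    _alert(timestamp="01/05-10:00:03.000001", src_ap="10.10.10.90:52001",
           dst_ap="198.51.100.25:25", src_addr="10.10.10.90",
           dst_addr="198.51.100.25", dst_port=25, rule="1:10000003:1",
           msg="SMTP session",
           b64_data=base64.b64encode(SMTP_BANNER).decode("ascii")),
    _alert(timestamp="01/05-10:00:04.000001", src_ap="10.10.10.91:41300",
           dst_ap="203.0.113.7:80", src_addr="10.10.10.91",
           dst_addr="203.0.113.7", dst_port=80, rule="1:10000001:1",
           msg="HTTP request seen", b64_data="not*valid*base64"),
    '{"timestamp": "01/05-10:00:05.000001", "src_ap": "10.10.',  # truncated
])


def parse_alerts(text):
    """Parse alert_json lines into dicts, skipping lines that are not complete JSON."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial line: Snort has not finished writing it yet
    return alerts


def alert_table(alerts):
    """Offline equivalent of '| table _time src_ap dst_ap msg'."""
    return [(a.get("timestamp"), a.get("src_ap"), a.get("dst_ap"), a.get("msg"))
            for a in alerts]


def count_by_dest(alerts):
    """Offline equivalent of '| stats count by dest', keyed on the raw dst_addr field."""
    return Counter(a["dst_addr"] for a in alerts if a.get("dst_addr"))


def decode_payloads(alerts, dst_port=80):
    """Offline equivalent of the cyberchef FromBase64 search for one destination port.

    Returns (rule, msg, decoded_text) per matching event. decoded_text is None
    when b64_data is absent or is not valid base64, so bad data is visible
    rather than silently dropped.
    """
    rows = []
    for a in alerts:
        if a.get("dst_port") != dst_port:
            continue
        raw = a.get("b64_data")
        decoded = None
        if raw:
            try:
                # validate=True rejects characters outside the base64 alphabet
                decoded = base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
            except (binascii.Error, ValueError):
                decoded = None
        rows.append((a.get("rule"), a.get("msg"), decoded))
    return rows


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERT_JSON)
    for row in alert_table(alerts):
        print(row)
    print(count_by_dest(alerts))
    for rule, msg, text in decode_payloads(alerts, dst_port=80):
        print(rule, msg, repr(text))
```

Point the script at /var/log/snort/alert_json.txt instead of the constructed sample to compare its counts with the Splunk search results; if the two disagree, the inputs.conf monitor path or the sourcetype is the first thing to check.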

2.17 Switching to the free license when the Splunk trial expires

Splunk is currently running in the free Enterprise trial mode, which lasts only 60 days. After that, the license is converted to the free mode, which is similar to the Enterprise mode but with some features removed. The features lost that matter here are login with a user name and password (anyone is allowed in), some cluster-related features, and the ability to deploy Splunk apps to other servers.

  • To change the license, click Settings in the upper right bar, then click Licensing.

  • Click Change license group. Select Free license, click Save, click Restart now, then click OK.

PS: at this point the Splunk Web interface can no longer be accessed from a remote computer. We will solve this with a reverse proxy in front of Splunk Web.

2.18 Reverse proxy for Splunk Web

With a free license, Splunk no longer protects access with a user name and password, and only allows access from the local computer (depending on whether you were connected locally when switching licenses). By setting up a reverse proxy, Apache listens on port 80 of the server, requires a password, and forwards authenticated connections to the Splunk interface.

  • Installing Apache and proxy modules
sudo apt-get install -y apache2 apache2-utils
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo systemctl restart apache2
  • Create a new user
sudo touch /etc/apache2/.htpasswd
sudo htpasswd /etc/apache2/.htpasswd <username>
  • Edit the Apache configuration file to set up a proxy listening on port 80
sudo vi /etc/apache2/sites-available/000-default.conf

Enter the following in this file. If you already have a <VirtualHost *:80> section, add the settings below to that section. This tells Apache to listen on port 80, require authentication (user/password from the .htpasswd file), and forward all authenticated connections to port 8000, where Splunk is listening.

<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>
  • Verify the Apache configuration
sudo apachectl -t

PS: you may get a warning about the server's FQDN; it can be ignored.

  • Restart Apache to load the changes
sudo systemctl restart apache2
  • Configure Splunk to accept connections only from the local computer (i.e. those forwarded by the proxy)
sudo vi /opt/splunk/etc/system/local/web.conf
  • Under the [settings] section, add the line server.socket_host = localhost (if the file is empty, add both of the following lines; otherwise add only the server.socket_host line to the existing [settings] section)
[settings]
server.socket_host = localhost
  • Restart Splunk to apply the changes
sudo service Splunkd restart

Now try connecting to the Splunk server on port 80: you will be prompted for your user name and password. If you try to connect to port 8000, the connection will be refused (unless you are connecting from the same computer).

2.19 OpenAppID (optional)

OpenAppID allows you to identify application-layer (layer 7) traffic, create rules that act on application-layer traffic (such as blocking Facebook), and record traffic statistics for each type of traffic detected.

OpenAppID is an optional feature of Snort. Enable it if you want to detect or block traffic types (Facebook, FTP, etc.), or collect volume metrics for each kind of traffic the Snort server sees.

With the help of the community, the Snort team has assembled a package of detectors that can be downloaded and installed, called the Application Detector Package.

  • Download the OpenAppID detector package and extract the file
cd ~/snort_src/
wget https://snort.org/downloads/openappid/15607 -O OpenAppId-15607.tgz
tar -xzvf OpenAppId-15607.tgz
sudo cp -R odp /usr/local/lib/

PS: if you get an error that the file does not exist, the Snort team may have updated the package. Browse to https://snort.org/downloads#openappid and download the snort-openappid.tar.gz file.

Next, download the Snort Extras repository, which contains additional inspectors and plug-ins, including appid_listener, which allows AppID statistics to be written out in JSON format:

cd ~/snort_src/
git clone https://github.com/snort3/snort3_extra.git
cd ./snort3_extra/
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
./configure_cmake.sh --prefix=/usr/local
cd build
make
sudo make install
  • Next, edit the Snort configuration file to point to the odp directory
sudo vi /usr/local/etc/snort/snort.lua

Find the following section in the "configure inspection" part of the file and make the following changes (modify the appid section and add a new appid_listener section):

appid =
{
    app_detector_dir = '/usr/local/lib',
}

appid_listener =
{
    json_logging = true,
    file = "/var/log/snort/appid-output.log",
}

PS: now that the changes have been made, verify the snort.lua file as described above.

  • Add a new rule to the local.rules file that will detect Facebook traffic
alert tcp any any -> any any ( msg:"Facebook Detected"; appids:"Facebook"; sid:10000002; metadata:policy security-ips alert; )
  • Test whether the snort_extra plug-ins can be loaded (which requires an additional command-line option) and whether the new rule is formatted correctly
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules \
--plugin-path=/usr/local/lib/snort_extra

Fix all errors before continuing. The --plugin-path parameter tells Snort to load the additional plug-ins from the snort_extra package, including the appid_listener plug-in.

  • First, run PulledPork to recreate the snort.rules file (now including the new rule); this also reloads Snort
sudo /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -H SIGHUP
  • Second, modify the systemd Snort unit so that it loads the plug-in directory containing appid_listener
sudo vi /lib/systemd/system/snort3.service
  • Add the --plugin-path option
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 \
-k none -l /var/log/snort -D -u snort -g snort -i ens3 -m 0x1b --create-pidfile \
--plugin-path=/usr/local/lib/snort_extra
  • Reload the systemd unit, restart Snort, and verify that the service is running
sudo systemctl enable snort3
sudo service snort3 restart
service snort3 status
  • Generate some Facebook traffic (wget facebook.com) and you will see an alert written to Splunk (and to the JSON log file)
sourcetype="snort3:alert:json" msg="Facebook Detected"
  • You will also see a new file in the log directory, /var/log/snort/appid-output.log, which contains traffic statistics in JSON format:
{
  "session_num": "0.58",
  "pkt_time": "2020-12-19 09:51:46.540562",
  "pkt_num": 1665,
  "apps": { "service": "HTTPS", "client": "SSL client", "payload": "Facebook", "misc": null, "referred": null },
  "proto": "TCP",
  "client_info": { "ip": "10.10.10.88", "port": 33942, "version": null },
  "service_info": { "ip": "185.60.216.35", "port": 443, "version": null, "vendor": null },
  "user_info": { "id": 0, "username": null, "login_status": "n/a" },
  "tls_host": "www.facebook.com",
  "dns_host": null,
  "http": { "http2_stream": null, "host": null, "url": null, "user_agent": null, "response_code": null, "referrer": null }
}
  • The service field shows which service was detected for this traffic. To configure Splunk to read the AppID statistics, you next configure the Snort 3 JSON Alerts plug-in to tell Splunk where the OpenAppID log file is stored, again from the command line with the configuration file
sudo vi /opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf
  • Add the following text to this inputs.conf file (do not delete the existing alert stanza)
[monitor:///var/log/snort/*appid-output.log*]
sourcetype = snort3:openappid:json
  • Restart Splunk
sudo service Splunkd restart
  • Now search for the OpenAppID data in Splunk
search sourcetype="snort3:openappid:json"
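To see what the appid_listener output contains without going through Splunk, the following Python script (an added example, not code from the original post or from the snort3_extra project) summarises appid-output.log records: sessions per detected application, the client IPs that produced them, and the TLS host names observed. It uses the payload application where AppID identified one and falls back to the service (HTTPS, DNS, ...) where payload is null, which is the same distinction the service field explanation above makes. The sample records are constructed to match the layout of the log line shown above and use documentation IP addresses; they are not real captures.

```python
import json
from collections import Counter, defaultdict


def _session(client_ip, service, client, payload, tls_host, service_ip, service_port, proto="TCP"):
    """Build one constructed appid_listener record in the layout shown above (sample data only)."""
    return json.dumps({
        "session_num": "0.1", "pkt_time": "2020-12-19 09:51:46.540562", "pkt_num": 1,
        "apps": {"service": service, "client": client, "payload": payload,
                 "misc": None, "referred": None},
        "proto": proto,
        "client_info": {"ip": client_ip, "port": 33942, "version": None},
        "service_info": {"ip": service_ip, "port": service_port, "version": None, "vendor": None},
        "user_info": {"id": 0, "username": None, "login_status": "n/a"},
        "tls_host": tls_host, "dns_host": None,
        "http": {"http2_stream": None, "host": None, "url": None, "user_agent": None,
                 "response_code": None, "referrer": None},
    })


# Constructed sample log: two Facebook sessions from different clients, one DNS
# lookup with no payload app, and one plain HTTP fetch. IPs are documentation
# ranges, not real hosts.
SAMPLE_APPID_LOG = "\n".join([
    _session("10.10.10.88", "HTTPS", "SSL client", "Facebook", "www.facebook.com", "203.0.113.10", 443),
    _session("10.10.10.90", "HTTPS", "SSL client", "Facebook", "www.facebook.com", "203.0.113.11", 443),
    _session("10.10.10.88", "DNS", None, None, None, "10.10.10.1", 53, proto="UDP"),
    _session("10.10.10.91", "HTTP", "Wget", None, None, "198.51.100.25", 80),
])


def parse_appid_log(text):
    """One JSON object per line, as appid_listener writes them with json_logging = true."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def app_name(record):
    """Most specific application name: payload, else service, else 'unknown'.

    AppID leaves payload null when it only recognised the protocol, so the
    service name is the best label available in that case.
    """
    apps = record.get("apps") or {}
    return apps.get("payload") or apps.get("service") or "unknown"


def summarize_sessions(records):
    """Count sessions per application and collect the clients and TLS hosts seen for each."""
    sessions = Counter()
    clients = defaultdict(set)
    hosts = defaultdict(set)
    for record in records:
        name = app_name(record)
        sessions[name] += 1
        client_ip = (record.get("client_info") or {}).get("ip")
        if client_ip:
            clients[name].add(client_ip)
        if record.get("tls_host"):
            hosts[name].add(record["tls_host"])
    return {
        "sessions_by_app": sessions,
        "clients_by_app": {app: sorted(ips) for app, ips in clients.items()},
        "hosts_by_app": {app: sorted(names) for app, names in hosts.items()},
    }


if __name__ == "__main__":
    summary = summarize_sessions(parse_appid_log(SAMPLE_APPID_LOG))
    for app, count in summary["sessions_by_app"].most_common():
        print(f"{app:10} sessions={count} clients={summary['clients_by_app'].get(app, [])} "
              f"tls_hosts={summary['hosts_by_app'].get(app, [])}")
```

Running it against /var/log/snort/appid-output.log gives the same per-application breakdown that a `stats count by` search over sourcetype snort3:openappid:json produces in Splunk, which is a quick way to confirm that the inputs.conf stanza above is picking up the right file.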

Reference link:

https://www.cnblogs.com/thresh/p/14949405.html

https://www.itdaan.com/blog/2018/02/08/4fc7764b521e10bb0444c926c5472a27.html

I smiled at the sky with my horizontal knife, leaving two Kunlun Mountains

Topics: Cyber Security penetration test Information Security