Security Measures With Snort IDS

Maciej
7 min read · Aug 17, 2020


Introduction

This article describes Snort IDS as a security measure for Linux.

Snort is an open source network IDS. It can be used free of charge under the GPL license. It is still under active development, and the latest community rule set can be downloaded and used for free.

Build Snort

Snort is provided as source code, so you need to download the source and build it yourself.

If the libraries it depends on (which vary with the environment) are not installed, configure will fail and you will have to identify and install the dependencies yourself. This article explains how to build Snort using CentOS 7 as an example. The Snort and dependency versions are those current at the time of writing.

Environment for this article: CentOS Linux 7.7

Snort build steps:

  • Install Development Tools
[root@centos7 vagrant]# yum groupinstall "Development tools" -y
  • Install tcpdump
[root@centos7 vagrant]# yum install tcpdump -y
  • Change directory
[root@centos7 vagrant]# cd /usr/local/src/
  • Download snort
[root@centos7 src]# wget https://www.snort.org/downloads/snort/snort-2.9.16.1.tar.gz
--2020-08-11 18:43:25-- https://www.snort.org/downloads/snort/snort-2.9.16.1.tar.gz
Resolving www.snort.org (www.snort.org)... 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, ...
Connecting to www.snort.org (www.snort.org)|104.18.138.9|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/014/551/original/snort-2.9.16.1.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200811%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200811T184326Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=9b0ac9421d65f630f4e803c1200047d0fd081951159cf0ad2fde3297f4705f5d [following]
--2020-08-11 18:43:26-- https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/014/551/original/snort-2.9.16.1.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200811%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200811T184326Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=9b0ac9421d65f630f4e803c1200047d0fd081951159cf0ad2fde3297f4705f5d
Resolving snort-org-site.s3.amazonaws.com (snort-org-site.s3.amazonaws.com)... 52.216.236.35
Connecting to snort-org-site.s3.amazonaws.com (snort-org-site.s3.amazonaws.com)|52.216.236.35|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6947960 (6.6M) [binary/octet-stream]
Saving to: ‘snort-2.9.16.1.tar.gz’
100%[==================================================================================================>] 6,947,960 3.48MB/s in 1.9s
2020-08-11 18:43:29 (3.48 MB/s) - ‘snort-2.9.16.1.tar.gz’ saved [6947960/6947960]
  • Extract
[root@centos7 src]# tar xzvf snort-2.9.16.1.tar.gz
  • Change directory
[root@centos7 src]# cd snort-2.9.16.1/
  • Configure snort
[root@centos7 snort-2.9.16.1]# ./configure

⚠️ If CentOS 7 was installed with the minimal configuration, configure will fail with an error like this:

checking for pfring_open in -lpcap... no
ERROR!  Libpcap library/headers (libpcap.a (or .so)/pcap.h)
not found, go get it from http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place. Also check if your libpcap depends on another
shared library that may be installed in an unusual place

Below I describe how to install the required libraries for each error that configure reports when run in the Snort directory.

Missing library: libpcap

  • Download libpcap
[root@centos7 snort-2.9.16.1]# wget http://www.tcpdump.org/release/libpcap-1.9.1.tar.gz
--2020-08-11 18:50:24-- http://www.tcpdump.org/release/libpcap-1.9.1.tar.gz
Resolving www.tcpdump.org (www.tcpdump.org)... 198.199.88.104, 192.139.46.66, 2604:a880:400:d0::2221:3001, ...
Connecting to www.tcpdump.org (www.tcpdump.org)|198.199.88.104|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 861228 (841K) [application/octet-stream]
Saving to: ‘libpcap-1.9.1.tar.gz’
100%[==================================================================================================>] 861,228 953KB/s in 0.9s
2020-08-11 18:50:26 (953 KB/s) - ‘libpcap-1.9.1.tar.gz’ saved [861228/861228]
  • Extract
[root@centos7 snort-2.9.16.1]# tar xzvf libpcap-1.9.1.tar.gz
  • Change directory
[root@centos7 snort-2.9.16.1]# cd libpcap-1.9.1/
  • Configure, make and make install
[root@centos7 libpcap-1.9.1]# ./configure && make && make install

⚠️ If we run Snort's configure again, we will see an error like this:

checking for pcap_lib_version... yes
./configure: line 15614: pcre-config: command not found
./configure: line 15620: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no
ERROR! Libpcre header not found.
Get it from http://www.pcre.org

Missing library: libpcre

  • Download libpcre
[root@centos7 snort-2.9.16.1]# wget ftp://ftp.pcre.org/pub/pcre/pcre2-10.34.tar.gz
  • Extract
[root@centos7 snort-2.9.16.1]# tar xzvf pcre2-10.34.tar.gz
  • Change directory
[root@centos7 snort-2.9.16.1]# cd pcre2-10.34/
  • Configure, make and make install
[root@centos7 pcre2-10.34]# ./configure && make && make install

⚠️ If we run Snort's configure again, we still see the same error, because Snort 2.9 looks for the original PCRE library (pcre.h and pcre-config), not PCRE2:

./configure: line 15614: pcre-config: command not found
./configure: line 15620: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no
ERROR! Libpcre header not found.
Get it from http://www.pcre.org

Missing library: pcre-devel

  • Install pcre-devel
[root@centos7 snort-2.9.16.1]# yum install -y pcre-devel

⚠️ If we run Snort's configure again, we will see an error like this:

checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no
ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*
options, if you have it installed in an unusual place

Missing libraries: libdnet and libdnet-devel

  • Install libdnet and libdnet-devel
[root@centos7 snort-2.9.16.1]# yum install -y libdnet libdnet-devel

⚠️ If we run Snort's configure again, we will see an error like this:

checking for eth_set in -ldumbnet... no
checking for dlsym in -ldl... yes
./configure: line 16267: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no
ERROR! daq_static library not found, go get it from
http://www.snort.org/.

Missing library: daq

  • Download daq
[root@centos7 snort-2.9.16.1]# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
  • Extract
[root@centos7 snort-2.9.16.1]# tar xvzf daq-2.0.7.tar.gz
  • Change directory
[root@centos7 snort-2.9.16.1]# cd daq-2.0.7
  • Configure, make and make install
[root@centos7 daq-2.0.7]# ./configure && make && sudo make install

⚠️ An error occurs during make:

/usr/local/src/daq-2.0.7/missing: line 81: aclocal-1.15: command not found
WARNING: 'aclocal-1.15' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<http://www.gnu.org/software/automake>
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
<http://www.gnu.org/software/autoconf>
<http://www.gnu.org/software/m4/>
<http://www.perl.org/>

We must run autoreconf and build again; we must also add /usr/local/bin to PATH:

[root@centos7 daq-2.0.7]# autoreconf && ./configure && make && make install && export PATH=$PATH:/usr/local/bin

⚠️ If we run Snort's configure again, we will see an error like this:

checking zlib.h usability... no
checking zlib.h presence... no
checking for zlib.h... no

ERROR! zlib header not found, go get it from
http://www.zlib.net

Missing library: zlib

  • Install zlib
[root@centos7 snort-2.9.16.1]# yum install -y zlib zlib-devel

⚠️ If we run Snort's configure again, we will see an error like this:

checking for luajit... no

ERROR! LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

Missing library: luajit-devel

  • Install luajit-devel
[root@centos7 snort-2.9.16.1]# yum install -y luajit-devel.x86_64

⚠️ If we run Snort's configure again, we will see an error like this:

checking openssl/x509.h usability... no
checking openssl/x509.h presence... no
checking for openssl/x509.h... no

ERROR! openssl/x509.h or openssl library not found.
Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

Missing library: openssl-devel

  • Install openssl-devel
[root@centos7 snort-2.9.16.1]# yum install openssl-devel.x86_64 -y

That was the last missing dependency; Snort's configure finally finishes normally. The following is run in the Snort directory.

  • Configure, make and make install Snort
[root@centos7 snort-2.9.16.1]# ./configure && make && make install

Snort settings

After installing Snort, a few settings need to be configured.

  • Create the snort user
[root@centos7 snort-2.9.16.1]# useradd snort
  • Copy snort configuration
[root@centos7 snort-2.9.16.1]# cp rpm/snort.sysconfig /etc/sysconfig/snort
  • Now we can edit the Snort config and change the value of INTERFACE to the name of your interface.
[root@centos7 snort-2.9.16.1]# nano /etc/sysconfig/snort
Change:
< INTERFACE=enp0s8
---
> INTERFACE=eth0
  • Creating a startup script

The startup script expects the binary at /usr/sbin/snort, which differs from the installed path (/usr/local/bin/snort), so create a symbolic link.

Copy the startup script, make it executable, then create the symbolic link:

[root@centos7 snort-2.9.16.1]# cp rpm/snortd /etc/init.d/
[root@centos7 snort-2.9.16.1]# chmod 755 /etc/init.d/snortd
[root@centos7 snort-2.9.16.1]# ln -s /usr/local/bin/snort /usr/sbin/snort
  • Setup Snort rules

In security software and IDS generally, the characteristic access pattern of an attacker is called a signature. Snort detects malicious packets by matching them against the signatures described in the ruleset (rule file). The community version of the ruleset on the official site is free to use.

[root@centos7 snort-2.9.16.1]# cd /tmp
[root@centos7 tmp]# wget https://www.snort.org/downloads/community/community-rules.tar.gz
[root@centos7 tmp]# tar xzvf community-rules.tar.gz
[root@centos7 tmp]# cd community-rules
[root@centos7 community-rules]# mkdir -p /etc/snort/rules
[root@centos7 community-rules]# cp sid-msg.map /etc/snort/
[root@centos7 community-rules]# cp community.rules /etc/snort/rules/
[root@centos7 community-rules]# chown -R snort.snort /etc/snort
  • Setup Logs
[root@centos7 community-rules]# mkdir /var/log/snort
[root@centos7 community-rules]# chown -R snort.snort /var/log/snort
[root@centos7 community-rules]# cd /usr/local/src/snort-2.9.16.1
[root@centos7 snort-2.9.16.1]# cp rpm/snort.logrotate /etc/logrotate.d/snort
  • Edit /etc/snort/snort.conf
[root@centos7 snort-2.9.16.1]# cp etc/snort.conf /etc/snort/snort.conf
[root@centos7 snort-2.9.16.1]# nano /etc/snort/snort.conf

Simple configuration (note that Snort only loads the rule files included here, so the community.rules copied above is not active unless it is also included):

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.123.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
include $RULE_PATH/local.rules

Set promiscuous mode so that packets addressed to other hosts are also received. Add the PROMISC setting (PROMISC=yes) to the interface file:

[root@centos7 snort-2.9.16.1]# nano /etc/sysconfig/network-scripts/ifcfg-eth0

Snort operation check

Create a rule for verification and check the operation. In this article, ping detection is performed as an example.

Edit Rule File

Rule files are stored under /etc/snort/rules. This section describes the rule file format.

A signature in the rule file consists of a rule header and a rule body.

Rule header: rule action / protocol / source IP address / source port / direction operator / destination IP address / destination port
Rule body: options in parentheses (optional)

There are the following types of rule actions:

  • Edit local.rules and create example rule
[root@centos7 rules]# nano /etc/snort/rules/local.rules
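As an added illustration (not part of the original article), the following Python checker parses the header and body structure just described and flags the mistakes that most often break a local rule: an unknown action or protocol, an undefined $VAR, or a missing sid / a sid in the official range. The ACTIONS and PROTOCOLS sets follow the Snort 2.9 manual, KNOWN_VARS lists the ipvars from the snort.conf above, and PING_RULE is a constructed example rule for local.rules.

```python
import re
# Rule actions and protocols accepted by Snort 2.9 (per the manual).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# ipvars defined in the snort.conf shown above; any other $VAR is undefined.
KNOWN_VARS = {"HOME_NET", "EXTERNAL_NET"}

# Header: action proto src sport dir dst dport, then the body in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# One body option: keyword, optional ":value" (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule):
    """Split a rule into its header fields plus an 'options' dict from the body."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    options = {}
    for key, value in OPTION_RE.findall(fields.pop("body")):
        options.setdefault(key, []).append(value.strip().strip('"'))
    fields["options"] = options
    return fields

def check_rule(rule):
    """Return a list of problems with one rule; an empty list means it looks sane."""
    r = parse_rule(rule)
    problems = []
    if r["action"] not in ACTIONS:
        problems.append("unknown action %s" % r["action"])
    if r["proto"] not in PROTOCOLS:
        problems.append("unknown protocol %s" % r["proto"])
    for field in ("src", "sport", "dst", "dport"):
        var = r[field].lstrip("!$")
        if r[field].lstrip("!").startswith("$") and var not in KNOWN_VARS:
            problems.append("undefined variable $%s in %s" % (var, field))
    if "msg" not in r["options"]:
        problems.append("missing msg")
    if "sid" not in r["options"]:
        problems.append("missing sid")
    elif int(r["options"]["sid"][0]) < 1000000:
        problems.append("sid below 1000000 is reserved for official rules")
    return problems

# Constructed example content for local.rules: the ping (ICMP echo request) rule.
PING_RULE = ('alert icmp any any -> $HOME_NET any '
             '(msg:"ICMP ping detected"; itype:8; sid:1000001; rev:1;)')
```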

⚠️ You need to restart snort after editing the rules.

Snort start confirmation

The -D option is specified in the default startup script, so when the startup script is executed Snort starts in daemon mode.

  • Start snort
[root@centos7 rules]# /etc/init.d/snortd start
Reloading systemd: [ OK ]
Starting snortd (via systemctl): [ OK ]

Check the syslog to make sure there are no errors at startup.

If it has started normally, the following processes can be confirmed.

[root@centos7 rules]# ps aux | grep snort | grep -v grep
snort 2335 0.0 3.0 91532 30712 ? Ssl 10:36 0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

You can also start it in sniffer mode as follows, but in sniffer mode processing takes time, so I think it is basically not used except for operation checks.

Validation of rules file (local.rules)

Start ping from another terminal. You can confirm that the ICMP packet is detected by looking at the following log.

[root@centos7 snort]# tail -f /var/log/snort/alert
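The alert lines themselves are not reproduced above, so here is an added Python example (not from the original article) that parses the -A fast alert format the startup script uses and summarises hits per rule and per source host. SAMPLE_ALERT_LOG is a constructed sample of /var/log/snort/alert with made-up addresses and sids; IPv4 endpoints are assumed when splitting host:port.

```python
import re
from collections import Counter

# "-A fast" alert line (the startup script above runs snort with -A fast):
#   ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for end in ("src", "dst"):
        # TCP/UDP endpoints are written host:port; ICMP has no ports (IPv4 assumed).
        if a["proto"] in ("TCP", "UDP"):
            host, _, port = a[end].rpartition(":")
            a[end], a[end + "_port"] = host, int(port)
        else:
            a[end + "_port"] = None
    return a

def summarize(text):
    """Count alerts per (sid, msg) and per source host; report lines that did not parse."""
    by_rule, by_src, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        by_rule[(int(a["sid"]), a["msg"])] += 1
        by_src[a["src"]] += 1
    return {"by_rule": by_rule, "by_src": by_src, "skipped": skipped}

# Constructed sample of /var/log/snort/alert: three pings from one host matching a
# local ICMP rule, plus one hit on a made-up second local rule (all values invented).
SAMPLE_ALERT_LOG = """\
08/17-10:40:12.103452  [**] [1:1000001:1] ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.123.1 -> 192.168.123.10
08/17-10:40:13.104001  [**] [1:1000001:1] ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.123.1 -> 192.168.123.10
08/17-10:40:14.104512  [**] [1:1000001:1] ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.123.1 -> 192.168.123.10
08/17-10:41:02.551230  [**] [1:1000002:1] Telnet to HOME_NET [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.123.10:23
"""
```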

Conclusion

Installing Snort is difficult, but the real work comes in operation: tuning the rule set and checking for abnormalities in huge logs.


Thanks for reading !


Written by Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.