Hello! I built a router using an RPi 3 Model B with OpenWrt as its OS. I also installed snort and nmap, and scanned a port using nmap. Now I want to know whether snort detected this scan, so I typed cat /var/log/snort/alert, but it turns out that snort does not exist under /var/log. What can I do? Is there any other way to know if the scan was detected, or to make this directory exist?
Look in /tmp or study the config.
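The two things the reply above suggests, checking the likely output directories and reading the config, can be scripted. The following is an added example, not code from the thread or from the OpenWrt snort package: it walks a list of candidate directories for files that look like Snort alert output and counts the alert lines that refer to a port scan. The candidate directory names and the alert lines in the demo are assumptions (the demo lines are constructed in the Snort "alert_fast" style; gid 122 is the port-scan preprocessor/module in both Snort 2 and Snort 3), so confirm the real output path from your own snort configuration.

```shell
#!/bin/sh
# Added example: locate Snort alert output and count port-scan alerts in it.
# Directory names passed to find_alert_files are assumptions about where an
# OpenWrt Snort install might write; check the snort config for the real one.

# find_alert_files DIR... -> prints paths of files that look like Snort alert logs
find_alert_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 2 -type f \
            \( -name 'alert' -o -name 'alert_*' -o -name 'alert.*' \) 2>/dev/null
    done
}

# count_scan_alerts FILE... -> number of alert lines that mention a port scan.
# Matches the "portscan" message text of Snort 2 sfportscan and Snort 3 port_scan,
# and the "[122:" generator id both use for scan alerts.
count_scan_alerts() {
    [ $# -gt 0 ] || { echo 0; return 0; }
    cat "$@" 2>/dev/null | grep -ciE 'portscan|port scan|\[122:' || true
}

# Constructed demo directory standing in for /var/log/snort or /tmp/snort on the
# router. The alert lines are illustrative, not captured output.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/snort"
cat > "$DEMO/snort/alert_fast.txt" <<'EOF'
02/10-12:00:01.000001  [**] [1:1000001:1] "constructed test rule" [**] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.1
02/10-12:00:05.000002  [**] [122:1:1] "(port_scan) TCP portscan" [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.1
02/10-12:00:06.000003  [**] [122:1:1] "(port_scan) TCP portscan" [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.1
EOF

# On the router you would run something like:
#   find_alert_files /var/log/snort /tmp/snort /tmp
# Here only the constructed directory is searched so the result is reproducible.
FILES=$(find_alert_files "$DEMO/snort")
echo "alert files: $FILES"
echo "port-scan alerts: $(count_scan_alerts $FILES)"
```

If find_alert_files prints nothing, Snort is not writing file alerts anywhere you looked; if it finds a file but the count is zero, the port-scan module may be disabled in the config, or the scan never crossed an interface Snort is listening on (a scan between two hosts on the same LAN segment never reaches the router).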
What version of snort are you running?
$ opkg info snort3
Package: snort3
Version: 3.1.81.0-2 <-- What is this number?
...
Here is the current version:
Sorry, I don't know anything about old snort 2; it was dropped from the repos a couple of months ago and has no OpenWrt documentation. I'd suggest deleting it and installing snort3, which has ongoing support.
I've tried to, but I couldn't (even after running opkg update).
Post the output from the ubus call system board command.
While this is not my thread/issue (and I don't use snort), I'm running 23.05.2 on a Pi 4 with the standard repos (nothing added or removed)... I also see snort 2.9.19-2:
root@openwrt:~# ubus call system board
{
    "kernel": "5.15.137",
    "hostname": "openwrt",
    "system": "ARMv8 Processor rev 3",
    "model": "Raspberry Pi 4 Model B Rev 1.1",
    "board_name": "raspberrypi,4-model-b",
    "rootfs_type": "ext4",
    "release": {
        "distribution": "OpenWrt",
        "version": "23.05.2",
        "revision": "r23630-842932a63d",
        "target": "bcm27xx/bcm2711",
        "description": "OpenWrt 23.05.2 r23630-842932a63d"
    }
}
root@openwrt:~# opkg list | grep snort
snort - 2.9.19-2 - Snort is an open source network intrusion detection and prevention system. It is capable of performing real-time traffic analysis, alerting, blocking and packet logging on IP networks. It utilizes a combination of protocol analysis and pattern matching in order to detect anomalies, misuse and attacks.
Maybe snort 3 is only in snapshot?
Then something needs to be reconciled, because OpenWrt's Snort page has this to say:
Packages for both Snort 2.x as well as Snort 3.x are currently available. This page is focused exclusively on the 3.x series.
As of January 2024, Snort 2 was removed from SNAPSHOT. Snort 2 remains as a legacy package in 23.05 and earlier releases, but likely without any maintenance updates.
Doesn't that confirm exactly those observations? Snort 2 was removed from snapshot in Jan 2024, but remains in 23.05.
I suppose I do not understand 'Snapshot', because I thought it meant the firmware was still a WIP and had little to do with the packages that can be added?
Regardless: @MoonnMoon is having trouble getting it installed.
See the branch logic at the bottom of this page:
https://openwrt.org/about/history#branch_logic
It appears to me that snort 3 is not available on the 23.05 releases to date.
I know this is not your responsibility so my
was not meant to say 'go fix this'; just that it is confusing why @efahl appears to have Snort3 installed.
Sorry if I came across like I meant it was your fault in any way.
Although I don’t know for sure, I’ll posit a guess that @efahl is running snapshot.
Snort (really Snort 2.9.x) was introduced waaay back and removed from snapshot recently due to lack of maintenance (and it's pretty obsolete).
Snort3 was introduced in 19.07 (https://github.com/openwrt/packages/tree/openwrt-19.07/net/snort3) and should be present in all releases since then.
But... I see it in 19.07 through 22.03, but not in 23.05, yet it reappears in snapshot.
https://downloads.openwrt.org/releases/19.07.1/packages/x86_64/packages/snort3_3.1.0.0-3_x86_64.ipk
https://downloads.openwrt.org/releases/22.03.6/packages/x86_64/packages/snort3_3.1.18.0-1_x86_64.ipk
What is going on here? The 23.05 branch looks fine, and it has no failure log entry on that branch. The Makefile appears to be complete and correct (it's even getting backports on version updates).
https://github.com/openwrt/packages/blob/openwrt-23.05/net/snort3/Makefile
Is there any other package to detect a port scan on the network?
My fear is a device could be compromised and doing a port scan on my LAN.
Are you worried about a port scan from a host inside your network with targets of the other hosts on the same network?
Yes. If one of my DMZ servers gets infected, I'd like OpenWrt to detect a port scan on the local network.
That is not possible if they are on the same L2 network. The router is not involved unless the traffic is L3 (routed).
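To make the L2/L3 point concrete: the only scan traffic the router can see is what passes through it, which on OpenWrt shows up in the conntrack table. The following added example (not code from the thread or from any OpenWrt package) runs a simple scan heuristic over conntrack-style records, flagging any source that has touched at least a threshold number of distinct destination ports. The records are constructed in the /proc/net/nf_conntrack line format for illustration; note that a scan from 192.168.1.50 against another 192.168.1.x host on the same bridge would produce no conntrack entries at all, which is exactly why the router cannot detect it.

```shell
#!/bin/sh
# Added example: a minimal router-side port-scan heuristic over conntrack records.
# scan_sources FILE THRESHOLD -> prints "src distinct_ports" for every source
# address that appears with at least THRESHOLD distinct destination ports.
scan_sources() {
    awk -v thr="$2" '
    {
        # Take the first src= and dport= on the line (the original direction).
        src = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src != "" && dport != "" && !((src SUBSEP dport) in seen)) {
            seen[src SUBSEP dport] = 1
            ports[src]++
        }
    }
    END {
        for (s in ports) if (ports[s] >= thr) print s, ports[s]
    }' "$1"
}

# Constructed conntrack-style records (not a real capture): a DMZ host
# 192.168.1.50 probing twelve ports on a routed host 10.0.0.5, plus one normal
# client 192.168.1.20 talking to two ports. On a live router you would use:
#   scan_sources /proc/net/nf_conntrack 10
FLOWS=$(mktemp)
{
    for p in 21 22 23 25 53 80 110 139 143 443 445 3389; do
        printf 'ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.50 dst=10.0.0.5 sport=4%04d dport=%s [UNREPLIED] src=10.0.0.5 dst=192.168.1.50 sport=%s dport=4%04d mark=0 use=2\n' "$p" "$p" "$p" "$p"
    done
    printf 'ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=10.0.0.5 sport=51000 dport=443 src=10.0.0.5 dst=192.168.1.20 sport=443 dport=51000 [ASSURED] mark=0 use=2\n'
    printf 'ipv4     2 udp      17 29 src=192.168.1.20 dst=10.0.0.5 sport=51001 dport=53 src=10.0.0.5 dst=192.168.1.20 sport=53 dport=51001 mark=0 use=2\n'
} > "$FLOWS"

echo "sources over threshold:"
scan_sources "$FLOWS" 10
```

The threshold and the "distinct ports per source" measure are the same idea Snort's port-scan module uses in a more refined form (with time windows and response tracking); the example's purpose is to show what a router-side check has to work with, and that it is blind to same-segment scans by construction.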