How to configure Snort for intrusion prevention?

evadon · August 25, 2019, 1:26pm

Hi everyone,

I tried snort in openwrt but its not working. Its giving error.

i did

opkg install snort

and configured . I added "include community.rules" too.

and at last executed

snort -c "snort.conf" -i "lo" --daq-dir /usr/lib/daq

and it showed this error.

HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 2688
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
ERROR: snort.conf(326) => Invalid keyword '}' for server configuration.
Fatal Error, Quitting..
root@OpenWrt:/etc/snort#

Any help would be appreciated..

Thanking you in advance.

evadon · August 25, 2019, 1:47pm

Or if is there any alternate way tto Snort intrusion prevention then please tell.

Intrusion prevention like arpspoof attack, ddos attack, wifi deauth attack, ping, port scan etc.. I want to block all these on openwrt.

diizzy · August 25, 2019, 2:44pm

fwiw, unless your device has at least 512Mbyte you're going to run into memory issues.

evadon · August 25, 2019, 3:07pm

sorry i dont have 512Mbytes. So is there any other tool for such detection/prevention on openwrt ?

slh · August 25, 2019, 3:18pm

What you're trying to accomplish is very performance intensive by the nature of it, even 512 MB RAM is borderline.

lleachii · August 25, 2019, 10:19pm

@evadon, wait..."intrusion prevention"...Snort has block capability in OpenWrt?

I thought it only alerts.

If so, can you tell us how?

What's on line 326 of the snort.conf file? Just a bracket?

I've ran Snort on a VM (pfSense) , perhaps I need to do more testing. I usually spin up router VMs with 256 MB. If the OP were to load a lot of rules, I'd definitely agree.

tapper · August 25, 2019, 10:24pm

Have a look at banip

evadon · August 26, 2019, 3:32am

Banip ? ok I m looking into it.

evadon · August 27, 2019, 4:05am

there is no such package "banip"

tmomas · August 27, 2019, 5:31am

diizzy · August 27, 2019, 6:49am

banIP isn't even remotely close to Snort (or Suricata for that matter) as they do completely different things as @lleachii pointed out earlier.

tapper · August 27, 2019, 8:57am

Are you sure?

tapper · August 27, 2019, 9:23am

I know that banip is not Snort (or Suricata, but I think it is the best thing to use if you don't have a device with a lot of memmory. People mostly use Snort (or Suricata on X86 boxs I think.

coyote1abe · November 7, 2019, 2:59am

Has anyone been able to get snort running on openwrt 18.6.04, I have tried everything and nothing, it won't even recognize the snort.conf file at startup.
Here is a picture of the response, what am I doing wrong on the configuration?

lleachii · November 8, 2019, 5:11pm

Have you checked file permissions to the directory and file?

ltreborn · December 18, 2019, 3:43am

Hello, I would like to ask... Btw, can you configure snort to block malicious packet?
I am finding the solution too. If you can do it, could you please tell me?

fenix1o1 · March 31, 2020, 1:52pm

Hi, after two weeks of tweaking and some frustration, I did get to run snort in openwrt (19.07.2, on a Zyxel Armor Z2, it has 512MB of RAM, this is important as I'll explain later).

the command that you are trying to execute:

it only activates snort in IDS mode using DAQ in passive mode.

in order to activate snort in IPS mode (Intrusion Prevention) you need to be able to run it in inline mode, which in OpenWRT you only have "AFPACKET" to run it, BUT, this is pretty hard on the RAM, I only get about 25MB of free RAM on average when running snort in inline mode with all of my other configuration in place (VPN Server and client, DPI, are the next more intensive after snort, and dont come even close to the RAM demands of snort 6% and 8% respectively). Snort by itself is consuming 48% of my RAM, and that is after getting a lot of rules out just running with the bare minimum.

It is important to note, that even in IDS snort is pretty intensive, where it gobbles a hefty 41% of RAM with the same ruleset that is used in inline, the difference is due to the preprocessors that are the ones that do the trick for inline mode.

The command to execute snort in IPS (afpacket, in inline mode) if you have the resources is:

snort -de -Q -i eth0:eth1 --daq afpacket --daq-dir /usr/lib/daq -c "/etc/snort/snort.conf"

where:

"-Q" is for "inline mode";
"-i eth0:eth1" is for the pair of interfaces required for afpacket, depending on your configuration could be other interfaces but it is required always to be in pair.;
"--daq afpacket", indicates that the DAQ to use is "afpacket", "pcap", can only run in passive mode (IDS), and IPFW only supports IP4 traffic, and requires that you define the ports you want it to listen (so just keep it on afpacket if you have a mixed environment;
"--daq-dir /usr/lib/daq" is where the daq components are installed; and lastly,
"-c "/etc/snort/snort.conf" " is to indicates where ths snort configuration file is.

keep in mind that running this command if it works, then you need to make it the default mode when ever the router is started, you need to modify the snort file on "/etc/init.d/", in the "#start_snort_instance", the "procd_set_param command" line.

wrapping up, SNORT in openwrt, whether in IDS or IPS mode it requires a lot of memory, 512MB at minimum (256MB just wont work) for even a very stripped version, curiously it does not impact to much the processor, but there is a small caveat, it tends to "eat" some of the bandwidth, but is normal for an IPS, all that said, it is possible to run snort in IPS mode in openwrt, but just with the required hardware.

PS. keep in mind that you need to keep an eye on the logs, it can become a headache eating your precious space in the router, and It is not worth it to have snort run without the logs, because what is the purpose then? you could define a process to periodicaly download the log file, or just generate the log on a remote destination, probably syslog-ng could be useful for that matter, or if your router allows it, attach a usbstick, format it for use in openwrt and your all set.

hope this is useful.

VM.

erdoukki · August 31, 2020, 5:17pm

Thx, I have it working on a mvebu espressobin board v7 :

snort -de -Q -i wan:br-lan --daq afpacket --daq-dir /usr/lib/daq -c /etc/snort/snort.conf

How can I test it is working well ?
I have installed community rules but do not snort at all... thanks for tips or any helpful advice or links !

erdoukki · August 31, 2020, 5:33pm

Have you tried this ?

# Configure the snort decoder
# ============================
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
config detection: search-method lowmem

Take a look at : http://www.infosecwriters.com/text_resources/pdf/An_Inexpensive_and_Versatile_IDS.pdf

gimbleguy · March 11, 2021, 1:14am

Hello, I have this command for my XCY mini PC and it works well:

snort -de -Q -i eth0:eth1:eth2:eth3:eth4:eth5 --daq afpacket --daq-dir /usr/lib/daq -c "/etc/config/snort.conf"

But I am not sure how to set it correctly in procd_set_param_command. Any tips on how I should set it please?