How to configure Snort for intrusion prevention?

Hi everyone,

I tried snort in openwrt but its not working. Its giving error.

i did

opkg install snort

and configured . I added "include community.rules" too.

and at last executed

snort -c "snort.conf" -i "lo" --daq-dir /usr/lib/daq

and it showed this error.

HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 2688
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
ERROR: snort.conf(326) => Invalid keyword '}' for server configuration.
Fatal Error, Quitting..
root@OpenWrt:/etc/snort#

Any help would be appreciated..

Thanking you in advance.

Or if is there any alternate way tto Snort intrusion prevention then please tell.

Intrusion prevention like arpspoof attack, ddos attack, wifi deauth attack, ping, port scan etc.. I want to block all these on openwrt.

fwiw, unless your device has at least 512Mbyte you're going to run into memory issues.

2 Likes

sorry i dont have 512Mbytes. So is there any other tool for such detection/prevention on openwrt ?

What you're trying to accomplish is very performance intensive by the nature of it, even 512 MB RAM is borderline.

2 Likes

@evadon, wait..."intrusion prevention"...Snort has block capability in OpenWrt?

I thought it only alerts.

If so, can you tell us how?

What's on line 326 of the snort.conf file? Just a bracket?

I've ran Snort on a VM (pfSense) , perhaps I need to do more testing. I usually spin up router VMs with 256 MB. If the OP were to load a lot of rules, I'd definitely agree.

1 Like

Have a look at banip

1 Like

Banip ? ok I m looking into it.

there is no such package "banip"

banIP isn't even remotely close to Snort (or Suricata for that matter) as they do completely different things as @lleachii pointed out earlier.

Are you sure?

I know that banip is not Snort (or Suricata, but I think it is the best thing to use if you don't have a device with a lot of memmory. People mostly use Snort (or Suricata on X86 boxs I think.

1 Like

Has anyone been able to get snort running on openwrt 18.6.04, I have tried everything and nothing, it won't even recognize the snort.conf file at startup.
Here is a picture of the response, what am I doing wrong on the configuration?

Have you checked file permissions to the directory and file?

1 Like

Hello, I would like to ask... Btw, can you configure snort to block malicious packet?
I am finding the solution too. If you can do it, could you please tell me?

Hi, after two weeks of tweaking and some frustration, I did get to run snort in openwrt (19.07.2, on a Zyxel Armor Z2, it has 512MB of RAM, this is important as I'll explain later).

the command that you are trying to execute:

it only activates snort in IDS mode using DAQ in passive mode.

in order to activate snort in IPS mode (Intrusion Prevention) you need to be able to run it in inline mode, which in OpenWRT you only have "AFPACKET" to run it, BUT, this is pretty hard on the RAM, I only get about 25MB of free RAM on average when running snort in inline mode with all of my other configuration in place (VPN Server and client, DPI, are the next more intensive after snort, and dont come even close to the RAM demands of snort 6% and 8% respectively). Snort by itself is consuming 48% of my RAM, and that is after getting a lot of rules out just running with the bare minimum.

It is important to note, that even in IDS snort is pretty intensive, where it gobbles a hefty 41% of RAM with the same ruleset that is used in inline, the difference is due to the preprocessors that are the ones that do the trick for inline mode.

The command to execute snort in IPS (afpacket, in inline mode) if you have the resources is:

snort -de -Q -i eth0:eth1 --daq afpacket --daq-dir /usr/lib/daq -c "/etc/snort/snort.conf"

where:

"-Q" is for "inline mode";
"-i eth0:eth1" is for the pair of interfaces required for afpacket, depending on your configuration could be other interfaces but it is required always to be in pair.;
"--daq afpacket", indicates that the DAQ to use is "afpacket", "pcap", can only run in passive mode (IDS), and IPFW only supports IP4 traffic, and requires that you define the ports you want it to listen (so just keep it on afpacket if you have a mixed environment;
"--daq-dir /usr/lib/daq" is where the daq components are installed; and lastly,
"-c "/etc/snort/snort.conf" " is to indicates where ths snort configuration file is.

keep in mind that running this command if it works, then you need to make it the default mode when ever the router is started, you need to modify the snort file on "/etc/init.d/", in the "#start_snort_instance", the "procd_set_param command" line.

wrapping up, SNORT in openwrt, whether in IDS or IPS mode it requires a lot of memory, 512MB at minimum (256MB just wont work) for even a very stripped version, curiously it does not impact to much the processor, but there is a small caveat, it tends to "eat" some of the bandwidth, but is normal for an IPS, all that said, it is possible to run snort in IPS mode in openwrt, but just with the required hardware.

PS. keep in mind that you need to keep an eye on the logs, it can become a headache eating your precious space in the router, and It is not worth it to have snort run without the logs, because what is the purpose then? you could define a process to periodicaly download the log file, or just generate the log on a remote destination, probably syslog-ng could be useful for that matter, or if your router allows it, attach a usbstick, format it for use in openwrt and your all set.

hope this is useful.

VM.