How to configure Snort for intrusion prevention?

Hi everyone,

I tried Snort in OpenWrt but it's not working. It's giving an error.

I did

opkg install snort

and configured it. I added "include community.rules" too.

and at last executed

snort -c "snort.conf" -i "lo" --daq-dir /usr/lib/daq

and it showed this error.

HttpInspect Config:
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 2688
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
ERROR: snort.conf(326) => Invalid keyword '}' for server configuration.
Fatal Error, Quitting..

Any help would be appreciated.

Thanking you in advance.

Or if there is any alternate way to Snort intrusion prevention then please tell.

Intrusion prevention like arpspoof attack, DDoS attack, Wi-Fi deauth attack, ping, port scan etc. I want to block all these on OpenWrt.

fwiw, unless your device has at least 512Mbyte you're going to run into memory issues.


Sorry, I don't have 512Mbytes. So is there any other tool for such detection/prevention on OpenWrt?

What you're trying to accomplish is very performance intensive by the nature of it, even 512 MB RAM is borderline.


@evadon, wait..."intrusion prevention"...Snort has block capability in OpenWrt?

I thought it only alerts.

If so, can you tell us how?

What's on line 326 of the snort.conf file? Just a bracket?

I've run Snort on a VM (pfSense), perhaps I need to do more testing. I usually spin up router VMs with 256 MB. If the OP were to load a lot of rules, I'd definitely agree.


Have a look at banIP.


banIP? OK, I'm looking into it.

There is no such package "banip".

banIP isn't even remotely close to Snort (or Suricata for that matter) as they do completely different things as @lleachii pointed out earlier.

Are you sure?

I know that banIP is not Snort (or Suricata), but I think it is the best thing to use if you don't have a device with a lot of memory. People mostly use Snort (or Suricata) on x86 boxes, I think.


Has anyone been able to get Snort running on OpenWrt 18.6.04? I have tried everything and nothing; it won't even recognize the snort.conf file at startup.
Here is a picture of the response, what am I doing wrong on the configuration?

Have you checked file permissions to the directory and file?
