How to configure Snort for intrusion prevention?

Sorry, I don't have 512 MB. So is there any other tool for such detection/prevention on OpenWrt?

What you're trying to accomplish is very performance intensive by the nature of it, even 512 MB RAM is borderline.

@evadon, wait..."intrusion prevention"...Snort has block capability in OpenWrt?

I thought it only alerts.

If so, can you tell us how?

What's on line 326 of the snort.conf file? Just a bracket?

I've run Snort on a VM (pfSense); perhaps I need to do more testing. I usually spin up router VMs with 256 MB. If the OP were to load a lot of rules, I'd definitely agree.

Have a look at banip

banIP? OK, I'm looking into it.

There is no such package "banip".

banIP isn't even remotely close to Snort (or Suricata for that matter) as they do completely different things as @lleachii pointed out earlier.

Are you sure?

I know that banIP is not Snort (or Suricata), but I think it is the best thing to use if you don't have a device with a lot of memory. People mostly use Snort (or Suricata) on x86 boxes, I think.

Has anyone been able to get Snort running on OpenWrt 18.6.04? I have tried everything and nothing works; it won't even recognize the snort.conf file at startup.
Here is a picture of the response; what am I doing wrong in the configuration?

Have you checked file permissions to the directory and file?

Hello, I would like to ask... By the way, can you configure Snort to block malicious packets?
I am looking for a solution too. If you can do it, could you please tell me?

Hi, after two weeks of tweaking and some frustration, I did get Snort to run in OpenWrt (19.07.2, on a Zyxel Armor Z2; it has 512 MB of RAM, which is important, as I'll explain later).

The command that you are trying to execute:

only activates Snort in IDS mode, using the DAQ in passive mode.

In order to activate Snort in IPS mode (intrusion prevention) you need to be able to run it in inline mode, which in OpenWrt you can only do with "afpacket". BUT, this is pretty hard on the RAM: I only get about 25 MB of free RAM on average when running Snort in inline mode with all of my other configuration in place (the VPN server and client, and DPI, are the next most intensive after Snort, and don't come even close to the RAM demands of Snort, at 6% and 8% respectively). Snort by itself is consuming 48% of my RAM, and that is after taking a lot of rules out, just running with the bare minimum.

It is important to note that even in IDS mode Snort is pretty intensive: it gobbles a hefty 41% of RAM with the same ruleset that is used inline; the difference is due to the preprocessors, which are the ones that do the trick for inline mode.

The command to execute Snort in IPS mode (afpacket, in inline mode), if you have the resources, is:

snort -de -Q -i eth0:eth1 --daq afpacket --daq-dir /usr/lib/daq -c "/etc/snort/snort.conf"

where:

"-Q" is for "inline mode";
"-i eth0:eth1" is for the pair of interfaces required for afpacket; depending on your configuration they could be other interfaces, but they are always required to be in a pair;
"--daq afpacket" indicates that the DAQ to use is "afpacket"; "pcap" can only run in passive mode (IDS), and IPFW only supports IPv4 traffic and requires that you define the ports you want it to listen on (so just keep it on afpacket if you have a mixed environment);
"--daq-dir /usr/lib/daq" is where the DAQ components are installed; and lastly,
"-c "/etc/snort/snort.conf"" indicates where the Snort configuration file is.

Keep in mind that if running this command works, you then need to make it the default mode whenever the router is started: you need to modify the snort file in "/etc/init.d/", in the "#start_snort_instance" section, the "procd_set_param command" line.

Wrapping up: Snort in OpenWrt, whether in IDS or IPS mode, requires a lot of memory, 512 MB at minimum (256 MB just won't work) for even a very stripped version. Curiously, it does not impact the processor too much, but there is a small caveat: it tends to "eat" some of the bandwidth, but that is normal for an IPS. All that said, it is possible to run Snort in IPS mode in OpenWrt, but only with the required hardware.

PS. Keep in mind that you need to keep an eye on the logs; they can become a headache, eating your precious space on the router, and it is not worth it to have Snort run without the logs, because what is the purpose then? You could define a process to periodically download the log file, or just generate the log on a remote destination (probably syslog-ng could be useful for that matter), or, if your router allows it, attach a USB stick, format it for use in OpenWrt, and you're all set.

Hope this is useful.

VM.

Thanks, I have it working on an mvebu espressobin board v7:

snort -de -Q -i wan:br-lan --daq afpacket --daq-dir /usr/lib/daq -c /etc/snort/snort.conf

How can I test that it is working well?
I have installed the community rules but do not see anything from Snort at all... thanks for tips or any helpful advice or links!

Have you tried this?

# Configure the snort decoder
# ============================
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
config detection: search-method lowmem

Take a look at: http://www.infosecwriters.com/text_resources/pdf/An_Inexpensive_and_Versatile_IDS.pdf

Hello, I have this command for my XCY mini PC and it works well:

snort -de -Q -i eth0:eth1:eth2:eth3:eth4:eth5 --daq afpacket --daq-dir /usr/lib/daq -c "/etc/config/snort.conf"

But I am not sure how to set it correctly in procd_set_param command. Any tips on how I should set it, please?

Could I suggest in future that you start a new thread rather than bumping an old one with a lot of largely irrelevant information to read through?

/etc/config/snort

config snort 'lan'
        option interface 'eth0:eth1:eth2:eth3:eth4:eth5'
        option config_file '/etc/config/snort.conf'

/etc/init.d/snort

procd_set_param command $PROG "-de" "-Q" "-i" "$device" "--daq" "afpacket" "--daq-dir" "/usr/lib/daq/" "-c" "$config_file"

You could also create a new interface which is a software bridge over all those Ethernet interfaces and then use that single software bridge in the snort command instead. It will probably be more efficient.
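As an added example (not code from this thread or from the OpenWrt snort package), the helper below builds the inline afpacket command line from the same UCI-style values the init script above reads, and refuses to build one when the interface list is not in pairs, which the earlier post notes afpacket always requires. The binary path /usr/bin/snort and the function names are assumptions; the `-T` config test is Snort's own option.

```shell
#!/bin/sh
# Hypothetical helper for an OpenWrt-style snort init script (not the package's own code).
# Values mirror this thread: interface 'eth0:eth1' / 'wan:br-lan', config_file '/etc/snort/snort.conf'.

# Return 0 when the afpacket interface list has an even, non-empty number of members
# (afpacket inline mode bridges interfaces in pairs; "eth0::eth1" is rejected as malformed).
afpacket_pairs_ok() {
    _ifaces="$1"
    _count=0
    _old_ifs="$IFS"
    IFS=:
    for _i in $_ifaces; do
        if [ -z "$_i" ]; then
            IFS="$_old_ifs"
            return 1
        fi
        _count=$((_count + 1))
    done
    IFS="$_old_ifs"
    [ "$_count" -gt 0 ] && [ $((_count % 2)) -eq 0 ]
}

# Print the command line for one snort instance.
#   $1 = "ips" (inline, -Q, afpacket) or "ids" (passive pcap on a single interface)
#   $2 = interface list as written in the UCI 'interface' option
#   $3 = path of the snort configuration file
#   $4 = snort binary (assumed default /usr/bin/snort; the init script uses $PROG)
build_snort_cmd() {
    _mode="$1"; _ifaces="$2"; _config_file="$3"; _prog="${4:-/usr/bin/snort}"
    [ -n "$_ifaces" ] && [ -n "$_config_file" ] || return 2
    case "$_mode" in
        ips)
            afpacket_pairs_ok "$_ifaces" || return 1
            printf '%s -de -Q -i %s --daq afpacket --daq-dir /usr/lib/daq -c %s\n' \
                "$_prog" "$_ifaces" "$_config_file"
            ;;
        ids)
            # pcap DAQ only runs passively (IDS): no -Q, one interface.
            printf '%s -de -i %s --daq pcap --daq-dir /usr/lib/daq -c %s\n' \
                "$_prog" "$_ifaces" "$_config_file"
            ;;
        *)
            return 2
            ;;
    esac
}

# Validate the configuration file before enabling the init script, so a bad
# snort.conf is reported here instead of as a silent procd respawn loop.
# Returns 127 when the snort binary is not installed on this host.
snort_config_test() {
    _config_file="$1"; _prog="${2:-/usr/bin/snort}"
    command -v "$_prog" >/dev/null 2>&1 || return 127
    "$_prog" -T -c "$_config_file"
}

# Stand-alone run: print the command for the ESPRESSObin pair quoted above.
build_snort_cmd ips "wan:br-lan" /etc/snort/snort.conf
```

In the init script each token is still passed to `procd_set_param command` as a separate argument, as in the line above; the printed string is for checking and for running by hand.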

Thank you so much. Much appreciated

Hello Snort community users, I'm a Snort newbie / rookie.

My Snort installation seems to work, but I'm not really sure if it's set up right. I have a Mullvad WireGuard VPN tunnel, which I chose as the WAN interface for Snort. What is strange is that it doesn't start by itself; I always have to execute it manually. Maybe somebody has a hint or tip to make it start on reboot (and yes, the init script is enabled):

snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq -Q

My output on starting Snort with the above command:

moo@vm-lede:~# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq -Q
--------------------------------------------------
o")~   Snort++ 3.1.61.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
	ssh
	host_cache
	pop
	so_proxy
	stream_tcp
	mms
	smtp
	gtp_inspect
	packets
	dce_http_proxy
	ips
	stream_icmp
	hosts
	normalizer
	binder
	wizard
	appid
	js_norm
	file_id
	http2_inspect
	http_inspect
	stream_udp
	ftp_data
	ftp_server
	search_engine
	port_scan
	dce_http_server
	dce_tcp
	dce_smb
	iec104
	cip
	telnet
	ssl
	sip
	rpc_decode
	netflow
	modbus
	host_tracker
	stream_user
	stream_ip
	trace
	back_orifice
	classifications
	dnp3
	active
	process
	ftp_client
	daq
	decode
	alerts
	stream
	references
	arp_spoof
	output
	network
	dns
	dce_udp
	imap
	file_policy
	s7commplus
	stream_file
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading /etc/snort/rules/snort3-community-rules/snort3-community.rules:
Finished /etc/snort/rules/snort3-community-rules/snort3-community.rules:
Loading /etc/snort/rules/lightspd/rules/3.1.35.0/includes.rules:
Loading snort3-file-java.rules:
Finished snort3-file-java.rules:
Finished /etc/snort/rules/lightspd/rules/3.1.35.0/includes.rules:
Loading /etc/snort/rules/lightspd/rules/3.0.0.0/includes.rules:
Loading snort3-app-detect.rules:
Finished snort3-app-detect.rules:
Loading snort3-browser-chrome.rules:
Finished snort3-browser-chrome.rules:
Loading snort3-browser-firefox.rules:
Finished snort3-browser-firefox.rules:
Loading snort3-browser-ie.rules:
Finished snort3-browser-ie.rules:
Loading snort3-browser-other.rules:
Finished snort3-browser-other.rules:
Loading snort3-browser-plugins.rules:
Finished snort3-browser-plugins.rules:
Loading snort3-browser-webkit.rules:
Finished snort3-browser-webkit.rules:
Loading snort3-content-replace.rules:
Finished snort3-content-replace.rules:
Loading snort3-exploit-kit.rules:
Finished snort3-exploit-kit.rules:
Loading snort3-file-executable.rules:
Finished snort3-file-executable.rules:
Loading snort3-file-flash.rules:
Finished snort3-file-flash.rules:
Loading snort3-file-identify.rules:
Finished snort3-file-identify.rules:
Loading snort3-file-image.rules:
Finished snort3-file-image.rules:
Loading snort3-file-java.rules:
Finished snort3-file-java.rules:
Loading snort3-file-multimedia.rules:
Finished snort3-file-multimedia.rules:
Loading snort3-file-office.rules:
Finished snort3-file-office.rules:
Loading snort3-file-other.rules:
Finished snort3-file-other.rules:
Loading snort3-file-pdf.rules:
Finished snort3-file-pdf.rules:
Loading snort3-indicator-compromise.rules:
Finished snort3-indicator-compromise.rules:
Loading snort3-indicator-obfuscation.rules:
Finished snort3-indicator-obfuscation.rules:
Loading snort3-indicator-scan.rules:
Finished snort3-indicator-scan.rules:
Loading snort3-indicator-shellcode.rules:
Finished snort3-indicator-shellcode.rules:
Loading snort3-malware-backdoor.rules:
Finished snort3-malware-backdoor.rules:
Loading snort3-malware-cnc.rules:
Finished snort3-malware-cnc.rules:
Loading snort3-malware-other.rules:
Finished snort3-malware-other.rules:
Loading snort3-malware-tools.rules:
Finished snort3-malware-tools.rules:
Loading snort3-netbios.rules:
Finished snort3-netbios.rules:
Loading snort3-os-linux.rules:
Finished snort3-os-linux.rules:
Loading snort3-os-mobile.rules:
Finished snort3-os-mobile.rules:
Loading snort3-os-other.rules:
Finished snort3-os-other.rules:
Loading snort3-os-solaris.rules:
Finished snort3-os-solaris.rules:
Loading snort3-os-windows.rules:
Finished snort3-os-windows.rules:
Loading snort3-policy-multimedia.rules:
Finished snort3-policy-multimedia.rules:
Loading snort3-policy-other.rules:
Finished snort3-policy-other.rules:
Loading snort3-policy-social.rules:
Finished snort3-policy-social.rules:
Loading snort3-policy-spam.rules:
Finished snort3-policy-spam.rules:
Loading snort3-protocol-dns.rules:
Finished snort3-protocol-dns.rules:
Loading snort3-protocol-finger.rules:
Finished snort3-protocol-finger.rules:
Loading snort3-protocol-ftp.rules:
Finished snort3-protocol-ftp.rules:
Loading snort3-protocol-icmp.rules:
Finished snort3-protocol-icmp.rules:
Loading snort3-protocol-imap.rules:
Finished snort3-protocol-imap.rules:
Loading snort3-protocol-nntp.rules:
Finished snort3-protocol-nntp.rules:
Loading snort3-protocol-other.rules:
Finished snort3-protocol-other.rules:
Loading snort3-protocol-pop.rules:
Finished snort3-protocol-pop.rules:
Loading snort3-protocol-rpc.rules:
Finished snort3-protocol-rpc.rules:
Loading snort3-protocol-scada.rules:
Finished snort3-protocol-scada.rules:
Loading snort3-protocol-services.rules:
Finished snort3-protocol-services.rules:
Loading snort3-protocol-snmp.rules:
Finished snort3-protocol-snmp.rules:
Loading snort3-protocol-telnet.rules:
Finished snort3-protocol-telnet.rules:
Loading snort3-protocol-tftp.rules:
Finished snort3-protocol-tftp.rules:
Loading snort3-protocol-voip.rules:
Finished snort3-protocol-voip.rules:
Loading snort3-pua-adware.rules:
Finished snort3-pua-adware.rules:
Loading snort3-pua-other.rules:
Finished snort3-pua-other.rules:
Loading snort3-pua-p2p.rules:
Finished snort3-pua-p2p.rules:
Loading snort3-pua-toolbars.rules:
Finished snort3-pua-toolbars.rules:
Loading snort3-server-apache.rules:
Finished snort3-server-apache.rules:
Loading snort3-server-iis.rules:
Finished snort3-server-iis.rules:
Loading snort3-server-mail.rules:
Finished snort3-server-mail.rules:
Loading snort3-server-mssql.rules:
Finished snort3-server-mssql.rules:
Loading snort3-server-mysql.rules:
Finished snort3-server-mysql.rules:
Loading snort3-server-oracle.rules:
Finished snort3-server-oracle.rules:
Loading snort3-server-other.rules:
Finished snort3-server-other.rules:
Loading snort3-server-samba.rules:
Finished snort3-server-samba.rules:
Loading snort3-server-webapp.rules:
Finished snort3-server-webapp.rules:
Loading snort3-sql.rules:
Finished snort3-sql.rules:
Loading snort3-x11.rules:
Finished snort3-x11.rules:
Finished /etc/snort/rules/lightspd/rules/3.0.0.0/includes.rules:
Loading /etc/snort/rules/rules/includes.rules:
Loading snort3-app-detect.rules:
Finished snort3-app-detect.rules:
Loading snort3-browser-chrome.rules:
Finished snort3-browser-chrome.rules:
Loading snort3-browser-firefox.rules:
Finished snort3-browser-firefox.rules:
Loading snort3-browser-ie.rules:
Finished snort3-browser-ie.rules:
Loading snort3-browser-other.rules:
Finished snort3-browser-other.rules:
Loading snort3-browser-plugins.rules:
Finished snort3-browser-plugins.rules:
Loading snort3-browser-webkit.rules:
Finished snort3-browser-webkit.rules:
Loading snort3-content-replace.rules:
Finished snort3-content-replace.rules:
Loading snort3-exploit-kit.rules:
Finished snort3-exploit-kit.rules:
Loading snort3-file-executable.rules:
Finished snort3-file-executable.rules:
Loading snort3-file-flash.rules:
Finished snort3-file-flash.rules:
Loading snort3-file-identify.rules:
Finished snort3-file-identify.rules:
Loading snort3-file-image.rules:
Finished snort3-file-image.rules:
Loading snort3-file-java.rules:
Finished snort3-file-java.rules:
Loading snort3-file-multimedia.rules:
Finished snort3-file-multimedia.rules:
Loading snort3-file-office.rules:
Finished snort3-file-office.rules:
Loading snort3-file-other.rules:
Finished snort3-file-other.rules:
Loading snort3-file-pdf.rules:
Finished snort3-file-pdf.rules:
Loading snort3-indicator-compromise.rules:
Finished snort3-indicator-compromise.rules:
Loading snort3-indicator-obfuscation.rules:
Finished snort3-indicator-obfuscation.rules:
Loading snort3-indicator-scan.rules:
Finished snort3-indicator-scan.rules:
Loading snort3-indicator-shellcode.rules:
Finished snort3-indicator-shellcode.rules:
Loading snort3-malware-backdoor.rules:
Finished snort3-malware-backdoor.rules:
Loading snort3-malware-cnc.rules:
Finished snort3-malware-cnc.rules:
Loading snort3-malware-other.rules:
Finished snort3-malware-other.rules:
Loading snort3-malware-tools.rules:
Finished snort3-malware-tools.rules:
Loading snort3-netbios.rules:
Finished snort3-netbios.rules:
Loading snort3-os-linux.rules:
Finished snort3-os-linux.rules:
Loading snort3-os-mobile.rules:
Finished snort3-os-mobile.rules:
Loading snort3-os-other.rules:
Finished snort3-os-other.rules:
Loading snort3-os-solaris.rules:
Finished snort3-os-solaris.rules:
Loading snort3-os-windows.rules:
Finished snort3-os-windows.rules:
Loading snort3-policy-multimedia.rules:
Finished snort3-policy-multimedia.rules:
Loading snort3-policy-other.rules:
Finished snort3-policy-other.rules:
Loading snort3-policy-social.rules:
Finished snort3-policy-social.rules:
Loading snort3-policy-spam.rules:
Finished snort3-policy-spam.rules:
Loading snort3-protocol-dns.rules:
Finished snort3-protocol-dns.rules:
Loading snort3-protocol-finger.rules:
Finished snort3-protocol-finger.rules:
Loading snort3-protocol-ftp.rules:
Finished snort3-protocol-ftp.rules:
Loading snort3-protocol-icmp.rules:
Finished snort3-protocol-icmp.rules:
Loading snort3-protocol-imap.rules:
Finished snort3-protocol-imap.rules:
Loading snort3-protocol-nntp.rules:
Finished snort3-protocol-nntp.rules:
Loading snort3-protocol-other.rules:
Finished snort3-protocol-other.rules:
Loading snort3-protocol-pop.rules:
Finished snort3-protocol-pop.rules:
Loading snort3-protocol-rpc.rules:
Finished snort3-protocol-rpc.rules:
Loading snort3-protocol-scada.rules:
Finished snort3-protocol-scada.rules:
Loading snort3-protocol-services.rules:
Finished snort3-protocol-services.rules:
Loading snort3-protocol-snmp.rules:
Finished snort3-protocol-snmp.rules:
Loading snort3-protocol-telnet.rules:
Finished snort3-protocol-telnet.rules:
Loading snort3-protocol-tftp.rules:
Finished snort3-protocol-tftp.rules:
Loading snort3-protocol-voip.rules:
Finished snort3-protocol-voip.rules:
Loading snort3-pua-adware.rules:
Finished snort3-pua-adware.rules:
Loading snort3-pua-other.rules:
Finished snort3-pua-other.rules:
Loading snort3-pua-p2p.rules:
Finished snort3-pua-p2p.rules:
Loading snort3-pua-toolbars.rules:
Finished snort3-pua-toolbars.rules:
Loading snort3-server-apache.rules:
Finished snort3-server-apache.rules:
Loading snort3-server-iis.rules:
Finished snort3-server-iis.rules:
Loading snort3-server-mail.rules:
Finished snort3-server-mail.rules:
Loading snort3-server-mssql.rules:
Finished snort3-server-mssql.rules:
Loading snort3-server-mysql.rules:
Finished snort3-server-mysql.rules:
Loading snort3-server-oracle.rules:
Finished snort3-server-oracle.rules:
Loading snort3-server-other.rules:
Finished snort3-server-other.rules:
Loading snort3-server-samba.rules:
Finished snort3-server-samba.rules:
Loading snort3-server-webapp.rules:
Finished snort3-server-webapp.rules:
Loading snort3-sql.rules:
Finished snort3-sql.rules:
Loading snort3-x11.rules:
Finished snort3-x11.rules:
Finished /etc/snort/rules/rules/includes.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   45423   49239   45423    /etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 45423
          duplicate rules: 49239
               text rules: 45423
            option chains: 45423
            chain headers: 94455
                 flowbits: 710
     flowbits not checked: 68
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any    1813     389     469     296
     src    1356     169       0       0
     dst    5376    1026       0       0
    both     109      54       0       0
   total    8654    1638     469     296
--------------------------------------------------
service rule counts          to-srv  to-cli
                      bgp:        5       1
                   dcerpc:      679     583
                     dhcp:       36      10
                     dnp3:        0       6
                      dns:      276     115
                     drda:        5       0
                     file:      546     557
                  file_id:      208     208
                      ftp:      196      22
                 ftp-data:      631   10569
                   gopher:        0       1
                     http:    14441   13951
                    http2:    14441   13951
                    http3:    14441   13951
                    ident:        1       0
                     igmp:        1       1
                     imap:      677   10818
                      irc:       40      14
                     ircd:        9       3
                 java_rmi:       51       3
                 kerberos:       34       6
                     ldap:       47       6
                      ldp:        1       0
                   modbus:       34      10
                    mysql:       67       7
              netbios-dgm:       11      11
               netbios-ns:       15       5
              netbios-ssn:     1083     647
                  netware:        2       0
                     nntp:        2       2
                      ntp:       36       7
                  openvpn:       16      16
                     pop3:      636   10822
               postgresql:        8       0
                  printer:        6       0
                   radius:        3       2
                      rdp:       10      20
                     rtmp:        1       4
                      rtp:        1       1
                     rtsp:       17       2
                      sip:      338      44
                     smtp:     9714     582
                     snmp:       48      10
                     ssdp:       13       0
                      ssh:       10       4
                      ssl:      203     221
                   sunrpc:      122       9
                   syslog:        4       0
                 teamview:        1       2
                   telnet:       61      15
                     tftp:       11       6
                      vnc:        1       1
               vnc-server:       12      10
                     wins:        3       0
                    total:    59255   77236
--------------------------------------------------
fast pattern groups
                      src: 506
                      dst: 1624
                      any: 8
                to_server: 131
                to_client: 98
--------------------------------------------------
search engine (ac_bnfa)
                instances: 1298
                 patterns: 152718
            pattern chars: 3695967
               num states: 2816956
         num match states: 409255
             memory scale: MB
             total memory: 91.7641
           pattern memory: 9.34924
        match list memory: 48.7885
        transition memory: 33.4679
        fast pattern only: 102936
appid: MaxRss diff: 412
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to inline.
Commencing packet processing
++ [0] lo