IPS mode of snort3 is not dropping traffic

@efahl -

EDIT: I believe I have it running, but snort isn't doing anything as far as I can tell.

  • I see very tiny CPU usage with show kernel threads.
  • My rule to match ICMP ping isn't even getting tripped.
# cat /etc/snort/rules/test.rules 
alert icmp any any <> any any (msg:"TEST ALERT"; icode:0; itype:8; sid:10000010; rev:001;)

System is RPi4. Internal NIC eth0 is LAN facing and USB NIC eth1 is WAN facing.

Running snort like this:
# snort -c /etc/snort/snort.lua --tweaks local
--------------------------------------------------
o")~   Snort++ 3.1.62.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading local.lua:
Finished local.lua:
	snort
	ssh
	host_cache
	pop
	so_proxy
	stream_tcp
	mms
	smtp
	gtp_inspect
	packets
	dce_http_proxy
	alert_fast
	cip
	ips
	stream_icmp
	hosts
	normalizer
	binder
	wizard
	appid
	js_norm
	file_id
	http2_inspect
	http_inspect
	stream_udp
	ftp_data
	ftp_server
	search_engine
	port_scan
	dce_http_server
	dce_tcp
	dce_smb
	iec104
	telnet
	ssl
	sip
	rpc_decode
	netflow
	modbus
	host_tracker
	stream_user
	stream_ip
	process
	back_orifice
	classifications
	dnp3
	active
	trace
	ftp_client
	decode
	alerts
	stream
	references
	daq
	arp_spoof
	output
	network
	dns
	dce_udp
	imap
	file_policy
	s7commplus
	stream_file
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading rules/snort.rules:
Finished rules/snort.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   40127       0   40127    /etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 40127
               text rules: 40127
            option chains: 40127
            chain headers: 1694
                 flowbits: 694
     flowbits not checked: 83
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any    1786     380     457     288
     src    1208     156       0       0
     dst    5060     920       0       0
    both     109      48       0       0
   total    8163    1504     457     288
--------------------------------------------------
service rule counts          to-srv  to-cli
                      bgp:        5       1
                   dcerpc:      573     496
                     dhcp:       19       5
                     dnp3:        0       6
                      dns:      268     104
                     drda:        5       0
                     file:      275     284
                      ftp:      193      21
                 ftp-data:      561    8639
                   gopher:        0       1
                     http:    14058   11590
                    http2:    14058   11590
                    http3:    14058   11590
                    ident:        1       0
                     imap:      612    8889
                      irc:       40      14
                     ircd:        9       3
                 java_rmi:       51       3
                 kerberos:       34       6
                     ldap:       42       6
                      ldp:        1       0
                   modbus:       34      10
                    mysql:       67       7
              netbios-dgm:        2       2
               netbios-ns:        8       4
              netbios-ssn:      809     541
                  netware:        2       0
                     nntp:        2       2
                      ntp:       36       7
                  openvpn:       16      16
                     pop3:      571    8893
               postgresql:        8       0
                  printer:        3       0
                   radius:        3       2
                      rdp:        3       8
                     rtmp:        1       4
                      rtp:        1       1
                     rtsp:       17       2
                      sip:      338      44
                     smtp:     7875     513
                     snmp:       46       9
                     ssdp:       13       0
                      ssh:       10       4
                      ssl:      173     202
                   sunrpc:      118       9
                   syslog:        4       0
                 teamview:        1       2
                   telnet:       55      15
                     tftp:       11       6
                      vnc:        1       1
               vnc-server:       12      10
                    total:    55103   63562
--------------------------------------------------
fast pattern groups
                      src: 486
                      dst: 1590
                      any: 8
                to_server: 127
                to_client: 92
--------------------------------------------------
search engine (ac_bnfa)
                instances: 1261
                 patterns: 133885
            pattern chars: 3092111
               num states: 2337128
         num match states: 346503
             memory scale: MB
             total memory: 76.6849
           pattern memory: 8.05497
        match list memory: 40.5348
        transition memory: 27.9412
        fast pattern only: 89388
appid: MaxRss diff: 0
appid: patterns loaded: 300
--------------------------------------------------
nfq DAQ configured to inline.
Commencing packet processing
++ [0] 4

/etc/snort/homenet.lua
HOME_NET = [[ 10.9.1.0/24 10.9.2.0/24 10.9.3.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"

/etc/snort/local.lua
snort = {}
snort["-Q"] = true

ips = {
  mode = inline,
  variables = default_variables,
  action_override = 'reject',
  --action_override = 'drop',
  include = RULE_PATH .. '/snort.rules',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  inputs = { '4' },
  modules = {
    {
      name = 'nfq',
      mode = 'inline',
      variables = { 'device=eth1' } -- eth1 is the WAN interface
    }
  }
}

-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
  file = true,
  packet = false,
}

--search_engine = { search_method = "hyperscan" }
--detection = { hyperscan_literals = true, pcre_to_regex = true }

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

My firewall setup was just this two-liner:

Can you detail how to apply your suggestion?
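The symptom above (tiny CPU use, a trivial ICMP rule that never fires) is what an nfq DAQ looks like when the firewall never queues packets to its queue number. The script below is an added diagnostic, not code from the post or from Snort: it reads the kernel's nfnetlink_queue accounting and classifies a queue number (4, as in the post's `inputs = { '4' }`) as missing, idle, active or dropping. The file path and column layout are those of the Linux nfnetlink_queue module; the sample dump is constructed, not captured from the poster's RPi4.

```shell
#!/bin/sh
# Added diagnostic (not from the post): classify an NFQUEUE number from the
# kernel's /proc/net/netfilter/nfnetlink_queue dump. Column layout (from
# nfnetlink_queue.c): queue_num peer_portid queue_total copy_mode copy_range
# queue_dropped user_dropped id_sequence 1

# nfq_status FILE QUEUE -> prints: missing | idle | active | dropping
nfq_status() {
    awk -v q="$2" '
        $1 == q {
            found = 1
            if ($6 > 0 || $7 > 0) { print "dropping"; exit }  # kernel or userspace drops
            if ($8 == 0)          { print "idle"; exit }      # bound, never received a packet
            print "active"; exit                               # packets are flowing
        }
        END { if (!found) print "missing" }                    # no process has bound this queue
    ' "$1"
}

# explain STATUS -> one-line meaning for an nfq-based inline IDS/IPS
explain() {
    case "$1" in
        missing)  echo "no listener bound: the nfq DAQ is not running or uses another queue number" ;;
        idle)     echo "bound but never fed: no firewall rule queues traffic to this number" ;;
        active)   echo "traffic is reaching the inline engine" ;;
        dropping) echo "queue overflow or delivery failure: packets are being lost" ;;
        *)        echo "unknown status" ;;
    esac
}

# write_sample FILE: constructed dump (NOT the poster's RPi4) with three queues:
# 0 active, 4 bound-but-idle (the symptom in the post), 5 overflowing.
write_sample() {
    cat > "$1" <<'EOF'
    0  12345     0 2  4016     0     0     9876  1
    4  31621     0 2  4016     0     0        0  1
    5  22222  1024 2  4016   310     0     5000  1
EOF
}

# Stand-alone run: use the live kernel file when readable, else the sample.
if [ -r /proc/net/netfilter/nfnetlink_queue ]; then
    dump=/proc/net/netfilter/nfnetlink_queue
else
    dump=$(mktemp) && write_sample "$dump"
fi
qn=${1:-4}
st=$(nfq_status "$dump" "$qn")
echo "queue $qn: $st ($(explain "$st"))"
```

If the firewall's queue rule carries the `bypass` flag (NFQUEUE --queue-bypass), traffic passes unfiltered whenever nothing is bound to the queue, so a "missing" status means the IPS is fail-open rather than blocking.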