Questions and suggestions about snort documentation

Hello,

I have OpenWrt 23.05.3 on a VM. I set it up to check how mwan3 + snort work together.
Regarding the snort documentation, there are a few things that could be added and/or fixed.

Version of snort at this time: Snort++ 3.1.82.0

According to the documentation https://openwrt.org/docs/guide-user/services/snort I should use the Auto-Configuration section.

uci set snort.snort.home_net="any" - I may be mistaken here, but I need the LAN network, for example 192.168.1.0/24, according to the documentation above.
uci set snort.snort.interface="$(uci get network.wan.device)" - what if there is no WAN, as in my case? I have 2 deliveries, and my interfaces are eth0.2 and eth0.270.
Since enumeration is done with ":":
uci set snort.snort.interface="eth0.2:eth0.270"

The snort-rules and snort-mgr commands are not in the base package; I found them here:

I did the following:
I downloaded snort-rules and snort-mgr into /usr/bin and made them executable, but for them to work, nftables.uc, snort.uc and main.uc must also be downloaded:
mkdir -p /usr/share/snort/templates
main.uc > /usr/share/snort/main.uc
nftables.uc > /usr/share/snort/templates/nftables.uc
snort.uc > /usr/share/snort/templates/snort.uc

Additionally, download the init.d script as well as the snort config file.

After that, the snort-rules and snort-mgr commands work.

I have an oinkcode, and that is where I have a problem.
If I enter the oinkcode, I can't use snort3-community-rules.
How can I get snort3-community-rules and the other rules in builtin_rules and so_rules?

Regards,

I believe the community-rules with the member rules are redundant. You do not need them. If you wanted to you could simply concatenate the various rules files together... this is how I do it:

#!/bin/zsh

livedir=/mnt/data/snort
shortver=31470
snort=/tmp/snort-$(date "+%Y%m%d")
oinkcode='xxx'

wget -q "https://www.snort.org/rules/snortrules-snapshot-$shortver.tar.gz?oinkcode=$oinkcode" -O /tmp/new.tar.gz || exit 1

if [[ -f "$livedir"/new.tar.gz.md5 ]]; then
	if md5sum -c -s "$livedir"/new.tar.gz.md5; then
		echo " >>> rules have not changed so quit"
		rm -f /tmp/new.tar.gz
		exit
	else
		echo " >>> rules have changed so continue"
	fi
else
	echo " >>> no checksum file found so using tarball as-is"
fi

md5sum /tmp/new.tar.gz > "$livedir"/new.tar.gz.md5

if [[ ! -d "$snort" ]]; then
	mkdir -p "$snort" || exit 1
fi

tar zxf /tmp/new.tar.gz -C "$snort" || exit 1

if [[ -f "$livedir"/snort.rules ]]; then
	mv -f "$livedir"/snort.rules "$livedir"/snort.rules-$(date "+%Y%m%d")
fi

cd "$snort"/rules || exit 1

removes=(
	snort3-browser-ie.rules
	snort3-browser-other.rules
	snort3-protocol-finger.rules
	snort3-protocol-scada.rules
	snort3-protocol-telnet.rules
	snort3-protocol-tftp.rules
	snort3-server-mssql.rules
	snort3-server-mysql.rules
	snort3-server-iis.rules
	snort3-os-solaris.rules
	snort3-os-windows.rules
)

for i in "${removes[@]}"; do
	rm "$i"
done

# concatenate the remaining category files into a single rules file
for i in *.rules; do cat "$i" >> snort.rules; done

# breaks discoveryplus
#sed -i '/PROTOCOL-ICMP Echo Reply/g' snort.rules

# lyra health breaks modem connection?
# 02/07-16:04:01.752362 [drop] [**] [1:402:16] "PROTOCOL-ICMP destination unreachable port unreachable packet detected" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 34.203.254.45 -> 10.9.8.202
sed -i '/PROTOCOL-ICMP destination unreachable port unreachable packet detected/d' snort.rules

# this kills stuff in lxc and when downloading systemd-253.6-2-aarch64.pkg.tar.xz
sed -i '/INDICATOR-SHELLCODE x86 setuid 0/d' snort.rules

# may affect pihole
sed -i '/PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority/d' snort.rules

# remove ssh port check
sed -i '/APP-DETECT SSH server detected on non-standard port/d' snort.rules

# do not stop pings
sed -i '/PROTOCOL-ICMP Echo Reply/d' snort.rules

# remove superfluous includes and comment then rotate into place
sed -e '/^include/d' -e '/^#/d' snort.rules > "$livedir"/snort.rules

rm -rf "$snort"

echo " >>> restart snort to use new rules"
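An added example, not John's script above: the script deletes rules by matching their msg text, which can change between snapshots or match more than one rule, so this switches rules off by sid instead. The sample rule lines are constructed; only sid 402 is taken from the log line quoted in the script, the other sids are illustrative.

```shell
#!/bin/sh
# Added example, not the script from the post: disable Snort 3 rules by sid
# instead of deleting every line whose msg text matches a pattern.

# Constructed sample of a concatenated snort.rules (sids other than 402 are
# illustrative, not verified against a real rule snapshot).
write_sample() {
    cat > "$1" <<'EOF'
# comment lines are dropped, as in the post's final sed step
include $RULE_PATH/snort3-local.rules
alert icmp any any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply"; itype:0; classtype:misc-activity; sid:408; rev:8; )
alert icmp any any -> $HOME_NET any ( msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; itype:3; icode:3; classtype:misc-activity; sid:402; rev:16; )
alert tcp any any -> $HOME_NET !22 ( msg:"APP-DETECT SSH server detected on non-standard port"; flow:to_client; classtype:misc-activity; sid:19559; rev:9; )
EOF
}

# disable_sids <rules_file> <sid>[,<sid>...]  -> filtered rule set on stdout.
# Rules whose "sid:N;" option is in the list are commented out rather than
# deleted, so the next review still shows what was switched off; include
# lines and existing comments are dropped.  Runs on busybox awk (OpenWrt).
disable_sids() {
    awk -v list="$2" '
        BEGIN { n = split(list, ids, ","); for (i = 1; i <= n; i++) off[ids[i]] = 1 }
        /^#/ || /^include/ { next }
        {
            # the sid option is always " sid:<digits>;" inside the rule body
            if (match($0, / sid:[0-9]+;/)) {
                sid = substr($0, RSTART + 5, RLENGTH - 6)
                if (sid in off) { print "# disabled sid " sid ": " $0; next }
            }
            print
        }' "$1"
}

# Stand-alone demo:  sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp) && write_sample "$tmp" && disable_sids "$tmp" 402,19559 && rm -f "$tmp"
fi
```

On a router the same function can be pointed at the concatenated snort.rules before it is rotated into place.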

Hello,

I apologize for the late reply. Thanks for your script, I'll take a look and test it.

Regards,

I'm back...

My mistake, when I wrote it up, snort3 was not being built for 23.05 and I thought it only existed in snapshot, which was incorrect...

How does the list look now? Did I mess anything up or could it be made more clear? https://openwrt.org/docs/guide-user/services/snort#installation

The "any" value will filter on all interfaces, so that if you have internal attackers going out, they will be detected. If you restrict it, to a specific subnet, then you ignore attacks coming from that subnet, but it does save CPU cycles. I run snort on an over-muscled x86 and have CPU to burn, so I leave it at "any"...

As you've found, this is sort of brittle as I don't have a good way to auto-detect all possible configs (especially in light of multiple WAN interfaces). This might be one of the cases where we "fix" things in the documentation rather than the code. Do you have a better way to do this than the default uci get... that I've got in the code now?

Yeah, as John says, I think the community rules are redundant with the subscription rules (the latter being a superset of the former).

In my experience, enabling the builtin_rules will generate a huge amount of false positives. They look to me to include a ton of legacy stuff that cover various vulnerabilities that have been mitigated long ago, but it is interesting to see what they hit.

If you want to enable them, and are using the autoconfig with snort-mgr, you can do something like this:

$ echo 'ips.enable_builtin_rules=true' >> /etc/snort/include.snort
$ uci set snort.snort.include=/etc/snort/include.snort
$ uci commit
$ /etc/init.d/snort restart

I'm not sure about the so_rules stuff, I've looked at it a while back but forgot to take notes. Do you have anything specific you'd like me to look at?
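An added example, not the snort package's own code, for the multi-WAN case discussed above: instead of `uci get network.wan.device`, it reads the whole of `uci show network` and builds the colon-separated interface list from every interface named wan, wanb, wan6 and so on. The naming convention is an assumption; the sample uci output is constructed to match the two uplinks in the question.

```shell
#!/bin/sh
# Added example, not the snort package's own code: derive the value for
# snort.snort.interface from "uci show network" when there is no single
# "wan" interface (several mwan3 uplinks).  Assumes uplinks are named
# wan, wanb, wan6, ...; adjust the pattern if your names differ.

# snort_ifaces_from_uci: stdin is `uci show network`; stdout is the device of
# every wan* interface, deduplicated and joined with ":" as snort-mgr expects.
# Alias entries such as device='@wan' are skipped.
snort_ifaces_from_uci() {
    awk -v q="'" '
        /^network\.wan[^.]*\.device=/ {
            dev = $0
            sub(/^[^=]*=/, "", dev)     # keep only the value
            gsub(q, "", dev)            # uci wraps values in single quotes
            if (dev ~ /^@/ || dev in seen) next
            seen[dev] = 1
            list = (list == "") ? dev : (list ":" dev)
        }
        END { print list }'
}

# Constructed sample of `uci show network` for a two-uplink box like the one
# in the question (eth0.2 and eth0.270); wan6 shares its device with wan.
sample_uci() {
    cat <<'EOF'
network.loopback=interface
network.loopback.device='lo'
network.lan=interface
network.lan.device='br-lan'
network.lan.ipaddr='192.168.1.1'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0.2'
network.wanb=interface
network.wanb.device='eth0.270'
network.wanb.proto='dhcp'
EOF
}

# On the router:  sh this_file.sh apply   prints the uci command to review
# first rather than running it.
if [ "${1:-}" = "apply" ]; then
    echo "uci set snort.snort.interface=\"$(uci show network | snort_ifaces_from_uci)\""
fi
```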

You're not wrong actually, at one point there really wasn't snort3 in version 23.05 (this year), I think it was February or March when I checked. And by the day I asked my question, it had appeared.

I haven't downloaded the package again now, and I don't know if the snort-rules and snort-mgr files and their dependencies have been added. It would be helpful, if they are not expected to be added in the future, to describe where they can be downloaded from. And what is recorded where.

If the snort-rules and snort-mgr files exist in the package in the snapshot, perhaps a point 4 should be added that describes a configuration option for a normal version (NOT a snapshot), version 3.1.78.0-2 or later, and how to configure snort.

I think I get the idea and agree. It might be nice if there was a hint as to why it's "any" and not a specific network, and what it will lead to.

Since system administration is somewhat a matter of the creativity and vision of the system administrator himself, I agree with you. If a sysadmin is not using WAN but custom names, my suggestion is:

  • To put a note that if the classic configuration with WAN is not used, it should be entered manually. In /etc/config/snort, on the line 'option interface', describe the interface, and if there is more than one interface, use ':' as the separator.

Simply document how it is configured if there is customization of interface names and logic other than WAN and LAN. That would save a lot of time.

I will be testing this in the near future :slight_smile:

Nothing concrete, I've had an idea for a long time to test snort, but my home router has a rather complex configuration for a "home" router. And it takes time to sort it all out. I currently have a test environment on a VM. I want to see which rulesets detect what and how they are affected.
