I have OpenWrt 23.05.3 on a VM. The idea behind setting it up is to check how mwan3 + snort work together.
Regarding the snort documentation, there are a few things that could be added and/or fixed.
uci set snort.snort.home_net="any" - I may be mistaken here, but I need the LAN network here, for example 192.168.1.0/24, according to the documentation above.
uci set snort.snort.interface="$(uci get network.wan.device)" - what if there is no WAN, as in my case? I have 2 delivery links and my interfaces are eth0.2 and eth0.270.
Since enumeration is done with ":":
uci set snort.snort.interface="eth0.2:eth0.270"
The snort-rules and snort-mgr commands are not in the base package; I found them here:
Having done the following:
I downloaded snort-rules and snort-mgr into /usr/bin and made them executable, but for them to work, nftables.uc, snort.uc and main.uc must also be downloaded:
mkdir -p /usr/share/snort/templates
main.uc > /usr/share/snort/main.uc
nftables.uc > /usr/share/snort/templates/nftables.uc
snort.uc > /usr/share/snort/templates/snort.uc
Additionally, download the init.d script as well as the snort config file.
After that the snort-rules and snort-mgr commands work.
I have an oinkcode, and that is where I have a problem.
If I enter the oinkcode I can't use snort3-community-rules.
How can I get snort3-community-rules and other rules into builtin_rules and so_rules?
I believe the community-rules with the member rules are redundant. You do not need them. If you wanted to you could simply concatenate the various rules files together... this is how I do it:
```zsh
#!/bin/zsh
livedir=/mnt/data/snort
shortver=31470
snort=/tmp/snort-$(date "+%Y%m%d")
oinkcode='xxx'

# fetch the subscription snapshot for this snort version
wget -q "https://www.snort.org/rules/snortrules-snapshot-$shortver.tar.gz?oinkcode=$oinkcode" -O /tmp/new.tar.gz || exit 1

# compare against the checksum of the last tarball so unchanged rules are skipped
if [[ -f "$livedir"/new.tar.gz.md5 ]]; then
    if md5sum -c -s "$livedir"/new.tar.gz.md5; then
        echo " >>> rules have not changed so quit"
        rm -f /tmp/new.tar.gz
        exit
    else
        echo " >>> rules have changed so continue"
    fi
else
    echo " >>> no checksum file found so using tarball as-is"
fi
md5sum /tmp/new.tar.gz > "$livedir"/new.tar.gz.md5

if [[ ! -d "$snort" ]]; then
    mkdir -p "$snort" || exit 1
fi
tar zxf /tmp/new.tar.gz -C "$snort" || exit 1

# keep the previous merged rules file as a dated backup
if [[ -f "$livedir"/snort.rules ]]; then
    mv -f "$livedir"/snort.rules "$livedir"/snort.rules-$(date "+%Y%m%d")
fi

cd "$snort"/rules || exit 1

# rule files for software/protocols not present on this network
removes=(
    snort3-browser-ie.rules
    snort3-browser-other.rules
    snort3-protocol-finger.rules
    snort3-protocol-scada.rules
    snort3-protocol-telnet.rules
    snort3-protocol-tftp.rules
    snort3-server-mssql.rules
    snort3-server-mysql.rules
    snort3-server-iis.rules
    snort3-os-solaris.rules
    snort3-os-windows.rules
)
for i in "${removes[@]}"; do
    rm -f "$i"
done

# concatenate the remaining files into one rules file
for i in *.rules; do cat "$i" >> snort.rules; done

# breaks discoveryplus
#sed -i '/PROTOCOL-ICMP Echo Reply/g' snort.rules
# lyra health breaks modem connection?
# 02/07-16:04:01.752362 [drop] [**] [1:402:16] "PROTOCOL-ICMP destination unreachable port unreachable packet detected" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 34.203.254.45 -> 10.9.8.202
sed -i '/PROTOCOL-ICMP destination unreachable port unreachable packet detected/d' snort.rules
# this kills stuff in lxc and when downloading systemd-253.6-2-aarch64.pkg.tar.xz
sed -i '/INDICATOR-SHELLCODE x86 setuid 0/d' snort.rules
# may affect pihole
sed -i '/PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority/d' snort.rules
# remove ssh port check
sed -i '/APP-DETECT SSH server detected on non-standard port/d' snort.rules
# do not stop pings
sed -i '/PROTOCOL-ICMP Echo Reply/d' snort.rules

# remove superfluous includes and comments, then rotate into place
sed -e '/^include/d' -e '/^#/d' snort.rules > "$livedir"/snort.rules
rm -rf "$snort"
echo " >>> restart snort to use new rules"
```
The "any" value will filter on all interfaces, so that if you have internal attackers going out, they will be detected. If you restrict it to a specific subnet, then you ignore attacks coming from that subnet, but it does save CPU cycles. I run snort on an over-muscled x86 and have CPU to burn, so I leave it at "any"...
As you've found, this is sort of brittle as I don't have a good way to auto-detect all possible configs (especially in light of multiple WAN interfaces). This might be one of the cases where we "fix" things in the documentation rather than the code. Do you have a better way to do this than the default uci get... that I've got in the code now?
Yeah, as John says, I think the community rules are redundant with the subscription rules (the latter being a superset of the former).
In my experience, enabling the builtin_rules will generate a huge amount of false positives. They look to me to include a ton of legacy stuff that cover various vulnerabilities that have been mitigated long ago, but it is interesting to see what they hit.
If you want to enable them, and are using the autoconfig with snort-mgr, you can do something like this:
I'm not sure about the so_rules stuff, I've looked at it a while back but forgot to take notes. Do you have anything specific you'd like me to look at?
You're not wrong, actually; at one point there really wasn't a snort3 in version 23.05 (this year), I think it was February or March when I checked. And by the day I asked my question, it had appeared.
I haven't downloaded the package again now, and I don't know if the snort-rules and snort-mgr files and their dependencies have been added. If they are not expected to be added in the future, it would be helpful to describe where they can be downloaded from, and what goes where.
If the snort-rules and snort-mgr files exist in the package in the snapshot, perhaps a point 4 should be added describing a configuration option for a normal version (NOT a snapshot), and for version 3.1.78.0-2 or later, how to configure snort.
I think I get the idea and agree. It might be nice if there were a hint as to why it's "any" and not a specific network, and what that leads to.
Since system administration is somewhat a kind of creativity and vision of the system administrator himself, I agree with you. If a sysadmin is not using WAN but custom names, my suggestion is:
Add a note that if the classic configuration with WAN is not used, the interface should be entered manually in /etc/config/snort on the line "option interface", and if there is more than one interface, use ':' as the separator.
Simply document how it is configured if there is customization of interface names and logic other than WAN and LAN. It saves a lot of time.
I will be testing this in the near future.
Nothing concrete; I've had an idea for a long time to test snort, but my home router has a rather complex configuration for a "home" router, and it takes time to sort it all out. I currently have a test environment on a VM. I want to see which rulesets detect what and how they are affected.
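One way to derive the multi-WAN interface list that the maintainer asks about and that the suggestion above would otherwise leave to manual editing: read every network in the firewall "wan" zone and join their devices with ':'. This is an added example, not the package's snort-mgr code; it assumes the quoted key='value' output format of `uci show` and a zone named "wan", and works on a constructed dump so it runs off-box.

```sh
#!/bin/sh
# Added example (not part of the OpenWrt snort package): build the snort
# "interface" value from all networks in the firewall wan zone, joined with
# ':' as snort-mgr expects, instead of reading only network.wan.device.
# Input is the text of "uci show network; uci show firewall" as one string.

# Constructed sample dump: two uplinks (mwan3 style) in the wan zone and a
# lan that must not be picked up. The zone uses the list form uci prints.
SAMPLE_UCI="network.lan.device='br-lan'
network.wan.device='eth0.2'
network.wanb.device='eth0.270'
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wanb'"

# Print the member networks of zone $2, one per line (handles both the
# list form 'wan' 'wanb' and the option form 'wan wanb').
zone_networks() {
    idx=$(printf '%s\n' "$1" \
        | sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='$2'$/\1/p" | head -n 1)
    [ -n "$idx" ] || return 0
    printf '%s\n' "$1" | sed -n "s/^firewall\.@zone\[$idx]\.network=//p" \
        | tr -d "'" | tr ' ' '\n'
}

# Print the device of logical network $2, e.g. wanb -> eth0.270.
network_device() {
    printf '%s\n' "$1" | sed -n "s/^network\.$2\.device='\(.*\)'$/\1/p"
}

# Join the wan-zone devices with ':'; fall back to network.wan.device when
# no zone named wan exists (custom zone names still need manual entry).
build_snort_interface() {
    out=""
    for net in $(zone_networks "$1" wan); do
        dev=$(network_device "$1" "$net")
        [ -n "$dev" ] || continue
        out="${out:+$out:}$dev"
    done
    [ -n "$out" ] || out=$(network_device "$1" wan)
    printf '%s\n' "$out"
}

# On a router: uci set snort.snort.interface="$(build_snort_interface "$(uci show network; uci show firewall)")"
build_snort_interface "$SAMPLE_UCI"
```

The result for the sample is eth0.2:eth0.270, the same string the first post entered by hand.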
I've installed snort (per the document) inside a container (Ubuntu as base), and I want snort to pick up, using NFQUEUE, the traffic that reaches another container on the same network space. I followed the document provided on the snort website about NFQUEUE, but in the end, when I run snort, I get the following error: Error receiving message from the DAQ instance: nfq_daq_msg_receive: Netlink message processing failed: -1 - Operation not permitted (1)
Just opkg update && opkg install snort3 and you get the custom nfq daq integration by default; no need to mess with hand configuration until you get it running. What version of OpenWrt are you running in the container, SNAPSHOT or 25.03.x?
I am using Ubuntu as the base layer; are there any packages for snort3, or should I use OpenWrt as the base image? Also, my other containers are Ubuntu based, so if I use OpenWrt and keep the same network space as the other Ubuntu containers, will this snort container be able to receive packets through NFQUEUE?
I created an image of OpenWrt using this document, and when I spin up a container of OpenWrt I don't see any snort or snort3 command recognised. I was under the impression that snort would be installed; can you help me with the right way of spinning up an OpenWrt container with snort installed?
I need an image to spin up a container with snort; what am I supposed to select at this link https://firmware-selector.openwrt.org/, which name or model?