Snort IDS/IPS with iptables by adding fwsnort?

Hello all,

I've been looking at Snort, and I realized there's no software to block alerts on OpenWRT. I noted that SnortSam requires a second agent to run. fwsnort seems to only require the iptables string match module.

This seems like a good software to add to OpenWRT...any thoughts?


Trying to get into "firewalls". Stumbled upon this when searched snort.
Where would be a good place to start on snort3 on openwrt?
I want to gives it a try, which I understand 3 is the first version to use multi-cores.
Also I was under impression snort is self-sufficient.
It appears it's not if add-ons SnortSam/fwsnort is required.

Lastly, is snort on pfsense any different from snort on openwrt?
I read you @lleachii recommended someone to use pfsense+snort.

Are you able to test and see if it compiles and runs in 18.06.2 and Snapshot?

Per the Package Table, the version in the repository is

No, snort only alerts. I've found no way to tell snort to block on OpenWrt. Some other process has to handle firewalling based on those hits/patterns you want to block.

Yes, Snort can block on pfsense. This is why I made a post to ask about adding the capability to OpenWrt. You must be referring to a conversation in another thread about someone who wanted to do the same. Sadly, that OP didn't understand someone had to work on the code to realize this in OpenWrt.

1 Like

I am going to give it a try.
Do you think I can use available openWRT Makefile from version (2.9)?
There are supposed to be drastic changes from 2.9 to 3.0 hence the doubt.

Wait, I can see snort3 here:

Does it mean Snapshot already has snort3?

So I downloaded snapshot sdk and snort3 source and tried building.
It failed with CMake related errors. Probably the latest sdk hasn't yet added support for this package.

  • Can you post the make errors? (Perhaps someone else will see and can assist.)
  • Are you saying that snort3 had the error compiling?
  • Also, do you see in code a way to block directly thru snort?

I have raised a ticket here:
" snort3: fails to build"

Posting error below:

   openwrt_sdk/openwrt-sdk-x86-64_gcc-7.4.0_musl.Linux-x86_64/staging_dir/toolchain-x86_64_gcc-7.4.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/7.4.0/../../../../x86_64-openwrt-linux-musl/bin/ld: cannot find -ltirpc
    collect2: error: ld returned 1 exit status
    make[4]: *** [cmTC_b52d1] Error 1
    make[4]: Leaving directory `openwrt-sdk-x86-64_gcc-7.4.0_musl.Linux-x86_64/build_dir/target-x86_64_musl/snort3/snort-3.0.0/CMakeFiles/CMakeTmp'
    make[3]: *** [cmTC_b52d1/fast] Error 2
    make[3]: Leaving directory `openwrt_sdk/openwrt-sdk-x86-64_gcc-7.4.0_musl.Linux-x86_64/build_dir/target-x86_64_musl/snort3/snort-3.0.0/CMakeFiles/CMakeTmp'

  CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
  CMakeLists.txt:2 (project)

Yes. It had error cross compiling for openwrt with x86_64 snapshot sdk. It compiled fine on ubuntu.

No clue on this. I have not gone through the code.

1 Like

@rakesh, thanks for this progress. I definitely appreciate it!!!

any success in compilation and test(s) ?

Thanks in advance for the feedback

Old topic but still a (good) actual question...

1 Like
opkg update
opkg install perl perlbase-socket perlbase-io perlbase-file perlbase-sys perlbase-data perlbase-getopt

Can't locate IPTables/ in @INC (you may need to install the IPTables::Parse module) (@INC contains: /usr/lib/perl5/5.28) at /usr/sbin/fwsnort line 4288.
Can't locate NetAddr/ in @INC (you may need to install the NetAddr::IP module) (@INC contains: /usr/lib/perl5/5.28) at /usr/sbin/fwsnort line 4289.
Can't locate in @INC (you may need to install the AutoLoader module) (@INC contains: /usr/lib/perl5/5.28) at /usr/lib/perl5/5.28/NetAddr/IP/ line 9.
opkg install perlbase-autoloader
Can't locate auto/NetAddr/IP/InetBase/autosplit.ix in @INC (@INC contains: /usr/lib/perl5/5.28) at /usr/lib/perl5/5.28/ line 181.

try this maybe:
cpan App::cpanminus
if its not works then try this:
curl -L | perl - App::cpanminus
after this another commands:

cpan IPTables::Parse
cpan NetAddr::IP
cpan AutoLoader
cpan reload cpan

then try again from point you failed.