Snort IDS/IPS with iptables by adding fwsnort?

Hello all,

I've been looking at Snort, and I realized there's no software to block alerts on OpenWRT. I noted that SnortSam requires a second agent to run. fwsnort seems to only require the iptables string match module.

This seems like good software to add to OpenWRT... any thoughts?

http://cipherdyne.org/fwsnort/

2 Likes
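What fwsnort does, as an added example that is not fwsnort's own code or part of the original post: a small Python translator that turns a Snort rule with a `content:` option into an iptables `string` match rule that drops the traffic instead of only alerting. The sample rule, the `$HOME_NET`/`$EXTERNAL_NET` values and the `FWSNORT_FORWARD` chain name are constructed for the demo; a literal `;` inside content must be written as `|3B|`, as Snort itself requires.

```python
import re
import shlex

# Constructed Snort 2.x rule for the demo (not taken from any real ruleset).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-ATTACK sample cmd.exe request"; '
               'content:"cmd.exe"; nocase; sid:1000001; rev:1;)')
# Assumed network variables (fwsnort takes these from snort.conf / fwsnort.conf).
VARS = {'$HOME_NET': '192.168.1.0/24', '$EXTERNAL_NET': '0.0.0.0/0'}
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and the options we translate."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('unsupported rule syntax: %r' % rule)
    action, proto, src, sport, dst, dport, body = m.groups()
    r = {'action': action, 'proto': proto, 'src': src, 'sport': sport, 'dst': dst,
         'dport': dport, 'contents': [], 'msg': '', 'sid': ''}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, val = opt.partition(':')
        val = val.strip().strip('"')
        if key == 'content':
            r['contents'].append({'pattern': val, 'nocase': False})
        elif key == 'nocase' and r['contents']:
            r['contents'][-1]['nocase'] = True   # nocase modifies the preceding content
        elif key in ('msg', 'sid'):
            r[key] = val
    return r

def to_iptables(rule, variables=VARS, chain='FWSNORT_FORWARD', target='DROP'):
    """Render an iptables command that blocks what the Snort rule would only alert on."""
    r = parse_rule(rule)
    if not r['contents']:
        raise ValueError('rule has no content option: nothing for xt_string to match')
    cmd = ['iptables', '-A', chain, '-p', r['proto']]
    for flag, field in (('-s', 'src'), ('-d', 'dst')):
        addr = variables.get(r[field], r[field])
        if addr not in ('any', '0.0.0.0/0'):   # 'any' and 0.0.0.0/0 add no filter
            cmd += [flag, addr]
    for flag, field in (('--sport', 'sport'), ('--dport', 'dport')):
        if r[field] != 'any':
            cmd += [flag, r[field]]
    for c in r['contents']:
        # Snort's |xx| hex notation is the same one xt_string's --hex-string accepts.
        cmd += ['-m', 'string', '--algo', 'bm', '--hex-string', c['pattern']]
        if c['nocase']:
            cmd.append('--icase')
    cmd += ['-m', 'comment', '--comment', 'sid:%s %s' % (r['sid'], r['msg']), '-j', target]
    return ' '.join(shlex.quote(a) for a in cmd)
```

Rules without a `content:` option (pure header rules, or ones relying on PCRE, byte tests or flowbits) cannot be expressed with the string match and are rejected, which is also why fwsnort can only convert a subset of a ruleset.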

Trying to get into "firewalls". Stumbled upon this when I searched for snort.
Where would be a good place to start with snort3 on openwrt?
I want to give it a try; I understand 3 is the first version to use multiple cores.
Also I was under the impression snort is self-sufficient.
It appears it's not if add-ons like SnortSam/fwsnort are required.

Lastly, is snort on pfsense any different from snort on openwrt?
I read you @lleachii recommended someone to use pfsense+snort.

Are you able to test and see if it compiles and runs in 18.06.2 and Snapshot?

Per the Package Table, the version in the repository is 2.9.11.1-5.

No, snort only alerts. I've found no way to tell snort to block on OpenWrt. Some other process has to handle firewalling based on those hits/patterns you want to block.

Yes, Snort can block on pfsense. This is why I made a post to ask about adding the capability to OpenWrt. You must be referring to a conversation in another thread about someone who wanted to do the same. Sadly, that OP didn't understand someone had to work on the code to realize this in OpenWrt.

1 Like

I am going to give it a try.
Do you think I can use the available openWRT Makefile from version 2.9?
There are supposed to be drastic changes from 2.9 to 3.0, hence the doubt.

Wait, I can see snort3 here:

Does it mean Snapshot already has snort3?

Update:
So I downloaded snapshot sdk and snort3 source and tried building.
It failed with CMake related errors. Probably the latest sdk hasn't yet added support for this package.

  • Can you post the make errors? (Perhaps someone else will see and can assist.)
  • Are you saying that snort3 had the error compiling?
  • Also, do you see in the code a way to block directly through snort?

I have raised a ticket here: https://github.com/openwrt/packages/issues
" snort3: fails to build"

Posting error below:

    openwrt_sdk/openwrt-sdk-x86-64_gcc-7.4.0_musl.Linux-x86_64/staging_dir/toolchain-x86_64_gcc-7.4.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/7.4.0/../../../../x86_64-openwrt-linux-musl/bin/ld: cannot find -ltirpc
    collect2: error: ld returned 1 exit status
    make[4]: *** [cmTC_b52d1] Error 1
    make[4]: Leaving directory `openwrt-sdk-x86-64_gcc-7.4.0_musl.Linux-x86_64/build_dir/target-x86_64_musl/snort3/snort-3.0.0/CMakeFiles/CMakeTmp'
    make[3]: *** [cmTC_b52d1/fast] Error 2
    make[3]: Leaving directory `openwrt_sdk/openwrt-sdk-x86-64_gcc-7.4.0_musl.Linux-x86_64/build_dir/target-x86_64_musl/snort3/snort-3.0.0/CMakeFiles/CMakeTmp'

      CMake will not be able to correctly generate this project.
    Call Stack (most recent call first):
      CMakeLists.txt:2 (project)

Yes. It had an error cross-compiling for openwrt with the x86_64 snapshot sdk. It compiled fine on ubuntu.

No clue on this. I have not gone through the code.

1 Like

@rakesh, thanks for this progress. I definitely appreciate it!!!

Any success in compilation and test(s)?

Thanks in advance for the feedback.

Old topic, but still a (good) current question...

1 Like
opkg update
opkg install perl perlbase-socket perlbase-io perlbase-file perlbase-sys perlbase-data perlbase-getopt

Can't locate IPTables/Parse.pm in @INC (you may need to install the IPTables::Parse module) (@INC contains: /usr/lib/perl5/5.28) at /usr/sbin/fwsnort line 4288.
# installed via tar
Can't locate NetAddr/IP.pm in @INC (you may need to install the NetAddr::IP module) (@INC contains: /usr/lib/perl5/5.28) at /usr/sbin/fwsnort line 4289.
# installed manually
Can't locate AutoLoader.pm in @INC (you may need to install the AutoLoader module) (@INC contains: /usr/lib/perl5/5.28) at /usr/lib/perl5/5.28/NetAddr/IP/InetBase.pm line 9.
opkg install perlbase-autoloader
Can't locate auto/NetAddr/IP/InetBase/autosplit.ix in @INC (@INC contains: /usr/lib/perl5/5.28) at /usr/lib/perl5/5.28/AutoLoader.pm line 181.

Try this maybe:
cpan App::cpanminus
If that doesn't work, then try this:
curl -L http://cpanmin.us | perl - App::cpanminus
After this, run these other commands:

cpan IPTables::Parse
cpan NetAddr::IP
cpan AutoLoader
cpan reload cpan

Then try again from the point where you failed.