I'm looking for guidance on installing Snort on OpenWRT version 23.05 running on a Raspberry Pi 3 Model B. My goal is to set up Snort for detecting Denial of Service (DoS) attacks on my Raspberry Pi router setup. Could anyone provide a step-by-step guide or point me in the right direction for accomplishing this task effectively?
If you only want to detect DDoS, the pcap DAQ mode would be recommended. If you also want to block them, it looks bad, because only the NFQ DAQ mode is able to block, since the AFpacket mode does not block anything for some reason that has not yet been found, and the NFQ mode only works behind the firewall. Alternatively, some time ago I wrote a script to extend the firewall with integrated DDoS detection and blocking: Syn flood protection for FORWARD? - #40 by xxxx
You may have to wait a bit; there's an issue with building snort3 on 23.05 right now and it has silently disappeared (Detecting a scan of a port - #17 by efahl). You could move up to a snapshot build, where everything is working just fine...
This only affects snort3, but since snort2 has never had any documentation on OpenWrt and has been dropped recently (it's still listed in everything up to and including 23.05), you probably don't want to bother with it.
You are confusing what Snort is. It is an intrusion detection system that controls all traffic and filters out dangerous packets from the Internet to the internal network. It is also able to recognize portscans and DDoS, but this only works if you put it in front of the firewall, and there is the problem, firstly, that there is currently no way that it can block the packets independently, so they still end up at the OpenWrt firewall; secondly, you will get a lot of false positives because Snort has to read all traffic, even traffic that is not intended for the device itself. It is not really suitable for what you want to use it for, because it requires a lot of computing power and your Pi 3 is simply too weak for that.