Snort3 help - doesn't work at all

hello, I need some help to get snort3 to work properly. I have read several threads and they are so different and none of them works.

I figured out that my test rule doesn't work at all, so why not? There must be something wrong...
here are my config files:

/etc/config/firewall:

...
config include
        option enabled '1'
        option type 'script'
        option path '/etc/snort/snort-table.sh'
        option fw4_compatible '1'

/etc/snort/snort-table.sh:

#!/bin/sh

verbose=false

nft list tables | grep -q 'snort' && nft flush table inet snort

nft -f - <<TABLE
    table inet snort {
        chain IPS {
            type filter hook forward priority filter; policy accept;

            counter  queue flags bypass to 4-6

#           meta l4proto tcp               counter  queue flags bypass to 4
#           meta l4proto udp               counter  queue flags bypass to 5
#           meta l4proto != { tcp, udp }   counter  queue flags bypass to 6
        }
    }
TABLE

$verbose && nft list table inet snort

exit 0

/etc/init.d/snort:

#!/bin/sh /etc/rc.common

START=99
STOP=10

USE_PROCD=1
PROG=/usr/bin/snort
# UCI file that procd watches for changes; the original script referenced
# $CONFIGFILE without ever setting it (name follows the 'snort' UCI package)
CONFIGFILE=/etc/config/snort

validate_snort_section() {
        uci_validate_section snort snort "${1}" \
                'config_dir:string' \
                'interface:string'
}

start_service() {
        local config_dir interface

        validate_snort_section snort || {
                echo "validation failed"
                return 1
        }

        procd_open_instance
        procd_set_param command $PROG -q -i "$interface" -c "${config_dir%/}/snort.lua" --tweaks local
        procd_set_param env SNORT_LUA_PATH="$config_dir"
        procd_set_param file $CONFIGFILE
        procd_set_param respawn
        procd_close_instance
}

stop_service()
{
        service_stop ${PROG}
}

service_triggers()
{
        procd_add_reload_trigger "snort"
        procd_add_validation validate_snort_section
}

/etc/snort/local.lua:

-- use this file to customize any functions defined in /etc/snort/snort.lua

-- switch tap to inline in ips and uncomment the below to run snort in inline mode
snort = {}
snort["-Q"] = true

ips = {
  -- mode = 'tap',
  mode = 'inline',
  variables = default_variables,
  action_override = 'drop',
  -- uncomment and change the below to reflect rules or symlinks to rules on your filesystem
  -- a Lua table keeps only the last of several 'include =' keys, so three of them would
  -- load just the final file; list the rule files as include lines in 'rules' instead
  rules = 'include ' .. RULE_PATH .. '/snort.rules\n' ..
          'include ' .. RULE_PATH .. '/snort3-community-rules/snort3-community.rules\n' ..
          'include ' .. RULE_PATH .. '/snort3-registered-rules/includes.rules\n',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  modules = {
    {
      name = 'afpacket',
      mode = 'inline',
    }
  }
}

alert_syslog = {
  level = 'info',
}

-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
output.logdir = '/var/log/snort'
alert_fast = {
  file = true,
  packet = false,
}

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

-- To use openappid with snort, install the openappid package and uncomment the below
--appid = {
--    app_detector_dir = '/usr/lib/openappid',
--    log_stats = true,
--    app_stats_period = 60,
--}

/etc/snort/homenet.lua:

-- setup HOME_NET below with your IP range/ranges to protect
HOME_NET = [[ 192.168.0.0/24 192.168.3.0/24 192.168.4.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"

thx!

Could you provide the output from ubus call system board?

If you're running SNAPSHOT, I've got a new package build Coming Soon™ (the PR was just merged a few hours ago, and it will take a while to get through the build process). With the new stuff, it should be much simpler for you to get things going.

What to look for is a version 3.1.76.0-2 or greater (that -2 is the important bit as of today, but it might roll up to 3.1.77.0-1... which will also be fine).

$ opkg update > /dev/null ; opkg -A info snort3
Package: snort3
Version: 3.1.76.0-2

But, until that rolls out...

First, I'd recommend starting out using IDS (detection-only) mode for a while to see what's going to happen. (You don't want to lock yourself out of the router with some wacky combination of drop rules.)

Second, use of the action_override is probably not a good thing. That rewrites ALL of the rules, even the "inspect-only" ones to force drop packets that match, and many of the rules are simply warnings and should not induce a drop. (Also, get rid of the -Q option, see below for all the rest.)

Third, I'd not use the afpacket or nfq daq, use the pcap daq as it's much simpler to configure and will get you functioning sooner so you can play with other stuff. This means delete the nftables stuff, and use this as a starting point:

snort  = {
  -- Note, no "-Q" option enabled.
  ['--daq'] = 'pcap',
}

ips = {
  mode            = 'tap',
  variables       = default_variables,
  include         = '/etc/snort/' .. RULE_PATH .. '/snort.rules',
  -- ... and whatever else you've already got in hand ...
}

daq = {
  inputs      = { 'eth0' },
  snaplen     = 1518,
  module_dirs = { '/usr/lib/daq/', },
  modules     = {
    {
      name      = 'pcap',
      mode      = 'passive',
      variables = {},
    }
  }
}

... plus your already-existing logging config that looks fine...

Then test the config with the test option -T:

$ snort -T -c /etc/snort/snort.lua --tweaks local

If that doesn't error out, then do your /etc/init.d/snort restart and report back...

Thank you! Phew, that's too much for me, so please step by step.
It's running now after removing that part and a reboot:

/etc/config/firewall:

...
config include
        option enabled '1'
        option type 'script'
        option path '/etc/snort/snort-table.sh'
        option fw4_compatible '1'

I can see dropping results by now. But my test rule in snort.rules never shows up :confused:

alert icmp any any <> any any (msg:"TEST ALERT ICMP v4"; icode:0; itype: 8; sid:10000010; rev:001;)

Any ideas?

The next step is that pcap thing. So I still want IPS and not only IDS.
Do I have to install any further packages for pcap?

The config should be like this, right?

snort  = {
  -- Note, no "-Q" option enabled.
  ['--daq'] = 'pcap',
}

ips = {
  mode            = 'inline',
  variables       = default_variables,
  action_override = drop,
  include         = '/etc/snort/' .. RULE_PATH .. '/snort.rules',
  -- ... and whatever else you've already got in hand ...
}

daq = {
  inputs      = { 'eth0' },
  snaplen     = 1518,
  module_dirs = { '/usr/lib/daq/', },
  modules     = {
    {
      name      = 'pcap',
      mode      = 'inline',
      variables = {},
    }
  }
}

thank you!

edit:

Package: snort3
Version: 3.1.61.0-1

I reply separately for each q:

Are you testing across the specified interface? In other words, are you running ping on a machine that talks to something on the other side of "eth0"? I usually do ping -c4 8.8.8.8 from a workstation connected to the router, so that the packets come in on br-lan and leave through eth0, to make sure they are crossing snort's line-of-sight.

No, pcap is all built-in stuff, so nothing extra is needed. If you ultimately decide to go with nfq, and are using the old pre-my-updates version, then you'll need to manually install kmod-nft-queue, but both pcap and afpacket already have all their supporting packages in place.

Almost there... You've got both ips.mode and the daq module mode set to inline correctly, but you need to also add back the -Q option in the snort section.

snort  = {
  ['-Q']    = true,  -- Add this back in for inline mode = IPS.
  ['--daq'] = 'pcap',
}

Then you should see a message like this with a date stamp of "right now".

$ /etc/init.d/snort restart
$ logread -l 10
...
Sun Dec 17 07:59:17 2023 kern.info kernel: [165484.340866] device eth0 entered promiscuous mode

EDIT:
Also, if you run that snort -T ... config-check command, it will show this at the bottom of the output (if you see configured to passive, then it's still in IDS-only mode).

pcap DAQ configured to inline.

Snort successfully validated the configuration (with 139 warnings).
o")~   Snort exiting

And finally, ok so looks like you're on 23.05 (which is of course prudent if this is your gateway router). All the snort3 action is on the SNAPSHOT build, not sure if/when I'll backport to release, but here's a preview of what's already there via the config file:
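As an added check (not code from this thread or from the OpenWrt snort3 package, and separate from the config preview mentioned above): a small Python script that reads a Snort3 tweaks file such as local.lua and reports whether the three IDS/IPS knobs the replies keep coming back to (the -Q option, ips.mode and the DAQ module mode) agree, and also flags action_override and duplicate include keys. The SAMPLE string is a constructed tweaks file, not one posted in the thread.

```python
import re

TABLE_RE = re.compile(r"^\s*(\w+)\s*=\s*\{")            # top-level 'ips = {' / 'daq = {'
MODE_RE = re.compile(r"\bmode\s*=\s*['\"]?([\w-]+)")      # mode = inline / mode = 'passive'
Q_RE = re.compile(r"\[\s*['\"]-Q['\"]\s*\]\s*=\s*true")    # snort["-Q"] = true / ['-Q'] = true
def strip_lua_comment(line):
    """Drop a trailing '--' comment, but not a '--' inside quotes such as '--daq'."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif line.startswith("--", i):
            return line[:i]
    return line

def check_tweaks(lua_text):
    """Report what each IDS/IPS knob in a Snort3 tweaks file selects, plus any mismatches."""
    found = dict(q_option=False, ips_mode=None, daq_mode=None, action_override=False, ips_includes=0)
    table, depth = None, 0
    for raw in lua_text.splitlines():
        line = strip_lua_comment(raw)
        if depth == 0:                        # only a depth-0 line can open a new top-level table
            m = TABLE_RE.match(line)
            table = m.group(1) if m else None
        if Q_RE.search(line):
            found["q_option"] = True
        m = MODE_RE.search(line)
        if m and table in ("ips", "daq"):
            found[table + "_mode"] = m.group(1)
        if table == "ips":
            found["action_override"] |= bool(re.search(r"\baction_override\s*=", line))
            found["ips_includes"] += len(re.findall(r"\binclude\s*=", line))
        depth += line.count("{") - line.count("}")
    ips, daq, q = found["ips_mode"], found["daq_mode"], found["q_option"]
    checks = [
        (ips == "inline" and not q, "ips.mode is inline but -Q is not set: snort stays detection-only"),
        (ips == "inline" and daq != "inline", "ips.mode is inline but the DAQ module mode is %r" % daq),
        (ips == "tap" and (q or daq == "inline"), "ips.mode is tap but -Q or an inline DAQ is also set"),
        (found["action_override"], "action_override forces every rule, inspect-only ones included, to that action"),
        (found["ips_includes"] > 1, "duplicate 'include' keys in ips: Lua keeps only the last one"),
    ]
    found["problems"] = [msg for bad, msg in checks if bad]
    return found

# Constructed sample, not a file from the thread: inline mode with no -Q and action_override set.
SAMPLE = ("snort = { ['--daq'] = 'pcap' }\n"
          "ips = { mode = 'inline', action_override = drop, include = RULE_PATH .. '/snort.rules' }\n"
          "daq = { modules = { { name = 'pcap', mode = 'inline' } } }\n")
```

Run it as `check_tweaks(open('/etc/snort/local.lua').read())["problems"]` before the `snort -T` step to catch a half-switched IDS/IPS setup.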


After seeing the Auto-Configuration section I decided to give a try to the Snort3. I am on version 23.05.4 and with RPi 4. I tried the 1st command snort-rules --testing and I am getting the error -ash: snort-rules: not found.

It seems that Auto-Configuration will only work on the upcoming stable or SNAPSHOT. I also support porting it to the 23.05 version.

