Hello,
Is anybody using Snort3 on the router?
If yes,
- How did you manage to configure it?
- Could you tell me where I can find a tutorial so I can configure it?
Thank you in advance.
I did.
First you need a device with at least 500 MB; it uses around 300 MB in total and I'm not fully loaded yet.
Install the snort 3 package, then I use WinSCP to make the file system somewhat easier.
Download the rules from here, untar it and put the .rules set inside a folder of your own inside /etc/snort.
Then adjust the snort_defaults.lua file, e.g. where the rules are etc.
Like:
---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
-- ftp_server = default_ftp_server
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'
-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'
---------------------------------------------------------------------------
-- default networks
---------------------------------------------------------------------------
-- List of DNS servers on your network
DNS_SERVERS = HOME_NET
-- List of ftp servers on your network
FTP_SERVERS = HOME_NET
-- List of web servers on your network
HTTP_SERVERS = HOME_NET
-- List of sip servers on your network
SIP_SERVERS = HOME_NET
-- List of SMTP servers on your network
SMTP_SERVERS = HOME_NET
-- List of sql servers on your network
SQL_SERVERS = HOME_NET
-- List of ssh servers on your network
SSH_SERVERS = HOME_NET
-- List of telnet servers on your network
TELNET_SERVERS = HOME_NET
Also in the snort config file I uncomment an alert log line so that all the alerts go to the system log.
Then SSH into your router and run
snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
If that runs without errors you can enable it at startup:
/etc/init.d/snort enable
/etc/init.d/snort start
To disable snort on startup use:
/etc/init.d/snort disable
That's what I did and it runs and gives me alerts like
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(arp_spoof) unicast ARP request"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
I really don't know what it does or is used for; I've just had it running for 3 days and I really want to use it more. I only know for sure that it's an intrusion detection system.
Good luck
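The alerts above all come from Snort's alert_syslog output, so the quickest way to see what the sensor is actually flagging is to count them per module and message. The following is an added example, not code from this thread or from the Snort project: a POSIX sh (busybox-compatible) script that takes logread-style lines on stdin and prints one line per distinct alert with its count. Its only assumption is the line shape shown above, `<timestamp> auth.info snort: "(<module>) <message>"`; SAMPLE_LOG is constructed here, with one unrelated dnsmasq line mixed in to show that non-Snort lines are ignored.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): count the alerts that
# Snort 3's alert_syslog output wrote to the system log, per module and
# message. Assumption: alert lines look exactly like the logread output in the
# post above, i.e.   <timestamp> auth.info snort: "(<module>) <message>"
# Anything else in the log is ignored.

# Constructed sample, shaped like the post's logread lines, with one
# unrelated dnsmasq line mixed in to show that it is skipped.
SAMPLE_LOG='Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(arp_spoof) unicast ARP request"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 daemon.info dnsmasq[1234]: started, version 2.86
Sun Apr 3 21:38:52 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"'

# summarise_alerts: read log lines on stdin, print "count<TAB>module<TAB>message",
# most frequent first.
summarise_alerts() {
    awk '
        / snort: "\(/ {
            s = $0
            sub(/^.* snort: "\(/, "", s)       # drop timestamp, facility and "(
            sub(/"$/, "", s)                   # drop the closing quote
            i = index(s, ") ")                 # module name ends at the first ") "
            key = substr(s, 1, i - 1) "\t" substr(s, i + 2)
            count[key]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -nr
}

# alert_count MODULE: how many alerts MODULE produced in SAMPLE_LOG
# (prints nothing when the module never alerted).
alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_alerts \
        | awk -F '\t' -v m="$1" '$2 == m { print $1 }'
}

# Stand-alone run on the constructed sample; on the router use:
#   logread | summarise_alerts
printf '%s\n' "$SAMPLE_LOG" | summarise_alerts
```

On the router, `logread | summarise_alerts` gives the same summary for the live log. A decoder message that repeats every second, like the ipv4 one above, says the packet was captured shorter than its IP header claims, which is a capture setting (snaplen or the interface being watched) rather than something on the network, so it is worth resolving before reading the counts as a picture of traffic.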
Are you saying that you have enabled blocking too?
You can enable blocking by enabling rules inside the rules file.
I also installed the OpenAppID plugin, so OpenAppID tells snort what application is used. For example, your phone is using YouTube, then snort knows what the data should look like and blocks it if it's different. Also you can write custom rules that block that application.
And there is a lot; I just found this out today, I'm still learning.
If you set up snort right, your
snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
should look like this:
root@OpenWrt:~# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
--------------------------------------------------
o")~ Snort++ 3.1.0.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
alert_syslog
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
smtp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
alerts
rewrite
ips
stream_udp
binder
wizard
appid
search_engine
file_id
ftp_data
ftp_server
port_scan
dce_http_server
dce_smb
dce_tcp
telnet
ssl
sip
rpc_decode
netflow
http_inspect
network
http2_inspect
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
ftp_client
decode
daq
stream
references
arp_spoof
output
process
dns
dce_udp
imap
stream_file
Finished /etc/snort/snort.lua:
Loading /etc/snort/rules/snort3-community.rules:
Finished /etc/snort/rules/snort3-community.rules:
--------------------------------------------------
rule counts
total rules loaded: 1078
text rules: 551
builtin rules: 527
option chains: 1078
chain headers: 38
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 552 0 0 0
src 117 1 0 0
dst 400 7 0 0
both 0 1 0 0
total 1069 9 0 0
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 1078 0 1078 /etc/snort/snort.lua
--------------------------------------------------
flowbits
defined: 45
not checked: 37
--------------------------------------------------
service rule counts to-srv to-cli
dns: 4 0
ftp: 4 2
ftp-data: 1 44
http: 287 77
http2: 287 77
imap: 1 65
irc: 1 1
netbios-ssn: 24 1
pop3: 1 65
rdp: 1 0
smtp: 66 0
ssl: 11 16
telnet: 2 0
total: 690 348
--------------------------------------------------
fast pattern port groups src dst any
packet: 8 21 1
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 10 8
key: 5 0
header: 2 5
body: 2 0
file: 3 5
raw_key: 2 0
cookie: 2 0
--------------------------------------------------
search engine
instances: 70
patterns: 1221
pattern chars: 15119
num states: 12055
num match states: 1175
memory scale: KB
total memory: 417.993
pattern memory: 62.3916
match list memory: 137.367
transition memory: 209.484
Error - appid: can not run DetectorInit, ...enappid/odp/odp/lua/content_group_process_client_352.lua:528: attempt to call method 'addProcessToClientMapping' (a nil value)
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo
Ctrl + C to exit the snort process in the terminal
Hello,
First, thank you for your nice how-to, but I did the same and the community rules won't be used.
It always looks like this:
root@OpenWrt:/etc/config# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
--------------------------------------------------
o")~ Snort++ 3.1.0.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
smtp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
alerts
rewrite
ips
stream_udp
binder
wizard
appid
search_engine
file_id
ftp_data
ftp_server
port_scan
dce_http_server
dce_smb
dce_tcp
telnet
ssl
sip
rpc_decode
netflow
http_inspect
network
http2_inspect
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
ftp_client
decode
daq
stream
references
arp_spoof
output
process
dns
dce_udp
imap
stream_file
Finished /etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo
Here is the config:
root@OpenWrt:/etc/snort# cat snort_defaults.lua
---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
-- ftp_server = default_ftp_server
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'
-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'
Any ideas what's wrong?
Thanks in advance!
So long
EDIT:
I found the mistake; it's a missing part:
To use the community rules, you have to uncomment and fix the line in the ips section of "/etc/snort/snort.lua" like this:
include = '/etc/snort/rules/snort3-community.rules',
So long
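As a check for exactly the mistake found in the edit above, here is an added example in POSIX sh (not from this thread or from the Snort project): it reads a snort.lua, finds the first active `include = '...'` line inside the `ips` table, and confirms that the file it names is readable. The two snort.lua fragments are constructed for the example, one with the include still commented out and one with it fixed; the assumptions are that the include is written as `include = '<path>',` inside `ips = { ... }` and that a line beginning with `--` is a Lua comment and therefore inactive.

```shell
#!/bin/sh
# Added example (not from the thread or from the Snort project): check that a
# Snort 3 snort.lua really has an active rules include in its ips table, the
# mistake described in the post above. Assumptions: the include is written as
#   include = '<path>',
# inside `ips = { ... }`, and a line whose first non-blank chars are `--` is a
# Lua comment and therefore inactive.

# rule_include_path FILE: print the path from the first active include line
# inside the ips table of FILE; print nothing if there is none.
rule_include_path() {
    awk -v q="'" '
        /^[ \t]*--/              { next }        # commented-out line, ignore it
        /^[ \t]*ips[ \t]*=/      { in_ips = 1 }  # entering the ips table
        in_ips && /^[ \t]*}/     { in_ips = 0 }  # leaving the ips table
        in_ips && /include[ \t]*=/ {
            s = $0
            s = substr(s, index(s, q) + 1)       # text after the opening quote
            print substr(s, 1, index(s, q) - 1)  # up to the closing quote
            exit
        }
    ' "$1"
}

# check_rules_config FILE: succeed only when an active include exists and the
# file it points at is readable, so `snort -c FILE` will actually load rules.
check_rules_config() {
    path=$(rule_include_path "$1")
    if [ -z "$path" ]; then
        echo "$1: no active 'include = ...' line in the ips table" >&2
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "$1: ips include points at '$path', which is not readable" >&2
        return 2
    fi
    echo "$1: ips table loads $path"
}

# Constructed fixtures: an empty stand-in for the rules file and two snort.lua
# fragments, one broken (include still commented out) and one fixed.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
mkdir -p "$TMP/rules"
: > "$TMP/rules/snort3-community.rules"

cat > "$TMP/broken.lua" <<'EOF'
ips =
{
    --enable_builtin_rules = true,
    --include = 'snort3-community.rules',
    variables = default_variables
}
EOF

cat > "$TMP/fixed.lua" <<EOF
ips =
{
    --enable_builtin_rules = true,
    include = '$TMP/rules/snort3-community.rules',
    variables = default_variables
}
EOF

# Stand-alone run over both fixtures; on the router point it at /etc/snort/snort.lua.
for f in broken fixed; do
    check_rules_config "$TMP/$f.lua" || echo "-> $f.lua would start snort with no text rules"
done
```

Run it against /etc/snort/snort.lua on the router, then follow up with `snort -c /etc/snort/snort.lua -T`, which validates the configuration and prints the rule counts without processing packets. A config whose include is still commented out starts without complaint and simply loads no text rules, which is why the rule counts block never appears in the output posted above.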