Snort3 - How can I configure it?

Hello,

Is anybody using Snort3 on the router?

If yes,

  • How did you manage to configure it?
  • Could you tell me where I can find a tutorial so I can configure it?

Thank you in advance.

I did.
First you need a device with at least 500 MB; it uses around 300 MB in total and I'm not loaded in yet.

Install the snort3 package, then I use WinSCP to make the file system somewhat easier.

Download the rules from here, untar it and put the .rules set inside a folder of your own inside /etc/snort.

Then adjust the snort_defaults.lua file, e.g. where the rules are etc.,
like:

---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
--     ftp_server = default_ftp_server
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)

RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'

---------------------------------------------------------------------------
-- default networks
---------------------------------------------------------------------------

-- List of DNS servers on your network
DNS_SERVERS = HOME_NET

-- List of ftp servers on your network
FTP_SERVERS = HOME_NET

-- List of web servers on your network
HTTP_SERVERS = HOME_NET

-- List of sip servers on your network
SIP_SERVERS = HOME_NET

-- List of SMTP servers on your network
SMTP_SERVERS = HOME_NET

-- List of sql servers on your network
SQL_SERVERS = HOME_NET

-- List of ssh servers on your network
SSH_SERVERS = HOME_NET

-- List of telnet servers on your network
TELNET_SERVERS = HOME_NET




Also, in the snort config file I uncomment an alert log line so that all the alerts go to the system log.

Then SSH into your router and run
snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq

If that runs without errors you can enable it at startup:

/etc/init.d/snort enable
/etc/init.d/snort start

To disable Snort on startup use:

/etc/init.d/snort disable

That's what I did, and it runs and gives me alerts like

Sun Apr  3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:50 2022 auth.info snort: "(arp_spoof) unicast ARP request"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"

I really don't know what it does or what it is used for; I've just had it running for 3 days and I really want to use it more. I only know for sure that it's an intrusion detection system.

Good luck


Are you saying that you have enabled blocking too?

You can enable blocking by enabling rules inside the rules file.

I also installed the OpenAppID plugin, so OpenAppID tells Snort what application is used. For example, if your phone is using YouTube, then Snort knows what the data should look like and blocks it if it's different. Also, you can write custom rules that block that application.

And there is a lot; I just found this out today :slight_smile: I'm still learning.

If you set up Snort right, your

snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq

should look like this:

root@OpenWrt:~# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
        alert_syslog
        ssh
        hosts
        host_cache
        pop
        so_proxy
        stream_tcp
        smtp
        gtp_inspect
        packets
        dce_http_proxy
        stream_icmp
        normalizer
        alerts
        rewrite
        ips
        stream_udp
        binder
        wizard
        appid
        search_engine
        file_id
        ftp_data
        ftp_server
        port_scan
        dce_http_server
        dce_smb
        dce_tcp
        telnet
        ssl
        sip
        rpc_decode
        netflow
        http_inspect
        network
        http2_inspect
        modbus
        host_tracker
        stream_user
        stream_ip
        trace
        back_orifice
        classifications
        dnp3
        active
        ftp_client
        decode
        daq
        stream
        references
        arp_spoof
        output
        process
        dns
        dce_udp
        imap
        stream_file
Finished /etc/snort/snort.lua:
Loading /etc/snort/rules/snort3-community.rules:
Finished /etc/snort/rules/snort3-community.rules:
--------------------------------------------------
rule counts
       total rules loaded: 1078
               text rules: 551
            builtin rules: 527
            option chains: 1078
            chain headers: 38
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     552       0       0       0
     src     117       1       0       0
     dst     400       7       0       0
    both       0       1       0       0
   total    1069       9       0       0
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0    1078       0    1078    /etc/snort/snort.lua
--------------------------------------------------
flowbits
                  defined: 45
              not checked: 37
--------------------------------------------------
service rule counts          to-srv  to-cli
                      dns:        4       0
                      ftp:        4       2
                 ftp-data:        1      44
                     http:      287      77
                    http2:      287      77
                     imap:        1      65
                      irc:        1       1
              netbios-ssn:       24       1
                     pop3:        1      65
                      rdp:        1       0
                     smtp:       66       0
                      ssl:       11      16
                   telnet:        2       0
                    total:      690     348
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:        8      21       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       10       8
                      key:        5       0
                   header:        2       5
                     body:        2       0
                     file:        3       5
                  raw_key:        2       0
                   cookie:        2       0
--------------------------------------------------
search engine
                instances: 70
                 patterns: 1221
            pattern chars: 15119
               num states: 12055
         num match states: 1175
             memory scale: KB
             total memory: 417.993
           pattern memory: 62.3916
        match list memory: 137.367
        transition memory: 209.484
Error - appid: can not run DetectorInit, ...enappid/odp/odp/lua/content_group_process_client_352.lua:528: attempt to call method 'addProcessToClientMapping' (a nil value)
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo

Ctrl+C to exit the snort process in the terminal.


Hello,

First, thank you for your nice how-to, but I did the same and the community rules won't be used.
It always looks like that:

root@OpenWrt:/etc/config# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
        ssh
        hosts
        host_cache
        pop
        so_proxy
        stream_tcp
        smtp
        gtp_inspect
        packets
        dce_http_proxy
        stream_icmp
        normalizer
        alerts
        rewrite
        ips
        stream_udp
        binder
        wizard
        appid
        search_engine
        file_id
        ftp_data
        ftp_server
        port_scan
        dce_http_server
        dce_smb
        dce_tcp
        telnet
        ssl
        sip
        rpc_decode
        netflow
        http_inspect
        network
        http2_inspect
        modbus
        host_tracker
        stream_user
        stream_ip
        trace
        back_orifice
        classifications
        dnp3
        active
        ftp_client
        decode
        daq
        stream
        references
        arp_spoof
        output
        process
        dns
        dce_udp
        imap
        stream_file
Finished /etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo

here the config:

root@OpenWrt:/etc/snort# cat snort_defaults.lua
---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
--     ftp_server = default_ftp_server
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)

RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'

Any ideas what's wrong?
Thanks in advance!

so long

EDIT:
I found the mistake; it's a missing part:
to use the community rules, you have to uncomment and fix the line in the ips section of "/etc/snort/snort.lua" like this:
include = '/etc/snort/rules/snort3-community.rules',

so long

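The configuration steps scattered across this thread (the rule paths in snort_defaults.lua and the syslog output from the first answer, the --daq-dir from the command line, and the `include` line in the `ips` section that the last post found missing) pulled together into the sections of /etc/snort/snort.lua that actually need editing. This is an added example, not a file posted by anyone in the thread and not the stock OpenWrt snort.lua; the stock file's inspection sections (stream, http_inspect, wizard and friends) stay as they are. Assumptions of mine: HOME_NET of 192.168.1.0/24, the LAN bridge br-lan as the capture interface instead of lo (snort on lo only ever sees loopback traffic), the snaplen setting as the likely cause of the repeated "datagram length > captured length" decoder alerts, and the local rules in `ips.rules`. The community rules path, /usr/lib/daq and the auth.info syslog facility/level are taken from the thread.

```lua
-- /etc/snort/snort.lua (added example; sections to set in the stock file)
-- Check the config without sniffing:  snort -c /etc/snort/snort.lua -T
-- Run it:  snort -c /etc/snort/snort.lua -i br-lan --daq-dir /usr/lib/daq
--          (br-lan is an assumption; "lo" only shows loopback traffic)

-- 1. Networks. Set these BEFORE including snort_defaults.lua, because that
--    file derives DNS_SERVERS, HTTP_SERVERS, ... from HOME_NET.
HOME_NET = '192.168.1.0/24'   -- assumption: a typical OpenWrt LAN
EXTERNAL_NET = '!$HOME_NET'   -- everything that is not the LAN

-- 2. Paths (RULE_PATH = '/etc/snort/rules' etc.) come from snort_defaults.lua,
--    exactly as shown in the thread.
include 'snort_defaults.lua'
include 'file_magic.lua'

-- 3. DAQ. module_dirs is the same directory as --daq-dir on the command line.
--    The "(ipv4) IPv4 datagram length > captured length" alerts in the first
--    answer are what the decoder raises when a frame is longer than the capture
--    snaplen; raising it is my assumption about the cause, not a poster's.
daq =
{
    module_dirs = { '/usr/lib/daq' },
    snaplen = 65535,
}

-- 4. Rules. This is the part the last post found missing: without ips.include
--    the startup banner never prints the "rule counts" table and only the
--    builtin decoder/inspector alerts can fire.
ips =
{
    enable_builtin_rules = true,
    include = RULE_PATH .. '/snort3-community.rules',
    variables = default_variables,

    -- Local rules inline. Assumption: sid >= 1000000 so they never collide
    -- with community/Talos SIDs. A "block" rule only drops traffic when Snort
    -- runs with an inline DAQ; with the passive pcap DAQ used in the thread it
    -- is logged like an alert.
    rules = [[
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 ( msg:"LOCAL outbound telnet from LAN"; sid:1000001; rev:1; )
block tcp $EXTERNAL_NET any -> $HOME_NET 23 ( msg:"LOCAL inbound telnet to LAN"; sid:1000002; rev:1; )
    ]],
    -- With OpenAppID configured (appid = { app_detector_dir = ... } pointing at
    -- the openappid package directory, a path this thread does not give), an
    -- application can be matched by name instead of by port, e.g.:
    --   alert tcp any any -> any any ( msg:"LOCAL YouTube seen"; appid:youtube; sid:1000003; rev:1; )
}

-- 5. Output. The "alert log line" the first answer uncomments; these two values
--    are what produce the "auth.info snort:" lines shown in the thread.
alert_syslog =
{
    facility = 'auth',
    level = 'info',
}
```

Run `snort -c /etc/snort/snort.lua -T` after every change: it loads the config and the rules, prints the same rule-count tables as a real start, and exits, so a typo in the `include` path or a bad rule shows up before `/etc/init.d/snort start`. If the "text rules" line in "rule counts" is missing, the `ips.include` line is still commented out or points at the wrong file.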