I did.
First you need a device with at least 500MB; it uses around 300MB in total and I'm not loaded in yet.
Install the snort 3 package, then I use WinSCP to make the file system somewhat easier.
Download the rules from here, untar it and put the .rules set inside a self-made folder inside /etc/snort.
Then adjust the snort_defaults.lua file, like where the rules are etc.
Like:
---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
-- ftp_server = default_ftp_server
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'
-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'
---------------------------------------------------------------------------
-- default networks
---------------------------------------------------------------------------
-- List of DNS servers on your network
DNS_SERVERS = HOME_NET
-- List of ftp servers on your network
FTP_SERVERS = HOME_NET
-- List of web servers on your network
HTTP_SERVERS = HOME_NET
-- List of sip servers on your network
SIP_SERVERS = HOME_NET
-- List of SMTP servers on your network
SMTP_SERVERS = HOME_NET
-- List of sql servers on your network
SQL_SERVERS = HOME_NET
-- List of ssh servers on your network
SSH_SERVERS = HOME_NET
-- List of telnet servers on your network
TELNET_SERVERS = HOME_NET
Also in the snort config file I uncomment an alert log line so that all the alerts go to the system log.
Then SSH into your router and run
snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
If that runs without errors you can enable it at startup:
/etc/init.d/snort enable
/etc/init.d/snort start
To disable snort on startup use:
/etc/init.d/snort disable
That's what I did and it runs and gives me alerts like
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(arp_spoof) unicast ARP request"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
I really don't know what it does or is used for, I just have it running 3 days and I really want to use it more. I only know for sure that it's an intrusion detection system.
Good luck
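To get something useful out of the syslog alerts the post above ends with, here is an added example (my own code, not from the post or the snort project) that parses lines in exactly that format and counts them by Snort module and message, so the noisiest signatures surface first. The sample lines are constructed from the output quoted in the post, plus one non-snort line to show it being skipped; feeding it the output of `logread` on the router is an assumption about where your syslog ends up.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post:
#   <weekday> <Mon> <day> <HH:MM:SS> <year> <facility.level> snort: "(<module>) <text>"
# The last line is a non-snort syslog entry and must be ignored.
SAMPLE_LOG = """\
Sun Apr 3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:50 2022 auth.info snort: "(arp_spoof) unicast ARP request"
Sun Apr 3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr 3 21:38:51 2022 kern.info kernel: unrelated line that must be ignored
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'(?P<facility>[\w.]+) snort: "\((?P<module>[^)]+)\) (?P<text>[^"]*)"$'
)


def parse_alert(line):
    """Return {'ts','facility','module','text'} for one snort alert line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count alerts keyed by (module, text); non-snort lines are dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            counts[(alert["module"], alert["text"])] += 1
    return counts


if __name__ == "__main__":
    # On the router you would pipe in real output, e.g. `logread | python3 this.py`
    # (assumed; replace SAMPLE_LOG with sys.stdin.read() for that).
    for (module, text), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  ({module}) {text}")
```

The decoder alerts such as "(ipv4) IPv4 datagram length > captured length" come from Snort's packet decoder rather than the downloaded rule set, so a count like this quickly shows whether your alert volume is real rule hits or decoder noise worth tuning out.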