Snort3 - How can I configure it?

Hello,

Is anybody using Snort3 on the router?

If yes,

  • How did you manage to configure it?
  • Could you tell me where I can find a tutorial so I can configure it?

Thank you in advance.

I did.
First you need a device with at least 500 MB; it uses around 300 MB in total and I'm not loaded in yet.

Install the snort3 package, then I use WinSCP to make the file system somewhat easier.

Download the rules from here, untar it and put the .rules set inside a self-made folder inside /etc/snort.

Then adjust the snort_defaults.lua file (where the rules are, etc.), like:

---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
--     ftp_server = default_ftp_server
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)

RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'

---------------------------------------------------------------------------
-- default networks
---------------------------------------------------------------------------

-- List of DNS servers on your network
DNS_SERVERS = HOME_NET

-- List of ftp servers on your network
FTP_SERVERS = HOME_NET

-- List of web servers on your network
HTTP_SERVERS = HOME_NET

-- List of sip servers on your network
SIP_SERVERS = HOME_NET

-- List of SMTP servers on your network
SMTP_SERVERS = HOME_NET

-- List of sql servers on your network
SQL_SERVERS = HOME_NET

-- List of ssh servers on your network
SSH_SERVERS = HOME_NET

-- List of telnet servers on your network
TELNET_SERVERS = HOME_NET

Also, in the snort config file I uncommented an alert log line so that all the alerts go to the system log.

Then SSH into your router and run
snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq

If that runs without errors, you can enable it at startup:

/etc/init.d/snort enable
/etc/init.d/snort start

To disable Snort on startup use:

/etc/init.d/snort disable

That's what I did, and it runs and gives me alerts like:

Sun Apr  3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:50 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:50 2022 auth.info snort: "(arp_spoof) unicast ARP request"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"
Sun Apr  3 21:38:51 2022 auth.info snort: "(ipv4) IPv4 datagram length > captured length"

I really don't know what it does or is used for; I've just had it running for 3 days and I really want to use it more. I only know for sure that it's an intrusion detection system.

Good luck

1 Like

Are you saying that you have enabled blocking too?

You can enable blocking by enabling rules inside the rules file.

I also installed the OpenAppID plugin, so OpenAppID tells Snort what application is used. For example, if your phone is using YouTube, then Snort knows what the data should look like and blocks it if it's different. Also, you can write custom rules that block that application.

And there is a lot; I just found this out today :slight_smile: I'm still learning.

If you set up Snort right, your

snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq

should look like this:

root@OpenWrt:~# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
        alert_syslog
        ssh
        hosts
        host_cache
        pop
        so_proxy
        stream_tcp
        smtp
        gtp_inspect
        packets
        dce_http_proxy
        stream_icmp
        normalizer
        alerts
        rewrite
        ips
        stream_udp
        binder
        wizard
        appid
        search_engine
        file_id
        ftp_data
        ftp_server
        port_scan
        dce_http_server
        dce_smb
        dce_tcp
        telnet
        ssl
        sip
        rpc_decode
        netflow
        http_inspect
        network
        http2_inspect
        modbus
        host_tracker
        stream_user
        stream_ip
        trace
        back_orifice
        classifications
        dnp3
        active
        ftp_client
        decode
        daq
        stream
        references
        arp_spoof
        output
        process
        dns
        dce_udp
        imap
        stream_file
Finished /etc/snort/snort.lua:
Loading /etc/snort/rules/snort3-community.rules:
Finished /etc/snort/rules/snort3-community.rules:
--------------------------------------------------
rule counts
       total rules loaded: 1078
               text rules: 551
            builtin rules: 527
            option chains: 1078
            chain headers: 38
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     552       0       0       0
     src     117       1       0       0
     dst     400       7       0       0
    both       0       1       0       0
   total    1069       9       0       0
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0    1078       0    1078    /etc/snort/snort.lua
--------------------------------------------------
flowbits
                  defined: 45
              not checked: 37
--------------------------------------------------
service rule counts          to-srv  to-cli
                      dns:        4       0
                      ftp:        4       2
                 ftp-data:        1      44
                     http:      287      77
                    http2:      287      77
                     imap:        1      65
                      irc:        1       1
              netbios-ssn:       24       1
                     pop3:        1      65
                      rdp:        1       0
                     smtp:       66       0
                      ssl:       11      16
                   telnet:        2       0
                    total:      690     348
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:        8      21       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       10       8
                      key:        5       0
                   header:        2       5
                     body:        2       0
                     file:        3       5
                  raw_key:        2       0
                   cookie:        2       0
--------------------------------------------------
search engine
                instances: 70
                 patterns: 1221
            pattern chars: 15119
               num states: 12055
         num match states: 1175
             memory scale: KB
             total memory: 417.993
           pattern memory: 62.3916
        match list memory: 137.367
        transition memory: 209.484
Error - appid: can not run DetectorInit, ...enappid/odp/odp/lua/content_group_process_client_352.lua:528: attempt to call method 'addProcessToClientMapping' (a nil value)
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo

Ctrl+C to exit the snort process in the terminal.

1 Like

Hello,

First, thank you for your nice how-to, but I did the same and the community rules won't be used.
It always looks like this:

root@OpenWrt:/etc/config# snort -c "/etc/snort/snort.lua" -i "lo" --daq-dir /usr/lib/daq
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
        ssh
        hosts
        host_cache
        pop
        so_proxy
        stream_tcp
        smtp
        gtp_inspect
        packets
        dce_http_proxy
        stream_icmp
        normalizer
        alerts
        rewrite
        ips
        stream_udp
        binder
        wizard
        appid
        search_engine
        file_id
        ftp_data
        ftp_server
        port_scan
        dce_http_server
        dce_smb
        dce_tcp
        telnet
        ssl
        sip
        rpc_decode
        netflow
        http_inspect
        network
        http2_inspect
        modbus
        host_tracker
        stream_user
        stream_ip
        trace
        back_orifice
        classifications
        dnp3
        active
        ftp_client
        decode
        daq
        stream
        references
        arp_spoof
        output
        process
        dns
        dce_udp
        imap
        stream_file
Finished /etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] lo

here the config:

root@OpenWrt:/etc/snort# cat snort_defaults.lua
---------------------------------------------------------------------------
-- Snort++ defaults
--
-- include in your snort.lua with a dofile statement
-- after you set HOME_NET and EXTERNAL_NET
--
-- use these by assignment, eg
--     ftp_server = default_ftp_server
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- Set paths, ports, and nets:
--
-- variables with 'PATH' in the name are vars
-- variables with 'PORT' in the name are portvars
-- variables with 'NET' in the name are ipvars
-- variables with 'SERVER' in the name are ipvars
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)

RULE_PATH = '/etc/snort/rules'
BUILTIN_RULE_PATH = '/etc/snort/builtin_rules'
PLUGIN_RULE_PATH = '/etc/snort/so_rules'

-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '/etc/snort/lists'
BLACK_LIST_PATH = '/etc/snort/lists'

Any ideas what's wrong?
Thanks in advance!

so long

EDIT:
I found the mistake; it's a missing part:
To use the community rules, you have to uncomment and fix the line in the ips section of "/etc/snort/snort.lua" like this:
include = '/etc/snort/rules/snort3-community.rules',

so long

1 Like
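The two problems in this thread so far, rule paths that do not exist and an include line still commented out in the ips section, can both be caught before running snort. The following is an added example (not the thread's or the OpenWrt snort package's own code); the function names, the temporary file layout and the sample rule are constructed for the demo, and on a router you would point the functions at /etc/snort/snort_defaults.lua and /etc/snort/snort.lua.

```shell
#!/bin/sh
# Added example (not the thread's or the OpenWrt snort package's own code): checks
# that the *_PATH entries in snort_defaults.lua point at existing directories and
# that snort.lua has an uncommented "include = '...'" naming a rules file that
# actually contains rules. Files below are constructed under a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/rules" "$WORK/builtin_rules"        # so_rules left missing on purpose
printf '%s\n' 'alert tcp any any -> any 23 (msg:"demo telnet"; sid:1000001; rev:1;)' \
    > "$WORK/rules/snort3-community.rules"

cat > "$WORK/snort_defaults.lua" <<EOF
RULE_PATH = '$WORK/rules'
BUILTIN_RULE_PATH = '$WORK/builtin_rules'
PLUGIN_RULE_PATH = '$WORK/so_rules'
EOF

# snort.lua with the include line still commented out: snort starts cleanly
# but loads no text rules, which is the symptom reported above
cat > "$WORK/snort.lua" <<EOF
ips =
{
    enable_builtin_rules = true,
    -- include = '$WORK/rules/snort3-community.rules',
    variables = default_variables
}
EOF

# lua_string FILE NAME -> value of the first line "NAME = '...'" in FILE
lua_string() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_paths DEFAULTS -> one "NAME ok|missing PATH" line per *_PATH variable
check_paths() {
    for v in RULE_PATH BUILTIN_RULE_PATH PLUGIN_RULE_PATH; do
        p=$(lua_string "$1" "$v")
        if [ -d "$p" ]; then echo "$v ok $p"; else echo "$v missing $p"; fi
    done
}

# active_includes SNORT_LUA -> file named by every uncommented include line;
# a line whose first token is "--" is a Lua comment and is skipped
active_includes() {
    sed -n "s/^[[:space:]]*include[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# usable_includes SNORT_LUA -> how many active includes name an existing file
# containing at least one rule line
usable_includes() {
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ -f "$f" ] && grep -qE '^(alert|drop|block|pass|log|reject) ' "$f"; then
            n=$((n + 1))
        fi
    done <<EOF
$(active_includes "$1")
EOF
    echo "$n"
}

# Demo: paths first, then the include check before and after uncommenting the line
check_paths "$WORK/snort_defaults.lua"
echo "usable includes before fix: $(usable_includes "$WORK/snort.lua")"
sed "s|^\([[:space:]]*\)-- include = |\1include = |" "$WORK/snort.lua" > "$WORK/snort.fixed.lua"
echo "usable includes after fix:  $(usable_includes "$WORK/snort.fixed.lua")"
```

`snort -T` remains the final check; this script only explains the silent case where snort starts cleanly but its startup output shows no "rule counts" section at all.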

Hi,

Did anyone also succeed in installing and configuring the snort_extras package so as to enable app flow tracking?

I edited and updated the wiki, https://openwrt.org/docs/guide-user/services/snort

Maybe someone with more knowledge can proofread and correct any errors I may have made.

EDIT: I'm not sure I got it right for dropping mode (IPS). It does work in alert mode though (IDS). I think there is some more stuff to define to get dropping mode working, including defining two NICs or network devices. Maybe someone else can help.

EDIT2: I am getting MUCH closer to getting this running properly. If anyone is following along with my wiki page edits, what I have there is current except for this little bit: in order to get Snort to drop rule matches, you have to edit /etc/init.d/snort and append a -Q to the procd_set_param command line in order to get the DAQ mode from passive to inline, for reasons that aren't yet obvious to me. Could be that I don't have something quite right in the config file, but I'm still working through this.

Example:

procd_set_param command $PROG -Q -q --daq-dir /usr/lib/daq/ -i "$interface" -c "${config_dir%/}/snort.lua" -A "$alert_module"

@lleachii @spence @develox2021 - any of you guys running based on my wiki edits?

Note that you can see this immediately when you test your config:

# snort -c "/etc/snort/snort.lua" --daq-dir /usr/lib/daq -T
...
afpacket DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Forcing it with the -Q flag gives both the expected inline result here as well as in the logs of actual traffic getting dropped:

# snort -c "/etc/snort/snort.lua" --daq-dir /usr/lib/daq -T -Q
...
afpacket DAQ configured to inline.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Examples (note the drop):

11/30-16:52:47.039465 [drop] [**] [1:254:16] "PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority" [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 1.1.1.1:53 -> 10.9.1.203:55003
11/30-16:54:45.588756 [drop] [**] [1:51037:1] "POLICY-OTHER IGMP membership query attempt" [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {IP} 0.0.0.0 -> 224.0.0.1
3 Likes

No, I'm not running snort yet. I'm glad to see an update to the wiki so it might help me when I do try it.

2 Likes

For me snort is not working. It would be great if someone could create a video for configuring snort. I followed the official documentation https://openwrt.org/docs/guide-user/services/snort

I did: https://openwrt.org/docs/guide-user/services/snort

1 Like

Is there some special technique to enable Snort3 and not lose one's internet connection or modem DHCP lease? Apparently, my modem frequently renews the DHCP lease and that is how my internet connection is maintained. Snort3 starts blocking these requests in short order using the default settings and following your wiki edits. Do you have any suggestions to stop this specific behavior?

Are you running it on your router/firewall or on a remote device?

On the router itself.

Here is the full network topology. The modem is connected to a non-OpenWrt VLAN switch. The VLAN switch is tagging packets for the OpenWrt router, which is acting as a router between the tagged and untagged networks. The switch is also providing additional Ethernet ports for all the access points. Snort is installed on the router itself.

My setup is moving the switch after the router and it works fine. I don't understand it with the switch before the modem.

The switch is after the modem, but before the router. There are vlan10 and vlan20. An Ethernet cable connects from the modem to the switch and gets vlan20 for WAN. The cable from the switch to the router gets vlan10 for LAN, but also serves as a trunk port. wan and wan6 on the router use eth0.20 as the WAN interface, and eth0.10 for the br-lan bridge. The remaining Ethernet ports on the switch serve as ports for the LAN network. But I guess Snort must not be compatible this way.

So I am trying it with tweak connectivity. It seems to have maybe solved the connectivity issue.

--tweaks connectivity

Did you have to do this step in order to perform IPS:

cd /path/to/rules
for i in *.rules; do sed -i s'/^alert/drop/' "$i"; done

Or is this relevant to older versions of snort?

1 Like

Yes, that is needed with snort3.

Did you do that with only the regular rules directory or also the builtins and so_rules?

Just snort.rules.

1 Like
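An added example, not from the thread, of the alert-to-drop conversion done by the sed loop above, but with a backup copy, a count of changed rules and a way back. The rules file, its sids and the function names are constructed for the demo; it runs on a copy and shows that a commented-out rule is left alone.

```shell
#!/bin/sh
# Added example (not from the thread): does what the sed loop above does, but
# keeps a .bak copy, only touches lines that begin with the action word (so a
# commented-out "# alert ..." rule stays commented), reports how many rules it
# changed, and can put the file back. The rules file below is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/snort.rules" <<'EOF'
# a comment line is left alone
alert tcp any any -> any 23 (msg:"demo telnet"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"disabled rule stays commented"; sid:1000002; rev:1;)
drop tcp any any -> any 21 (msg:"already drop"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"demo ip"; sid:1000004; rev:1;)
EOF

# count_action FILE ACTION -> number of active rules whose action is ACTION
count_action() {
    grep -c "^$2 " "$1" || true   # grep -c exits 1 on zero matches; keep the printed 0
}

# swap_action FILE FROM TO -> rewrites "FROM ..." rule lines as "TO ...", keeps
# FILE.bak from before the first change, prints how many rules changed
swap_action() {
    [ -f "$1.bak" ] || cp "$1" "$1.bak"
    before=$(count_action "$1" "$2")
    sed "s/^$2 /$3 /" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    after=$(count_action "$1" "$2")
    echo $((before - after))
}

# restore FILE -> put the pre-change copy back
restore() {
    cp "$1.bak" "$1"
}

# Demo on a copy; over a rules directory the loop from the post becomes
#   for i in *.rules; do swap_action "$i" alert drop; done
cp "$WORK/snort.rules" "$WORK/demo.rules"
echo "converted: $(swap_action "$WORK/demo.rules" alert drop)"          # 2
echo "active drop rules now: $(count_action "$WORK/demo.rules" drop)"   # 3
```

On the router, run `swap_action` over each .rules file as the loop above does; `restore` puts a file back from its .bak if dropping proves too aggressive, as with the DHCP lease problem described earlier in the thread.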