Snort3 or snort2 not working

I installed OpenWrt on an RPi 4 and it is working nicely, but for my academic project I wanted to install an IDS/IPS system on it. For that I tried Snort first, but after installing snort 2 I typed snort -T -c /etc/snort/snort.conf -I <interface name>, and it gives me the error ERROR: Can't find pcap DAQ! After taking help from ChatGPT, it said to check /etc/snort/snort.conf, which I did.

I ran it again and got:

Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: /etc/snort/snort.conf(247) Could not stat dynamic module path "/usr/local/lib/snort_dynamicpreprocessor/": No such file or directory.

Fatal Error, Quitting..

These kinds of errors and issues happened; finally I removed it and installed snort3.

After installing snort3, the static LAN stopped working for the D-Link router (access point); it only works for a single computer over LAN Ethernet. Since I can't use the Pi's wireless module, I made the router an access point and am using it as the wireless interface for other devices.

Currently I am installing CrowdSec, but I don't know how to work with it.
Another option is Suricata, but an official OpenWrt package is not available.

I have never been able to get snort2 to work, but snort3 works fine with some fiddling. Lots of info in the thread "Snort3 - How can I configure it?" and a couple of other threads.

Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
	ssh
	host_cache
	pop
	so_proxy
	stream_tcp
	mms
	smtp
	gtp_inspect
	packets
	dce_http_proxy
	ips
ERROR: /etc/snort/snort.lua: can't find ips.daq
	stream_icmp
	hosts
	normalizer
	binder
	wizard
	appid
	js_norm
	file_id
	http2_inspect
	http_inspect
	stream_udp
	ftp_data
	ftp_server
	search_engine
	port_scan
	dce_http_server
	dce_tcp
	dce_smb
	iec104
	cip
	telnet
	ssl
	sip
	rpc_decode
	netflow
	modbus
	host_tracker
	stream_user
	stream_ip
	trace
	back_orifice
	classifications
	dnp3
	active
	process
	ftp_client
	daq
	decode
	alerts
	stream
	references
	arp_spoof
	output
	network
	dns
	dce_udp
	imap
	file_policy
	s7commplus
	stream_file
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
ERROR: ips.rules:3 can't open rulessnort3-community.rules

Finished ips.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0     208       0     208    /etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 208
               text rules: 208
            option chains: 208
            chain headers: 1
--------------------------------------------------
service rule counts          to-srv  to-cli
                  file_id:      208     208
                    total:      208     208
--------------------------------------------------
fast pattern groups
                to_server: 1
                to_client: 1
--------------------------------------------------
search engine (ac_bnfa)
appid: MaxRss diff: 2600
appid: patterns loaded: 300
--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 2 errors (0 warnings)
Fatal Error, Quitting..
root@OpenWrt:~#

Everything was fine except for this one error; I don't know how to solve it and am not getting any ideas.

My ips block:

ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)
    -- My Edit Hemant

    mode = tap,
    variables = default_variables,

    rules = [[
        include $RULE_PATH/snort3-community.rules
    ]],

    daq = {
        module_dirs = {
            '/usr/lib/daq',
        },
        modules = {
            {
                name = 'afpacket',
                mode = 'inline',
                action_override = 'drop',
                variables = {
                    'fanout_type=hash'
                }
            }
        }
    },
}

Now, how do I do these things?

Let's diagnose the first one, make sure you've got libdaq3 installed:

opkg info libdaq3

Related to that, afpacket has been proven not to work in IPS mode; you should probably use pcap if you don't care about performance, or nfq, which is quite a bit more work but much faster. (As an aside, since you're running on an ARM processor, you can't take advantage of the Intel pattern-matching accelerators, so if you see those mentioned somewhere, just ignore them.)

Here's a snippet of a working config that you can pick through and probably use.

snort  = {
  ['-Q'] = true,
  ['--daq'] = pcap,
--['--daq-dir'] = '/usr/lib/daq/',
}

ips = {
  mode            = inline,
  variables       = default_variables,
  action_override = alert,
  include         = "/etc/snort/" .. RULE_PATH .. '/snort.rules',
}

daq = {
  inputs      = { 'eth0' },
  snaplen     = 1518,
  module_dirs = { '/usr/lib/daq/', },
  modules     = {
    {
      name      = 'pcap',
      mode      = inline,
      variables = {},
    }
  }
}

The second error, can't open rulessnort3-community.rules, is due to a mislocated or missing ruleset. Here's a script that sets up the rules in a location corresponding to the config snippet above. Save it on your router (I call it snort-rules) and run it to download the rules and configure their location appropriately.

#!/bin/sh
# Copyright (c) 2023 Eric Fahlgren <eric.fahlgren@gmail.com>
# SPDX-License-Identifier: GPL-2.0

# A function rather than an alias: aliases are not expanded in non-interactive
# bash, and a function works in BusyBox ash as well.  With no message argument,
# logger reads the text from stdin, so 'log < file' also works.
log() { logger -s -t "snort-rules[$$]" -p "info" "$@"; }

# Run a command, send its output to the log, and return the command's own exit
# status.  A plain 'cmd | log' returns logger's status, so a failed download or
# unpack would otherwise go unnoticed.
run_logged() {
        local out="${TMPDIR:-/tmp}/snort-rules.$$.log"
        "$@" > "$out" 2>&1
        local status=$?
        log < "$out"
        rm -f "$out"
        return $status
}

[ "$1" = "-t" ] && testing=true || testing=false

download_rules() {
        # Further information:
        #    https://www.snort.org/products#rule_subscriptions
        #    https://www.snort.org/oinkcodes
        #
        # Also, what to do about "subscription" vs Talos_LightSPD rules when subbed?
        # Add a "use_rules" list or option or something?
        local oinkcode=$(uci -q get snort.snort.oinkcode)

        local conf_dir=$(uci -q get snort.snort.config_dir || echo "/etc/snort")
        local rules_file="$conf_dir/rules/snort.rules"
        local data_dir=$(uci -q get snort.snort.temp_dir || echo "/var/snort.d")
        local data_tar="$data_dir/rules.tar.gz"
        local new_rules old_rules url snortver

        # Make sure everything exists, including the rules dir that the
        # symlink at the end is created in.
        [ -d "$data_dir" ] || mkdir -p "$data_dir"
        [ -d "$conf_dir/rules" ] || mkdir -p "$conf_dir/rules"

        if $testing ; then
                log "Generating testing rules..."
                new_rules="$data_dir/testing.rules"
                rm -f "$new_rules"
                echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v4"; icode:0; itype: 8; sid:10000010; rev:001;)' >> "$new_rules"
                #echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:33; sid:10000011; rev:001;)' >> "$new_rules"
                #echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:34; sid:10000012; rev:001;)' >> "$new_rules"

        else
                if [ -z "$oinkcode" ]; then
                        # If you do not have a subscription, then we use the community rules:
                        log "Downloading community rules..."
                        url="https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"

                else
                        # If you have a subscription and its corresponding oinkcode, use this:
                        #
                        # 'snortver' is the version number of the snort executable in use on your
                        # router.
                        #
                        # Ideally, the 'snort --version' output would work, but OpenWrt builds
                        # are often between (or, more likely, newer than) those listed on the
                        # snort.org downloads page.
                        #
                        # So instead, we define it manually to be the value just before the
                        # installed version.  Look on https://www.snort.org/advisories/ and
                        # select the most recent date.  On that page, find the closest version
                        # number preceding your installed version and modify the hard-coded
                        # value below (for example, installed is 31600 then use 31470):

                        #snortver=$(snort --version | awk '/Version/ {print gensub("\\.", "", "", $NF)}')
                        snortver=31470

                        log "Downloading subscription rules..."
                        url="https://www.snort.org/rules/snortrules-snapshot-$snortver.tar.gz?oinkcode=$oinkcode"
                fi

                run_logged wget "$url" -O "$data_tar" || { log "Download failed."; exit 1; }

                # ??? Does non-community tar contain just the one "*.rules" file, too???
                # Take the first *.rules entry, so that a multi-file tarball cannot turn
                # $new_rules into a multi-line string.
                new_rules=$(tar tzf "$data_tar" | grep '\.rules$' | head -n 1)
                [ -n "$new_rules" ] || { log "No .rules file found in $data_tar"; exit 1; }
                new_rules="$data_dir/$new_rules"

                old_rules="$data_dir/old.rules"
                if [ -e "$new_rules" ]; then
                        # Before we overwrite with the new download.
                        log "Stashing old rules to $old_rules ..."
                        mv -f "$new_rules" "$old_rules"
                fi

                log "Unpacking $data_tar ..."
                run_logged tar xzvf "$data_tar" -C "$data_dir" || { log "Unpack failed."; exit 1; }
                if [ -e "$old_rules" ] && ! cmp -s "$new_rules" "$old_rules" ; then
                        diff "$new_rules" "$old_rules" 2>&1 | log
                fi
        fi

        rm -f "$rules_file"
        ln -s "$new_rules" "$rules_file"

        log "Snort rules loaded, restart snort now."
}

download_rules

The second issue of the rules not being found is solved by giving an absolute path, and thanks for the first part, I will try it. But kindly tell me, where do I write the first snippet? In snort.lua, under the IPS section?

Now snort -A is not working. I mean everything works fine, but when I specify snort -A console it says unknown logger console.

I assume you're manually configuring things, so you should probably leave snort.lua alone and change things in /etc/snort/local.lua, which is read after every other config file when using the default startup from /etc/init.d/snort.

You can replace the ips and daq sections in there with my snippet verbatim, and probably modify the inputs in daq to match your hardware names.

Also, the ips.action_override can be any of alert, block, drop or reject, depending on your use case. If you're just interested in seeing what triggers the rules, leaving it at alert is probably appropriate.

These things are done; I made the changes in snort.lua, no worry. But now I don't know why it is not creating a log file. I changed, wrote, added and removed commented lines 20-25 times, but nothing happened. I don't know by what miracle, but once a log file alert_csv.txt was created in the / folder; I deleted it to regenerate it and till now it has not been generated.

I just changed --alert_csv = { } to alert_csv = {file = true,} and even so it is not working; -A console says unknown logger console.

I have tried all the ways; now please help me. Snort works fine with:

snort -c /etc/snort/snort.lua -i eth0 (or br-lan) -A alert_csv -L alert_csv --daq-dir /usr/lib/daq

Maybe logdir isn't defined?

I put it in the snort.lua config, plus the definition for the log type, either one or both; you can generate both the text and the JSON at the same time (they have subtly different content).

output.logdir = "/var/log"

alert_fast = {
-- bool alert_fast.file   = false: output to alert_fast.txt instead of stdout
-- bool alert_fast.packet = false: output packet dump with alert
-- int alert_fast.limit   = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
  file = true,
  packet = false,
}

alert_json = {
-- bool   alert_json.file      = false: output to alert_json.txt instead of stdout
-- multi  alert_json.fields    = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output
-- int    alert_json.limit     = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
-- string alert_json.separator = , : separate fields with this character sequence
  file = true,
}

I like the JSON as it's of course much easier to parse, but if I remember right, it's missing something that's in the text version. Here are my notes from a few months back (which don't remind me of what I thought was missing).

From alert_fast:
08/30-11:39:57.639021 [**] [1:382:11] "PROTOCOL-ICMP PING Windows" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.186 -> 10.1.1.20

Same event in alert_json (a single line, broken for clarity):
{ "timestamp" : "08/30-11:39:57.639021", "pkt_num" : 5366, "proto" : "ICMP", "pkt_gen" : "raw",
   "pkt_len" : 60, "dir" : "C2S", "src_ap" : "10.1.1.186:0", "dst_ap" : "10.1.1.20:0",
   "rule" : "1:382:11", "action" : "allow" }

The second part of "rule", 382, is the "sid" in the ruleset; the suffix 11 is the "rev". So
grep '\bsid:382\b' /etc/snort/rules/snort.rules gives (again, a single line broken for clarity):
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Windows";
    itype:8; content:"abcdefghijklmnop",depth 16; metadata:ruleset community;
    classtype:misc-activity; sid:382; rev:11; )

Not sure where the leading 1 comes from?

Ah, now I remember! The text version has the two strings msg and classtype already expanded, whereas the json just has references into the ruleset for msg, and classtype requires a lookup in /etc/snort/snort_defaults.lua for "enum" values like misc-activity to get their corresponding text. That looked like work, so I skipped it and just ran the alert_text through awk...
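The lookup described above (turning the JSON's rule reference back into the msg text, and the classtype into the classification text and priority that alert_fast prints) needs nothing more than POSIX sh and awk, which is all a BusyBox router has. The script below is an added example written for this thread; it is not Eric's awk and not part of the snort3 package. It assumes one rule per line in the rules file and the { name = ..., priority = ..., text = ... } layout of the classifications table in snort_defaults.lua; the rules file, defaults table and alert_json lines it feeds itself are constructed from the examples quoted in this thread (the second alert uses a made-up sid to show the fallback).

```shell
#!/bin/sh
# snort-alert-resolve (added example): enrich alert_json records with the msg
# and classification text that alert_fast already prints, by looking up the sid
# in the rules file and the classtype in snort_defaults.lua's classifications.

# Index a rules file as "sid<TAB>msg<TAB>classtype", one line per rule.
# Assumes one rule per line (as the community ruleset ships); comments skipped.
rule_index() {
    awk '
    /^[ \t]*#/ || !/sid:[ \t]*[0-9]+/ { next }
    {
        sid = msg = ct = ""
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", sid)
        }
        if (match($0, /msg:[ \t]*"[^"]*"/)) {
            msg = substr($0, RSTART, RLENGTH)
            sub(/^msg:[ \t]*"/, "", msg); sub(/"$/, "", msg)
        }
        if (match($0, /classtype:[ \t]*[^;]+/)) {
            ct = substr($0, RSTART + 10, RLENGTH - 10); gsub(/[ \t]/, "", ct)
        }
        printf "%s\t%s\t%s\n", sid, msg, ct
    }' "$1"
}

# Index the classifications table of snort_defaults.lua as
# "name<TAB>priority<TAB>text".  Entries look like
#   { name = 'misc-activity', priority = 3, text = 'Misc activity' },
# possibly wrapped over two lines, so records are split on the closing brace.
class_index() {
    awk -v q="'" '
    BEGIN { RS = "}" }
    function pick(key,   v) {
        if (!match($0, key "[ \t]*=[ \t]*" q "[^" q "]*" q)) return ""
        v = substr($0, RSTART, RLENGTH)
        sub("^" key "[ \t]*=[ \t]*" q, "", v); sub(q "$", "", v)
        return v
    }
    {
        name = pick("name"); if (name == "") next
        pri = ""
        if (match($0, /priority[ \t]*=[ \t]*[0-9]+/)) {
            pri = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", pri)
        }
        printf "%s\t%s\t%s\n", name, pri, pick("text")
    }' "$1"
}

# Print each alert_json record in alert_fast form: gid:sid:rev resolved to msg,
# classtype resolved to its text and priority.  Unknown sids are marked, not dropped.
resolve_alerts() {   # resolve_alerts <rules_file> <snort_defaults.lua> <alert_json_file>
    ridx=$(mktemp) || return 1
    cidx=$(mktemp) || { rm -f "$ridx"; return 1; }
    rule_index "$1" > "$ridx"
    class_index "$2" > "$cidx"
    awk -F'\t' -v ridx="$ridx" -v cidx="$cidx" '
    # Extract one string-valued field from a flat JSON object (as alert_json writes it).
    function field(s, key,   re, v) {
        re = "\"" key "\"[ \t]*:[ \t]*\"[^\"]*\""
        if (!match(s, re)) return ""
        v = substr(s, RSTART, RLENGTH)
        sub(/^"[^"]*"[ \t]*:[ \t]*"/, "", v); sub(/"$/, "", v)
        return v
    }
    FILENAME == ridx { msg[$1] = $2; ct[$1] = $3; next }
    FILENAME == cidx { pri[$1] = $2; txt[$1] = $3; next }
    {
        rule = field($0, "rule"); split(rule, p, ":")   # p[1]=gid p[2]=sid p[3]=rev
        sid = p[2]
        m = (sid in msg) ? msg[sid] : "<unknown sid " sid ">"
        c = (sid in ct) ? ct[sid] : ""
        ctext = (c in txt) ? txt[c] : "unknown"
        cpri = (c in pri) ? pri[c] : "?"
        printf "%s [**] [%s] \"%s\" [**] [Classification: %s] [Priority: %s] %s -> %s\n",
            field($0, "timestamp"), rule, m, ctext, cpri, field($0, "src_ap"), field($0, "dst_ap")
    }' "$ridx" "$cidx" "$3"
    rm -f "$ridx" "$cidx"
}

# Constructed demo input (temporary files built from the thread's examples, not real logs).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/snort.rules" <<'EOF'
# comment lines are skipped
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop",depth 16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11; )
EOF
    cat > "$d/snort_defaults.lua" <<'EOF'
classifications =
{
    { name = 'not-suspicious', priority = 3,
      text = 'Not Suspicious Traffic' },
    { name = 'misc-activity', priority = 3,
      text = 'Misc activity' },
}
EOF
    cat > "$d/alert_json.txt" <<'EOF'
{ "timestamp" : "08/30-11:39:57.639021", "pkt_num" : 5366, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_ap" : "10.1.1.186:0", "dst_ap" : "10.1.1.20:0", "rule" : "1:382:11", "action" : "allow" }
{ "timestamp" : "08/30-11:40:02.000001", "pkt_num" : 5367, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 74, "dir" : "C2S", "src_ap" : "10.1.1.186:51000", "dst_ap" : "10.1.1.20:80", "rule" : "1:999999:1", "action" : "allow" }
EOF
    resolve_alerts "$d/snort.rules" "$d/snort_defaults.lua" "$d/alert_json.txt"
    rm -rf "$d"
}
demo
```

On a router the three arguments would be /etc/snort/rules/snort.rules, /etc/snort/snort_defaults.lua and the alert_json.txt under output.logdir; the two index files are rebuilt on every call, which is cheap for one ruleset but worth caching if this runs per alert.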

Logging only PCAP, not all

Let's see if there are any issues with the startup of snort. What we'll do is run ps to get the command line it's currently using, then run snort from the command line with some added diagnostic options.

First step should look something like this:

$ ps www | grep snort
19916 root  217m  S /usr/bin/snort -q -i br-lan -c /etc/snort/snort.lua --tweaks local

So we cut out the command, delete -q (quiet; we want verbose), then add -T (test mode) and --warn-all (be very verbose).

$ /usr/bin/snort -T --warn-all -i br-lan -c /etc/snort/snort.lua --tweaks local
--------------------------------------------------
o")~   Snort++ 3.1.74.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
... and hundreds more lines of diagnostics ...

You can pick through that and either post it all, or any bits that look suspicious to you.
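The checks that this thread turned on (is the DAQ module you named actually present in the module dir, does the rules include path from the config snippet resolve to a readable file, and rewriting the ps command line into the -T --warn-all test command) are mechanical enough to script once and keep on the router. The preflight below is an added example written for this post and for the libdaq/rules answer earlier in the thread; it is not part of the snort or OpenWrt packages. The daq_<module>.so file naming, the conf_dir/RULE_PATH/file join and the default paths are assumptions, and the demo runs only against temporary files it creates itself.

```shell
#!/bin/sh
# snort-preflight (added example): the checks behind the two errors in this
# thread, plus the ps-line to test-command rewrite.  POSIX sh for BusyBox ash.

# libdaq modules are shared objects named daq_<module>.so inside the module dir
# (assumption: that is the layout of /usr/lib/daq on OpenWrt, e.g. daq_pcap.so).
check_daq_module() {   # check_daq_module <module_dir> <module_name>
    [ -f "$1/daq_$2.so" ] && return 0
    echo "FAIL: DAQ module '$2' not found in $1 (expected daq_$2.so)"
    return 1
}

# Resolve a rules include the way the config snippet builds it:
# conf_dir .. RULE_PATH .. '/' .. file, unless RULE_PATH is already absolute.
resolve_rules_file() {   # resolve_rules_file <conf_dir> <rule_path> <file>
    case "$2" in
        /*) echo "$2/$3" ;;
        *)  echo "${1%/}/$2/$3" ;;
    esac
}

check_rules_file() {     # check_rules_file <conf_dir> <rule_path> <file>
    path=$(resolve_rules_file "$1" "$2" "$3")
    [ -r "$path" ] && return 0
    echo "FAIL: rules file not readable: $path"
    return 1
}

# Turn the 'ps www' line of a running snort into the verbose test command:
# keep everything from the snort binary onward, drop -q, insert -T --warn-all.
snort_test_cmd() {       # snort_test_cmd "<ps line>"
    printf '%s\n' "$1" | awk '
    {
        start = 0
        for (i = 1; i <= NF; i++) if ($i ~ /(^|\/)snort$/) { start = i; break }
        if (!start) exit 1
        out = $start " -T --warn-all"
        for (i = start + 1; i <= NF; i++) if ($i != "-q") out = out " " $i
        print out
    }'
}

# Run both file checks; the return value is the number of failed checks.
preflight() {            # preflight <conf_dir> <daq_dir> <daq_module> <rule_path> <rules_file>
    fails=0
    check_daq_module "$2" "$3" || fails=$((fails + 1))
    check_rules_file "$1" "$4" "$5" || fails=$((fails + 1))
    [ "$fails" -eq 0 ] && echo "OK: DAQ module '$3' and rules file present"
    return "$fails"
}

# Constructed demo environment: temporary stand-ins, not a real router.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/daq" "$d/etc/snort/rules"
    : > "$d/daq/daq_pcap.so"                 # stand-in for the real module
    : > "$d/etc/snort/rules/snort.rules"     # stand-in for the downloaded rules
    preflight "$d/etc/snort" "$d/daq" pcap rules snort.rules; rc=$?
    # The configuration from the first post: afpacket plus the community file name.
    preflight "$d/etc/snort" "$d/daq" afpacket rules snort3-community.rules || true
    snort_test_cmd "19916 root  217m  S /usr/bin/snort -q -i br-lan -c /etc/snort/snort.lua --tweaks local"
    rm -rf "$d"
    return "$rc"
}
demo
```

On the router you would call preflight /etc/snort /usr/lib/daq pcap rules snort.rules (matching the snippet's RULE_PATH and snort.rules), and pipe the output of ps www | grep snort into snort_test_cmd to get the exact command to run by hand.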

