{"id":12573,"date":"2022-05-05T21:05:46","date_gmt":"2022-05-05T18:05:46","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12573"},"modified":"2024-03-09T14:28:00","modified_gmt":"2024-03-09T11:28:00","slug":"install-and-configure-snort-3-on-rocky-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-snort-3-on-rocky-linux\/","title":{"rendered":"Install and Configure Snort 3 on Rocky Linux"},"content":{"rendered":"\n

In this tutorial, you will learn how to install and configure Snort 3 on Rocky Linux. Snort<\/a> is a lightweight network intrusion detection system. It features rules-based logging and can perform content searching\/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.<\/p>\n\n\n\n

Install and Configure Snort 3 on Rocky Linux<\/h2>\n\n\n\n

As of this writing, Rocky Linux default repositories do not provide Snort packages. As such, to install Snort 3 on Rocky Linux, then you need to build from the source.<\/p>\n\n\n\n

Build and Install Snort 3 from Source Code<\/h3>\n\n\n\n

For a successful build and installation of Snort 3 on Rocky Linux, there are a number of build tools and dependencies that needs to be installed prior to the build process.<\/p>\n\n\n\n

Install EPEL and enable Powertools Repositories;<\/p>\n\n\n\n

dnf install epel-release<\/code><\/pre>\n\n\n\n
dnf config-manager --set-enabled powertools<\/code><\/pre>\n\n\n\n
Next, install required build tools and libraries;<\/p>\n\n\n\n
dnf -y install bison flex libtool nghttp2 libnghttp2-devel \\\nlibpcap-devel pcre-devel openssl-devel libdnet-devel \\\nlibtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \\\nluajit-devel xz-devel libnfnetlink-devel libmnl-devel \\\nlibnetfilter_queue-devel uuid-devel libsafec-devel<\/code><\/pre>\n\n\n\n
Download and install latest version of the Snort DAQ (Data Acquisition<\/em> library). DAQ is not available on the default Ubuntu repos and hence, you need to build and install it from the source;<\/p>\n\n\n\n
mkdir snort-source-files && cd snort-source-files<\/code><\/pre>\n\n\n\n
\ngit clone https:\/\/github.com\/snort3\/libdaq.git\ncd libdaq\n.\/bootstrap\n.\/configure\nmake\nmake install\n<\/code><\/pre>\n\n\n\n
Download and install google\u2019s thread-caching malloc, Tcmalloc, a memory allocator<\/a> optimized for high concurrency situations which will provide better speed for the trade-off of higher memory usage. This is an optional dependency but highly recommended.<\/p>\n\n\n\n
cd ..\/\nwget https:\/\/github.com\/gperftools\/gperftools\/releases\/download\/gperftools-2.9.1\/gperftools-2.9.1.tar.gz\ntar xzf gperftools-2.9.1.tar.gz\ncd gperftools-2.9.1\/\n.\/configure\nmake\nmake install\n<\/code><\/pre>\n\n\n\n
Install Snort 3 on Rocky Linux from Source Code<\/h4>\n\n\n\n
Now that we have all required dependencies in place, download and install Snort 3 on Rocky Linux;<\/p>\n\n\n\n
From the releases page<\/a>, get the latest release version of Snort tarball and download it. The command below downloads Snort 3.1.28.0 which is the current latest release as of this writing.<\/p>\n\n\n\n
cd ..\/\nwget https:\/\/github.com\/snort3\/snort3\/archive\/refs\/tags\/3.1.28.0.tar.gz<\/code><\/pre>\n\n\n\n
Extract and navigate to Snort 3 source directory, compile and install it;<\/p>\n\n\n\n
tar xzf 3.1.28.0.tar.gz<\/code><\/pre>\n\n\n\n
cd snort3-3.1.28.0<\/code><\/pre>\n\n\n\n
.\/configure_cmake.sh --prefix=\/usr\/local --enable-tcmalloc<\/code><\/pre>\n\n\n\n
Sample build summary.<\/p>\n\n\n\n
...\n-------------------------------------------------------\nsnort version 3.1.28.0\n\nInstall options:\n    prefix:     \/usr\/local\n    includes:   \/usr\/local\/include\/snort\n    plugins:    \/usr\/local\/lib64\/snort\n\nCompiler options:\n    CC:             \/usr\/bin\/cc\n    CXX:            \/usr\/bin\/c++\n    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free  -O2 -g -DNDEBUG\n    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free  -O2 -g -DNDEBUG\n    EXE_LDFLAGS:        \n    MODULE_LDFLAGS:     \n\nFeature options:\n    DAQ Modules:    Static ()\n    libatomic:      System-provided\n    Flatbuffers:    OFF\n    Hyperscan:      OFF\n    ICONV:          ON\n    Libunwind:      ON\n    LZMA:           ON\n    RPC DB:         Built-in\n    SafeC:          OFF\n    TCMalloc:       ON\n    JEMalloc:       OFF\n    UUID:           OFF\n-------------------------------------------------------\n\n-- Configuring done\n-- Generating done\n-- Build files have been written to: \/root\/snort-source-files\/snort3-3.1.28.0\/build\n<\/code><\/pre>\n\n\n\n
Navigate to the build directory and compile and install Snort 3 on Rocky Linux;<\/p>\n\n\n\n
cd build\nexport PKG_CONFIG_PATH=$PKG_CONFIG_PATH:\/usr\/local\/lib64\/pkgconfig:\/usr\/local\/lib\/pkgconfig\nmake\nmake install<\/code><\/pre>\n\n\n\n
Once the installation completes, update shared libraries;<\/p>\n\n\n\n
ln -s \/usr\/local\/lib\/libtcmalloc.so.4 \/lib\/<\/code><\/pre>\n\n\n\n
ln -s \/usr\/local\/lib\/libdaq.so.3 \/lib\/<\/code><\/pre>\n\n\n\n
ldconfig<\/code><\/pre>\n\n\n\n
Verify Snort 3 Installation by checking the version;<\/p>\n\n\n\n
snort -V<\/code><\/pre>\n\n\n\n
\n\n   ,,_     -*> Snort++ <*-\n  o\"  )~   Version 3.1.28.0\n   ''''    By Martin Roesch & The Snort Team\n           http:\/\/snort.org\/contact#team\n           Copyright (C) 2014-2022 Cisco and\/or its affiliates. All rights reserved.\n           Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n           Using DAQ version 3.0.7\n           Using LuaJIT version 2.1.0-beta3\n           Using OpenSSL 1.1.1k  FIPS 25 Mar 2021\n           Using libpcap version 1.9.1 (with TPACKET_V3)\n           Using PCRE version 8.42 2018-03-20\n           Using ZLIB version 1.2.11\n           Using LZMA version 5.2.4\n<\/code><\/pre>\n\n\n\n
The above confirms that Snort 3 installation is successful and is working fine.<\/p>\n\n\n\n
Obtaining Snort Command Line Help<\/h3>\n\n\n\n
To obtain Snort command line help, simply execute either of the commands below and check the difference;<\/p>\n\n\n\n
snort --help<\/code><\/pre>\n\n\n\n
snort -?<\/code><\/pre>\n\n\n\n
Snort has several options to get more help:\n\n-? list command line options (same as --help)\n--help this overview of help\n--help-commands [<module prefix>] output matching commands\n--help-config [<module prefix>] output matching config options\n--help-counts [<module prefix>] output matching peg counts\n--help-limits print the int upper bounds denoted by max*\n--help-module <module> output description of given module\n--help-modules list all available modules with brief help\n--help-modules-json dump description of all available modules in JSON format\n--help-plugins list all available plugins with brief help\n--help-options [<option prefix>] output matching command line options\n--help-signals dump available control signals\n--list-buffers output available inspection buffers\n--list-builtin [<module prefix>] output matching builtin rules\n--list-gids [<module prefix>] output matching generators\n--list-modules [<module type>] list all known modules\n--list-plugins list all known modules\n--show-plugins list module and plugin versions\n\n--help* and --list* options preempt other processing so should be last on the\ncommand line since any following options are ignored.  To ensure options like\n--markup and --plugin-path take effect, place them ahead of the help or list\noptions.\n\nOptions that filter output based on a matching prefix, such as --help-config\nwon't output anything if there is no match.  If no prefix is given, everything\nmatches.\n\nReport bugs to bugs@snort.org.\n<\/code><\/pre>\n\n\n\n
Configuring Snort 3 on Rocky Linux<\/h3>\n\n\n\n
Configure Network Interface Cards<\/h4>\n\n\n\n
First off, put the interface on which Snort is listening for network traffic on promiscuous<\/code> mode so that it can be able to see all of the network traffic sent to it rather than seeing only the traffic originating from within the Snort 3 server alone.<\/p>\n\n\n\n
ip link set dev enp0s8 promisc on<\/code><\/pre>\n\n\n\n
Verify;<\/p>\n\n\n\n
ip add sh enp0s8<\/code><\/pre>\n\n\n\n
3: enp0s8: <BROADCAST,MULTICAST,PROMISC<\/strong>,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 08:00:27:84:be:8b brd ff:ff:ff:ff:ff:ff\n    inet 192.168.60.22\/24 metric 100 brd 192.168.60.255 scope global dynamic enp0s8\n       valid_lft 377sec preferred_lft 377sec\n    inet6 fe80::a00:27ff:fe84:be8b\/64 scope link \n       valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\n
Disable Interface Offloading to prevent Snort from truncating large packets larger than 1518 bytes. You can check if this feature is enabled;<\/p>\n\n\n\n
ethtool -k enp0s8 | grep receive-offload<\/code><\/pre>\n\n\n\n
generic-receive-offload: on\nlarge-receive-offload: off [fixed]<\/code><\/pre>\n\n\n\n
GRO is enabled while LRO is fixed and hence cannot be changed.<\/p>\n\n\n\n
Then disable;<\/p>\n\n\n\n
ethtool -K enp0s8 gro off lro off<\/code><\/pre>\n\n\n\n
The two NIC changes are temporary. To ensure the changes persists across system reboot, create and enable a systemd service unit to implement the changes;<\/p>\n\n\n\n
\ncat > \/etc\/systemd\/system\/snort3-nic.service << 'EOL'\n[Unit]\nDescription=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot\nAfter=network.target\n\n[Service]\nType=oneshot\nExecStart=\/usr\/sbin\/ip link set dev enp0s8 promisc on\nExecStart=\/usr\/sbin\/ethtool -K enp0s8 gro off lro off\nTimeoutStartSec=0\nRemainAfterExit=yes\n\n[Install]\nWantedBy=default.target\nEOL\n<\/code><\/pre>\n\n\n\n
Reload systemd configuration settings;<\/p>\n\n\n\n
systemctl daemon-reload<\/code><\/pre>\n\n\n\n
Start and enable the service on boot;<\/p>\n\n\n\n
systemctl enable --now snort3-nic.service<\/code><\/pre>\n\n\n\n
Install Snort 3 Rulesets on Rocky Linux<\/h4>\n\n\n\n
Rulesets is the main artery for Snorts intrusion detection engine. There are three types of Snort Rules:<\/p>\n\n\n\n