{"id":6764,"date":"2020-08-23T00:14:20","date_gmt":"2020-08-22T21:14:20","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6764"},"modified":"2024-03-14T22:24:08","modified_gmt":"2024-03-14T19:24:08","slug":"install-and-configure-snort-3-nids-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-snort-3-nids-on-ubuntu-20-04\/","title":{"rendered":"Install and Configure Snort 3 NIDS on Ubuntu 20.04"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and configure Snort 3 NIDS on Ubuntu 20.04. <a href=\"https:\/\/www.snort.org\/snort3\" target=\"_blank\" rel=\"noreferrer noopener\">Snort<\/a> is a lightweight network intrusion detection system. It features rules-based logging and can perform content searching\/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to<br>syslog, a separate &#8220;alert&#8221; file, or even to a Windows computer via Samba.<\/p>\n\n\n\n<p>Some of the Snort 3 features include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Support multiple packet processing threads<\/li>\n\n\n\n<li>Shared configuration and attribute table<\/li>\n\n\n\n<li>Use a simple, scriptable configuration<\/li>\n\n\n\n<li>Make key components pluggable<\/li>\n\n\n\n<li>Autodetect services for portless configuration<\/li>\n\n\n\n<li>Support sticky buffers in rules<\/li>\n\n\n\n<li>Autogenerate reference documentation<\/li>\n\n\n\n<li>Provide better cross platform support<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Snort 3 NIDS on Ubuntu 20.04<\/h2>\n\n\n\n<p>As of this writing, Ubuntu 20.04 provides snort 2.9 on its default Universe repos;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt show snort<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nPackage: snort\nVersion: 
2.9.7.0-5build1\nPriority: optional\nSection: universe\/net\nOrigin: Ubuntu\nMaintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>\nOriginal-Maintainer: Javier Fern\u00e1ndez-Sanguino Pe\u00f1a <jfs@debian.org>\nBugs: https:\/\/bugs.launchpad.net\/ubuntu\/+filebug\nInstalled-Size: 1,987 kB\nPre-Depends: adduser (>= 3.11)\nDepends: snort-common-libraries (>= 2.9.7.0-5build1), snort-rules-default (>= 2.9.7.0-5build1), snort-common (>= 2.9.7.0-5build1), debconf (>= 0.5) | debconf-2.0, rsyslog | system-log-daemon, logrotate, net-tools, libc6 (>= 2.16), libdaq2, libdumbnet1 (>= 1.8), liblzma5 (>= 5.1.1alpha+20120614), libpcap0.8 (>= 1.0.0), libpcre3, zlib1g (>= 1:1.1.4)\nRecommends: iproute2\nSuggests: snort-doc\nConflicts: snort-mysql, snort-pgsql\nReplaces: snort-common (<< 2.0.2-3)\nHomepage: http:\/\/www.snort.org\/\nDownload-Size: 656 kB\nAPT-Sources: http:\/\/ke.archive.ubuntu.com\/ubuntu focal\/universe amd64 Packages\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Build and Install Snort 3 from Source Code on Ubuntu 20.04<\/h3>\n\n\n\n<p>Snort 3 is not packaged for Ubuntu 20.04, so you need to build it from source.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Run System Update<\/h4>\n\n\n\n<p>To begin with, update the package cache and upgrade the installed packages;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt upgrade<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install Required Build Tools<\/h4>\n\n\n\n<p>For a successful build and installation of Snort 3 on Ubuntu 20.04, a number of build tools and dependencies need to be installed before the build, as outlined on the <a 
href=\"https:\/\/snort-org-site.s3.amazonaws.com\/production\/release_files\/files\/000\/013\/583\/original\/snort_manual.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200822%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20200822T085438Z&amp;X-Amz-Expires=3600&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=7a91dcc103afbbbac582f5211d6e679bc4ab762746d3eeca945dc82c6fbdaa2d#_dependencies\" target=\"_blank\" rel=\"noreferrer noopener\">Dependencies page<\/a>. <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev<\/code><\/pre>\n\n\n\n<p>Download and install the latest version of the Snort DAQ (<em>Data Acquisition<\/em> library). Snort 3 needs DAQ 3, which is not in the Ubuntu repos (the <code>libdaq2<\/code> package there belongs to Snort 2.9), so build and install it from source;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir snort-source-files\ncd snort-source-files<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>git clone https:\/\/github.com\/snort3\/libdaq.git\ncd libdaq\n.\/bootstrap\n.\/configure\nmake\nmake install\n<\/code><\/pre>\n\n\n\n<p>Download and install Google\u2019s thread-caching malloc, tcmalloc, a memory allocator optimized for highly concurrent workloads that trades higher memory usage for better speed. 
This is an optional dependency but highly recommended.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cd ..\/\nwget https:\/\/github.com\/gperftools\/gperftools\/releases\/download\/gperftools-2.9.1\/gperftools-2.9.1.tar.gz\ntar xzf gperftools-2.9.1.tar.gz\ncd gperftools-2.9.1\/\n.\/configure\nmake\nmake install\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install Snort 3 from Source Code on Ubuntu 20.04<\/h4>\n\n\n\n<p>Now that we have all required dependencies in place, <a href=\"https:\/\/github.com\/snort3\/snort3\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">download<\/a> and install Snort 3 on Ubuntu 20.04;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ..\/\nwget https:\/\/github.com\/snort3\/snort3\/archive\/refs\/tags\/3.1.28.0.tar.gz<\/code><\/pre>\n\n\n\n<p>Extract the archive, change into the Snort 3 source directory and configure the build. The <code>--enable-tcmalloc<\/code> flag links the tcmalloc allocator built above; drop it if you skipped that step.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf 3.1.28.0.tar.gz<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cd snort3-3.1.28.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/configure_cmake.sh --prefix=\/usr\/local --enable-tcmalloc<\/code><\/pre>\n\n\n\n<p>The configure summary below was captured from an earlier Snort 3 checkout, so its version string and build path differ from 3.1.28.0; the feature list (DAQ modules, TCMalloc, LZMA and so on) is what to check for your build.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n-------------------------------------------------------\nsnort version 3.0.2\n\nInstall options:\n    prefix:     \/usr\/local\n    includes:   \/usr\/local\/include\/snort\n    plugins:    \/usr\/local\/lib\/snort\n\nCompiler options:\n    CC:             \/usr\/bin\/cc\n    CXX:            \/usr\/bin\/c++\n    CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free \n    CXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free \n    EXE_LDFLAGS:        \n    MODULE_LDFLAGS:     \n\nFeature options:\n    DAQ Modules:    Static (afpacket;bpf;dump;fst;nfq;pcap;trace)\n    Flatbuffers:    OFF\n    Hyperscan:      
OFF\n    ICONV:          ON\n    Libunwind:      ON\n    LZMA:           ON\n    RPC DB:         Built-in\n    SafeC:          OFF\n    TCMalloc:       ON\n    UUID:           ON\n-------------------------------------------------------\n\n-- Configuring done\n-- Generating done\n-- Build files have been written to: \/root\/snort-source-files\/snort3\/build\n<\/code><\/pre>\n\n\n\n<p>Navigate to the build directory and compile and install Snort 3 on Ubuntu 20.04;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd build\nmake\nmake install<\/code><\/pre>\n\n\n\n<p>Once the installation completes, update shared libraries;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldconfig<\/code><\/pre>\n\n\n\n<p>Verify Snort 3 Installation by checking the version;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -V<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n   ,,_     -*> Snort++ <*-\n  o\"  )~   Version 3.1.28.0\n   ''''    By Martin Roesch &#038; The Snort Team\n           http:\/\/snort.org\/contact#team\n           Copyright (C) 2014-2022 Cisco and\/or its affiliates. 
All rights reserved.\n           Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n           Using DAQ version 3.0.6\n           Using LuaJIT version 2.1.0-beta3\n           Using OpenSSL 3.0.2 15 Mar 2022\n           Using libpcap version 1.10.1 (with TPACKET_V3)\n           Using PCRE version 8.39 2016-06-14\n           Using ZLIB version 1.2.11\n           Using LZMA version 5.2.5\n<\/code><\/pre>\n\n\n\n<p>The above confirms that Snort  3 installation is successful and is working fine.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Obtaining Snort Command Line Help<\/h3>\n\n\n\n<p>To obtain Snort command line help, simply execute either of the commands below and check the difference;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort --help<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -?<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>-? &lt;option prefix&gt; output matching command line option quick help (same as --help-options) (optional)\n-A &lt;mode&gt; set alert mode: none, cmg, or alert_*\n-B &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask\n-C print out payloads with character data only (no hex)\n-c &lt;conf&gt; use this configuration\n-D run Snort in background (daemon) mode\n-d dump the Application Layer\n-e display the second layer header info\n-f turn off fflush() calls after binary log writes\n-G &lt;0xid&gt; (same as --logid) (0:65535)\n-g &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization\n-H make hash tables deterministic\n-i &lt;iface&gt;... 
list of interfaces\n-k &lt;mode&gt; checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)\n-L &lt;mode&gt; logging mode (none, dump, pcap, or log_*)\n-l &lt;logdir&gt; log to this directory instead of current directory\n-M log messages to syslog (not alerts)\n-m &lt;umask&gt; set the process file mode creation mask (0x000:0x1FF)\n-n &lt;count&gt; stop after count packets (0:max53)\n-O obfuscate the logged IP addresses\n-Q enable inline mode operation\n-q quiet mode - suppress normal logging on stdout\n-R &lt;rules&gt; include this rules file in the default policy\n-r &lt;pcap&gt;... (same as --pcap-list)\n-S &lt;x=v&gt; set config variable x equal to value v\n-s &lt;snap&gt; (same as --snaplen); default is 1518 (68:65535)\n-T test and report on the current Snort configuration\n-t &lt;dir&gt; chroots process to &lt;dir&gt; after initialization\n-U use UTC for timestamps\n-u &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization\n-V (same as --version)\n-v be verbose\n-X dump the raw packet data starting at the link layer\n-x same as --pedantic\n-y include year in timestamp in the alert and log files\n-z &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:max32)\n...\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Snort 3 NIDS on Ubuntu 20.04<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Network Interface Cards<\/h4>\n\n\n\n<p>First, put the interface Snort listens on into <code>promiscuous<\/code> mode so that it accepts every frame the NIC receives, not only frames addressed to the Snort host itself. Promiscuous mode only lets the host keep frames that already reach its NIC; on a switched network, Snort must also be fed the traffic to inspect, for example from a SPAN\/mirror port or a network TAP.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip link set dev enp0s8 promisc on<\/code><\/pre>\n\n\n\n<p>Verify;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ip add sh enp0s8<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>3: enp0s8: &lt;BROADCAST,MULTICAST,<strong>PROMISC<\/strong>,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 08:00:27:7f:84:15 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.57.3\/24 brd 192.168.57.255 scope global dynamic enp0s8\n       valid_lft 446sec preferred_lft 446sec\n    inet6 fe80::a00:27ff:fe7f:8415\/64 scope link \n       valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\n<p>Disable receive offloading (GRO and LRO) on the capture interface. With offloading on, the NIC or kernel coalesces several received segments into one buffer larger than the link MTU before the packet reaches the capture path, so Snort sees oversized packets that do not match what was on the wire and truncates them at its snaplen (1518 bytes by default). Check whether these features are enabled;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ethtool -k enp0s8 | grep receive-offload<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>generic-receive-offload: on\nlarge-receive-offload: off &#91;fixed]<\/code><\/pre>\n\n\n\n<p>GRO is on; LRO is off and marked <code>[fixed]<\/code>, which means the driver does not allow it to be changed.<\/p>\n\n\n\n<p>Turn GRO off (and LRO, where the driver allows it);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ethtool -K enp0s8 gro off lro off<\/code><\/pre>\n\n\n\n<p>The two NIC changes are temporary. 
To ensure the changes persist across reboots, create and enable a systemd service unit that applies them at boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/systemd\/system\/snort3-nic.service<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>[Unit]\nDescription=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot\nAfter=network.target\n\n[Service]\nType=oneshot\nExecStart=\/usr\/sbin\/ip link set dev enp0s8 promisc on\nExecStart=\/usr\/sbin\/ethtool -K enp0s8 gro off lro off\nTimeoutStartSec=0\nRemainAfterExit=yes\n\n[Install]\nWantedBy=default.target\n<\/code><\/pre>\n\n\n\n<p>Reload systemd configuration settings;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Start and enable the service on boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now snort3-nic.service<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install Snort 3 Rulesets on Ubuntu 20.04<\/h4>\n\n\n\n<p>Rules are the core of Snort\u2019s detection engine. Snort.org distributes three rulesets:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Community Rules<\/li>\n\n\n\n<li>Registered Rules<\/li>\n\n\n\n<li>Subscriber Rules<\/li>\n<\/ul>\n\n\n\n<p>In this tutorial, we will install the community Snort rules;<\/p>\n\n\n\n<p>Create the Snort rules directory. 
In the <strong><code>\/usr\/local\/etc\/snort\/snort_defaults.lua<\/code><\/strong> config file, the default rules path (RULE_PATH) is defined as <code><strong>\/usr\/local\/etc\/rules<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/usr\/local\/etc\/rules<\/code><\/pre>\n\n\n\n<p>Download the Snort 3 community rules from the <a href=\"https:\/\/www.snort.org\/downloads\/#snort-3.0\" target=\"_blank\" rel=\"noreferrer noopener\">Snort 3 downloads page<\/a>;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/www.snort.org\/downloads\/community\/snort3-community-rules.tar.gz<\/code><\/pre>\n\n\n\n<p>Extract the rules into the Snort rules directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf snort3-community-rules.tar.gz -C \/usr\/local\/etc\/rules\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls \/usr\/local\/etc\/rules\/snort3-community-rules\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>AUTHORS  LICENSE  sid-msg.map  <strong>snort3-community.rules<\/strong>  VRT-License.txt<\/code><\/pre>\n\n\n\n<p>Now that we have rules to get started with, you need to configure Snort 3. Open the main configuration file for editing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/local\/etc\/snort\/snort.lua<\/code><\/pre>\n\n\n\n<p>Set the networks you are protecting as the value of the <code><strong>HOME_NET<\/strong><\/code> variable. For simplicity, I set it to the address of the Snort 3 interface (a \/32); in a real deployment it should cover every subnet you are protecting, since many rules only fire on traffic to or from HOME_NET. 
The <strong><code>EXTERNAL_NET<\/code><\/strong> is anything other than our HOME_NET;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n-- HOME_NET and EXTERNAL_NET must be set now\n-- setup the network addresses you are protecting\nHOME_NET = '192.168.57.3\/32'\n\n-- set up the external network addresses.\n-- (leave as \"any\" in most situations)\n-- EXTERNAL_NET = 'any'\nEXTERNAL_NET = '!$HOME_NET'\n...\n<\/code><\/pre>\n\n\n\n<p>Next, still in the <code><strong>\/usr\/local\/etc\/snort\/snort.lua<\/strong><\/code> configuration file, tell Snort which rules to load.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/usr\/local\/etc\/snort\/snort.lua<\/code><\/pre>\n\n\n\n<p>Under the <code>ips<\/code> section, point Snort at your rules file;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nips =\n{\n    -- use this to enable decoder and inspector alerts\n    --enable_builtin_rules = true,\n\n    -- use include for rules files; be sure to set your path\n    -- note that rules files can include other rules files\n    variables = default_variables,\n    rules = [[ \n    include $RULE_PATH\/snort3-community-rules\/snort3-community.rules\n    ]]\n}\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Installing Snort OpenAppID<\/h3>\n\n\n\n<p>OpenAppID is an application-layer detection plugin that lets Snort identify the applications in use on the network, such as Facebook, Netflix, Twitter and Reddit, and reference them in rules. 
Run the commands below to download the OpenAppID detector package from the <a href=\"https:\/\/www.snort.org\/downloads\/#snort-3.0\" target=\"_blank\" rel=\"noreferrer noopener\">Snort 3 downloads page<\/a> and install it;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/snort.org\/downloads\/openappid\/12159 -O OpenAppId-12159.tgz\ntar -xzvf OpenAppId-12159.tgz\ncp -R odp \/usr\/local\/lib\/<\/code><\/pre>\n\n\n\n<p>Next, edit the Snort 3 configuration file and define the location of the OpenAppID detectors. Note that <code>app_detector_dir<\/code> is the parent of the <code>odp<\/code> directory copied above, not the <code>odp<\/code> directory itself;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/local\/etc\/snort\/snort.lua<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>appid =\n{\n    -- appid requires this to use appids in rules\n    --app_detector_dir = 'directory to load appid detectors from'\n    <strong>app_detector_dir = '\/usr\/local\/lib',<\/strong>\n    <strong>log_stats = true,<\/strong>\n\n}<\/code><\/pre>\n\n\n\n<p>Save and exit the configuration file.<\/p>\n\n\n\n<p>Create Snort\u2019s log directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/var\/log\/snort<\/code><\/pre>\n\n\n\n<p>Next, validate the configuration. Given no packet source, Snort parses the configuration, loads the rules, reports the rule statistics and exits;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -c \/usr\/local\/etc\/snort\/snort.lua<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\nFinished \/usr\/local\/etc\/snort\/snort.lua:\nLoading \/usr\/local\/etc\/rules\/snort3-community-rules\/snort3-community.rules:\nFinished \/usr\/local\/etc\/rules\/snort3-community-rules\/snort3-community.rules:\n--------------------------------------------------\nrule counts\n       total rules loaded: 829\n               text rules: 829\n            option chains: 829\n            chain headers: 56\n--------------------------------------------------\nport rule counts\n             tcp     udp    icmp      ip\n     any      63       3       0       0\n     src     124       2       0       0\n     dst     539      98       0       0\n    both       0       1       0       0\n 
  total     726     104       0       0\n--------------------------------------------------\nips policies rule stats\n              id  loaded  shared enabled    file\n               0     829       0     829    \/usr\/local\/etc\/snort\/snort.lua\n--------------------------------------------------\nflowbits\n                  defined: 20\n              not checked: 11\n                  not set: 3\n--------------------------------------------------\nservice rule counts          to-srv  to-cli\n                      dns:       89       2\n                      ftp:        7       2\n                 ftp-data:        0       8\n                     http:      489      92\n                    http2:      489      92\n                     imap:        0       8\n                      irc:        4       1\n              netbios-ssn:       15       1\n                     pop3:        0       8\n                     smtp:       16       0\n                      ssl:       14      31\n                   telnet:        1       0\n                    total:     1124     245\n--------------------------------------------------\nfast pattern port groups        src     dst     any\n                   packet:       11      24       2\n--------------------------------------------------\nfast pattern service groups  to-srv  to-cli\n                   packet:        9       7\n                      key:        2       0\n                   header:        2       5\n                     body:        2       0\n                     file:        2       5\n                   method:        2       0\n--------------------------------------------------\nsearch engine\n                instances: 70\n                 patterns: 1715\n            pattern chars: 36451\n               num states: 27885\n         num match states: 1724\n             memory scale: KB\n             total memory: 785.997\n           pattern memory: 102.521\n        match list memory: 280.07\n        transition 
memory: 394.656\n--------------------------------------------------\npcap DAQ configured to passive.\n\nSnort successfully validated the configuration (with 0 warnings).\no\")~   Snort exiting\n<\/code><\/pre>\n\n\n\n<p>Create custom local rules for testing the Snort setup.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/local\/etc\/rules\/local.rules<\/code><\/pre>\n\n\n\n<p>Create a rule to detect ping tests. Local rules should use <code>sid<\/code> values of 1,000,000 and above; lower values are reserved for official Snort rulesets and would collide with them;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>alert icmp any any -&gt; $HOME_NET any (msg:\"ICMP connection test\"; sid:1000001; rev:1;)<\/code><\/pre>\n\n\n\n<p>Save and exit the local rules file. Validate the syntax;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -c \/usr\/local\/etc\/snort\/snort.lua -R \/usr\/local\/etc\/rules\/local.rules<\/code><\/pre>\n\n\n\n<p>Next, run the test with the command below. <code>-A alert_fast<\/code> prints alerts to stdout in a one-line format, <code>-s 65535<\/code> raises the snaplen so large frames are not truncated, and <code>-k none<\/code> disables checksum verification, which matters on virtual NICs where checksum offload leaves bad checksums in captured packets that Snort would otherwise not inspect;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -c \/usr\/local\/etc\/snort\/snort.lua -R \/usr\/local\/etc\/rules\/local.rules -i enp0s8 -A alert_fast -s 65535 -k none<\/code><\/pre>\n\n\n\n<p>On another terminal, ping your Snort server. 
While the ping runs, you should see alert lines written to standard output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n--------------------------------------------------\nsearch engine\n                instances: 70\n                 patterns: 1715\n            pattern chars: 36451\n               num states: 27885\n         num match states: 1724\n             memory scale: KB\n             total memory: 785.997\n           pattern memory: 102.521\n        match list memory: 280.07\n        transition memory: 394.656\n--------------------------------------------------\npcap DAQ configured to passive.\nCommencing packet processing\n++ [0] enp0s8\n08\/22-19:20:23.502536 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:20:24.526491 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:20:25.550241 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:20:26.574652 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:20:27.598509 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n...\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Snort 3 Logging<\/h4>\n\n\n\n<p>To write Snort 3 events to log files instead of the terminal, you need to configure an output (logger) module. 
There are different Snort logging options that are explained well in the <a href=\"https:\/\/snort-org-site.s3.amazonaws.com\/production\/release_files\/files\/000\/013\/583\/original\/snort_manual.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200822%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20200822T085438Z&amp;X-Amz-Expires=3600&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=7a91dcc103afbbbac582f5211d6e679bc4ab762746d3eeca945dc82c6fbdaa2d#_logger_modules\" target=\"_blank\" rel=\"noreferrer noopener\">Snort 3 manual, Logger Modules section<\/a>. To write the events to a file in the same brief format that <code><strong>-A alert_fast<\/strong><\/code> produced on the command line above, open the <strong><code>snort.lua<\/code><\/strong> configuration and head over to the outputs section.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/local\/etc\/snort\/snort.lua<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>---------------------------------------------------------------------------\n-- 7. configure outputs\n---------------------------------------------------------------------------\n\n-- event logging\n-- you can enable with defaults from the command line with -A &lt;alert_type&gt;\n-- uncomment below to set non-default configs\n--alert_csv = { }\n<strong>alert_fast = { \n        file = true, \n        packet = false,\n        limit = 10,\n}<\/strong>\n--alert_full = { }\n--alert_sfsocket = { }\n--alert_syslog = { }\n--unified2 = { }<\/code><\/pre>\n\n\n\n<p>With <code>file = true<\/code>, alert_fast writes to <code><strong>alert_fast.txt<\/strong><\/code> in the log directory instead of stdout; <code>packet = false<\/code> omits the packet dump from each alert, and <code>limit<\/code> is the file size in MB at which the log rolls over. 
Save and exit the configuration and validate it again.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -c \/usr\/local\/etc\/snort\/snort.lua<\/code><\/pre>\n\n\n\n<p>Run the command again, this time without <code><strong>-A alert_fast<\/strong><\/code> but with <code><strong>-l \/var\/log\/snort<\/strong><\/code> to specify the log directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>snort -c \/usr\/local\/etc\/snort\/snort.lua -R \/usr\/local\/etc\/rules\/local.rules -i enp0s8 -s 65535 -k none -l \/var\/log\/snort\/<\/code><\/pre>\n\n\n\n<p>Run the ping test again. In the log directory you should now see an <code><strong>alert_fast.txt<\/strong><\/code> file. You can tail this file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/snort\/alert_fast.txt<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>08\/22-19:30:41.554941 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:30:42.578554 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:30:43.602594 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:30:44.626660 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:30:45.650654 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n08\/22-19:30:46.674630 [**] [1:1000001:1] \"ICMP connection test\" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -&gt; 192.168.57.3\n...\n<\/code><\/pre>\n\n\n\n<p>To avoid passing <code>-R<\/code> on every run, include the local rules in snort.lua;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>ips =\n{\n    -- use this to enable decoder and inspector alerts\n    -- enable_builtin_rules = true,\n\n    -- use 
include for rules files; be sure to set your path\n    -- note that rules files can include other rules files\n    variables = default_variables,\n    rules = [[ \n    include $RULE_PATH\/snort3-community-rules\/snort3-community.rules\n    include $RULE_PATH\/local.rules\n    ]]\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Snort as a Service<\/h3>\n\n\n\n<p>While it is possible to run Snort as a daemon in the background with the command line option <code><strong>-D<\/strong><\/code>, it is also possible to create a systemd service unit for Snort.<\/p>\n\n\n\n<p>If you are going to run Snort as a service, it is prudent to run it as a non-privileged system user. Hence, create a non-login system user account for Snort;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>useradd -r -s \/usr\/sbin\/nologin -M -c SNORT_IDS snort<\/code><\/pre>\n\n\n\n<p>Create a systemd service unit that runs Snort as the snort user. Adjust the interface accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/systemd\/system\/snort3.service<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>[Unit]\nDescription=Snort 3 NIDS Daemon\nAfter=syslog.target network.target\n\n[Service]\nType=simple\nExecStart=\/usr\/local\/bin\/snort -c \/usr\/local\/etc\/snort\/snort.lua -s 65535 -k none -l \/var\/log\/snort -D -i enp0s8 -m 0x1b -u snort -g snort\n\n[Install]\nWantedBy=multi-user.target\n<\/code><\/pre>\n\n\n\n<p>Without an explicit <code>ExecStop<\/code>, systemd stops the service with SIGTERM, on which Snort shuts down cleanly and closes its log files; do not stop it with <code>kill -9<\/code>, which skips that cleanup.<\/p>\n\n\n\n<p>Reload systemd configs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Set the ownership and permissions on the log directory so that the snort user can write to it;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod -R 5775 \/var\/log\/snort<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R snort:snort \/var\/log\/snort<\/code><\/pre>\n\n\n\n<p>Start and enable Snort to run on system boot. 
The service starts as root, which it needs to open the capture interface, and then drops privileges to the snort user and group via <code>-u<\/code> and <code>-g<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now snort3<\/code><\/pre>\n\n\n\n<p>Check the service to confirm that it is running;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status snort3<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf snort3.service - Snort 3 NIDS Daemon\n     Loaded: loaded (\/etc\/systemd\/system\/snort3.service; enabled; vendor preset: enabled)\n     Active: active (running) since Sat 2020-08-22 20:50:26 UTC; 1min 14s ago\n   Main PID: 43673 (snort)\n      Tasks: 2 (limit: 2282)\n     Memory: 145.3M\n     CGroup: \/system.slice\/snort3.service\n             \u2514\u250043673 \/usr\/local\/bin\/snort -c \/usr\/local\/etc\/snort\/snort.lua -s 65535 -k none -l \/var\/log\/snort -D -i enp0s8 -m 0x1b -u snort -g snort\n\nAug 22 20:50:26 ubuntu20 systemd[1]: Started Snort 3 NIDS Daemon.\n<\/code><\/pre>\n\n\n\n<p><strong>Note that this only scratches the surface of what Snort 3 can do and how it can be configured.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<p><a href=\"https:\/\/snort-org-site.s3.amazonaws.com\/production\/document_files\/files\/000\/000\/251\/original\/Snort_3_on_Ubuntu.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200822%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20200822T082759Z&amp;X-Amz-Expires=172800&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=c15c92f1c8ef8e464c90718a179a25ee2fa5c3527d55084cb46c58ecaec7b327\" target=\"_blank\" rel=\"noreferrer noopener\">Snort 3 Installation<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.snort.org\/downloads\/snortplus\/snort_manual.html\" target=\"_blank\" rel=\"noreferrer noopener\">Snort 3 User Manual<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a 
href=\"https:\/\/kifarunix.com\/install-and-configure-aide-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure AIDE on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-tripwire-security-monitoring-tool-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure Tripwire Security Monitoring tool on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and configure Snort 3 NIDS on Ubuntu 20.04. Snort is a lightweight network intrusion detection system.<\/p>\n","protected":false},"author":3,"featured_media":6769,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121],"tags":[1922,1921,1927,1926,1925,1923,1924,1200],"class_list":["post-6764","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","tag-configure-snort-3-on-ubuntu-20-04","tag-install-snort-3-on-ubuntu-20-04","tag-nids","tag-snort-3","tag-snort-3-logging","tag-snort-3-nids","tag-snort-lua","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6764"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.co
m\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6764"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6764\/revisions"}],"predecessor-version":[{"id":21470,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6764\/revisions\/21470"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/6769"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
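The local rule written in the tutorial's testing step (alert icmp any any -> $HOME_NET any ... sid:1000001) is the simplest case of the Snort rule grammar: a header of action, protocol, source, source port, direction, destination and destination port, followed by a parenthesised option body. The following is an added example, not code from the tutorial or from the Snort project: a small pre-flight linter for a local.rules file that parses the header and option body and flags the mistakes that most often break local rules, namely a missing or duplicate sid, a sid below 1,000,000 (the range Snort reserves for official rulesets) and a missing msg. The embedded sample rules are constructed for the example; LOCAL_SID_MIN, the regular expression and the function names are the example's own, not Snort's.

```python
"""Lint a Snort 3 rules file before loading it.

Added example; not code from the tutorial or from the Snort project.  It
parses each rule's header and option body and flags the mistakes that most
often break a local.rules file: a missing or duplicate sid, a local sid below
1000000 (Snort reserves sids under 1000000 for official rulesets) and a
missing msg.  Run it against a rules file before `snort -c ... -R <file>`."""
import re
from collections import Counter

# Snort reserves sids below 1,000,000 for official rules; local rules start there.
LOCAL_SID_MIN = 1_000_000

# Constructed sample: the tutorial's ICMP rule plus two deliberately faulty
# rules (a duplicated sid and a sid inside the reserved range).
SAMPLE_RULES = r"""
# local.rules (constructed sample for this example)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP GET; note the semicolon"; content:"GET"; sid:2100; rev:2;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|block|reject)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' outside double quotes, honouring
    backslash escapes, so a msg that contains ';' stays intact."""
    fields, buf, quoted, escaped = {}, [], False, False
    for ch in opts + ";":  # the appended ';' flushes the last field
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            field = "".join(buf).strip()
            buf = []
            if field:
                key, _, value = field.partition(":")
                fields[key.strip()] = value.strip().strip('"')
        else:
            buf.append(ch)
    return fields


def parse_rules(text):
    """Parse a rules file into dicts; blank lines and comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable rule header")
        opts = split_options(m.group("opts"))
        rules.append({
            "line": lineno, "action": m.group("action"), "proto": m.group("proto"),
            "src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"),
            "msg": opts.get("msg"),
            "sid": int(opts["sid"]) if "sid" in opts else None,
            "rev": int(opts.get("rev", 0)),
        })
    return rules


def lint(rules):
    """Return (line, problem) pairs for the checks described above."""
    problems = []
    sid_count = Counter(r["sid"] for r in rules if r["sid"] is not None)
    for r in rules:
        if r["sid"] is None:
            problems.append((r["line"], "missing sid"))
        else:
            if r["sid"] < LOCAL_SID_MIN:
                problems.append((r["line"], f"sid {r['sid']} is in the range reserved for official rules"))
            if sid_count[r["sid"]] > 1:
                problems.append((r["line"], f"duplicate sid {r['sid']}"))
        if not r["msg"]:
            problems.append((r["line"], "missing msg"))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, problem in lint(parse_rules(text)):
        print(f"line {lineno}: {problem}")
```

Run it as `python3 lint_rules.py /usr/local/etc/rules/local.rules`; with no argument it lints the embedded sample and reports the duplicated sid on two lines and the reserved-range sid on the third. Snort's own validation (`snort -c snort.lua -R local.rules`) remains the authority on syntax; this catches the policy mistakes it does not complain about.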
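The alert_fast lines shown in the tutorial's logging section (timestamp, [**], [gid:sid:rev], the quoted msg, [Priority: n], [AppID: x], {PROTO} and src -> dst) are what usually gets shipped from a sensor to a SIEM. The following is an added example, not code from the tutorial or from the Snort project: it parses that one-line format into dictionaries and counts alerts per rule and source address, which is the quickest way to see which rule is noisy and which host is triggering it. The sample lines are constructed: the ICMP lines copy the tutorial's layout, and the TCP line adds ports and a Classification field (placed before Priority, where alert_fast prints it for rules that carry a classtype) to exercise the optional parts. The regular expression and function names are the example's own, and it assumes IPv4 addresses; IPv6 addresses contain ':' and would need a different src/dst split.

```python
"""Parse Snort 3 alert_fast output into structured events.

Added example; not code from the tutorial or from the Snort project.  It
turns the one-line alert_fast format shown in the tutorial
(timestamp [**] [gid:sid:rev] "msg" [**] [Classification: ...] [Priority: n]
[AppID: x] {PROTO} src[:port] -> dst[:port]) into dicts, the first step in
shipping alerts to a SIEM or summarising a noisy sensor.  Limits: the
timestamp carries a year only when Snort runs with -y, and src/dst parsing
assumes IPv4 (IPv6 addresses contain ':' and would need a different split)."""
import re
from collections import Counter

# Constructed sample lines in the layout the tutorial's alert_fast.txt shows;
# the TCP line with ports and a Classification field exercises the optional
# parts, and the last line checks that non-alert text is skipped.
SAMPLE_ALERTS = """\
08/22-19:30:41.554941 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:42.578554 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:43.602594 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.9 -> 192.168.57.3
08/22-19:31:02.112233 [**] [1:1000002:1] "SSH connection attempt" [**] [Classification: Attempted Information Leak] [Priority: 2] [AppID: SSH] {TCP} 192.168.57.9:51234 -> 192.168.57.3:22
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"(?:\[AppID:\s*(?P<appid>[^\]]*)\]\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def _port(value):
    """Ports are absent for ICMP; keep None rather than a fake 0."""
    return int(value) if value is not None else None


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        "priority": int(m.group("prio")),
        "appid": m.group("appid"),
        "proto": m.group("proto"),
        "src": m.group("src"), "sport": _port(m.group("sport")),
        "dst": m.group("dst"), "dport": _port(m.group("dport")),
    }


def parse_alerts(text):
    """Parse every line, silently skipping lines that are not alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def count_by_rule_and_source(alerts):
    """Alert volume per (sid, source address)."""
    return Counter((a["sid"], a["src"]) for a in alerts)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for (sid, src), n in count_by_rule_and_source(parse_alerts(text)).most_common():
        print(f"sid {sid} from {src}: {n} alert(s)")
```

Run it as `python3 parse_alerts.py /var/log/snort/alert_fast.txt` on the sensor, or pipe `tail -f` output through it line by line with `parse_alert`. Since alert_fast drops the year from timestamps unless Snort is started with `-y`, add that flag to the service unit if the parsed events will be correlated across year boundaries.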