- "blog-posts" tags:
- "freebsd"
- "ids"
- "ips"
- "snort3"
SNORT 3 on FreeBSD 11.4-RELEASE
note: This article was achieved on a FreeBSD 11.4-RELEASE host parked in the cloud. This guide should work for anyone who is willing to put in their commitment to work. Make sure your FreeBSD host is up to date in terms of the kernel, and the userland and its applications.
Snort is not alien to the tech world. A lot of the people in the west are versed in Snort application and it’s configurations and detection, so it is wise to learn from them.
Snort is a IDS (Intrusion Detection System) developed some good Samaritans all over the world. We will delve into installing the dependencies from pkg then git clone the Snort 3 installation to perform our installation.
Conventions
The following conventions are used for installing and configuring Snort. Snort install prefix /usr/local/snort Rules directory /usr/local/snort/rules AppID directory /usr/local/snort/appid IP Reputation lists directory /usr/local/snort/intel Logging directory /var/log/snort Snort Extra Plugins directory /usr/local/snort/extra
Installing Dependencies
Now we are going to install necessary dependencies required by Snort to work. Following commands will achieve in installing necessary dependencies for Snort to work.
#pkg install git flex bison gcc cmake libdnet libpcap hwloc pcre luajit lua53 pkgconf libdaq hyperscan cpputest flatbuffers libiconv lzlib e2fsprogs-libuuid google-perftools
Once the dependencies installed, we can focus on building Snort from source via git.
Download & Build Snort 3
Now we are going to clone the latest available git version of Snort 3 to our directory of choice and build it.
In order to clone the git of Snort 3, run following command:
#git clone https://github.com/snort3/snort3.git
Next go into the cloned directory and issue following commands to configure and build Snort 3 for us:
# ./configure_cmake.sh --prefix=/usr/local/snortmake -j 2
Once the build is complete, we can now proceed to install Snort 3 issuing following commands in sources/snort3/build:
#make install
To verify the installation, as in verify if the Snort 3 installation linked to the libraries we installed earlier, we can run the command listed below:
#ldd /usr/local/snort/bin/snort
Install Snort 3 Plug-Ins for Additional Capabilities
Now we are going to install Snort 3 plug-ins for additional capabilities. To clone it’s repositories via git:
#git clone https://github.com/snort3/snort3_extra.git
Now enter cloned directory and issue following commands to build and install Snort 3 Plug-Ins:
#setenv PKG_CONFIG_PATH /usr/local/snort/lib/pkgconfig./configure_cmake.sh --prefix=/usr/local/snort/extra
Now change to build directory, build and install Snort 3 extras:
#make#make install
Configuring Snort 3
Configuring Global Paths for Rules, AppID & IP Reputation
Now we are going to configure global paths for rules from Snort, AppID from Snort and IP reputation Cisco. To start create directories from following command:
#mkdir -p /usr/local/snort/{rules,appid,intel}
Snort Rules
By default for Snort 3, Snort have default rule-set that you can download for Snort. For that you need oinkcode for you to download the rule-set. To obtain a oinkcode, kindly register for an account and explore Snort website for free members. Following instructions will download the Snort rules and place them in rules directory.
#fetch 'https://www.snort.org/rules/snortrules-snapshot-3000.tar.gz?oinkcode=<YOUR_OINKCODE>' -o snortrules-snapshot-3000.tar.gz#tar xf snortrules-snapshot-3000.tar.gz#cp rules/*.rules /usr/local/snort/rules/
OpenID
Download and extract the OpenAppID package, extract the odp/ to appid directory:
#fetch <LATEST_APPID_PACKAGE_URL> -o <LATEST_APPID_PACKAGE_URL>.tar.gz#tar xvzf <LATEST_APPID_PACKAGE_URL>.tar.gz#mv odp/ /usr/local/snort/appid/
IP Reputation
Now we are going to install IP reputation list to our Snort installation. The IP Reputation Black List is generated by Talos Security so we download the black list and move it to our directory:
#fetch https://www.talosintelligence.com/documents/ip-blacklist#mv ip-blacklist /usr/local/snort/intel/
We also generate empty file for IP Whitelist by issuing following command:
#touch /usr/local/snort/intel/ip-whitelist
Actual configuration
Here we are going to perform actual configuration related to Snort 3. Open following file snort_defaults.lua and look for default path as described below:
---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
RULE_PATH = '../rules'
BUILTIN_RULE_PATH = '../builtin_rules'
PLUGIN_RULE_PATH = '../so_rules'
-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '../lists'
BLACK_LIST_PATH = '../lists'
To following configuration:
---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
RULE_PATH = '../rules'
BUILTIN_RULE_PATH = '../builtin_rules'
PLUGIN_RULE_PATH = '../so_rules'
-- If you are using reputation preprocessor set these
WHITE_LIST_PATH = '../../intel'
BLACK_LIST_PATH = '../../intel'
Setting HOME_NET & EXTERNAL_NET
Next set the home net to your desired net from snort.lua. Especially if you have jail environment with networking, change it from:
-- setup the network addresses you are protectingHOME_NET = 'any'
To following:
-- setup the network addresses you are protectingHOME_NET = [[ 10.0.0.0/8 <YOUR_PUBLIC_IP> ]]
ips Module
The inclusion of Snort rules files (.rules) occurs within the ips module. Using the snort.lua copied from the Snort rules tarball, the inclusion of the rules is already configured. As a result, the changes to the ips module are minimal and involves enabling decoder and inspector alerts with the option --enable_built_rules, and explicitly defining the ips policy to tap mode. The ips policy governs Snort’s operational mode (tap, inline, and inline-test). Edit in Snort Lua configuration files. Change following from
ips = { -- use this to enable decoder and inspector alerts --enable_builtin_rules = true,
-- use include for rules files; be sure to set your path -- note that rules files can include other rules files --include = 'snort3_community.rules'
-- The following include syntax is only valid for BUILD_243 (13-FEB-2018) and later
-- RULE_PATH is typically set in snort_defaults.lua rules = [[ include $RULE_PATH/snort3-app-detect.rules include $RULE_PATH/snort3-browser-chrome.rules .....
--include $RULE_PATH/snort3-sql.rules include $RULE_PATH/snort3-x11.rules ]] }
To the following:
ips = { mode = tap,
-- use this to enable decoder and inspector alerts enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
--include = 'snort3_community.rules'
-- The following include syntax is only valid for BUILD_243 (13-FEB-2018) and later
-- RULE_PATH is typically set in snort_defaults.lua rules = [[ include $RULE_PATH/snort3-app-detect.rules include $RULE_PATH/snort3-browser-chrome.rules ..... include $RULE_PATH/snort3-sql.rules include $RULE_PATH/snort3-x11.rules ]]
}
reputation Inspector
The reputation inspector is disabled (commented) by default. Uncomment its section and change the values of the --blacklist and --whitelist variables to point to the paths IP address lists.
Change from:
--[[ reputation = {
-- configure one or both of these, then uncomment reputation
--blacklist = 'blacklist file name with ip lists'
--whitelist = 'whitelist file name with ip lists' } --
]]
Change to:
reputation = {
-- configure one or both of these, then uncomment reputation
blacklist = BLACK_LIST_PATH .. '/ip-blacklist',
whitelist = WHITE_LIST_PATH .. '/ip-whitelist' }
file_id & file_log Inspectors
This allows Snort to identify the type of a file traversing a network stream via the file magic headers. The file_id inspector supports HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. Taking advantage of the file_id inspector involves:
- Including the file magic rules. This step is completed in the default form of the inspector.
- Configuring the inspector and define the policy.
- Enabling the inspector logging to generate file events.
The default configuration of the file_id inspector is expanded as follows:
file_id = { file_rules = file_magic }
Leave it as it is.
Next configuration will be enabling event loggging for the inspector. This is accomplished with the file_log inspector at the end of the configuration file. This inspector has two Boolean options that allow logging of packet and system time of file events.
file_log = { log_pkt_time = true, log_sys_time = false }
data_log Inspector
The data_log plugin is available via the extra plugins installed in an earlier step. The data_log is a passive inspector plugin that does not alter data flowing through Snort, instead, it allows for logging additional network data it is subscribed to within Snort 3 processing workflow. The inspector can be used to log HTTP request or response headers. Recall in Snort 2.X this was possible using the log_uri and log_hostname configuration options of the http_inspect preprocessor. These two options are no long part of Snort 3 http_inspect inspector, and the data_log inspector allows for capturing additional data. The captured data is stored into the log file data.log within Snort’s configured logging directory. In order to enable the data_log inspector, the inspector must be defined in snort.lua. The below example configuration will log both HTTP request headers into the data_log file and limit the size of the log file to 100MB before a new log file is generated.
data_log = { key = 'http_request_header_event', limit = 100 }
logger Module
There are various logger modules available in Snort 3 either natively or via the extra plugins. Loggers are disabled (commented) by default. For this guide, the alert_fast logger will be used. Enabling this logger is accomplished by uncommenting its section and configuring it to allow logging to a file. By default Snort uses /var/log/snort for saving log files. This can also be specified at run time using the -l flag. Change from:
--alert_fast = { }
Change to:
alert_fast = { file = true }
After the configuration is completed, create the log directory for Snort as mentioned earlier.
# mkdir -p /var/log/snort
Running against an interface
Snort can be run against a listening interface via the -i flag while specifying the capture network interface. # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -i vtnet0 -l /var/log/snort --plugin-path /usr/local/snort/extra -k none
REFERENCES
Written with StackEdit.