
Install Snort 3.0

khoanase62625 edited this page Jul 16, 2019 · 3 revisions

Snort 3 features:

  • Autodetect services for portless configuration.
  • Modular design.
  • Plugin framework with over 200 plugins.
  • LuaJIT configuration, loggers, and rule options.
  • New rule parser and syntax with rule "sticky" buffers.
  • New HTTP inspector.

1. Preparation

Ensure that the operating system and packages are up to date. A reboot may be required depending on the available updates.

yum update
reboot

Create a directory that will hold the source code.

mkdir sources && cd sources

Note: every package built from source below is downloaded into and built from this directory.

Install Necessary Tools

yum install -y vim git wget flex bison gcc gcc-c++ make

Snort 3 requires cmake 3.4.3 or newer. The CentOS base repository does not ship a version that recent, so cmake has to be built from source. cmake: >= 3.4.3

yum remove cmake
wget https://github.com/Kitware/CMake/releases/download/v3.14.5/cmake-3.14.5.tar.gz
tar xf cmake-3.14.5.tar.gz && cd cmake-3.14.5
./configure
make && sudo make install
ln -s /usr/local/bin/cmake /usr/bin/cmake

Install Snort 3 Dependencies

dnet (libdnet-devel), hwloc (hwloc-devel), OpenSSL (openssl-devel), pkgconfig (pkgconfig), zlib (zlib-devel)

yum install -y libdnet-devel hwloc-devel openssl-devel zlib-devel pkgconfig

LuaJIT: Latest

wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar xf LuaJIT-2.0.5.tar.gz && cd LuaJIT-2.0.5
make && sudo make install
cp /usr/local/lib/pkgconfig/luajit.pc /usr/lib64/pkgconfig/

PCRE: >= 8.42

wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz
tar xf pcre-8.42.tar.gz && cd pcre-8.42
./configure --libdir=/usr/lib64 --includedir=/usr/include
make && sudo make install

PCAP: >= 1.9.0

wget http://www.tcpdump.org/release/libpcap-1.9.0.tar.gz
tar xf libpcap-1.9.0.tar.gz && cd libpcap-1.9.0
./configure --libdir=/usr/lib64 --includedir=/usr/include
make && sudo make install

DAQ: >= 2.2.2

yum install -y libnfnetlink-devel libnetfilter_queue-devel
wget https://snort.org/downloads/snortplus/daq-2.2.2.tar.gz
tar xf daq-2.2.2.tar.gz && cd daq-2.2.2
./configure --disable-ipfw-module --disable-ipq-module --disable-nfq-module
make && sudo make install
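As an added example (not from this wiki), the following POSIX shell script checks what is installed against the minimums listed above before any of the builds are started: cmake >= 3.4.3, PCRE >= 8.42, libpcap >= 1.9.0, and the LuaJIT release the page downloads (2.0.5). It assumes cmake is on PATH and that the libpcre, libpcap and luajit .pc files are visible to pkg-config (the page copies luajit.pc into /usr/lib64/pkgconfig for exactly that reason); DAQ is not probed because it installs no .pc file that this script can rely on. The file name check_prereqs.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the wiki: compare installed versions with the
# minimums the page lists before starting the source builds.

# version_ge A B -> exit 0 when dotted version A >= B, comparing field by field
# (a suffix such as "-RC1" is ignored; a missing field counts as 0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# check_min NAME FOUND REQUIRED -> prints one verdict line, exit 0 when FOUND >= REQUIRED
check_min() {
    found=${2:-missing}
    if version_ge "$found" "$3"; then
        printf 'OK   %-8s %-8s (need >= %s)\n' "$1" "$found" "$3"
    else
        printf 'FAIL %-8s %-8s (need >= %s)\n' "$1" "$found" "$3"
        return 1
    fi
}

# Probes (assumptions): cmake is on PATH; the pcre, libpcap and LuaJIT builds
# installed .pc files somewhere on pkg-config's search path.
cmake_version() { cmake --version 2>/dev/null | awk 'NR == 1 { print $3 }'; }
pkg_version()   { pkg-config --modversion "$1" 2>/dev/null; }

# check_all -> exit 0 only when every listed minimum is met
check_all() {
    rc=0
    check_min cmake   "$(cmake_version)"       3.4.3 || rc=1
    check_min pcre    "$(pkg_version libpcre)" 8.42  || rc=1
    check_min libpcap "$(pkg_version libpcap)" 1.9.0 || rc=1
    check_min luajit  "$(pkg_version luajit)"  2.0.5 || rc=1   # release the page downloads
    return "$rc"
}

# Run the probes only when saved and executed as check_prereqs.sh
if [ "${0##*/}" = check_prereqs.sh ]; then
    check_all
fi
```

Run it as `sh check_prereqs.sh` after the dependency builds; a FAIL line with "missing" means the probe found nothing, which usually points at a .pc file outside pkg-config's search path rather than at an old version.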

Install Snort 3

Get Snort 3 source

wget https://www.snort.org/downloads/snortplus/snort-3.0.0-beta.tar.gz
tar xf snort-3.0.0-beta.tar.gz && cd snort-3.0.0

Set LD_LIBRARY_PATH so the libraries installed under /usr/local/lib are found (an export only lasts for the current shell; add the line to your shell profile to make it persistent)

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib

Compiling Snort

./configure_cmake.sh --prefix=/usr/local/snort

Install Snort 3

cd build/
make && sudo make install

Create folders for rules, AppID, logs, and IP reputation

mkdir -p /usr/local/snort/{rules,appid,intel,logs}

Get rule set


Setting up HOME_NET, EXTERNAL_NET and IPS mode

sudo vim /usr/local/snort/etc/snort/snort.lua

Change these lines:

HOME_NET = '<your home network>'
EXTERNAL_NET = '<networks outside your home network, or any>'
-- add mode to the existing ips table (keep its other entries); the value is a Lua string, so it must be quoted
ips = { mode = 'inline' }
alert_json =
{
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}

Create the Snort start scripts. snort_IDS_start.sh starts Snort in IDS mode:

vim /usr/local/snort/bin/snort_IDS_start.sh

Paste these lines:

#!/bin/bash
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua \
    -R /usr/local/snort/rules/snort3-community.rules \
    --plugin-path /usr/local/snort/lib64/ \
    -i <network-interface> -A json -y -q > /usr/local/snort/logs/alerts.json

snort_IPS_start.sh starts Snort in IPS mode:

vim /usr/local/snort/bin/snort_IPS_start.sh

Paste these lines:

#!/bin/bash
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua \
    -R /usr/local/snort/rules/snort3-community.rules \
    --plugin-path /usr/local/snort/lib64/ \
    -i <network-interface 1>:<network-interface 2> --daq afpacket -Q --process-all-events \
    -A json -y -q > /usr/local/snort/logs/alerts.json

Make both scripts executable

sudo chmod +x /usr/local/snort/bin/snort_IDS_start.sh /usr/local/snort/bin/snort_IPS_start.sh
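An added example, not part of the wiki: a preflight wrapper around the two start scripts above. It checks the inputs the scripts rely on (readable snort.lua, readable rules file, writable log directory, interface names that exist, and the if1:if2 form that afpacket inline mode needs), validates the configuration with snort -T before any traffic is touched, and then launches Snort with the same arguments as the page's scripts. Paths match the page's /usr/local/snort prefix; the wrapper name snort_start.sh is an assumption. Unlike the page's scripts it appends to alerts.json so a restart does not truncate the alert history.

```shell
#!/bin/sh
# Added example, not part of the wiki: preflight checks for the start scripts
# above. Paths are assumptions that match the page's /usr/local/snort prefix.
SNORT_BIN=/usr/local/snort/bin/snort
SNORT_CFG=/usr/local/snort/etc/snort/snort.lua
SNORT_RULES=/usr/local/snort/rules/snort3-community.rules
SNORT_LOGS=/usr/local/snort/logs
SNORT_PLUGINS=/usr/local/snort/lib64/

# ips_pair_ok IFACE -> 0 when IFACE is "if1:if2", the form afpacket inline needs
ips_pair_ok() {
    case "$1" in
        *:*:*) return 1 ;;   # three or more interfaces
        ?*:?*) return 0 ;;   # exactly two, both non-empty
        *)     return 1 ;;
    esac
}

# preflight CONFIG RULES LOGDIR IFACE -> 0 when every input is usable, 1 otherwise
preflight() {
    cfg=$1 rules=$2 logdir=$3 iface=$4 ok=0
    [ -r "$cfg" ]   || { echo "config not readable: $cfg" >&2; ok=1; }
    [ -r "$rules" ] || { echo "rules not readable: $rules" >&2; ok=1; }
    [ -d "$logdir" ] && [ -w "$logdir" ] || { echo "log dir not writable: $logdir" >&2; ok=1; }
    [ -n "$iface" ] || { echo "no interface given" >&2; ok=1; }
    # Linux lists every interface under /sys/class/net; the check is skipped elsewhere
    if [ -d /sys/class/net ]; then
        for i in $(printf '%s' "$iface" | tr ':' ' '); do
            [ -e "/sys/class/net/$i" ] || { echo "no such interface: $i" >&2; ok=1; }
        done
    fi
    return "$ok"
}

# start_snort ids|ips IFACE -> run the checks, validate the config with -T, then
# launch with the page's arguments; alerts are appended rather than truncated
start_snort() {
    mode=$1 iface=$2
    preflight "$SNORT_CFG" "$SNORT_RULES" "$SNORT_LOGS" "$iface" || return 1
    if [ "$mode" = ips ] && ! ips_pair_ok "$iface"; then
        echo "IPS mode needs two interfaces as if1:if2" >&2
        return 1
    fi
    # -T parses the configuration and rules and exits; a bad rule is caught here
    "$SNORT_BIN" -c "$SNORT_CFG" -R "$SNORT_RULES" --plugin-path "$SNORT_PLUGINS" -T >/dev/null || return 1
    if [ "$mode" = ips ]; then
        exec "$SNORT_BIN" -c "$SNORT_CFG" -R "$SNORT_RULES" --plugin-path "$SNORT_PLUGINS" \
            -i "$iface" --daq afpacket -Q --process-all-events -A json -y -q >> "$SNORT_LOGS/alerts.json"
    else
        exec "$SNORT_BIN" -c "$SNORT_CFG" -R "$SNORT_RULES" --plugin-path "$SNORT_PLUGINS" \
            -i "$iface" -A json -y -q >> "$SNORT_LOGS/alerts.json"
    fi
}

# usage: sh snort_start.sh ids eth0      or      sh snort_start.sh ips eth1:eth2
if [ "$#" -eq 2 ]; then
    start_snort "$1" "$2"
fi
```

The -T pass costs a few seconds at startup but turns a typo in snort.lua or a malformed community rule into a clear error on stderr instead of a sensor that exits silently under -q with nothing written to alerts.json.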
