Install Snort 3.0 - khoanase62625/Snort-Capstone GitHub Wiki
Snort 3 features:
- Autodetect services for portless configuration.
- Modular design.
- Plugin framework with over 200 plugins.
- LuaJIT configuration, loggers, and rule options.
- New rule parser and syntax with rule "sticky" buffers.
- New HTTP inspector.
1. Preparation
Ensure that the operating system and packages are up to date. A reboot may be required depending on the available updates.
yum update
reboot
Create a directory that will hold the source code.
mkdir sources && cd sources
Note: by default, every package installed from source below is downloaded and built starting from this folder.
Install Necessary Tools
yum install -y vim git wget flex bison gcc gcc-c++ make
Snort 3 requires cmake version 3.4.3 or newer. This version is not available in the CentOS base repository, so cmake has to be installed from source.
CMake: >= 3.4.3
yum remove cmake
wget https://github.com/Kitware/CMake/releases/download/v3.14.5/cmake-3.14.5.tar.gz
tar xf cmake-3.14.5.tar.gz && cd cmake-3.14.5
./configure
make && sudo make install
ln -s /usr/local/bin/cmake /usr/bin/cmake
Install Snort 3 Dependencies
dnet (libdnet-devel), hwloc (hwloc-devel), OpenSSL (openssl-devel), pkgconfig (pkgconfig), zlib (zlib-devel)
yum install -y libdnet-devel hwloc-devel openssl-devel zlib-devel pkgconfig
LuaJIT: Latest
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar xf LuaJIT-2.0.5.tar.gz && cd LuaJIT-2.0.5
make && sudo make install
cp /usr/local/lib/pkgconfig/luajit.pc /usr/lib64/pkgconfig/
PCRE: >= 8.42
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz
tar xf pcre-8.42.tar.gz && cd pcre-8.42
./configure --libdir=/usr/lib64 --includedir=/usr/include
make && sudo make install
PCAP: >= 1.9.0
wget http://www.tcpdump.org/release/libpcap-1.9.0.tar.gz
tar xf libpcap-1.9.0.tar.gz && cd libpcap-1.9.0
./configure --libdir=/usr/lib64 --includedir=/usr/include
make && sudo make install
DAQ: >= 2.2.2
yum install -y libnfnetlink-devel libnetfilter_queue-devel
wget https://snort.org/downloads/snortplus/daq-2.2.2.tar.gz
tar xf daq-2.2.2.tar.gz && cd daq-2.2.2
./configure --disable-ipfw-module --disable-ipq-module --disable-nfq-module
make && sudo make install
Install Snort 3
Get Snort 3 source
wget https://www.snort.org/downloads/snortplus/snort-3.0.0-beta.tar.gz
tar xf snort-3.0.0-beta.tar.gz && cd snort-3.0.0
Set LD_LIBRARY_PATH so the libraries installed above are found:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib:/usr/local/lib
Compiling Snort
./configure_cmake.sh --prefix=/usr/local/snort
Install Snort 3
cd build/
make && sudo make install
Create Folder for Rules, AppID, Logs, and IP Reputation
mkdir -p /usr/local/snort/{rules,appid,intel,logs}
Get rule set
Setting up HOME_NET, EXTERNAL_NET and IPS mode
sudo vim /usr/local/snort/etc/snort/snort.lua
Change these lines:
HOME_NET = '<Your home network>'
EXTERNAL_NET = '<Other from your network. Or 'any'>'
ips = {mode = inline}
alert_json =
{
fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}
Create the Snort start scripts. snort_IDS_start.sh: start Snort in IDS mode
vim /usr/local/snort/bin/snort_IDS_start.sh
Paste these lines:
#!/bin/bash
# Passive IDS: alerts are logged as JSON, no traffic is blocked. Replace <network-interface> with your sniffing interface.
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/rules/snort3-community.rules --plugin-path /usr/local/snort/lib64/ -i <network-interface> -A json -y -q > /usr/local/snort/logs/alerts.json
snort_IPS_start.sh: start Snort in IPS mode
vim /usr/local/snort/bin/snort_IPS_start.sh
Paste these lines:
#!/bin/bash
# Inline IPS: traffic is bridged between the two interfaces by the afpacket DAQ and -Q allows rules to block. Replace both interface placeholders.
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/snort/rules/snort3-community.rules --plugin-path /usr/local/snort/lib64/ -i <network-interface 1>:<network-interface 2> --daq afpacket -Q --process-all-events -A json -y -q > /usr/local/snort/logs/alerts.json
Make both scripts executable
sudo chmod +x /usr/local/snort/bin/snort_IDS_start.sh /usr/local/snort/bin/snort_IPS_start.sh
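Both scripts write one JSON object per alert to alerts.json, using the field list configured in the alert_json block above. The following is an added example (not part of this wiki or of Snort) that parses that file and summarises alerts per rule, source address and action; the alert lines are constructed sample data, and it assumes Snort's real output keeps the same field names.

```python
import base64
import json
from collections import Counter

# Constructed sample of alert_json output (one object per line, fields as in the
# snort.lua snippet above); addresses, rule ids and payloads are made up.
SAMPLE_ALERTS = """\
{ "timestamp" : "19/06/12-10:55:20.111921", "pkt_num" : 1, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 74, "dir" : "C2S", "src_addr" : "10.0.0.5", "src_port" : 44321, "dst_addr" : "192.168.1.10", "dst_port" : 80, "service" : "http", "rule" : "1:1000001:1", "priority" : 3, "class" : "none", "action" : "allow", "b64_data" : "R0VUIC8gSFRUUC8xLjENCg==" }
{ "timestamp" : "19/06/12-10:55:21.004512", "pkt_num" : 2, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 74, "dir" : "C2S", "src_addr" : "10.0.0.5", "src_port" : 44322, "dst_addr" : "192.168.1.10", "dst_port" : 80, "service" : "http", "rule" : "1:1000001:1", "priority" : 3, "class" : "none", "action" : "allow", "b64_data" : "R0VUIC8gSFRUUC8xLjENCg==" }
{ "timestamp" : "19/06/12-10:55:25.778201", "pkt_num" : 3, "proto" : "ICMP", "pkt_gen" : "raw", "pkt_len" : 98, "dir" : "C2S", "src_addr" : "10.0.0.9", "src_port" : 0, "dst_addr" : "192.168.1.10", "dst_port" : 0, "service" : "unknown", "rule" : "1:1000002:1", "priority" : 2, "class" : "attempted-recon", "action" : "block", "b64_data" : "" }
this line is not JSON and must be skipped
"""


def parse_alerts(text):
    """Parse alert_json lines. A malformed line (for example the last line while
    Snort is still writing it) is skipped instead of aborting the whole run."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def decode_payload(alert):
    """Return the captured payload bytes from b64_data, or b'' if none was logged."""
    return base64.b64decode(alert.get("b64_data") or "")


def summarise(alerts):
    """Count alerts per rule (gid:sid:rev), per source address and per action.
    With the IPS script (-Q), 'block' actions show what Snort actually dropped."""
    return {
        "by_rule": Counter(a["rule"] for a in alerts),
        "by_src": Counter(a["src_addr"] for a in alerts),
        "by_action": Counter(a["action"] for a in alerts),
    }


if __name__ == "__main__":
    # On a live sensor, read /usr/local/snort/logs/alerts.json instead of the sample.
    alerts = parse_alerts(SAMPLE_ALERTS)
    for name, counts in summarise(alerts).items():
        print(name, dict(counts.most_common(5)))
    print("first payload:", decode_payload(alerts[0]))
```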