Snort - mata-elang-stable/MataElang-Platform GitHub Wiki
| Item | Value |
|---|---|
| Protected network address | 172.16.0.0/16 |
| Monitoring network interface : IP address | eth1 : 0.0.0.0/0 |
| Defence Center network interface : IP address | eth2 : 172.16.2.10/24 |
| Mosquitto IP address | 172.16.2.30 |
| Sensor ID | (Any ID for sensor) |
| Oinkcode | (Code obtained from Snort webpage) |
| MQTT user / password | mataelang / mataelang |
✅ Ubuntu 20.04 LTS installed and updated with the following command.

```shell
sudo apt update && sudo apt -y upgrade
```

✅ Time zone and NTP already set.

✅ Docker 20.10 or later installed with the following command.

```shell
sudo apt -y install docker.io
```

✅ Docker Compose 2.13 or later installed with the following command.

```shell
sudo curl -L "https://github.com/docker/compose/releases/download/v2.13.0/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/bin/docker-compose && sudo chmod +x /usr/bin/docker-compose
```
Docker's networking manages iptables rules directly and is capable of bypassing the system firewall (UFW). Because the port forwarding for published (mapped) container ports cannot be filtered by UFW, those ports are exposed to attack. For further reading, please refer to:
⛔ DO NOT use netplan, because it does not support promiscuous mode.

```shell
sudo apt -y install ifupdown
sudo nano /etc/network/interfaces
```
Configuration

🔑 Set the CIDR-format IP address of the sensor on the Defense Center side.

🔑 Don't forget to change `eth1` and `eth2` to your actual NIC names. To see the actual NIC names, use the `ip a` command.

🔑 In the model case above, `eth1` (`0.0.0.0/0`) is connected to a network tap and set to promiscuous mode, while the other interface, `eth2` (`172.16.2.10/24`), is connected to the Defense Center.

```
source-directory /etc/network/interfaces.d

auto eth1
iface eth1 inet manual
    address 0.0.0.0/0
    up ip link set eth1 promisc on
    down ip link set eth1 promisc off

auto eth2
iface eth2 inet static
    address <YOUR_CIDR_IP_ADDRESS (e.g. 172.16.2.10/24)>
```
⛔ DO NOT use the command `sudo systemctl restart networking`, because it might cause a system halt.

```shell
sudo reboot now
```

✅ After rebooting, you can check the network configuration with the `ip a` command.
```shell
ip a
```

Result

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:**:**:**:**:75 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42b:****:****:de75/64 scope link
       valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:**:**:**:**:95 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.10/24 brd 172.16.2.255 scope global dynamic eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::42b:****:****:4295/64 scope link
       valid_lft forever preferred_lft forever
```
```shell
git clone https://github.com/mata-elang-stable/sensor-snort.git ~/sensor
```

Edit `docker-compose.yaml` to configure your environment.

```shell
sudo nano ~/sensor/docker-compose.yaml
```
Configuration

🔑 Set the monitoring network interface name to `NETWORK_INTERFACE`. (e.g. `eth1`)

🔑 Set the IP address of your MQTT host to `MQTT_HOST`. (e.g. `172.16.2.30`)

🔑 Set the username and password for MQTT authentication to `MQTT_USERNAME` and `MQTT_PASSWORD`. (e.g. `mataelang` / `mataelang`)

🔑 Set the ID for identifying the sensor to `SENSOR_ID`. If no ID is specified, `<machine-id>` is automatically replaced with the contents of `/etc/machine-id`.

```yaml
services:
  snort:
    environment:
      - NETWORK_INTERFACE=<NETWORK_INTERFACE_NAME>
  snort-parser:
    environment:
      - MQTT_HOST=<MQTT_HOST_IP_OR_NAME>
      - MQTT_PORT=1883
      - MQTT_USERNAME=<MQTT_USERNAME>
      - MQTT_PASSWORD=<MQTT_PASSWORD>
      - MAX_PCAP_FILES=5
      - SENSOR_ID=<machine-id>
      - MQTT_TOPIC=mataelang/sensor/v3/<sensor-id>
      - SNORT_ALERT_FILE_PATH=/var/log/snort/alert_json.txt
```
Edit `snort.lua` to configure Snort.

```shell
sudo nano ~/sensor/snort/snort.lua
```

Configuration

🔑 Set the network address you are protecting to `HOME_NET`. (e.g. `172.16.0.0/16`)

```lua
---------------------------------------------------------------------------
-- 1. configure defaults
---------------------------------------------------------------------------

-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'any'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

alert_json = {
    file = true,
    limit = 100,
}

log_pcap = {
    limit = 100, -- in MBytes
}
```
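The two configuration steps above (the `SENSOR_ID` / `MQTT_TOPIC` placeholders in `docker-compose.yaml` and `HOME_NET` plus the `alert_json` output in `snort.lua`) are exercised together in this added example, which is not part of the wiki or of the `snort3-parser` project. It assumes the model-case values from this page, a constructed stand-in for `/etc/machine-id`, and constructed lines in the shape of Snort 3 `alert_json` output; the classification of each alert relative to `HOME_NET` is an illustration of what a defender can derive from that file.

```python
import ipaddress
import json
import re

# Model-case values from this wiki page; a real deployment reads them from the environment.
HOME_NET = ipaddress.ip_network("172.16.0.0/16")
TOPIC_TEMPLATE = "mataelang/sensor/v3/<sensor-id>"
SAMPLE_MACHINE_ID = "3f2a9c1d4e5b4f6a8c7d9e0f1a2b3c4d\n"  # constructed stand-in for /etc/machine-id
# Constructed lines in the shape of Snort 3 alert_json output; the third one is a torn, half-written line.
SAMPLE_ALERTS = """\
{"timestamp":"01/01-00:00:01.000000","proto":"TCP","dir":"C2S","src_ap":"203.0.113.7:51234","dst_ap":"172.16.5.20:22","rule":"1:1000001:1","action":"allow","msg":"LOCAL ssh probe"}
{"timestamp":"01/01-00:00:02.000000","proto":"TCP","dir":"C2S","src_ap":"172.16.7.9:40000","dst_ap":"198.51.100.3:80","rule":"1:1000002:1","action":"allow","msg":"LOCAL outbound http"}
{"timestamp":"01/01-00:00:03.000000","proto":"UDP","src_ap":"172.16.
"""

def resolve_sensor_id(sensor_id_env: str, machine_id_text: str) -> str:
    """Apply the page's rule: SENSOR_ID=<machine-id> means 'use the contents of /etc/machine-id'."""
    value = sensor_id_env.strip()
    return machine_id_text.strip() if value == "<machine-id>" else value

def build_topic(sensor_id: str, template: str = TOPIC_TEMPLATE) -> str:
    """Fill <sensor-id> in MQTT_TOPIC; '/', '+' and '#' in the ID would alter the topic structure."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", sensor_id):
        raise ValueError(f"sensor id is not usable as a single topic level: {sensor_id!r}")
    return template.replace("<sensor-id>", sensor_id)

def _addr(ap: str):
    # alert_json writes "address:port"; split on the last colon so IPv6 addresses survive.
    return ipaddress.ip_address(ap.rsplit(":", 1)[0])

def classify(alert: dict, home_net=HOME_NET) -> str:
    """Direction of the alert relative to HOME_NET: internal, inbound, outbound or external."""
    src_in, dst_in = _addr(alert["src_ap"]) in home_net, _addr(alert["dst_ap"]) in home_net
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    return "outbound" if src_in else "external"

def parse_alerts(text: str, home_net=HOME_NET) -> list:
    """Parse alert_json.txt line by line, tolerating the partially written last line."""
    alerts = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # Snort appends while we read; an incomplete tail line is expected, not an error
        alert["direction"] = classify(alert, home_net)
        alerts.append(alert)
    return alerts
```

The `direction` field is added locally for triage; the constructed alerts resolve to one `inbound` and one `outbound` event against `HOME_NET`.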
Edit `pulledpork.conf` to specify your oinkcode.

```shell
mv ~/sensor/snort/pulledpork.conf.example ~/sensor/snort/pulledpork.conf
sudo nano ~/sensor/snort/pulledpork.conf
```

Configuration

🔑 Set your oinkcode here.

```
# Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets
oinkcode = <your-oinkcode>
```
❗ The MQTT service must be started before running the sensor service.

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml up -d
```

✅ Confirm the containers are running.

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml ps -a
```

Result

```
NAME                    COMMAND                  SERVICE        STATUS    PORTS
sensor-snort-1          "/usr/local/bin/star…"   snort          running
sensor-snort-parser-1   "/app/me-snort3-pars…"   snort-parser   running
```
Commands

✅ Show service status

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml ps -a
```

Result

```
NAME                    COMMAND                  SERVICE        STATUS    PORTS
sensor-snort-1          "/usr/local/bin/star…"   snort          running
sensor-snort-parser-1   "/app/me-snort3-pars…"   snort-parser   running
```

✅ Start services

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml up -d
```

✅ Stop services (and remove containers)

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml down
```

✅ Stop services (and keep containers)

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml stop
```

✅ Restart services

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml restart
```

✅ Update Snort rules

```shell
# If you want to set a local rule, edit the local.rules file.
nano ~/sensor/snort/local.rules

# Download the latest published rules and recreate the Docker container.
sudo ~/sensor/run.sh update-rules
```

✅ Retrieve Snort logs

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml cp snort:/var/log/snort .
```
✅ Build multi-platform images of the Mata Elang sensor.

- Please prepare another host to build the images.

```shell
# update packages and install docker
sudo apt update && sudo apt -y upgrade
sudo apt -y install docker.io

# prepare docker buildx plugin
sudo wget -P ~ https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64
sudo mkdir -p /usr/local/lib/docker/cli-plugins
sudo mv ~/buildx-v0.10.1.linux-amd64 /usr/local/lib/docker/cli-plugins/docker-buildx
sudo chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx
sudo docker run --privileged --rm tonistiigi/binfmt --install all
sudo docker buildx create --name mybuilder
sudo docker buildx use mybuilder

# download snort3-docker-image from GitHub
git clone https://github.com/mata-elang-stable/snort3-docker-image.git ~/snort3

# build an image & push it to your Docker Hub
cd ~/snort3
sudo docker login -u <USERNAME>
Password:
sudo docker buildx build --push --platform linux/amd64,linux/arm64 -t <REPOSITORY>/snort-base[:TAG] -f dockerfiles/debian.dockerfile .

# download snort3-parser from GitHub
git clone https://github.com/mata-elang-stable/snort3-parser.git ~/parser

# build an image & push it to your Docker Hub
cd ~/parser
sudo docker login -u <USERNAME>
Password:
sudo docker buildx build --push --platform linux/amd64,linux/arm64 -t <REPOSITORY>/snort3-parser[:TAG] -f ./Dockerfile .
```
✅ Build Mata Elang sensor images.

```shell
# update packages and install docker
sudo apt update && sudo apt -y upgrade
sudo apt -y install docker.io

# download snort3-docker-image from GitHub
git clone https://github.com/mata-elang-stable/snort3-docker-image.git ~/snort3

# build an image
cd ~/snort3
sudo docker build -t snort-base[:TAG] -f dockerfiles/debian.dockerfile .

# download snort3-parser from GitHub
git clone https://github.com/mata-elang-stable/snort3-parser.git ~/parser

# build an image
cd ~/parser
sudo docker build -t snort3-parser[:TAG] -f ./Dockerfile .
```
✅ Show environment variables

```shell
sudo docker inspect --format='{{range .Config.Env}}{{println .}}{{end}}' sensor-snort-1
sudo docker inspect --format='{{range .Config.Env}}{{println .}}{{end}}' sensor-snort-parser-1
```

✅ Show the loaded configurations

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml exec snort cat /usr/local/etc/snort/snort.lua
sudo docker-compose -f ~/sensor/docker-compose.yaml exec snort cat /usr/local/etc/pulledpork/pulledpork.conf
```

✅ Show Snort logs

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml logs snort
sudo docker-compose -f ~/sensor/docker-compose.yaml logs snort-parser
sudo docker-compose -f ~/sensor/docker-compose.yaml exec snort cat /var/log/snort/alert_json.txt
sudo docker-compose -f ~/sensor/docker-compose.yaml exec snort tail -f /var/log/snort/alert_json.txt
```

✅ Show Snort version

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml exec snort snort --version
```

✅ Show PulledPork version

```shell
sudo docker-compose -f ~/sensor/docker-compose.yaml exec snort pulledpork.py --version
```

✅ Show Docker version

```shell
sudo docker version
```

✅ Show Docker Compose version

```shell
docker-compose version
```

✅ Show OS version

```shell
cat /etc/os-release
```