ArchWiki - User contributions [en] (https://wiki.archlinux.org/api.php?action=feedcontributions&user=Sirtoffski&feedformat=atom), feed generated 2024-03-29T10:18:26Z by MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=Snort&diff=599287 Snort, 2020-02-27T02:11:05Z<p>Sirtoffski: Update Snort sign up link</p>
<hr />
<div>[[Category:Intrusion detection]]<br />
[[ja:Snort]]<br />
From the project [http://www.snort.org/ home page]:<br />
:Snort® is an open source network intrusion prevention and detection system ([[Wikipedia:Intrusion detection system|IDS]]/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.<br />
<br />
== General Setup and Notes ==<br />
<br />
* A Snort setup that sniffs WAN <-> LAN is harder to work with: behind NAT every alert carries the router's address, so it does not show you which internal computer triggered it, and it requires you to set HOME_NET to your WAN IP address, which can change if your modem uses DHCP.<br />
* In inline mode Snort (through the afpacket DAQ) bridges the two interfaces for you; you do not need to configure a bridge yourself.<br />
<br />
You can use Snort to sniff wireless traffic with two routers. For simplicity the router with ''DHCP on and wireless off'' will be called "router A" and the router with ''wireless on and DHCP off'' "router B". <br />
<br />
* Ensure the routers do not have the same IP address, but are on the same subnet. <br />
* If the machine running Snort is configured for inline mode, you will need 3 network interface cards. One for management, one for incoming traffic, and one for outgoing traffic. <br />
* Connect an Ethernet cable from router B to a spare NIC on the Snort machine.<br />
* Connect another Ethernet cable from router A to a spare NIC on the Snort machine.<br />
* Once Snort is running, traffic should flow from router B <-> Snort machine <-> router A <-> internet.<br />
* If you are not using inline mode, a switch or router must copy the traffic to the Snort machine's sniffing interface, see: [[wikipedia:Port_mirroring|Port Mirroring]]<br />
<br />
== Installation ==<br />
<br />
Install {{AUR|snort}} from the [[AUR]].<br />
<br />
== Configuration ==<br />
<br />
The main configuration file is located at {{ic|/etc/snort/snort.conf}}.<br />
<br />
Let Snort know which network (or networks) you want to monitor. Rules are written in terms of {{ic|$HOME_NET}} (the hosts you protect) and {{ic|$EXTERNAL_NET}} (normally {{ic|!$HOME_NET}}), so set it to your real address ranges rather than leaving it as {{ic|any}}.<br />
ipvar HOME_NET [10.8.0.0/24,192.168.1.0/24] <br />
<br />
At the bottom of the file there is a list of rule includes. If you are going to use Pulledpork to download your rule set, comment out all of the other includes and leave only:<br />
include $RULE_PATH/snort.rules<br />
<br />
=== Inline mode ===<br />
Inline mode means that packets pass ''through'' Snort rather than being copied to it. In this mode Snort can drop packets and abort exploitation attempts in real time, i.e. it acts as an intrusion prevention system (IPS). The price is that Snort is now in the forwarding path: the afpacket bridge exists only while the Snort process runs, so if it stops, traffic between the two interfaces stops with it.<br />
<br />
If you are planning on using Snort in inline mode add these lines to the bottom of the configuration:<br />
config policy_mode:inline<br />
config daq: afpacket<br />
config daq_mode: inline<br />
config daq_var: buffer_size_mb=1024<br />
A working example of inline mode in {{ic|snort.conf}} is also available on [http://pastebin.com/xNuVtni3 pastebin].<br />
<br />
Then ensure your service file {{ic|/usr/lib/systemd/system/snort@.service}} has the correct arguments for inline mode: this means adding {{ic|-Q}}. Snort also advises turning off LRO and GRO on the sniffing interfaces ([http://manual.snort.org/node7.html source]), because receive offload merges packets into super-frames larger than the snaplen. Note that for an inline instance {{ic|%I}} is the whole pair (for example {{ic|ens1:ens4}}), so the pre-start commands must handle each interface separately, and that {{ic|-p}} (disable promiscuous mode) must not be used on a sensor fed by a mirror port, or frames addressed to other hosts are never seen.<br />
[Unit]<br />
Description=Snort IDS system listening on '%I'<br />
<br />
[Service]<br />
Type=simple<br />
# %I is a single interface or an inline pair "ifA:ifB": bring up each one and disable GRO/LRO on it.<br />
# "$$" is systemd's escape for a literal "$" passed to the shell; LRO is fixed off on many NICs, so that failure is tolerated.<br />
ExecStartPre=/bin/sh -ec 'for i in $$(echo %I | tr ":" " "); do /usr/bin/ip link set up dev "$$i"; /usr/bin/ethtool -K "$$i" gro off; /usr/bin/ethtool -K "$$i" lro off 2>/dev/null || true; done'<br />
ExecStart=/usr/bin/snort --daq-dir /usr/lib/daq/ -A fast -b -u snort -g snort -c /etc/snort/snort.conf -i %I -Q<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
To start Snort that is configured for inline mode run (''your network interfaces may vary''): <br />
systemctl start snort@ens1:ens4<br />
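A pre-flight check for the interface pair, as an added example that is not part of the ArchWiki page or of Snort itself: it splits the {{ic|ifA:ifB}} instance name the same way the service must, and confirms from {{ic|ethtool -k}} output that GRO and LRO are really off before Snort is started inline. The {{ic|ethtool}} output embedded below is a constructed sample, and the function names are the example's own.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or the Snort project): pre-flight
# checks for a Snort inline pair given in Snort's "ifA:ifB" form.
# Assumptions: `ethtool -k` prints the usual "feature: on|off [fixed]" lines,
# and interfaces appear under /sys/class/net.

# Split "ens1:ens4" into "ens1 ens4" (a single interface is returned unchanged).
split_pair() {
    printf '%s\n' "$1" | tr ':' ' '
}

# Succeed only if the given `ethtool -k` text shows both GRO and LRO off.
# Snort recommends this for inline/afpacket: receive offload merges packets
# into super-frames larger than the snaplen, which breaks inspection.
offloads_off() {
    _gro=$(printf '%s\n' "$1" | awk -F': ' '/^generic-receive-offload:/ {print $2}' | cut -d' ' -f1)
    _lro=$(printf '%s\n' "$1" | awk -F': ' '/^large-receive-offload:/ {print $2}' | cut -d' ' -f1)
    [ "$_gro" = "off" ] && [ "$_lro" = "off" ]
}

# Check every interface of the pair on the live system: it must exist, not be
# administratively down, and have the offloads disabled. Prints one line per
# interface and returns non-zero if anything needs fixing.
check_pair() {
    _rc=0
    for _if in $(split_pair "$1"); do
        if [ ! -d "/sys/class/net/$_if" ]; then
            echo "$_if: no such interface"; _rc=1; continue
        fi
        if [ "$(cat "/sys/class/net/$_if/operstate")" = "down" ]; then
            echo "$_if: link down (ip link set up dev $_if)"; _rc=1
        fi
        if offloads_off "$(ethtool -k "$_if" 2>/dev/null)"; then
            echo "$_if: GRO/LRO off"
        else
            echo "$_if: GRO or LRO still on (ethtool -K $_if gro off lro off)"; _rc=1
        fi
    done
    return $_rc
}

# Constructed `ethtool -k` samples (not captured from a real host).
SAMPLE_OK='Features for ens1:
rx-checksumming: on
generic-receive-offload: off
large-receive-offload: off [fixed]'
SAMPLE_BAD='Features for ens4:
rx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Usage: sh snort-preflight.sh ens1:ens4   (run before: systemctl start snort@ens1:ens4)
if [ -n "${1:-}" ]; then
    check_pair "$1"
fi
```

Run it with the same instance name you pass to {{ic|systemctl}}; a non-zero exit means the pair is not ready for inline operation.<br />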
<br />
=== IDS mode ===<br />
In intrusion detection mode (IDS), Snort only receives a copy of the traffic (from a mirror port or tap). It cannot drop packets, so it can only notify you that an exploitation attempt is occurring or has already occurred. Do not combine this with the inline settings above: passive mode uses neither {{ic|-Q}} nor {{ic|config daq_mode: inline}}.<br />
<br />
To start Snort in IDS mode run:<br />
systemctl start snort@ens1<br />
<br />
== Updating the rules with Pulledpork ==<br />
Install {{AUR|pulledpork}} from the [[AUR]].<br />
<br />
=== Configuration ===<br />
The configuration files are located in {{ic|/etc/pulledpork}}.<br />
<br />
Edit {{ic|/etc/pulledpork/pulledpork.conf}} and uncomment the rules you want to use. You will need an "oinkcode" to download some of the rules. <br />
<br />
* {{ic|dropsid.conf}}: rules listed here have their action rewritten from {{ic|alert}} to {{ic|drop}} in the generated rule set, so they only block traffic when Snort runs inline.<br />
* {{ic|enablesid.conf}}: enables signatures that the rule set ships commented out (which ones are on by default depends on the {{ic|ips_policy}} chosen in {{ic|pulledpork.conf}}); it is rarely necessary to edit it.<br />
* {{ic|disablesid.conf}}: comments a signature out of the generated rule set, so Snort never loads it.<br />
The categories currently in your rule set can be listed from the {{ic|.rules}} file names inside the tarballs Pulledpork downloads to its temp directory ({{ic|/var/tmp}} here). Do not add {{ic|-w}} to the download command: it skips TLS certificate verification, which lets anyone on the path substitute a tampered rule set.<br />
pulledpork.pl -c /etc/pulledpork/pulledpork.conf -P<br />
for f in /var/tmp/*.tar.gz; do tar -tzf "$f"; done | grep '\.rules$' | sed 's#.*/##; s#\.rules$##' | sort -u > rules.$(date +%F)<br />
<br />
=== Drop traffic with Pulledpork ===<br />
If you want to drop ''all'' traffic that matches any Snort signature instead of just alerting, add the following to your {{ic|dropsid.conf}} (a regular expression matched against every rule; {{ic|.}} matches them all). Turning every alert into a drop is rarely wise: in inline mode each false positive becomes an outage.<br />
pcre:.<br />
<br />
Or if you want to drop all traffic matching an entire category:<br />
policy-social<br />
policy-other<br />
file-other<br />
<br />
If you only want to drop a single rule, give its gid:sid:<br />
118:7<br />
<br />
=== Disabling rules with Pulledpork ===<br />
<br />
If you want to disable a single signature, add its gid:sid (generator ID and signature ID) to {{ic|/etc/pulledpork/disablesid.conf}}:<br />
118:22<br />
<br />
If you want to disable an entire category:<br />
deleted<br />
protocol-icmp<br />
policy-social<br />
policy-other<br />
<br />
=== Running Pulledpork ===<br />
This will pull the new rules and write them to {{ic|/etc/snort/rules/snort.rules}}. Test the configuration with Snort's {{ic|-T}} option before restarting Snort, because a rule set with a syntax error stops Snort from starting at all.<br />
pulledpork.pl -c /etc/pulledpork/pulledpork.conf -P<br />
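Once Pulledpork has written {{ic|snort.rules}}, it is worth checking that the entries in {{ic|dropsid.conf}} and {{ic|disablesid.conf}} described above actually took effect. The following is an added example, not from the ArchWiki page, Snort or Pulledpork: it reads a generated rule file from standard input and reports the state of a given {{ic|gid:sid}} (the action word, {{ic|disabled}} for a commented-out rule, or {{ic|missing}}) plus a count of alert, drop and disabled rules. The rules embedded in {{ic|sample_rules}} are constructed, not real Talos signatures; rules without an explicit {{ic|gid}} are treated as gid 1, as Snort does.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page, Snort or Pulledpork): audit a
# Pulledpork-generated snort.rules for the effect of dropsid/disablesid.
# Assumes Pulledpork's output format: one rule per line, disabled rules
# prefixed with "#", and gid defaulting to 1 when absent (Snort's default).

# Print the state of rule $1 ("gid:sid") read from the rule file on stdin:
# the rule's action word (alert, drop, ...), "disabled", or "missing".
rule_state() {
    awk -v want="$1" '
        /sid:[[:space:]]*[0-9]+/ {
            line = $0
            sid = line; sub(/.*sid:[[:space:]]*/, "", sid); sub(/[^0-9].*/, "", sid)
            gid = "1"
            if (match(line, /gid:[[:space:]]*[0-9]+/)) {
                gid = substr(line, RSTART, RLENGTH); sub(/gid:[[:space:]]*/, "", gid)
            }
            if ((gid ":" sid) != want) next
            found = 1
            if (line ~ /^[[:space:]]*#/) { print "disabled"; exit }
            act = line; sub(/^[[:space:]]*/, "", act); sub(/[[:space:]].*/, "", act)
            print act; exit
        }
        END { if (!found) print "missing" }
    '
}

# Count enabled rules per action and disabled (commented-out) rules on stdin.
rule_counts() {
    awk '
        /^[[:space:]]*#/ && /sid:[[:space:]]*[0-9]+/ { disabled++; next }
        /^[[:space:]]*(alert|drop|sdrop|reject|pass|log)[[:space:]]/ { n[$1]++ }
        END { printf "alert=%d drop=%d disabled=%d\n", n["alert"], n["drop"], disabled }
    '
}

# Constructed sample of Pulledpork output (not real rules).
sample_rules() {
cat <<'EOF'
# snort.rules generated by pulledpork (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH banner"; flow:to_server; content:"SSH-"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE bad user-agent"; content:"EvilBot"; http_header; sid:1000002; rev:2;)
# alert icmp any any -> $HOME_NET any (msg:"SAMPLE icmp echo"; itype:8; sid:1000003; rev:1;)
drop ( msg:"SAMPLE preprocessor event"; sid:7; gid:118; rev:1; )
EOF
}

# Usage: rule_state 118:7 < /etc/snort/rules/snort.rules
#        rule_counts < /etc/snort/rules/snort.rules
if [ -n "${1:-}" ]; then
    rule_state "$1" < "${2:-/etc/snort/rules/snort.rules}"
fi
```

Against the constructed sample, {{ic|118:7}} reports {{ic|drop}} and {{ic|1:1000003}} reports {{ic|disabled}}; run the same checks against the real {{ic|snort.rules}} after each Pulledpork run and before restarting Snort.<br />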
<br />
== Update the rules: Oinkmaster ==<br />
<br />
There are two sets of rules distributed by Snort: the "Community Ruleset" and the "Snort Subscriber Rule Set". The former is freely available to all users; the latter is made available to paid subscribers and to registered users. Paid subscribers receive rule sets as soon as they are released; registered users receive the same rule sets 30 days later. Registration is free and available at: [https://snort.org/users/sign_up Snort: Sign up].<br />
<br />
{{AUR|oinkmaster}} is available as an [[AUR]] package.<br />
<br />
=== Oinkmaster setup ===<br />
<br />
When you log into your new account, create an "Oinkcode". Then edit {{ic|/etc/oinkmaster.conf}}, look for the URL section and uncomment the 2.4 line, replacing ''<oinkcode>'' with the Oinkcode you generated. For Bleeding Snort rules, uncomment the appropriate line. Treat the Oinkcode as a credential tied to your account: keep the configuration file unreadable to other users.<br />
<br />
Another thing to change is<br />
use_external_bins=1 # 1 uses wget, tar, gzip instead of Perl modules<br />
<br />
The rest of the configuration file is fine.<br />
<br />
=== Oinkmaster usage ===<br />
<br />
oinkmaster.pl -o /etc/snort/rules<br />
<br />
Create an executable script with this exact command and place it in {{ic|/etc/cron.daily}} to update the rules daily. Arch does not ship a cron daemon by default; a [[Systemd/Timers|systemd timer]] does the same job.<br />
<br />
== See also ==<br />
<br />
* [[Simple stateful firewall]]<br />
* [[Router]]</div>
<hr />
Earlier revisions of this page by Sirtoffski in this feed (their text is otherwise identical to the revision above):
* https://wiki.archlinux.org/index.php?title=Snort&diff=597922 Snort, 2020-02-18T20:58:28Z<p>Sirtoffski: Remove reference to bleedingsnort.com as it does not appear to be an active domain anymore.</p>
* https://wiki.archlinux.org/index.php?title=Snort&diff=597568 Snort, 2020-02-15T13:26:38Z<p>Sirtoffski: /* Update the rules: Oinkmaster */ Update information on how snort rulesets are distributed. Subscriber ruleset are now released to registered in 30 days.</p>