Difference between revisions of "Snort"

From ArchWiki
m (remove contractions)
m (Installation: fix package link)
(11 intermediate revisions by 6 users not shown)
Revision as of 01:59, 3 August 2013

This article or section needs language, wiki syntax or style improvements. (Discuss in Talk:Snort)

The factual accuracy of this article or section is disputed. (Discuss in Talk:Snort)

From the project home page:

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

Installation

Install the snort package from the AUR.

Configuration

The main configuration file is /etc/snort/snort.conf.

Read it carefully; as usual, it is very well documented. The variables below are the ones you will most likely need to adapt:

var HOME_NET        10.0.0.0/28           # Change to the subnet of your LAN.
var EXTERNAL_NET    !$HOME_NET            # Everything that is not your LAN.
var DNS_SERVERS     $HOME_NET
var SMTP_SERVERS    $HOME_NET             # Comment these out if you are not running any servers on the LAN.
var HTTP_SERVERS    $HOME_NET
var SQL_SERVERS     $HOME_NET
var TELNET_SERVERS  $HOME_NET
var SHELLCODE_PORTS !80
var ORACLE_PORTS    1521
var AIM_SERVERS     [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH       /etc/snort/rules
portvar HTTP_PORTS  [80,5000]             # For HTTPds running on ports 80 and 5000 (a port list needs portvar,
                                          # Snort 2.6 and later). Change to the ports you are using on your LAN.
config detection:   search-method lowmem  # If you are using a machine "with very limited resources".

At the bottom of the file there is a list of include lines. These define which rule files are loaded, so comment or uncomment them as you please. Check that each included file actually exists: in my case, none of the rule files were present.

groupadd snort
mkdir -p /var/log/snort
# Dedicated system account for the daemon; the log directory doubles as its home
# and it gets no login shell, so the account cannot be used interactively.
useradd -r -g snort -d /var/log/snort -s /usr/bin/nologin snort
chown -R snort:snort /var/log/snort

The factual accuracy of this section is disputed. Reason: Under review -- I am not sure about this yet. (Discuss in Talk:Snort)

Edit /etc/conf.d/snort:

SNORT_ARGS="-u snort -g snort -l /var/log/snort -K ascii -c /etc/snort/snort.conf -D -h 10.0.0.0/28 -A full"

Replace 10.0.0.0/28 with the CIDR of your LAN.

Snort now runs as user snort in group snort, which limits the damage if the process is compromised. The other options make it log to /var/log/snort in ASCII mode. Run snort -h to see the other available options.

I have been running my router for 12 days now with the above Snort options and had around 120MB of logs! So I changed the -A switch to "-A none". This only logs alerts; I did not know what to do with all the logs anyway.

Update the rules: Oinkmaster

If you want to download Snort's latest rules, you need a subscription, which costs money. If you are happy with rules that are 5 days old, you only need to register for free. If you do neither, the only updates you get are the new rules distributed with each Snort release. Go ahead and register at Snort. If you really do not want to register, you can use the rules from BleedingSnort.com. They are bleeding edge, meaning they have not been tested thoroughly.

oinkmaster is available as an AUR package.

Oinkmaster setup

Edit /etc/oinkmaster.conf, look for the URL section and uncomment the 2.4 line. Make sure to replace <oinkcode> with the Oink code you generated after logging into your Snort account. For Bleeding Snort rules, uncomment the appropriate line instead.

When you log into your new account, create an "Oink code". Another setting to change is:

use_external_bins = 1   # 1 uses wget, tar, gzip instead of Perl modules

The rest of the configuration file is fine.

Oinkmaster usage

oinkmaster.pl -o /etc/snort/rules

Create an executable script containing exactly that command and place it in /etc/cron.daily so the rules are updated automatically every day.
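The cron.daily script described above, as an added example that is not part of the wiki page: it runs Oinkmaster, then checks the result with snort -T (Snort's configuration test mode) and restores the previous rule directory if the new rule set does not parse, so a bad download never reaches the running IDS. The variable names and the .bak directory are assumptions; the paths are the ones used in this article.

```shell
#!/bin/sh
# Daily Snort rule update for /etc/cron.daily: fetch with Oinkmaster, verify that
# Snort still parses the configuration and the new rules, roll back otherwise.
# Added example, not from the ArchWiki page. Paths follow the article; the
# variables below are hypothetical names that can be overridden via the environment.
set -e

RULE_PATH="${RULE_PATH:-/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
OINKMASTER="${OINKMASTER:-oinkmaster.pl}"
SNORT="${SNORT:-snort}"

# Keep a copy of the current rule set so a bad download can be undone.
backup_rules() {
    rm -rf "$RULE_PATH.bak"
    cp -Rp "$RULE_PATH" "$RULE_PATH.bak"
}

# Put the saved copy back in place of whatever Oinkmaster produced.
restore_rules() {
    rm -rf "$RULE_PATH"
    mv "$RULE_PATH.bak" "$RULE_PATH"
}

# snort -T parses snort.conf and every included rule file and exits
# non-zero on any error, so a broken rule is caught before Snort restarts.
validate_config() {
    "$SNORT" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# Returns 0 when the updated rules are installed and validated,
# 1 when the previous rules were restored.
update_rules() {
    backup_rules
    if "$OINKMASTER" -o "$RULE_PATH" && validate_config; then
        rm -rf "$RULE_PATH.bak"
        return 0
    fi
    restore_rules
    echo "snort rule update failed; previous rules restored" >&2
    return 1
}

# Only run automatically when installed under /etc/cron.daily, as the
# article suggests; otherwise the file can be sourced for its functions.
case "$0" in
    */cron.daily/*) update_rules ;;
esac
```

After a successful update, restart Snort so it loads the new rules.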

See also

* Simple stateful firewall
* Router