Posts Tagged: NIDS

Installing Snort++ in Ubuntu (Version 3.0 Alpha 4 build 240)

The instructions below show how to install Snort 3 alpha 4 build 240 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).

Snort 3 Alpha 4 Build 40 was released on November 1st, 2017, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.

If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.

So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake

Install the optional (recommended) software:

sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest libsqlite3-dev uuid-dev

Install tools required for compiling the source from github:

sudo apt-get install -y libtool git autoconf

Install the DAQ pre-requisites:

sudo apt-get install -y bison flex

If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):

sudo apt-get install -y asciidoc dblatex source-highlight w3m

If you want to run Snort in inline mode using NFQ, install the required packages (not required for IDS mode or inline mode using afpacket). If you’re unsure, you should install this package.

sudo apt-get install -y libnetfilter-queue-dev

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):

cd ~/snort_src
wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
tar -xzvf libsafec-10052013.tar.gz
cd libsafec-10052013
./configure
make
sudo make install

One of the Snort recommended prerequisites is Hyperscan 4.4.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.

Install Ragel 6.10 from source:

cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install

Download the Boost 1.65.1 libraries, but do not install:

cd ~/snort_src
wget https://dl.bintray.com/boostorg/release/1.65.1/source/boost_1_65_1.tar.gz
tar -xvzf boost_1_65_1.tar.gz

Install Hyperscan 4.6.0 from source, referencing the location of the Boost source directory:

cd ~/snort_src
wget https://github.com/intel/hyperscan/archive/v4.6.0.tar.gz
tar -xvzf v4.6.0.tar.gz
mkdir ~/snort_src/hyperscan-4.6.0-build
cd hyperscan-4.6.0-build/

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_65_1/ ../hyperscan-4.6.0

make
sudo make install

If you want to test that Hyperscan works, from the build directory, run:

cd ~/snort_src/hyperscan-4.6.0-build/
./bin/unit-hyperscan

The unit tests will run (this takes a few minutes).

Snort has an optional requirement for flatbuffers, A memory efficient serialization library:

cd ~/snort_src
wget https://github.com/google/flatbuffers/archive/master.tar.gz -O flatbuffers-master.tar.gz
tar -xvzf flatbuffers-master.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build

cmake ../flatbuffers-master

make
sudo make install

Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):

cd ~/snort_src
wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz
tar -xvzf daq-2.2.2.tar.gz
cd daq-2.2.2
./configure
make
sudo make install

Run the following command to update shared libraries:

sudo ldconfig

Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 239, but as the codebase is updated, you’ll get a newer version). If you want to specifically download the version used in this guide, use this URL instead with wget below: https://github.com/snortadmin/snort3/archive/BUILD_239.tar.gz.

If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:

cd ~/snort_src
wget https://github.com/snortadmin/snort3/archive/master.tar.gz
tar -xvzf master.tar.gz
cd snort3-master/
autoreconf -isvf

./configure --prefix=/opt/snort

make
sudo make install

Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:

sudo ln -s /opt/snort/bin/snort /usr/sbin/snort

Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):

export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort
 
sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"

to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:

sudo visudo

in the editor, add the following to to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).

The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 240) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.4
           Using OpenSSL 1.0.2g 1 Mar 2016
           Using libpcap version 1.7.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using FlatBuffers 1.7.0
           Using Hyperscan version 4.6.0 2017-11-04
           Using LZMA version 5.1.0alpha

user@snort3:~$

A note on install locations:

When you install snort to /opt/snort, you get the following folder structure:

user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── fbstreamer
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── decompress
│       ├── detection
│       ├── events
│       ├── file_api
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── managers
│       ├── mime
│       ├── packet_io
│       ├── profiler
│       ├── protocols
│       ├── pub_sub
│       ├── search_engines
│       ├── sfip
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort

38 directories, 8 files

The /opt/snort/bin folder contains the following Snort binaries:

  • fbstreamer : A utility for accessing the statistics generated in flatbuffer format.
  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.8.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /opt/snort/bin : Binaries for Snort and supporting software.
  • /opt/snort/etc/snort : The configuration files for Snort.
  • /opt/snort/include/snort : All include files for Snort.
  • /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /opt/snort/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.

Snort Rules

Snort3 rules have more options than Snort 2 rules, and while the normal rules downloaded with PulledPork or manually will work, for testing you will probably want to download the set of community rules specificallycreated for snort3. You can manually download snort3 specific community rules from the snort website:

cd ~/snort_src/
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
tar -xvzf snort3-community-rules.tar.gz
cd snort3-community-rules
sudo mkdir /opt/snort/etc/snort/rules
sudo cp snort3-community.rules /opt/snort/etc/snort/rules/
sudo cp sid-msg.map /opt/snort/etc/snort/rules/

now test that snort can load these rules:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules

your output should contain something similar:

Loading rules:
Loading /opt/snort/etc/snort/rules/snort3-community.rules:
Finished /opt/snort/etc/snort/rules/snort3-community.rules.
Finished rules.
--------------------------------------------------
rule counts
total rules loaded: 3462
text rules: 3462
option chains: 3462
chain headers: 264
--------------------------------------------------
...

you may want to run Snort with the following flags to detect issues: the warn-all and pedantic flags. From the Snort3 manual:
Warnings are not emitted unless –warn-* is specified. –warn-all enables all warnings, and –pedantic makes such warnings fatal

Installing OpenAppID

OpenAppID allows for the identification of application layer traffic. The Snort team has put together a package of detectors, with assistance from the community that you can download and install, called the Application Detector Package which needs to be installed. First download the OpenAppID detector package:

cd ~/snort_src/
wget https://www.snort.org/downloads/openappid/5759 -O OpenAppId-6329
tar -xzvf OpenAppId-6329
sudo cp -R odp /opt/snort/lib/

Now we need to edit our snort configuration file to point to this odp directory:

sudo vi /opt/snort/etc/snort/snort.lua

At line 113 (yours line number may be slightly different) you will see the appid= entry. You will want to add the app detector dir option here, pointing to the parent folder of the odf folder. It should look like this:

appid =
{
    app_detector_dir = '/opt/snort/lib',
}

note that you must have four spaces (not a tab) for the indented line. Now we want to test the configuration file loads correctly:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua --warn-all

you should see output similar to:

...
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting

Now to load Snort with the OpenAppID detectors, as well as all rules (we omit the pedantic flag, since the rules will throw flowbit warnings that are non fatal and can be ignored:)

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules --warn-all

Create a simple rule to test that OpenAppID is working correctly:

sudo touch /opt/snort/etc/snort/rules/local.rules
sudo vi /opt/snort/etc/snort/rules/local.rules

with the following content:

alert tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )

test to make sure the rule loads correctly:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules --warn-all

You should see one rule loaded successfully. Now let’s run snort in detection mode on an interface (change eth0 below to match your interface name), printing alerts to the console:

sudo /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules -i eth0 -A alert_fast -k none

the -k none flag tells Snort to ignore bad checksums. the Stream and Frag decoders will drop packets that have bad checksums, and the packets will not get processed by the OpenAppID detectors. By including this flag, we ensure that a packet with a bad checksum still gets processed. Now from another window on that computer (open a new terminal window or a second ssh session), use wget
to connect to facebook:

wget facebook.com

from the first console window you will see alerts output similar to the following:

08/05−19:13:45.451834 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} 157.240.1.35:443 −> 10.0.0.104:33882
08/05−19:13:45.451842 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} 10.0.0.104:33882 −> 157.240.1.35:443

use ctrl-c to stop Snort.

Note: if you are collecting packets with a larger MTU that the standard MTU for your adapter (VLAN tagged packets, MPLS Packets, packets from a different network type with a larger MTU), you may need to use the –snaplen flag to adjust snort to process larger packets)

Where to go from here

If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to develop Snort plugins, please see my guide: Installing Snort++ Example Plugins.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Installing Snort++ in Ubuntu (Version 3.0 Alpha 4 build 239)

NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 240) in Ubuntu

The instructions below show how to install Snort 3 alpha 4 build 239 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).

Snort 3 Alpha 4 Build 239 was released on July 28, 2017, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.

If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.

So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake

Install the optional (recommended) software:

sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest libsqlite3-dev

Install tools required for compiling the source from github:

sudo apt-get install -y libtool git autoconf

Install the DAQ pre-requisites:

sudo apt-get install -y bison flex

If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):

sudo apt-get install -y asciidoc dblatex source-highlight

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):

cd ~/snort_src
wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
tar -xzvf libsafec-10052013.tar.gz
cd libsafec-10052013
./configure
make
sudo make install

One of the Snort recommended prerequisites is Hyperscan 4.4.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.

Install Ragel 6.10 from source:

cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install

Download the Boost 1.64 libraries, but do not install:

cd ~/snort_src
wget https://dl.bintray.com/boostorg/release/1.64.0/source/boost_1_64_0.tar.gz
tar -xvzf boost_1_64_0.tar.gz

Install Hyperscan 4.5.1 from source, referencing the location of the Boost source directory:

cd ~/snort_src
wget https://github.com/01org/hyperscan/archive/v4.5.2.tar.gz
tar -xvzf v4.5.2.tar.gz
mkdir ~/snort_src/hyperscan-4.5.2-build
cd hyperscan-4.5.2-build/

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_64_0/ ../hyperscan-4.5.2

make
sudo make install

If you want to test that Hyperscan works, from the build directory, run:

cd ~/snort_src/hyperscan-4.5.2-build/
./bin/unit-hyperscan

The unit tests will run (this takes a few minutes).

Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):

cd ~/snort_src
wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz
tar -xvzf daq-2.2.2.tar.gz
cd daq-2.2.2
./configure
make
sudo make install

Run the following command to update shared libraries:

sudo ldconfig

Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 239, but as the codebase is updated, you’ll get a newer version). If you want to specifically download the version used in this guide, use this URL instead with wget below: https://github.com/snortadmin/snort3/archive/BUILD_239.tar.gz.

If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:

cd ~/snort_src
wget https://github.com/snortadmin/snort3/archive/master.tar.gz
tar -xvzf master.tar.gz
cd snort3-master/
autoreconf -isvf

./configure --prefix=/opt/snort

make
sudo make install

Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:

sudo ln -s /opt/snort/bin/snort /usr/sbin/snort

Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):

export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort
 
sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"

to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:

sudo visudo

in the editor, add the following to to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).

The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 239) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using libpcap version 1.7.4
           Using LuaJIT version 2.0.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.0.2g  1 Mar 2016
           Using Hyperscan version 4.5.2 2017-08-05

user@snort3:~$

A note on install locations:

When you install snort to /opt/snort, you get the following folder structure:

user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── decompress
│       ├── detection
│       ├── events
│       ├── file_api
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── managers
│       ├── mime
│       ├── packet_io
│       ├── profiler
│       ├── protocols
│       ├── pub_sub
│       ├── search_engines
│       ├── sfip
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort

36 directories, 8 files

The /opt/snort/bin folder contains the following Snort binaries:

  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.8.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /opt/snort/bin : Binaries for Snort and supporting software.
  • /opt/snort/etc/snort : The configuration files for Snort.
  • /opt/snort/include/snort : All include files for Snort.
  • /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /opt/snort/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.

Snort Rules

Snort3 rules have more options than Snort 2 rules, and while the normal rules downloaded with PulledPork or manually will work, for testing you will probably want to download the set of community rules specificallycreated for snort3. You can manually download snort3 specific community rules from the snort website:

cd ~/snort_src/
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
tar -xvzf snort3-community-rules.tar.gz
cd snort3-community-rules
sudo mkdir /opt/snort/etc/snort/rules
sudo cp snort3-community.rules /opt/snort/etc/snort/rules/
sudo cp sid-msg.map /opt/snort/etc/snort/rules/

now test that snort can load these rules:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules

your output should contain something similar:

Loading rules:
Loading /opt/snort/etc/snort/rules/snort3-community.rules:
Finished /opt/snort/etc/snort/rules/snort3-community.rules.
Finished rules.
--------------------------------------------------
rule counts
total rules loaded: 3462
text rules: 3462
option chains: 3462
chain headers: 264
--------------------------------------------------
...

you may want to run Snort with the following flags to detect issues: the warn-all and pedantic flags. From the Snort3 manual:
Warnings are not emitted unless –warn-* is specified. –warn-all enables all warnings, and –pedantic makes such warnings fatal

Installing OpenAppID

OpenAppID allows for the identification of application layer traffic. The Snort team has put together a package of detectors, with assistance from the community that you can download and install, called the Application Detector Package which needs to be installed. First download the OpenAppID detector package:

cd ~/snort_src/
wget https://www.snort.org/downloads/openappid/5759 -O OpenAppId-5759
tar -xzvf OpenAppId-5759
sudo cp -R odp /opt/snort/lib/

Now we need to edit our snort configuration file to point to this odp directory:

sudo vi /opt/snort/etc/snort/snort.lua

At line 113 (yours line number may be slightly different) you will see the appid= entry. You will want to add the app detector dir option here, pointing to the parent folder of the odf folder. It should look like this:

appid =
{
    app_detector_dir = '/opt/snort/lib',
}

note that you must have four spaces (not a tab) for the indented line. Now we want to test the configuration file loads correctly:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua --warn-all

you should see output similar to:

...
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting

Now to load Snort with the OpenAppID detectors, as well as all rules (we omit the pedantic flag, since the rules will throw flowbit warnings that are non fatal and can be ignored:)

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules --warn-all

Create a simple rule to test that OpenAppID is working correctly:

sudo touch /opt/snort/etc/snort/rules/local.rules
sudo vi /opt/snort/etc/snort/rules/local.rules

with the following content:

alert tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )

test to make sure the rule loads correctly:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules --warn-all

You should see one rule loaded successfully. Now let’s run snort in detection mode on an interface (change eth0 below to match your interface name), printing alerts to the console:

sudo /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules -i eth0 -A alert_fast -k none

the -k none flag tells Snort to ignore bad checksums. the Stream and Frag decoders will drop packets that have bad checksums, and the packets will not get processed by the OpenAppID detectors. By including this flag, we ensure that a packet with a bad checksum still gets processed. Now from another window on that computer (open a new terminal window or a second ssh session), use wget
to connect to facebook:

wget facebook.com

from the first console window you will see alerts output similar to the following:

08/05−19:13:45.451834 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} 157.240.1.35:443 −> 10.0.0.104:33882
08/05−19:13:45.451842 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} 10.0.0.104:33882 −> 157.240.1.35:443

use ctrl-c to stop Snort.

Note: if you are collecting packets with a larger MTU that the standard MTU for your adapter (VLAN tagged packets, MPLS Packets, packets from a different network type with a larger MTU), you may need to use the –snaplen flag to adjust snort to process larger packets)

Where to go from here

If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to develop Snort plugins, please see my guide: Installing Snort++ Example Plugins.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Installing Snort++ in Ubuntu (Version 3.0 Alpha 4 build 237)

NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 240) in Ubuntu

The instructions below show how to install Snort 3 alpha 4 build 237 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).

Snort 3 Alpha 4 Build 237 was released on July 13, 2017, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.

If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.

So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake

Install the optional (recommended) software:

sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest cmake libsqlite3-dev

Install tools required for compiling the source from github:

sudo apt-get install -y libtool git autoconf

Install the DAQ pre-requisites:

sudo apt-get install -y bison flex

If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):

sudo apt-get install -y asciidoc dblatex source-highlight

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):

cd ~/snort_src
wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz
tar -xzvf libsafec-10052013.tar.gz
cd libsafec-10052013
./configure
make
sudo make install

One of the Snort recommended prerequisites is Hyperscan 4.4.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.

Install Ragel 6.10 from source:

cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install

Download the Boost 1.64 libraries, but do not install:

cd ~/snort_src
wget https://dl.bintray.com/boostorg/release/1.64.0/source/boost_1_64_0.tar.gz
tar -xvzf boost_1_64_0.tar.gz

Install Hyperscan 4.5.1 from source, referencing the location of the Boost source directory:

cd ~/snort_src
wget https://github.com/01org/hyperscan/archive/v4.5.1.tar.gz
tar -xvzf v4.5.1.tar.gz
mkdir ~/snort_src/hyperscan-4.5.1-build
cd hyperscan-4.5.1-build/

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_64_0/ ../hyperscan-4.5.1

make
sudo make install

If you want to test that Hyperscan works, from the build directory, run:

cd ~/snort_src/hyperscan-4.5.1-build/
./bin/unit-hyperscan

The unit tests will run (this takes a few minutes).

Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):

cd ~/snort_src
wget https://www.snort.org/downloads/snortplus/daq-2.2.1.tar.gz
tar -xvzf daq-2.2.1.tar.gz
cd daq-2.2.1
./configure
make
sudo make install

Run the following command to update shared libraries:

sudo ldconfig

Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 237, but as the codebase is updated, you’ll get a newer version). If you want to specifically download the version used in this guide, use this URL instead with wget below: https://github.com/snortadmin/snort3/archive/3376324350b3ef6228c4e30799a22779413789c2.tar.gz.

If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:

cd ~/snort_src
wget https://github.com/snortadmin/snort3/archive/master.tar.gz
tar -xvzf master.tar.gz
cd snort3-master/
autoreconf -isvf

./configure --prefix=/opt/snort
make
sudo make install

Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:

sudo ln -s /opt/snort/bin/snort /usr/sbin/snort

Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):

export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort
 
sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"

to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:

sudo visudo

in the editor, add the following to to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).

The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 237) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.1
           Using libpcap version 1.7.4
           Using LuaJIT version 2.0.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.0.2g  1 Mar 2016
           Using Hyperscan version 4.5.1 2017-07-18

user@snort3:~$

Now let’s test snort with the default configuration file and ruleset:

user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~   Snort++ 3.0.0-a4-237
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
	ssh
	pop
	stream_tcp
	gtp_inspect
	stream_icmp
	ftp_server
	stream_udp
	ips
	http_inspect
	wizard
	file_id
	ftp_data
	smtp
	back_orifice
	port_scan
	telnet
	ssl
	sip
	rpc_decode
	reputation
	classifications
	arp_spoof
	appid
	stream_user
	stream_ip
	stream
	dnp3
	ftp_client
	references
	dns
	imap
	stream_file
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 3974
               text rules: 3974
            option chains: 3974
            chain headers: 187
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     119      31      29      26
     src    1685       4       0       0
     dst    1927     232       0       0
    both       0       1       0       0
   total    3731     268      29      26
--------------------------------------------------
flowbits
                  defined: 124
              not checked: 9
                  not set: 2
--------------------------------------------------
service rule counts - tcp    to-srv  to-cli
                   dcerpc:        3       0
                     drda:        3       0
                      ftp:        8       2
                     http:     1161    1553
                    ident:        1       0
                     imap:       29    1044
                     ircd:        1       1
                     ldap:        5       0
                    mysql:       29       1
               netbios-ns:        4       0
              netbios-ssn:       25       7
                     pop3:       12    1043
                     rtsp:        2       0
                     smtp:      550       3
                      ssl:        5       1
                   sunrpc:        9       0
                   telnet:        5       1
               vnc-server:        1       3
                    total:     1853    3659
--------------------------------------------------
service rule counts - udp    to-srv  to-cli
                   dcerpc:        2       0
                      dns:      170       2
                 kerberos:        4       4
              netbios-dgm:        7       7
               netbios-ns:        1       1
              netbios-ssn:        1       1
                      ntp:        1       0
                     snmp:        1       1
                     ssdp:        8       0
                   sunrpc:        7       3
                     tftp:        1       0
                    total:      203      19
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:       27     125       4
                      key:       23     107       1
                   header:       23     107       1
                     body:        0       2       0
                     file:       23     107       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       29      17
                      key:        3       0
                   header:        1       3
                     body:        1       0
                     file:        1       4
--------------------------------------------------
search engine
                instances: 565
                 patterns: 24659
            pattern chars: 515569
               num states: 409078
         num match states: 23799
             memory scale: MB
             total memory: 10.6222
           pattern memory: 1.43181
        match list memory: 3.91914
        transition memory: 5.20227
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration.
o")~   Snort exiting

user@snort3:~$ 

If you have output similar to the above, then Snort 3.0.0 Alpha 4 is installed and works.

A note on install locations:

When you install snort to /opt/snort, you get the following folder structure:

user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── sample.rules
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── decompress
│       ├── detection
│       ├── events
│       ├── file_api
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── managers
│       ├── mime
│       ├── packet_io
│       ├── profiler
│       ├── protocols
│       ├── search_engines
│       ├── sfip
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort

35 directories, 9 files

The /opt/snort/bin folder contains the following Snort binaries:

  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.8.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /opt/snort/bin : Binaries for Snort and supporting software.
  • /opt/snort/etc/snort : The configuration files for Snort.
  • /opt/snort/include/snort : All include files for Snort.
  • /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /opt/snort/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.

Where to go from here

If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to work with protocol (layer 7) detection, please see my article on OpenAppID.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Snort 2.9.9.x on Ubuntu – Part 8: Conclusion

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Where to Go From Here

I hope this series of articles has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you have. The goal of this guide was not just for you to create a Snort NIDS, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Snort NIDS with confidence.

Capturing More Traffic With Snort

You will probably want to configure your network infrastructure to mirror traffic meant for other hosts to your Snort sensor. This configuration is dependent on what network equipment you are using. If you are running Snort as a Virtual Machine on a VMware ESXi server, you can configure promiscuous mode for ESXi by following my instructions in this article: configure promiscuous mode for ESXi.

For different network infrastrucutre, you will need to do a little research to configure network mirroring for your Snort server. Cisco calls this a span port, but most other vendors call this Port Mirroring. Instructions for Mikrotik (a linux based switch and router product that I like).  If you run DD-WRT, it can be configured with iptables, like any linux based system. If you have network equipment not listed above, any search engine should point you towards a solution, if one exists. Note that many consumer switches will not have the ability to mirror ports.

You can also purchase devices specifically made to mirror data (called taps). Some products that have been recommended on the Snort-Users list are:

More Advanced Snort Configuration

Snort has the ability to do much more than we’ve covered in this set of articles. Hopefully you’ve learned enough through this setup that you will be able to implement more advanced configurations and make Snort work for you. Some things that Snort is capable of:

Some other related articles I have written:

Recommended Reading

Feedback

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Snort 2.9.9.x on Ubuntu – Part 7: Installing BASE

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Installing BASE On Ubuntu

BASE is a simple web GUI for Snort. Alternate products include Snorby, Splunk, Sguil, AlienVault OSSIM, and any syslog server.

Splunk is a fantastic product, great for ingesting, collating, and parsing large data sets. Splunk is free to use (limited to 500 MB of data per day, which is a lot for a small shop). Sguil client is an application written in tcl/tk. Snorby is abandoned, and relies on old versions of many Ruby packages that makes documenting the installation difficult, and a constantly changing target.

I’ve chosen to use BASE in this guide because it’s simple to setup, simple to use, and works well for what it does. Both BASE and Snorby are abandoned projects, and while Snorby gives a nice web-2.0 interface, since it is written in Ruby-on-Rails, the Ruby packages it relies on are constantly upgrading, which causes compatibility issues with other required Snorby packages, which causes too many installation problems. If you want to try installing Snorby, please see these unsupported out of date guides for Ubuntu 14 or Ubuntu 16.

There is a slight difference between BASE on Ubuntu 14 versus 16: BASE requires PHP 5, which isn’t available in the Ubuntu 16 archives (Ubuntu has moved on to PHP 7 in this release), so we have to use a PPA on Ubuntu 16 to install the php 5 packages:

# Ubuntu 16 only:
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6-mysql php5.6-cli php5.6 php5.6-common php5.6-gd php5.6-cli php-pear php5.6-xml

in Ubuntu 14, we can just install the necessary libraries:

# Ubuntu 14 only:
sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear

next install Pear image Graph:

sudo pear install -f --alldeps Image_Graph

Download and install ADODB:

cd ~/snort_src
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
tar -xvzf adodb-5.20.8.tar.gz
sudo mv adodb5 /var/adodb
sudo chmod -R 755 /var/adodb

Download BASE and copy to apache root

cd ~/snort_src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/

Create the BASE configuration file:

cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php

Now edit the config file:

sudo vi /var/www/html/base/base_conf.php

with the following settings (note that the trailing slash on line 80 is required, despite the instructions in the configuration file):

$BASE_urlpath = '/base';                   # line 50
$DBlib_path = '/var/adodb/';               #line 80
$alert_dbname     = 'snort';               # line 102
$alert_host       = 'localhost';
$alert_port       = '';
$alert_user       = 'snort';
$alert_password   = 'MySqlSNORTpassword';   # line 106

While in the base conf.php file, you will also want to comment out line 457 (we don’t want the DejaVuSans font), and un-comment (remove the two backslashes) from line 459, enabling a blank font. The section for fonts (begining at line 456) should look like this:

//$graph_font_name = "Verdana";
//$graph_font_name = "DejaVuSans";
//$graph_font_name = "Image_Graph_Font";
$graph_font_name = "";

Set permissions on the BASE folder, and since the password is in the base conf.php file, we should prevent other users from reading it:

sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php

restart Apache:

sudo service apache2 restart

The last step to configure BASE is done via http:

  1. Browse to http://ServerIP/base/index.php and click on the setup page link (replace ServerIP with the IP of your Snort Server).
  2. Click on the Create BASE AG button on the upper right of the page.
  3. Click on the Main page link.

Note: If you read through the BASE configuration file, there are a number of other options you can implement if you like. A few options are SMTP Email alerts, IP Address to Country Support, and user authentication.

Congratulations, if you’ve made it this far, you have a fully-functioning Snort system. Please continue on to the Conclusion for more things you can do with Snort.

Snort 2.9.9.x on Ubuntu – Part 6b: Creating systemD Scripts for Snort on Ubuntu 16

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Overview

In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update.  In this article, we will finalize the configuration of our Snort service by creating systemD scripts for the Snort and Barnyard2 daemons. If you are running Ubuntu 14, you should go see my Upstart article instead of this article.

Creating a systemD startup script in Ubuntu 16

Ubuntu 16 has moved to systemD for services / daemons. For more information about creating and managing systemD servcies, please see this excellent article.

To create the Snort systemD service, use an editor to create a service file:

sudo vi /lib/systemd/system/snort.service

with the following content (change ens160 if different on your system):

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160

[Install]
WantedBy=multi-user.target

Now we tell systemD that the service should be started at boot:

sudo systemctl enable snort

And start the Snort service:

sudo systemctl start snort

Verify the service is running

systemctl status snort

Next, create the Barnyard2 systemd service. We will add two flags here: -D to run as a daemon, and -a /var/log/snort/archived logs, this will move logs that Barnyard2 has processed to the /var/log/snort/archived/ folder. Use an editor to create a service file:

sudo vi /lib/systemd/system/barnyard2.service

With the following content:

[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs

[Install]
WantedBy=multi-user.target

Now we tell systemD that the service should be started at boot:

sudo systemctl enable barnyard2

And start the barnyard2 service:

sudo systemctl start barnyard2

Verify the service is running

systemctl status barnyard2

Reboot the computer and check that both services are started

user@snortserver:~$ service snort status
snort start/running, process 1116
user@snortserver:~$ service barnyard2 status
barnyard2 start/running, process 1109
user@snortserver:~$

If both services are running, you are ready to move to the next section, where you will install BASE, a web-based GUI to view and profile alert data: Installing BASE

Snort 2.9.9.x on Ubuntu – Part 6a: Creating Upstart Scripts for Snort on Ubuntu 14

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Overview

Creating the Upstart Scripts for Ubuntu 14

In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update.  In this article, we will finalize the configuration of our Snort service by creating Upstart scripts for the Snort and Barnyard2 daemons. If you are running Ubuntu 16, you should go see my systemD article instead of this article.

First create the Snort Upstart script:

sudo vi /etc/init/snort.conf

We will insert the below content into this Upstart script.  Note that we are using the same flags that we used in earlier articles, so if Snort ran correctly for you earlier, then you shouldn’t need to change any of these flags:

description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
end script

Now make the script executable, and tell Upstart that the script exists:

sudo chmod +x /etc/init/snort.conf
initctl list | grep snort
	snort stop/waiting

do the same for our Barnyard2 script:

sudo vi /etc/init/barnyard2.conf

with the following content:

description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs
end script

Note that we have added a new flag here that we didn’t use before: -a /var/log/snort/archived_logs, this will move logs that Barnyard2 has processed to the /var/log/snort/archived_logs/ folder.

Now make the script executable, and tell Upstart that the script exists:

sudo chmod +x /etc/init/barnyard2.conf
initctl list | grep barnyard
	barnyard2 stop/waiting

Reboot the computer and check that both services are started:

user@snortserver:~$ service snort status
snort start/running, process 1116
user@snortserver:~$ service barnyard2 status
barnyard2 start/running, process 1109
user@snortserver:~$

If both services are running, you are ready to move to the next section, where you will install BASE, a web-based GUI to view and profile alert data: Installing BASE

Snort 2.9.9.x on Ubuntu – Part 5: Installing PulledPork

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Onwards

In the previous two sections of this article, we installed Snort and configured it to work as a NIDS with Barnyard2 processing packets that generated alerts based on a rule. In this article, we are going to install a Perl script called PulledPork, which will automatically download the latest rulesets from the Snort website.

Oinkcode

To download the main free ruleset from Snort, you need an oinkcode. Register on the Snort website and save your oinkcode before continuing, as the oinkcode is required for the most popular free ruleset.

Installing PulledPork

Install the PulledPork pre-requisites:

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

Download the latest PulledPork and install. Here we copy the actual perl file to /usr/local/bin and the needed configuration files to /etc/snort:

cd ~/snort_src
wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz
tar xzvf pulledpork-master.tar.gz
cd pulledpork-master/

sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

Test that PulledPork runs by running the following command, looking for the output below:

user@snortserver:~$ /usr/local/bin/pulledpork.pl -V
PulledPork v0.7.3 - Making signature updates great again!

user@snortserver:~$

Now that we are sure that PulledPork works, we need to configure it:

sudo vi /etc/snort/pulledpork.conf

Make the following changes to the pulledpork.conf file. Anywhere you see ‹oinkcode› enter your oinkcode from the Snort website.  I have included line numbers to help you identify the location of these lines in the configuration file.

Line 19:  enter your oinkcode where appropriate (or comment out if no oinkcode)
Line 29:  Un-comment for Emerging threats ruleset (not tested with this guide)

Line 74:  change to: rule_path=/etc/snort/rules/snort.rules
Line 89:  change to: local_rules=/etc/snort/rules/local.rules
Line 92:  change to: sid_msg=/etc/snort/sid-msg.map
Line 96:  change to: sid_msg_version=2

Line 119:  change to: config_path=/etc/snort/snort.conf

Line 133:  change to: distro=Ubuntu-12-04

Line 141:  change to: black_list=/etc/snort/rules/iplists/black_list.rules
Line 150:  change to: IPRVersion=/etc/snort/rules/iplists

We want to run PulledPork once manually to make sure it works. We use the following flags:

 -c /etc/snort/pulledpork.conf      the location of the snort.conf file
 -l                                 Write detailed logs to /var/log

Run the following command:

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l 

After this command runs (it takes some time), you should now see snort.rules in /etc/snort/rules, and .so rules in /usr/local/lib/snort_dynamicrules. Pulled Pork combines all the rulesets that it downloads into these two files. You need to make sure to add the line: include $RULE_PATH/snort.rules to the snort.conf file, or the pulled pork rules will never be read into memory when Snort starts:

sudo vi /etc/snort/snort.conf

Add the following line to enable snort to use the rules that PulledPork downloaded (line 547), after the line for local.rules:

include $RULE_PATH/snort.rules

Since we have modified snort.conf, we should test that Snort loads correctly in NIDS mode with the PulledPork rules included:

sudo snort -T -c /etc/snort/snort.conf -i eth0

Once that is successful, we want to test that Snort and Barnyard2 load correctly when run manually as daemons:

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

As before, ping the IP address of the Snort eth0 interface, and then check the database for more events (remember to use the MYSQLSNORTPASSWORD):

mysql -u snort -p -D snort -e "select count(*) from event"

The number of events reported should be greater than what you saw the last time you ran this command. Now that we are sure that PulledPork runs correctly, we want to add PulledPork to root’s crontab to run daily:

sudo crontab -e

Choose any editor if prompted

The Snort team has asked you to randomize when PulledPork connects to their server to help with load balancing. In the example below, we have PulledPork checking at 04:01 every day. Change the minutes value (the 01 below) to a value between 0 and 59, and the hours value (the 04 below) to a value between 00 and 23. For more info on crontab layout, check here:

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Stop the running daemons from earlier testing:

user@snortserver:~$ ps aux | grep snort
snort     1296  0.0  2.1 297572 43988 ?        Ssl  03:15   0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
user      1314  0.0  0.0   4444   824 pts/0    S+   03:17   0:00 grep --color=auto snort
user@snortserver:~$ sudo kill 1296

user@snortserver:~$ ps aux | grep barnyard2
snort     1298  0.0  2.1 297572 43988 ?        Ssl  03:15   0:00 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
user      1316  0.0  0.0   4444   824 pts/0    S+   03:17   0:00 grep --color=auto barnyard2
user@snortserver:~$ sudo kill 1298

Note: Snort needs to be reloaded to see the new rules. This can be done with kill -SIGHUP snort-pid, or you can restart the snort service (once that’s created in a later part of this guide).

Additional note about shared object rules: In addition to regular rules, The above section will download Shared object rules. Shared object rules are also known as ”Shared Object rules”, ”SO rules”, ”pre-compiled rules”, or ”Shared Objects”. These are detection rules that are written in the Shared Object rule language, which is similar to C.

These rules are pre-compiled by the provider of the rules, and allow for more complicated rules, and allow for obfuscation of rules (say to detect attacks that haven’t been patched yet, but the vendor wants to allow detection without revealing the vulnerability). These rules are compiled by the vendor for specific systems. One of these systems is Ubuntu 12, and luckily these rules also work on Ubuntu 14 and 15.

Congratulations, if you have output similar to the above then you have successfully Configured PulledPork. Continue to the next section to install startup scripts for Snort and Barnyard2. Choose one of the two following links, depending on your version of Ubuntu. You will create an Upstart scripts for Ubuntu 12 and 14, and a systemD scripts for Ubuntu 15.

Choose One of the following to continue:
Ubuntu 14: Creating Upstart Scripts for Snort and Barnyard2
Ubuntu 16: Creating systemD Scripts for Snort

Snort 2.9.9.x on Ubuntu – Part 4: Installing Barnyard2

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Installing Barnyard2

In the previous three articles in this series, we installed Snort, configured it to run as a NIDS, and configured a rule. In this article, we are going to install and configure Barnyard2, which is a dedicated spooler that will help reduce the load on the Snort server.

Notes

You will be prompted to create both a MySQL root password, as well as a password for a MySQL database snort user. In the examples below, we have chose to use MYSQLROOTPASSWORD as the MySQL root password, and MYSQLSNORTPASSWORD as the MySQL database snort user. Please note the differences when working below.

Onward

First, we need to install some pre-requisites:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

You will be prompted for the MySQL root password. We choose MYSQLROOTPASSWORD for the below examples.

Next, we need to edit the snort.conf:

sudo vi /etc/snort/snort.conf

We need to add a line that tells Snort to output events in binary form (so that Barnyard2 can read them). After line 520 in /etc/snort/snort.conf (a line that is a commented-out example), add the following line and save the file:

output unified2: filename snort.u2, limit 128

This line tells snort to output events in the unified2 binary format (which is easier for snort to output rather than human-readable alerts).

Next we need to get, configure, and install Barnyard2.

Note on Barnyard2 Version: In the commands below, we will be downloading the current head release of Barnyard2 rather than a specific release number, which at this time is 2.1.14. Now download and prepare to install:

cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4

Barnyard2 needs access to the dnet.h library, which we installed with the Ubuntu libdumbnet package earlier. However, Barnyard2 expects a different file name for this library. Create a soft link from dnet.h to dubmnet.h so there are no issues:

sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig

Depending on the architecture of your system (x86 or x64), choose to run one of the following lines to tell Barnyard2 where the MySQL libraries are:

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

Then continue with the install:

make
sudo make install

Barnyard2 is now installed to /usr/local/bin/barnyard2. Test to ensure that Barnyard2 installed properly by running:

user@snortserver$ /usr/local/bin/barnyard2 -V

To configure Snort to use Barnyard2, we need to copy a few files from the source package:

sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/

# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2

sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

Since Barnyard2 saves alerts to our MySQL database, we need to create that database, as well as a ‘snort’ MySQL user to access that database. Run the following commands to create the database and MySQL user.

When prompted for a password, use the MYSQLROOTPASSWORD . You will also be setting the MySQL snort user password in the fourth mysql command (to MYSQLSNORTPASSWORD), so change it there as well.

$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/snort_src/barnyard2-master/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit

Now that the Snort database has been created, we need to tell Barnyard2 about the details of the database. Edit the Barnyard2 configuration file:

sudo vi /etc/snort/barnyard2.conf

and at the end of the file, append this line:

output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost sensor name=sensor01

Since the password is in the barnyard2.conf file, we should prevent other users from reading it:

sudo chmod o-r /etc/snort/barnyard2.conf

Now Barnyard2 is configured to work with Snort. To test, let’s run Snort and Barnyard2 and generate some alerts.  First, we run Snort as a daemon. We use the same parameters as before, with the addition of the -D flag, which tells snort to run as a daemon, and we removed -A Console since we don’t want alerts to show on the screen. Take note of the PID of the process so you can kill it later if needed:

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Ping the IP address of the interface specified above (eth0). If you check Snort’s log directory, you should see a file called snort.u2.nnnnnnnnnn (the n’s are replaced by numbers). These are the binary alerts that snort has written out for Barnyard2 to process.

Now we want to tell Barnyard2 to look at these events and load into the snort database instance. We run Barnyard2 with the following flags:

-c /etc/snort/barnyard2.conf        the Barnyard2 configuration file
-d /var/log/snort                   the location to look for the snort binary output file
-f snort.u2                         the name of the file to look for.
-w /var/log/snort/barnyard2.waldo   the path to the waldo file (checkpoint file).
-u snort                            run Barnyard2 as the following user after startup
-g snort                            run Barnyard2 as the following group after startup

Run the following command:

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

you should see output similar to the below:

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 336)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1412527313
    record_idx      = 16
Opened spool file '/var/log/snort/snort.u2.1412527313'
Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 records
Opened spool file '/var/log/snort/snort.u2.1412528990'
Waiting for new data

Use ctrl-c to stop barnyard2 from running, then stop the snort Daemon using ps to find and terminate it as in the example below):

user@snortserver:~$ ps aux | grep snort
      snort     1296  0.0  2.1 297572 43988 ?        Ssl  03:15   0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
      user      1314  0.0  0.0   4444   824 pts/0    S+   03:17   0:00 grep --color=auto snort
user@snortserver:~$ sudo kill 1296
user@snortserver:~$

Congratulations, if you have output similar to the above then you have successfully Configured Barnyard2. Continue to the next section to install PulledPork

Snort 2.9.9.x on Ubuntu – Part 3: Writing and Testing a Single Rule With Snort

  1. Installing Snort
  2. Configuring Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort on Ubuntu 14
  7. Creating systemD Scripts for Snort on Ubuntu 16
  8. Installing BASE
  9. Conclusion

Writing and Testing a Single Rule With Snort

In the previous two articles in this series, we installed Snort an configured it to run as a NIDS. In this article, we are going to create a rule which causes Snort to generate an alert whenever it sees an ICMP message. If you want, you can skip this section, as it is not required to get a Snort NIDS up and running, but it will help you to gain a much better understanding of how Snort rules are created and loaded.

Onward

In the previous article, we created the /etc/snort/rules/local.rules file and left it empty. We also edited the snort.conf file to tell Snort to load this local.rules file (when we un-commented the line: include $RULE_PATH/local.rules in snort.conf). When Snort starts, it will use the include directive in snort.conf to load all rules in local.rules. The local.rules file is a place where we can place rules that are specific to our environment, and is great for testing.

First, we need to edit the local.rules file:

sudo vi /etc/snort/rules/local.rules

input the following text and save the file:

alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

What this rule says is that for any ICMP packets it sees from any network to our HOME_NET, generate an alert with the text ICMP test. The other information here (GID, REV, classtype) are used group the rule, and will be helpful when you install BASE.

Barnyard2 doesn’t read meta-information about alerts from the local.rules file. Without this information, Barnyard2 won’t know any details about the rule that triggered the alert, and will generate non-fatal errors when adding new rules with PulledPork (done in a later step). To make sure that barnyard2 knows that the rule we created with unique identifier 10000001 has the message ”ICMP Test Detected”, as well as some other information (please see this blog post for more information). We add the following two lines to the /etc/snort/sid-msg.map file:

#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

(the #v2 tells barnyard2 that the next line is the version 2 format, rather than v1)

Since we have made changes to the file that snort loads (local.rules), it is a good idea to test the configuration file again:

sudo snort -T -c /etc/snort/snort.conf -i eth0

If successful, you should be able to scroll up through the output and see that Snort has loaded our rule:

		+++++++++++++++++++++++++++++++++++++++++++++++++++
		Initializing rule chains...
		1 Snort rules read
			1 detection rules
			0 decoder rules
			0 preprocessor rules
		1 Option Chains linked into 1 Chain Headers
		0 Dynamic rules
		+++++++++++++++++++++++++++++++++++++++++++++++++++

		+-------------------[Rule Port Counts]---------------------------------------
		|             tcp     udp    icmp      ip
		|     src       0       0       0       0
		|     dst       0       0       0       0
		|     any       0       0       1       0
		|      nc       0       0       1       0
		|     s+d       0       0       0       0
		+----------------------------------------------------------------------------

Now to test the rule.  We need to verify that Snort generates an alert when it processes an ICMP packet. We will launch Snort with the following options:

-A console                    the console option prints fast mode alerts to stdout
-q                            Quiet. Don't show banner and status report.
-u snort                      run snort as the following user after startup
-g snort                      run snort as the following group after startup
-c /etc/snort/snort.conf      the path to our snort.conf file
-i eth0                       the interface to listen on

Run Snort with the command below, modifying the parameters as required specific for your configuration:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Note: If you are running Ubuntu 16, remember that your interface name is not eth0.

Once you have started Snort with the above command, you need use another computer or another terminal window to ping the interface that you directed Snort to listen on.  You should see output similar to the below on the terminal of the Snort machine:

10/31-02:27:19.663643  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:19.663675  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:20.658378  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:20.658404  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:21.766521  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:21.766551  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:22.766167  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:22.766197  [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
^C*** Caught Int-Signal

You have to use ctrl-c to stop snort from running after the above output. What the above example shows is the 4 ICMP Echo Request and Reply messages between our Snort server (IP 10.0.0.64) and our other machine (10.0.0.74). If you look in /var/log/snort, you will also see a file with the name snort.log.nnnnnnnnnn (the n’s are replaced by numbers), which contains the same information that Snort printed to the screen.

Congratulations, if you have output similar to the above then you have successfully created a rule for Snort to alert on. Continue to the next section to Install Barnyard2.