

Install Snort 3 di Ubuntu 18.04 Server

 Tutorial ini saya tulis berdasarkan instalasi Snort yang saya lakukan pada 21 November 2020. Instalasi ini tidak menggunakan paket Snort bawaan Ubuntu, yang bisa dipasang secara cepat dengan perintah:

$ sudo apt install snort 

Mengapa? Karena aplikasi Snort yang kami pasang ini akan diintegrasikan dengan:

  1. Opsi SPLUNK
  2. Opsi Elasticsearch Logstash dan Kibana (elk).


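#Preparation: bring the system up to date, set the timezone and install the
#build prerequisites for Snort 3 and the libraries built from source below.
# NOTE(review): dist-upgrade -y upgrades every installed package unattended;
# on a shared or production server review the pending upgrades first.
sudo apt-get update && sudo apt-get dist-upgrade -y

#Time zone used in this tutorial: Asia/Jakarta.
# timedatectl is non-interactive, so this step also works inside a script;
# `dpkg-reconfigure tzdata` (the original) opens a menu instead.
sudo timedatectl set-timezone Asia/Jakarta

#Keep every source tarball and build tree in one folder.
# -p so re-running this section does not fail on the existing directory;
# the && stops here if the directory could not be created or entered.
mkdir -p ~/snort_src && cd ~/snort_src

#Snort 3 build prerequisites.
# One apt transaction instead of six: a package that fails to install is
# reported right here, rather than surfacing later as an obscure
# ./configure or cmake error in one of the source builds.
sudo apt-get install -y \
  build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev \
  zlib1g-dev pkg-config libhwloc-dev cmake \
  liblzma-dev openssl libssl-dev cpputest libsqlite3-dev uuid-dev \
  asciidoc dblatex source-highlight w3m \
  libtool git autoconf \
  bison flex libcmocka-dev \
  libnetfilter-queue-dev libmnl-dev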

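#libsafec (bounds-checked C string functions used by Snort 3).
# The original tar line was garbled ("tar - x zvf libsafec- 08 112019.0- ...");
# this is the command it stood for. Each step runs only if the previous one
# succeeded, so a failed download or build never reaches `sudo make install`.
# TODO(review): the tutorial records no checksum or signature for this
# tarball; verify it against the release's published checksum before building
# and installing it system-wide as root.
cd ~/snort_src \
  && wget https://github.com/rurban/safeclib/releases/download/v08112019/libsafec-08112019.0-gad76c7.tar.gz \
  && tar -xzvf libsafec-08112019.0-gad76c7.tar.gz \
  && cd libsafec-08112019.0-gad76c7/ \
  && ./configure \
  && make \
  && sudo make install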

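#PCRE 8.43 (the Snort -V output below reports "PCRE version 8.43").
# Chained with && so a failed download or build stops before install.
# NOTE(review): ftp.pcre.org has since been retired; if the download fails,
# PCRE 8.x releases are mirrored on the project's SourceForge page — compare
# the tarball's checksum with the one published there.
cd ~/snort_src/ \
  && wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz \
  && tar -xzvf pcre-8.43.tar.gz \
  && cd pcre-8.43 \
  && ./configure \
  && make \
  && sudo make install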


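#gperftools (provides tcmalloc, enabled later with --enable-tcmalloc).
# libunwind is a build dependency of gperftools.
sudo apt-get install -y libunwind-dev

# The original tar line had a stray space in the file name
# ("gperftools- 2.7.90.tar.gz"); fixed here. Chained with && so a failed
# download or build stops before install.
cd ~/snort_src \
  && wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.7.90/gperftools-2.7.90.tar.gz \
  && tar -xzvf gperftools-2.7.90.tar.gz \
  && cd gperftools-2.7.90 \
  && ./configure \
  && make \
  && sudo make install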

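#Ragel (state-machine compiler needed to build Hyperscan).
# The original fetched this over plain http, which gives no integrity
# protection for something that is then built and installed as root; use
# https. The original tar line ("tar - x zvf ...") was garbled and is fixed.
# TODO(review): no checksum is recorded for this tarball; verify it against
# the one published by the Ragel project before building.
cd ~/snort_src \
  && wget https://www.colm.net/files/ragel/ragel-6.10.tar.gz \
  && tar -xzvf ragel-6.10.tar.gz \
  && cd ragel-6.10 \
  && ./configure \
  && make \
  && sudo make install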

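#Boost headers for the Hyperscan build.
# Only download and unpack: Hyperscan is pointed at this tree via BOOST_ROOT
# below. Do NOT ./configure or install Boost (the original said "DONOT
# INSTALL" on a line of its own, which is not a shell command).
# NOTE(review): dl.bintray.com was shut down in 2021. If this download fails,
# fetch boost_1_72_0.tar.gz from the Boost project's current archive and
# compare its SHA-256 with the one published there before using it.
cd ~/snort_src \
  && wget https://dl.bintray.com/boostorg/release/1.72.0/source/boost_1_72_0.tar.gz \
  && tar -xvzf boost_1_72_0.tar.gz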

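#Hyperscan 5.2.1 (fast regex matching; -V below reports "Hyperscan version 5.2.1").
# - The archive is saved under a descriptive name instead of "v5.2.1.tar.gz".
# - BOOST_ROOT is passed as an explicit $HOME path (no tilde inside an
#   option argument).
# - The unit tests run BEFORE `sudo make install`, so a broken build is
#   never installed into /usr/local. The original ran them after installing.
# - `make` here takes a long time ("Prosesnya Lama" in the original);
#   `make -j"$(nproc)"` speeds it up if the machine has spare cores.
cd ~/snort_src \
  && wget https://github.com/intel/hyperscan/archive/v5.2.1.tar.gz -O hyperscan-v5.2.1.tar.gz \
  && tar -xvzf hyperscan-v5.2.1.tar.gz \
  && mkdir -p ~/snort_src/hyperscan-5.2.1-build \
  && cd ~/snort_src/hyperscan-5.2.1-build/ \
  && cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT="$HOME/snort_src/boost_1_72_0" ../hyperscan-5.2.1 \
  && make \
  && ./bin/unit-hyperscan \
  && sudo make install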

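#FlatBuffers 1.12.0 (-V below reports "FlatBuffers 1.12.0").
# Out-of-tree cmake build; chained with && so a failed download, configure
# or build stops before `sudo make install`.
cd ~/snort_src \
  && wget https://github.com/google/flatbuffers/archive/v1.12.0.tar.gz \
       -O flatbuffers-v1.12.0.tar.gz \
  && tar -xzvf flatbuffers-v1.12.0.tar.gz \
  && mkdir -p flatbuffers-build \
  && cd flatbuffers-build \
  && cmake ../flatbuffers-1.12.0 \
  && make \
  && sudo make install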

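#libdaq (Snort 3 data-acquisition library; -V below reports "DAQ version 3.0.0").
# NOTE(review): this clones whatever the branch head is when you run it, so
# two runs on different days can build different code. Check out the release
# tag matching the DAQ version you want before ./bootstrap if you need a
# reproducible build.
# The original noted a "not a git repository" message during the build; it is
# informational. The chain below only proceeds to install if make exits 0.
cd ~/snort_src \
  && git clone https://github.com/snort3/libdaq.git \
  && cd libdaq \
  && ./bootstrap \
  && ./configure \
  && make \
  && sudo make install

#Refresh the shared-library cache so the freshly installed libraries in
#/usr/local/lib are found by the Snort build and at runtime.
sudo ldconfig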

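#Snort3
# Clone over https, not git://. The git:// protocol is unauthenticated and
# unencrypted — a network attacker could serve modified sources that are then
# built and installed as root — and GitHub discontinued it in 2022.
# If the clone reports the repository as missing, the project is now
# published at https://github.com/snort3/snort3.
# NOTE(review): this builds the branch head at the time you run it; the
# verification output below was produced from "3.0.1 (Build 2)". Check out
# the matching release tag before configure_cmake.sh for a reproducible build.
cd ~/snort_src \
  && git clone https://github.com/snortadmin/snort3.git \
  && cd snort3 \
  && ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc \
  && cd build \
  && make \
  && sudo make install

#Verify: print the version and the libraries Snort was linked against
#(compare with the versions built above — see the output that follows).
/usr/local/bin/snort -V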
#Output
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.1 (Build 2)
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.43 2019-02-23
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.2.1 2020-04-25
           Using LZMA version 5.2.4

#Parse-check the default configuration. Snort validates the Lua config and
#exits; the expected tail of the output is shown below.
snort -c '/usr/local/etc/snort/snort.lua'

#output that finishes with the following :
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting

# List the interfaces and their addresses to pick the sniffing NIC.
ip addr show

# Show the receive-offload features of the sniffing NIC (ens33).
# GRO/LRO let the NIC/kernel merge packets before Snort sees them, so the
# packets on the wire and the packets Snort inspects would differ.
sudo ethtool --show-features ens33 | grep -e receive-offload
#output
generic-receive-offload: on
large-receive-offload: off [fixed]


#Configuring Network Cards: first identify the interfaces on this host
#(in the output below ens32 is the management NIC and ens33 the sniffing NIC).
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.1.201.17/24 brd 10.1.201.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:febe:6274/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff
    inet 10.1.99.17/24 brd 10.1.99.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:febe:5ce9/64 scope link
       valid_lft forever preferred_lft forever

# Check the current GRO/LRO state on the sniffing NIC before changing it.
sudo ethtool --show-features ens33 | grep -e receive-offload
# Output
generic-receive-offload: on
large-receive-offload: off [fixed]

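#Disable GRO via a systemd unit so the setting is re-applied at every boot.
# The sniffing interface; change this one line if yours is not ens33.
IFACE=ens33

# The unit is written with tee instead of opened in nano so this step is
# scriptable. Fixes relative to the original unit:
# - Requires= sat in the [Service] section, where systemd ignores it with
#   "Unknown key name"; it belongs in [Unit]. After= is added so the unit
#   is ordered after the network target it requires.
# - large-receive-offload shows as "off [fixed]" on this NIC (see the
#   ethtool output above), so `ethtool -K ... lro off` cannot change it and
#   may exit non-zero. The '-' prefix tells systemd not to fail the unit on
#   that line; gro is the setting that actually matters here.
# NOTE(review): /lib/systemd/system is the distribution's directory; the
# conventional place for a locally written unit is /etc/systemd/system.
# The path is kept so the enable output below matches.
sudo tee /lib/systemd/system/ethtool.service >/dev/null <<EOF
[Unit]
Description=Ethtool Configuration for Network Interface
Requires=network.target
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -K ${IFACE} gro off
ExecStart=-/sbin/ethtool -K ${IFACE} lro off

[Install]
WantedBy=multi-user.target
EOF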

#Enable the unit so it runs at boot (creates the multi-user.target.wants symlink shown below).
sudo systemctl enable ethtool.service
#Output
Created symlink /etc/systemd/system/multi-user.target.wants/ethtool.service → /lib/systemd/system/ethtool.service.

# Apply the offload settings now, without waiting for a reboot.
sudo systemctl start ethtool.service

#Re-check: generic-receive-offload should now read "off".
sudo ethtool --show-features ens33 | grep -e receive-offload
#Output
generic-receive-offload: off
large-receive-offload: off [fixed]


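#Installing OpenAppID (application detectors used by the appid inspector).
# Chained with && so a failed download or extraction never copies a partial
# detector tree into /usr/local/lib.
# TODO(review): the download is over https but the tutorial records no
# checksum; if snort.org publishes one for this package, compare it before
# copying the detectors into place.
cd ~/snort_src/ \
  && wget https://snort.org/downloads/openappid/15607 -O OpenAppId-15607.tgz \
  && tar -xzvf OpenAppId-15607.tgz \
  && sudo cp -R odp /usr/local/lib/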

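#Edit Snort Configuration.
# Keep a copy of the shipped snort.lua first (-n: never overwrite an existing
# backup) so the appid change can be diffed or reverted.
sudo cp -n /usr/local/etc/snort/snort.lua /usr/local/etc/snort/snort.lua.orig
sudo nano /usr/local/etc/snort/snort.lua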

#Edit seperti ini
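appid =
{
    -- appid requires this to use appids in rules (indent with 4 spaces).
    -- The comment marker must be two ASCII hyphens; the original showed a
    -- Unicode minus sign, which Lua does not accept as a comment.
    -- Points at the parent of the 'odp' directory copied above.
    app_detector_dir = '/usr/local/lib',
}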

#Re-validate the configuration; --warn-all surfaces the appid warnings shown below.
snort -c '/usr/local/etc/snort/snort.lua' --warn-all
#Output
.....
Finished /usr/local/etc/snort/snort.lua:
WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
WARNING: appid: no entry for 2312 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2312
WARNING: appid: no entry for 2314 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2314
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 5 warnings).
o")~   Snort exiting

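#Create a small local rule file to test that OpenAppID is working.
# Written with tee instead of nano so the step is scriptable; the quoted
# heredoc ('EOF') keeps the shell from expanding anything inside the rules.
# mkdir -p: do not fail if the directory already exists.
# NOTE: this overwrites an existing /usr/local/etc/rules/local.rules.
# Each rule carries rev:1 so later edits can be tracked without changing sid.
sudo mkdir -p /usr/local/etc/rules
sudo tee /usr/local/etc/rules/local.rules >/dev/null <<'EOF'
# Local test rules (sids >= 1000000 are reserved for local use).
alert tcp any any -> any any (msg:"Facebook Detected"; appids:"Facebook"; sid:10000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Traffic Detected"; sid:10000002; rev:1;)
EOF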

#Load the config together with the local rules and confirm both rules parse
#("total rules loaded: 2" in the output below).
snort -c '/usr/local/etc/snort/snort.lua' -R '/usr/local/etc/rules/local.rules'

#Output
.....
Finished /usr/local/etc/snort/snort.lua:
Loading rule args:
Loading /usr/local/etc/rules/local.rules:
Finished /usr/local/etc/rules/local.rules:
Finished rule args:
--------------------------------------------------
rule counts
       total rules loaded: 2
               text rules: 2
            option chains: 2
            chain headers: 2
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any       1       0       1       0
   total       1       0       1       0
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0       2       0       2    /usr/local/etc/snort/snort.lua
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting