Install Snort 3 on Ubuntu 18.04 Server
I wrote this tutorial while performing a Snort installation on 21 November 2020. This installation does not use the Snort package bundled with Ubuntu, which can be installed quickly with the command:
$ sudo apt install snort
Why? Because the Snort installation we build here will be integrated with:
- Option: SPLUNK
- Option: Elasticsearch, Logstash and Kibana (ELK).
#Preparation
sudo apt-get update && sudo apt-get dist-upgrade -y
#Set our time zone, Asia/Jakarta
sudo dpkg-reconfigure tzdata
#Keep the source tarballs and other source files in one folder:
mkdir ~/snort_src
cd ~/snort_src
#Install the Snort3 prerequisites
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev \
libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev \
cmake
sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest \
libsqlite3-dev uuid-dev
sudo apt-get install -y asciidoc dblatex source-highlight w3m
sudo apt-get install -y libtool git autoconf
sudo apt-get install -y bison flex libcmocka-dev
sudo apt-get install -y libnetfilter-queue-dev libmnl-dev
cd ~/snort_src
wget https://github.com/rurban/safeclib/releases/download/v08112019/libsafec-08112019.0-gad76c7.tar.gz
tar -xzvf libsafec-08112019.0-gad76c7.tar.gz
cd libsafec-08112019.0-gad76c7/
./configure
make
sudo make install
cd ~/snort_src/
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
tar -xzvf pcre-8.43.tar.gz
cd pcre-8.43
./configure
make
sudo make install
sudo apt-get install -y libunwind-dev
cd ~/snort_src
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.7.90/gperftools-2.7.90.tar.gz
tar -xzvf gperftools-2.7.90.tar.gz
cd gperftools-2.7.90
./configure
make
sudo make install
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install
cd ~/snort_src
wget https://dl.bintray.com/boostorg/release/1.72.0/source/boost_1_72_0.tar.gz
tar -xvzf boost_1_72_0.tar.gz
#DO NOT install Boost; it is only extracted so that Hyperscan can find its headers via BOOST_ROOT.
cd ~/snort_src
wget https://github.com/intel/hyperscan/archive/v5.2.1.tar.gz
tar -xvzf v5.2.1.tar.gz
mkdir ~/snort_src/hyperscan-5.2.1-build
cd hyperscan-5.2.1-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_72_0/ ../hyperscan-5.2.1
make   # this build takes a long time
sudo make install
cd ~/snort_src/hyperscan-5.2.1-build/
./bin/unit-hyperscan
cd ~/snort_src
wget https://github.com/google/flatbuffers/archive/v1.12.0.tar.gz \
-O flatbuffers-v1.12.0.tar.gz
tar -xzvf flatbuffers-v1.12.0.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-1.12.0
make
sudo make install
cd ~/snort_src
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure
make   # ignore the error during cmake for "not a git repository"
sudo make install
#Update shared libraries:
sudo ldconfig
#Snort3
cd ~/snort_src
git clone git://github.com/snortadmin/snort3.git
cd snort3
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
#Verify...
/usr/local/bin/snort -V
#Output
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.1 (Build 2)
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.43 2019-02-23
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.2.1 2020-04-25
           Using LZMA version 5.2.4
#test Snort with the default configuration file:
snort -c /usr/local/etc/snort/snort.lua
#output that finishes with the following:
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
#Configuring Network Cards
ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 10.1.201.17/24 brd 10.1.201.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:febe:6274/64 scope link
valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff
inet 10.1.99.17/24 brd 10.1.99.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:febe:5ce9/64 scope link
valid_lft forever preferred_lft forever
# Check GRO & LRO
sudo ethtool -k ens33 | grep receive-offload
# Output
generic-receive-offload: on
large-receive-offload: off [fixed]
#Disable GRO via SystemD.
sudo nano /lib/systemd/system/ethtool.service
#Replace ens33 with your own interface name, then use this unit file:
[Unit]
Description=Ethtool Configuration for Network Interface
[Service]
Requires=network.target
Type=oneshot
ExecStart=/sbin/ethtool -K ens33 gro off
ExecStart=/sbin/ethtool -K ens33 lro off
[Install]
WantedBy=multi-user.target
#Enable Service
sudo systemctl enable ethtool
#Output
Created symlink /etc/systemd/system/multi-user.target.wants/ethtool.service → /lib/systemd/system/ethtool.service.
sudo service ethtool start
#Re-Check Result
sudo ethtool -k ens33 | grep receive-offload
#Output
generic-receive-offload: off
large-receive-offload: off [fixed]
#Installing OpenAppID
cd ~/snort_src/
wget https://snort.org/downloads/openappid/15607 -O OpenAppId-15607.tgz
tar -xzvf OpenAppId-15607.tgz
sudo cp -R odp /usr/local/lib/
#Edit Snort Configuration
sudo nano /usr/local/etc/snort/snort.lua
#Edit it like this (the inner lines are indented with 4 spaces)
appid =
{
    -- appid requires this to use appids in rules
    app_detector_dir = '/usr/local/lib',
}
#test that the configuration file loads correctly
snort -c /usr/local/etc/snort/snort.lua --warn-all
#Output
.....
Finished /usr/local/etc/snort/snort.lua:
WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
WARNING: appid: no entry for 2312 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2312
WARNING: appid: no entry for 2314 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2314
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 5 warnings).
o")~ Snort exiting
#create a simple rule to test that OpenAppID is working correctly:
sudo mkdir /usr/local/etc/rules
sudo touch /usr/local/etc/rules/local.rules
sudo nano /usr/local/etc/rules/local.rules
#Enter the following 2 rule lines
alert tcp any any -> any any (msg:"Facebook Detected"; appids:"Facebook"; sid:10000001;)
alert icmp any any -> any any (msg:"ICMP Traffic Detected"; sid:10000002;)
#Test Load File
snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules
#Output
.....
Finished /usr/local/etc/snort/snort.lua:
Loading rule args:
Loading /usr/local/etc/rules/local.rules:
Finished /usr/local/etc/rules/local.rules:
Finished rule args:
--------------------------------------------------
rule counts
total rules loaded: 2
text rules: 2
option chains: 2
chain headers: 2
--------------------------------------------------
port rule counts
             tcp   udp  icmp    ip
       any     1     0     1     0
     total     1     0     1     0
--------------------------------------------------
ips policies rule stats
 id  loaded  shared  enabled  file
  0       2       0        2  /usr/local/etc/snort/snort.lua
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~ Snort exiting
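A post-install check that parses the validation output shown above (the WARNING lines, the rule count and the final "successfully validated" line) and reports anything that does not match what this guide expects. It is an added example, not part of this tutorial or of Snort itself; the sample output is constructed from the runs above, and run_snort_validation assumes the /usr/local paths used in this guide.

```python
"""Post-install check for the tutorial above: parse `snort ... --warn-all` output and flag problems."""
import re
import subprocess

# Constructed sample (added example, not page output): appid warnings and rule count merged into one run.
SAMPLE_OUTPUT = """\
WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
WARNING: appid: no entry for 2312 in appMapping.data; no rule support for this ID.
WARNING: appid: no entry in appMapping.data for 2312
       total rules loaded: 2
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 3 warnings).
o")~   Snort exiting
"""

WARN_RE = re.compile(r"^WARNING: (\w+): (.*)$")
VALID_RE = re.compile(r"validated the configuration \(with (\d+) warnings?\)")
RULES_RE = re.compile(r"total rules loaded:\s*(\d+)")

def parse_snort_validation(output):
    """Reduce Snort's startup log to the fields worth checking after an install."""
    s = {"validated": False, "warnings": 0, "by_module": {}, "rules_loaded": 0}
    for raw in output.splitlines():
        line = raw.strip()
        if m := WARN_RE.match(line):
            s["by_module"].setdefault(m.group(1), []).append(m.group(2))
        elif m := VALID_RE.search(line):
            s["validated"], s["warnings"] = True, int(m.group(1))
        elif m := RULES_RE.search(line):
            s["rules_loaded"] = int(m.group(1))
    return s

def install_problems(summary, expected_rules):
    """Return human-readable problems; an empty list means the install checks out."""
    problems = []
    if not summary["validated"]:
        problems.append("Snort did not validate the configuration")
    if summary["rules_loaded"] != expected_rules:
        problems.append(f"expected {expected_rules} rules, loaded {summary['rules_loaded']}")
    for module, msgs in summary["by_module"].items():
        if module != "appid":  # the tutorial run only showed appid warnings; anything else is new
            problems.append(f"{module}: {len(msgs)} warning(s)")
    return problems

def run_snort_validation(config="/usr/local/etc/snort/snort.lua", rules=None, snort="/usr/local/bin/snort"):
    """Run the tutorial's validation command and parse it (requires Snort on this host)."""
    cmd = [snort, "-c", config, "--warn-all"] + (["-R", rules] if rules else [])
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_snort_validation(proc.stdout + proc.stderr)
```

On the finished box, run_snort_validation(rules="/usr/local/etc/rules/local.rules") followed by install_problems(summary, 2) should return an empty list for the two-rule local.rules above.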