# Snort on Ubuntu

Here are the steps to install Snort v3 on Debian, configure it and add the community rules.

## Installing Snort v3

Make sure your Debian system is up to date and has the required packages installed:

```
sudo apt update
sudo apt upgrade -y
sudo apt install -y build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev cmake bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev automake libtool
```

Download the two required packages:

```
sudo git clone https://github.com/snort3/snort3.git
sudo git clone https://github.com/snort3/libdaq.git
```

Build libdaq:

```
cd libdaq
sudo ./bootstrap
sudo ./configure
sudo make install
cd ..
```

Build snort. The install prefix has to match the paths used in the rest of this note (`/usr/local/snort/bin/snort`, `/usr/local/snort/etc/snort/snort.lua`):

```
cd snort3
sudo ./configure_cmake.sh --prefix=/usr/local/snort
cd build
sudo make -j $(nproc)
sudo make install
sudo ldconfig
```

## Configuring snort with the built-in rules

Run from the snort3 source tree (where `lua/snort.lua` lives):

```
snort -c lua/snort.lua -R local.rules \
    --lua 'ips.enable_builtin_rules = true'
```

## Adding the community rules

Download the Snort community rules from the [official Snort site](https://www.snort.org/downloads/community/community-rules.tar.gz):

```
sudo wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
```

Extract the file. The rules directory is created first, and an empty `local.rules` is created so that the `ips` block below validates before the local rule is written in the next section:

```
sudo mkdir -p /usr/local/etc/rules
sudo tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules
sudo touch /usr/local/etc/rules/local.rules
```

Edit the Snort configuration file to include the community rules:

```
sudo nano /usr/local/snort/etc/snort/snort.lua
```

Add the includes to the `ips` section (the community rules file is `snort3-community.rules` inside the extracted directory):

```
ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    -- (see also related path vars at the top of snort_defaults.lua)

    variables = default_variables,

    rules = [[
        include /usr/local/etc/rules/snort3-community-rules/snort3-community.rules
        include /usr/local/etc/rules/local.rules
    ]]
}
```

Check the configuration file syntax for errors:

```
sudo /usr/local/snort/bin/snort -T -c /usr/local/snort/etc/snort/snort.lua
```

## Testing a local rule

Don't forget to add the symbolic link so that snort can be launched without giving the full path: *`sudo ln -s /usr/local/snort/bin/snort /usr/local/bin/snort`*

```
sudo nano /usr/local/etc/rules/local.rules
```

Put the following in the file:

```
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
```

Test the syntax:

```
snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
```

Run the rule to test it:

```
snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens32 -A alert_fast -s 65535 -k none
```

Ping from another machine and snort returns these logs:

![](https://hackmd.io/_uploads/BJQpu4uP3.png)

## Installing OpenAppID

```
wget https://www.snort.org/downloads/openappid/26425 -O openappid.tar.gz
tar -xzvf openappid.tar.gz
sudo cp -R odp /usr/local/lib/
```

```
sudo nano /usr/local/snort/etc/snort/snort.lua
```

Add to the file:

```
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
    app_detector_dir = '/usr/local/lib',
    log_stats = true,
}
```

Log directory:

```
sudo mkdir /var/log/snort
```

Validate the syntax:

```
snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
```

## Snort LOG

Enable snort logging:

```
sudo nano /usr/local/snort/etc/snort/snort.lua
```

Add the outputs to the Lua file:

```
---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A
-- uncomment below to set non-default configs
--alert_csv = { }
alert_fast =
{
    file = true,
    packet = false,
    limit = 10,
}
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
```

Check the configuration syntax:

```
snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules
```

Test the rule:

```
sudo snort -c /usr/local/snort/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i enp0s8 -s 65535 -k none -l /var/log/snort/
```

Check that the logs do land in the file:

```
sudo tail -f /var/log/snort/alert_fast.txt
```

![](https://hackmd.io/_uploads/rJdfmB_w3.png)

Add the local rules to the Lua file:

```
sudo nano /usr/local/snort/etc/snort/snort.lua
```

```
-- $RULE_PATH defaults to a relative path in snort_defaults.lua;
-- point it at the rules directory created above
RULE_PATH = '/usr/local/etc/rules'

ips =
{
    -- use this to enable decoder and inspector alerts
    -- enable_builtin_rules = true,

    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files

    variables = default_variables,

    rules = [[
        include $RULE_PATH/snort3-community-rules/snort3-community.rules
        include $RULE_PATH/local.rules
    ]]
}
```

Add snort as a service:

```
sudo useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort
```

Create the systemd unit:

```
sudo nano /etc/systemd/system/snort3.service
```

```
[Unit]
Description=Snort 3 NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
# No -D here: with Type=simple snort must stay in the foreground, otherwise systemd
# sees the parent process exit and stops the unit (the default SIGTERM on stop lets
# snort shut down cleanly)
ExecStart=/usr/local/bin/snort -c /usr/local/snort/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -i ens33 -m 0x1b -u snort -g snort

[Install]
WantedBy=multi-user.target
```

Reload the daemon:

```
sudo systemctl daemon-reload
```

Give the snort user rights on the log directory:

```
sudo chmod -R 5775 /var/log/snort
sudo chown -R snort:snort /var/log/snort
```

Enable the daemon:

```
sudo systemctl enable --now snort3
```

## Creating an alert for a connection to the Facebook site

Add this rule to the local rules:

```
# sid must be unique among the loaded rules: 1000001 is already taken by the ICMP test rule above
# drop only blocks when snort runs inline (ips.mode = inline); in the default tap mode it just alerts
drop tcp any any -> $HOME_NET any (msg:"Blocking Facebook"; appid:"11"; sid:1000002; rev:1;)
```

![](https://hackmd.io/_uploads/SkYY-udP2.png)
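As an added example (not part of this note or of Snort itself), the script below parses the `alert_fast.txt` lines produced by the LOG section and counts alerts per rule SID and per source host, which is the first thing you want when triaging what the ICMP and Facebook rules fired on. The sample log lines are constructed to match the alert_fast layout, and the hosts and SIDs are placeholders.

```python
import re
from collections import Counter

# One alert per line: timestamp [**] [gid:sid:rev] "msg" [**] [meta ...] {PROTO} src -> dst
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)" \[\*\*\] (?P<meta>.*?)\{(?P<proto>[A-Za-z0-9]+)\} '
    r'(?P<src>\S+) -> (?P<dst>\S+)'
)
PRIORITY_RE = re.compile(r'\[Priority: (\d+)\]')

# Constructed sample of /var/log/snort/alert_fast.txt (hosts are placeholders).
SAMPLE_LOG = """\
06/07-14:23:11.120045 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] {ICMP} 192.168.56.10 -> 192.168.56.20
06/07-14:23:12.121990 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] {ICMP} 192.168.56.10 -> 192.168.56.20
06/07-14:25:03.004412 [**] [1:1000002:1] "Blocking Facebook" [**] [Priority: 0] {TCP} 192.168.56.20:49812 -> 203.0.113.5:443
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ('gid', 'sid', 'rev'):
        rec[key] = int(rec[key])
    pri = PRIORITY_RE.search(rec.pop('meta'))
    rec['priority'] = int(pri.group(1)) if pri else None
    # TCP/UDP addresses carry a port (host:port); ICMP addresses do not.
    for side in ('src', 'dst'):
        host, sep, port = rec[side].rpartition(':')
        if sep:
            rec[side], rec[side + '_port'] = host, int(port)
        else:
            rec[side + '_port'] = None
    return rec

def summarise(text):
    """Parse a whole log and count alerts per (sid, msg) and per source host."""
    records = [r for r in map(parse_alert, text.splitlines()) if r]
    by_rule = Counter((r['sid'], r['msg']) for r in records)
    by_src = Counter(r['src'] for r in records)
    return records, by_rule, by_src

if __name__ == '__main__':
    recs, by_rule, by_src = summarise(SAMPLE_LOG)
    for (sid, msg), n in by_rule.most_common():
        print(f'sid {sid}: {n} alert(s) "{msg}"')
```

Point `summarise` at the contents of `/var/log/snort/alert_fast.txt` to get the same counts for a live sensor.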