Friday, February 5, 2021

Snort3 on Ubuntu 20 - Housekeeping - AppID, RNA, Performance Monitoring, Profiling, JSON Logging, Other config, etc.

Now that Snort3 is installed, you have confirmed all your tests work as expected, and you have fed the pig, the next step is to configure Snort3 for your specific environment. The same philosophy applies to any security tool you use. Let's customize Snort3 for our environment.

Note: After every (small) modification, you should test your configuration. No need to wait until the end to test. If you wait until the end, you will more than likely run into (probably a ton of) problems. Here are two ways to test your configuration.

Option 1. Being verbose.

securitynik@snort3:~/snort-files$ sudo snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
...
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Option 2. Being quiet.

securitynik@snort3:~/snort-files$ sudo snort -c /usr/local/etc/snort/snort.lua -q

If nothing is returned, your configuration is most likely fine.

Let's edit the Snort3 configuration file. Change the HOME_NET from ...

HOME_NET = 'any'

... to reflect the networks you monitor and/or own. For this purpose, let's say those are:

HOME_NET = [[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]]

Interestingly, in Snort 2.x EXTERNAL_NET is normally configured as EXTERNAL_NET = !$HOME_NET. However, this seems to have changed in Snort3, so we leave EXTERNAL_NET = 'any'.

Update: I recently saw in this document that we can use the following for EXTERNAL_NET.

EXTERNAL_NET = "!$HOME_NET"

Let's take advantage of the reputation block list by removing the "--[[" and "--]]" just before and after "reputation" respectively. This is what mine looks like after the change.

reputation =
{
    -- configure one or both of these, then uncomment reputation
    blacklist = BLACK_LIST_PATH .. "/default.blocklist"
    --whitelist = 'whitelist file name with ip lists'
}

Next up, let's make the configuration changes which allow us to take advantage of Hyperscan. This must be configured after reputation but before "Section 3: configure bindings".

search_engine = { search_method = "hyperscan" }

detection =
{
    hyperscan_literals = true,
    pcre_to_regex = true
}

Let's now configure Snort3 to enable decoder and inspector alerts.

ips =
{
    mode = tap,
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,
    include = RULE_PATH .. "/local.rules",
    variables = default_variables
}

Because we may wish to send this data to other tools such as the Elastic Stack, as we did with Zeek in this blog, let's enable logging in JSON format.

In section "7. configure outputs", we add the following lines:

alert_json = 
{
    file = true, -- write the output to a file
    limit = 100, -- Create a new file after every 100M
    fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
}

Note that I used the continuation character "\" above for readability; if you run into any issues, remove the backslashes and put everything on one line.

Here is what a sample of your JSON output may look like once an alert is triggered.

securitynik@snort3:~$ sudo tail --lines 1 /var/log/snort/alert_json.txt
{ "seconds" : 1612230402, "action" : "allow", "class" : "none", "dir" : "UNK", \
 "dst_ap" : ":0", "eth_dst" : "52:54:00:12:35:02", "eth_len" : 42, \
 "eth_src" : "08:00:27:2A:BA:15", "eth_type" : "0x806", "gid" : 112, \
 "iface" : "securitynik-sample.pcap", "msg" : "(arp_spoof) unicast ARP request", \
 "pkt_gen" : "raw", "pkt_len" : 0, "pkt_num" : 21043, "priority" : 3, \
"proto" : "ARP", "rev" : 1, "rule" : "112:1:1", "service" : "unknown", \
 "sid" : 1, "src_ap" : ":0", "vlan" : 0, "timestamp" : "02/01-20:46:42.210696" }
....

{ "seconds" : 1612458702, "action" : "allow", "class" : "none", "dir" : "S2C",\
 "dst_addr" : "10.0.2.15", "dst_ap" : "10.0.2.15:38500", "dst_port" : 38500, \
"eth_dst" : "08:00:27:2A:BA:15", "eth_len" : 60, "eth_src" : "52:54:00:12:35:02",\
 "eth_type" : "0x800", "gid" : 119, "iface" : "enp0s3:enp0s8", "ip_id" : 888, \
"ip_len" : 20, "msg" : "(http_inspect) HTTP header line terminated by LF without a CR", \
 "mpls" : 0, "pkt_gen" : "raw", "pkt_len" : 40, "pkt_num" : 549, "priority" : 3,\
 "proto" : "TCP", "rev" : 1, "rule" : "119:13:1", "service" : "http", "sid" : 13,\
 "src_addr" : "172.217.1.179", "src_ap" : "172.217.1.179:443", "src_port" : 443,\
 "tcp_ack" : 2000257859, "tcp_flags" : "***A****", "tcp_len" : 20, "tcp_seq" : 179136002,\
 "tcp_win" : 65535, "tos" : 0, "ttl" : 64, "vlan" : 0, \
"timestamp" : "02/04-12:11:42.995132" }
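Since the point of alert_json is to feed another tool, here is an added example (not code from the post) of consuming that file in Python: it parses the one-object-per-line format, splits the "addr:port" fields (including the ":0" that non-IP alerts such as ARP carry), separates text-rule hits (gid 1) from the builtin decoder/inspector alerts we enabled, and flattens a record into an Elastic-friendly document. The records in SAMPLE_LOG are constructed from the alerts shown above, and the ECS-style field names in to_document are an assumed mapping.

```python
"""Consume Snort 3 alert_json output, one JSON object per line. SAMPLE_LOG is
constructed from the alerts shown on this page (fields trimmed) plus one
deliberately truncated record; it is not the real /var/log/snort/alert_json.txt."""
import json
from collections import Counter
from datetime import datetime, timezone

SAMPLE_LOG = """\
{ "seconds" : 1612230402, "action" : "allow", "class" : "none", "dir" : "UNK", "dst_ap" : ":0", "eth_dst" : "52:54:00:12:35:02", "eth_src" : "08:00:27:2A:BA:15", "eth_type" : "0x806", "gid" : 112, "msg" : "(arp_spoof) unicast ARP request", "proto" : "ARP", "rev" : 1, "rule" : "112:1:1", "service" : "unknown", "sid" : 1, "src_ap" : ":0", "timestamp" : "02/01-20:46:42.210696" }
{ "seconds" : 1612458702, "action" : "allow", "class" : "none", "dir" : "S2C", "dst_addr" : "10.0.2.15", "dst_ap" : "10.0.2.15:38500", "dst_port" : 38500, "gid" : 119, "msg" : "(http_inspect) HTTP header line terminated by LF without a CR", "proto" : "TCP", "rev" : 1, "rule" : "119:13:1", "service" : "http", "sid" : 13, "src_addr" : "172.217.1.179", "src_ap" : "172.217.1.179:443", "src_port" : 443, "timestamp" : "02/04-12:11:42.995132" }
{ "seconds" : 1612458710, "action" : "allow", "class" : "suspicious-filename-detect", "dir" : "C2S", "dst_ap" : "192.155.89.46:80", "gid" : 1, "msg" : "Looking for SecurityNik HTTP - wget and ragel traffic!", "proto" : "TCP", "rev" : 5, "rule" : "1:4:5", "service" : "http", "sid" : 4, "src_ap" : "10.0.2.15:33478", "timestamp" : "02/04-12:11:50.000000" }
{ "seconds" : 1612458711, "action" : "allow", "cla
"""


def split_ap(ap: str):
    """Split an 'addr:port' field. Alerts without an IP layer (the ARP one
    here) carry ':0', so the address may be empty; IPv6 addresses contain
    colons themselves, hence the split on the last colon only."""
    addr, _, port = ap.rpartition(":")
    return (addr or None, int(port) if port else None)


def parse_alert_lines(text: str):
    """Yield one dict per complete JSON record. Blank lines and a partial
    last line (Snort may still be writing, or rolling over at `limit`)
    are skipped rather than aborting the whole read."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated record: skip it
        rec["src_ip"], rec["src_port"] = split_ap(rec.get("src_ap", ":0"))
        rec["dst_ip"], rec["dst_port"] = split_ap(rec.get("dst_ap", ":0"))
        # "rule" is gid:sid:rev and is always present, unlike the separate fields
        rec["gid"], rec["sid"], rec["rev"] = (int(x) for x in rec["rule"].split(":"))
        yield rec


def summarize(records):
    """Count alerts per rule, keeping text-rule hits (gid 1) apart from the
    builtin decoder/inspector alerts that enable_builtin_rules turned on."""
    by_rule, builtin = Counter(), Counter()
    for r in records:
        (by_rule if r["gid"] == 1 else builtin)[(r["rule"], r["msg"])] += 1
    return by_rule, builtin


def to_document(rec):
    """Flatten one record for shipping to the Elastic Stack (ECS-style names
    are an assumed mapping). The log's own "timestamp" has no year, so the
    document timestamp is derived from the epoch "seconds" field instead."""
    ts = datetime.fromtimestamp(rec["seconds"], tz=timezone.utc)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event.action": rec["action"],
        "rule.id": rec["rule"],
        "rule.name": rec["msg"],
        "network.transport": rec["proto"].lower(),
        "source.ip": rec["src_ip"], "source.port": rec["src_port"],
        "destination.ip": rec["dst_ip"], "destination.port": rec["dst_port"],
        "snort.gid": rec["gid"], "snort.sid": rec["sid"], "snort.rev": rec["rev"],
        "snort.builtin": rec["gid"] != 1,
    }


if __name__ == "__main__":
    recs = list(parse_alert_lines(SAMPLE_LOG))
    by_rule, builtin = summarize(recs)
    print("text rules:", dict(by_rule))
    print("builtin   :", dict(builtin))
    for r in recs:
        print(json.dumps(to_document(r)))
```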

If you want to profile your Snort3 deployment, you can enable profiling for rules, memory, modules, etc. by changing

-- profiler = { }

to

profiler = { }

This will give you an output similar to ...

--------------------------------------------------
module profile (all, depth 255, sorted by total_time)
#                      module layer    checks   time(us)  avg/check  %/caller  %/total
=                      ====== =====    ======   ========  =========  ========  =======
 1                     eventq     1     22755    1036104         45     56.41    56.41
 2                      other     1     21044     277173         13     15.09    15.09
 3                        daq     1     21374     267906         12     14.59    14.59
 4                 stream_tcp     1     10155      63083          6      3.43     3.43
 5                     decode     1     21044      59652          2      3.25     3.25
...
 19              back_orifice     1       859        578          0      0.03     0.03
 20                 arp_spoof     1       256        470          1      0.03     0.03
 21                       ssl     1       131        225          1      0.01     0.01
--                      total    --     21044    1836589         87        --   100.00
--------------------------------------------------
memory profile (all, depth 255, sorted by total_used)
#                  module layer   allocs   used (kb) avg/allocation  %/caller  %/total
=                  ====== =====   ======   ========= ==============  ========  =======
 1             stream_tcp     1     2316     1673.50          739.9     50.54    50.54
 2                 stream     1      447     1121.50         2569.2     33.87    33.87
 3           http_inspect     1      544      292.25          550.1      8.83     8.83
 4                  appid     1      444      222.00          512.0      6.70     6.70
 5                    ssl     1       14        1.75          128.0      0.05     0.05
--                  total    --     3765     3311.00          900.5        --   100.00
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     4   5         1       1      1       262       262       262             0        0        0


To look at performance monitor statistics via perf_monitor, we change

-- perf_monitor = { }

to enable everything via

perf_monitor = { }

Alternatively, we can be a bit more selective.

perf_monitor =
{
    modules = { },
    base = true,
    cpu = true,
    flow = true,
    flow_ip = true,
    packets = 10000,        -- minimum packets to report
    seconds = 60,           -- report interval in seconds
    flow_ports = 1023,
    output = 'console',     -- 'file' or 'console'; quoted so it does not depend on a global
    format = 'text',        -- 'csv', 'text', 'json' or 'flatbuffers'
    summary = true,
}
-- Names such as flow_tracker_creates, flow_tracker_total_deletes,
-- flow_tracker_reload_deletes and flow_tracker_prunes are statistics the
-- module reports, and enable_flow_ip_profiling is not a configuration
-- parameter either; none of them belong in this table (a bare name in a Lua
-- table evaluates to nil and is silently ignored).

Here is an example of some of the files this produces.

securitynik@snort3:~/snort-files$ ls /var/log/snort/*.csv
/var/log/snort/perf_monitor_base.csv  /var/log/snort/perf_monitor_flow.csv
/var/log/snort/perf_monitor_cpu.csv   /var/log/snort/perf_monitor_flow_ip.csv

Here are the contents of perf_monitor_flow_ip.csv.

securitynik@snort3:~/snort-files$ sudo cat /var/log/snort/perf_monitor_flow_ip.csv
#timestamp,flow_ip.ip_a,flow_ip.ip_b,flow_ip.tcp_packets_a_b,flow_ip.tcp_bytes_a_b,flow_ip.tcp_packets_b_a,flow_ip.tcp_bytes_b_a,flow_ip.udp_packets_a_b,flow_ip.udp_bytes_a_b,flow_ip.udp_packets_b_a,flow_ip.udp_bytes_b_a,flow_ip.other_packets_a_b,flow_ip.other_bytes_a_b,flow_ip.other_packets_b_a,flow_ip.other_bytes_b_a,flow_ip.tcp_established,flow_ip.tcp_closed,flow_ip.udp_created
1612227193,10.0.2.15,91.189.89.199,0,0,0,0,12,1080,12,1080,0,0,0,0,0,0,12
1612227193,10.0.2.15,52.216.249.236,428,24196,225,307879,0,0,0,0,0,0,0,0,1,1,0
1612227193,10.0.2.15,140.82.112.4,566,32293,173,123010,0,0,0,0,0,0,0,0,2,2,0
1612227193,10.0.2.15,35.224.170.84,156,11527,145,12818,0,0,0,0,0,0,0,0,29,29,0
1612227193,10.0.2.15,99.86.62.122,5159,280212,2047,1390660,0,0,0,0,0,0,0,0,1,1,0
....
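As an added example (not part of the original post), a small Python reader for that CSV: it strips the "#" and "flow_ip." prefixes from the header, totals bytes in both directions per host pair, ranks the pairs, flags pairs that only ever spoke UDP, and computes the received-to-sent ratio per TCP peer. The rows embedded in SAMPLE_CSV are the ones shown above.

```python
"""Rank the host pairs in perf_monitor's flow_ip CSV. SAMPLE_CSV is constructed
from the perf_monitor_flow_ip.csv rows shown above (ip_a is the monitored
host 10.0.2.15 in every row, ip_b the remote peer)."""

SAMPLE_CSV = """\
#timestamp,flow_ip.ip_a,flow_ip.ip_b,flow_ip.tcp_packets_a_b,flow_ip.tcp_bytes_a_b,flow_ip.tcp_packets_b_a,flow_ip.tcp_bytes_b_a,flow_ip.udp_packets_a_b,flow_ip.udp_bytes_a_b,flow_ip.udp_packets_b_a,flow_ip.udp_bytes_b_a,flow_ip.other_packets_a_b,flow_ip.other_bytes_a_b,flow_ip.other_packets_b_a,flow_ip.other_bytes_b_a,flow_ip.tcp_established,flow_ip.tcp_closed,flow_ip.udp_created
1612227193,10.0.2.15,91.189.89.199,0,0,0,0,12,1080,12,1080,0,0,0,0,0,0,12
1612227193,10.0.2.15,52.216.249.236,428,24196,225,307879,0,0,0,0,0,0,0,0,1,1,0
1612227193,10.0.2.15,140.82.112.4,566,32293,173,123010,0,0,0,0,0,0,0,0,2,2,0
1612227193,10.0.2.15,35.224.170.84,156,11527,145,12818,0,0,0,0,0,0,0,0,29,29,0
1612227193,10.0.2.15,99.86.62.122,5159,280212,2047,1390660,0,0,0,0,0,0,0,0,1,1,0
"""


def parse_flow_ip(text: str):
    """Parse the CSV. The header line starts with '#' and namespaces every
    column as flow_ip.<name>; both prefixes are stripped. All columns except
    the two addresses are integer counters. Rows with the wrong field count
    (a line Snort is still writing) are skipped."""
    lines = [l for l in text.splitlines() if l.strip()]
    names = [c.replace("flow_ip.", "") for c in lines[0].lstrip("#").split(",")]
    rows = []
    for line in lines[1:]:
        fields = line.split(",")
        if len(fields) != len(names):
            continue
        rec = {n: (v if n in ("ip_a", "ip_b") else int(v)) for n, v in zip(names, fields)}
        # per-transport totals across both directions (a->b plus b->a)
        for proto in ("tcp", "udp", "other"):
            rec[proto + "_bytes"] = rec[proto + "_bytes_a_b"] + rec[proto + "_bytes_b_a"]
        rec["total_bytes"] = rec["tcp_bytes"] + rec["udp_bytes"] + rec["other_bytes"]
        rows.append(rec)
    return rows


def top_conversations(rows, n=3):
    """Host pairs ordered by bytes exchanged in both directions."""
    ranked = sorted(rows, key=lambda r: r["total_bytes"], reverse=True)
    return [(r["ip_a"], r["ip_b"], r["total_bytes"]) for r in ranked[:n]]


def udp_only_pairs(rows):
    """Pairs that exchanged UDP but never TCP (DNS/NTP-style chatter)."""
    return [(r["ip_a"], r["ip_b"]) for r in rows if r["udp_bytes"] and not r["tcp_bytes"]]


def download_ratio(rows):
    """For each TCP peer, bytes received by ip_a (b->a) per byte it sent
    (a->b): well above 1 is a download toward ip_a, about 1 is symmetric,
    below 1 means ip_a is pushing data out."""
    return {r["ip_b"]: round(r["tcp_bytes_b_a"] / r["tcp_bytes_a_b"], 1)
            for r in rows if r["tcp_bytes_a_b"]}


if __name__ == "__main__":
    rows = parse_flow_ip(SAMPLE_CSV)
    for a, b, total in top_conversations(rows):
        print(f"{a} <-> {b}: {total} bytes")
    print("UDP-only pairs:", udp_only_pairs(rows))
    print("recv/sent ratio per TCP peer:", download_ratio(rows))
```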

Obtaining and installing OpenAppID: I downloaded it to my workstation and then transferred it to my Snort3 box via SCP.

C:\users\securitynik\downloads>scp snort-openappid.tar.gz securitynik@10.0.0.116:~/snort-files
securitynik@10.0.0.116's password:
snort-openappid.tar.gz                                 100%  409KB   4.6MB/s   00:00

Verify the hash against the one posted online.

securitynik@snort3:~$ md5sum snort-openappid.tar.gz
3d407b77a0b58d71a14235e0960f86c4  snort-openappid.tar.gz

With the hash confirmed, extract the files.

securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort-openappid.tar.gz

Copy the "odp" directory to "/usr/local/etc/odp"

securitynik@snort3:~/snort-files$ sudo mkdir --parents /usr/local/etc/odp
securitynik@snort3:~/snort-files$ sudo cp odp/* /usr/local/etc/odp/ --recursive --verbose

Modify the "appid" section to point to the "odp" folder. Here is what my config looks like after the change.

appid =
{
    -- appid requires this to use appids in rules
    app_detector_dir = '/usr/local/etc/'
}

appid_listener =
{
    json_logging = true,
    file = "/var/log/snort/appid_json.txt",
}

Next up, let's take advantage of Real-time Network Awareness (RNA) host discovery. This is a feature I really liked when supporting Sourcefire IPS, and I'm happy to see it is now part of Snort3 too.

First, let's create a config file at /usr/local/etc/rna.conf.

securitynik@snort3:~$ cat /usr/local/etc/rna.conf
-- Discover host information for any IPv4 and IPv6 hosts
-- As of this writing, only host discovery has been implemented
-- Hopefully soon they will implement application and user
-- Then again, we can get some of that application information
-- from the APPID we previously configured

config Analyze 0.0.0.0/0 -1
config Analyze ::/0 -1


Continue modifying the Snort config (snort.lua) to enable the RNA inspector.

...
dce_http_proxy = { }
dce_http_server = { }

-- information for RNA
host_cache = { dump_file = '/var/log/snort/rna.dump' } -- Store discovered host information
rna =
{
    rna_conf_path = '/usr/local/etc/rna.conf',        -- Configuration file path
    dump_file = '/var/log/snort/rna_mac_cache.dump',  -- Dump the RNA MAC cache on shutdown
}
-- The following are counters the rna module prints at shutdown, not settings,
-- so they do not belong in the table above (a bare name in a Lua table
-- evaluates to nil and is silently ignored):
--   icmp_bidirectional   bidirectional ICMP flows received
--   icmp_new             new ICMP flows
--   ip_new               new IP flows received
--   udp_bidirectional    bidirectional UDP flows
--   tcp_syn              TCP SYNs received
--   tcp_syn_ack          TCP SYN-ACKs received
--   other_packets        packets received without session tracking
--   change_host_update   change host events

Run Snort to see the RNA config take effect.

securitynik@snort3:~$ sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua \
--snaplen 65535 -k none -l /var/log/snort -i enp0s3:enp0s8 -A cmg
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
        ...
        ftp_server
        port_scan
        rna
        dce_http_server
        ...

With RNA loaded, generate some traffic that Snort3 can see, then shut down Snort after a few minutes (or hours if you wish) and look at the stats on the console.

--------------------------------------------------
rna
             appid_change: 77
       icmp_bidirectional: 2
                 icmp_new: 2
        udp_bidirectional: 23
                  udp_new: 23
                  tcp_syn: 9
              tcp_syn_ack: 8
            other_packets: 12
--------------------------------------------------

Looks good! Let's look to see if the files were created and their contents.

securitynik@snort3:~$ ls /var/log/snort/*rna* -al
-rw------- 1 root root 1271 Feb  4 12:05 /var/log/snort/rna.dump
-rw------- 1 root root  178 Feb  4 12:23 /var/log/snort/rna_mac_cache.dump

Taking a peek at the rna.dump file, we see ...

securitynik@snort3:~$ sudo head --lines 11 /var/log/snort/rna.dump
Current host cache size: 2915 bytes, 5 trackers

IP: 172.217.1.19
    type: Host, ttl: 64, hops: 255, time: 2021-02-04 17:03:42
macs size: 1
    mac: 52:54:00:12:35:02, ttl: 64, primary: 0, time: 2021-02-04 17:01:21
services size: 1
    port: 80, proto: 6, appid: 676, vendor: ghs, vendor: GSE
network proto: 2048
transport proto: 1, 6
....

And peeking into the rna_mac_cache.dump file, we see two mac addresses.

securitynik@snort3:~$ sudo cat /var/log/snort/rna_mac_cache.dump
Current mac cache size: 228 bytes, 2 trackers

MAC: 52:54:00:12:35:02
 Key: 90520731923714
 Network proto: 2054

MAC: 08:00:27:2a:ba:15
 Key: 8796750133781
 Network proto: 2054

Let's move on from the snort.lua configuration file and set up PulledPork to run automatically.

securitynik@snort3:~$ crontab -l
no crontab for securitynik

securitynik@snort3:~$ crontab -e
no crontab for securitynik - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.tiny
  3. /bin/ed

Choose 1-3 [1]: 1

Add the following line, which runs PulledPork every day at 01:10 and sends SIGHUP to Snort afterwards so the new rules are picked up:

10 1 * * * /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP

crontab: installing new crontab


Before configuring Snort3 to start as a service, let's look to see if the network card has any type of offloading configured.

securitynik@snort3:~$ ethtool --show-offload enp0s3 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]


securitynik@snort3:~$ ethtool --show-offload enp0s8 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]

Create a systemd service to turn off the ones flagged as "on" above.

securitynik@snort3:~$ sudo touch /lib/systemd/system/ethtool.service

securitynik@snort3:~$ cat /lib/systemd/system/ethtool.service
[Unit]
Description=Ethtool Configuration for Network Interfaces
# Requires= only declares the dependency; After= makes this unit wait for it.
Requires=network.target
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -K enp0s3 gro off
ExecStart=/sbin/ethtool -K enp0s3 lro off
ExecStart=/sbin/ethtool -K enp0s3 tso off
ExecStart=/sbin/ethtool -K enp0s3 gso off

ExecStart=/sbin/ethtool -K enp0s8 gro off
ExecStart=/sbin/ethtool -K enp0s8 lro off
ExecStart=/sbin/ethtool -K enp0s8 tso off
ExecStart=/sbin/ethtool -K enp0s8 gso off

[Install]
WantedBy=multi-user.target

We see below that various offloading features have been disabled ("off") for the interfaces I'm monitoring.

securitynik@snort3:~$ ethtool --show-offload enp0s3 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]

securitynik@snort3:~$ ethtool --show-offload enp0s8 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]

Enable and start the ethtool service.

securitynik@snort3:~$ sudo systemctl enable --now ethtool.service
Created symlink /etc/systemd/system/multi-user.target.wants/ethtool.service → /lib/systemd/system/ethtool.service.

Before configuring the Snort3 service, create a group named "snort" and a system user "snort" that belongs to it.

securitynik@snort3:~$ sudo groupadd snort
securitynik@snort3:~$ sudo useradd --system --shell /sbin/nologin --comment "Snort3_IDS/IPS User" --gid snort snort

Change the ownership and permissions on the /var/log/snort folder and verify them.

securitynik@snort3:~$ sudo chmod --recursive 5775 /var/log/snort/
securitynik@snort3:~$ sudo chown --recursive snort:snort /var/log/snort/

securitynik@snort3:~$ ls /var/log/snort/ -al
total 22292
drwsrwxr-t  2 snort snort      4096 Feb  3 14:52 .
drwxrwxr-x 14 root  syslog     4096 Feb  3 09:49 ..
-rwxrwxr-t  1 snort snort  22782434 Feb  3 14:52 alert_json.txt
...

Next up, create the Snort3 systemd service.

securitynik@snort3:~$ sudo vi /lib/systemd/system/snort3.service

securitynik@snort3:~$ cat /lib/systemd/system/snort3.service
[Unit]
Description=Snort3 NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --snaplen 65535 \
-k none -l /var/log/snort -D -u snort -g snort -i enp0s3:enp0s8 -m 0x1b --create-pidfile

[Install]
WantedBy=multi-user.target

Enable and start the Snort3 service.

securitynik@snort3:~$ sudo systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /lib/systemd/system/snort3.service.

securitynik@snort3:~$ systemctl status snort3.service
● snort3.service - Snort3 NIDS Daemon
     Loaded: loaded (/lib/systemd/system/snort3.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-02-03 16:30:24 EST; 41s ago
   Main PID: 77578 (snort)
      Tasks: 2 (limit: 4654)
     Memory: 114.6M
     CGroup: /system.slice/snort3.service
             └─77578 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --snaplen 65535 -k none -l /v>

Feb 03 16:30:24 snort3 systemd[1]: Started Snort3 NIDS Daemon.


Snort3 on Ubuntu 20 - Feeding and testing the pig - rules and PulledPork

Now that we have installed and configured Snort3, and learned a little about it, let's look at feeding the pig ... giving it rules ... and then testing those rules before we do our housekeeping.

Let's create the directories for us to store our rules and block lists.

securitynik@snort3:~$ sudo mkdir /usr/local/etc/rules
securitynik@snort3:~$ sudo mkdir /usr/local/etc/so_rules/
securitynik@snort3:~$ sudo mkdir /usr/local/etc/lists/

Next, let's create some required files.

securitynik@snort3:~$ sudo touch /usr/local/etc/rules/snort.rules
securitynik@snort3:~$ sudo touch /usr/local/etc/rules/local.rules
securitynik@snort3:~$ sudo touch /usr/local/etc/lists/default.blocklist

securitynik@snort3:~$ sudo mkdir /usr/local/etc/pulledpork

... and our directory to store our logs

securitynik@snort3:~$ sudo mkdir /var/log/snort

With those in place, let's create three sample rules to test against the traffic in our PCAP file, using the Snort 2.x method of writing rules.

securitynik@snort3:~$ sudo gedit /usr/local/etc/rules/local.rules &

securitynik@snort3:~$ sudo cat /usr/local/etc/rules/local.rules 
alert tcp any any -> any any (msg:"SecurityNik Testing TCP"; sid:40000001;)
alert icmp any any -> any any (msg:"SecurityNik ICMP"; sid:40000002;)
alert udp any any -> any any (msg:"SecurityNik Testing UDP"; sid:40000003;) 

When this rule file is passed as input to Snort3, we see the first three alerts (-n 3 stops after three packets); notice we are once again using the "--talos" tweaks.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none \
-A "alert_full" -q -n 3 --talos
[**] [1:40000003:0]  <securitynik-sample.pcap> "SecurityNik Testing UDP" [**]
[Priority: 0] 
02/01-14:23:06.999138 10.0.2.15:40793 -> 64.71.255.198:53
UDP TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF
Len: 58

[**] [1:40000003:0]  <securitynik-sample.pcap> "SecurityNik Testing UDP" [**]
[Priority: 0] 
02/01-14:23:07.017818 64.71.255.198:53 -> 10.0.2.15:40793
UDP TTL:64 TOS:0x0 ID:47115 IpLen:20 DgmLen:198
Len: 170

[**] [1:40000001:0]  <securitynik-sample.pcap> "SecurityNik Testing TCP" [**]
[Priority: 0] 
02/01-14:23:07.020863 10.0.2.15:33244 -> 35.232.111.17:80
TCP TTL:64 TOS:0x0 ID:53105 IpLen:20 DgmLen:60 DF
******S* Seq: 0x31F1E987  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK  TS: 3340894439 0 NOP WS: 7

[**] [1:1:0]  <securitynik-sample.pcap> "Nik Testing" [**]
[Priority: 0] 
02/01-14:23:07.020863 10.0.2.15:33244 -> 35.232.111.17:80
TCP TTL:64 TOS:0x0 ID:53105 IpLen:20 DgmLen:60 DF
******S* Seq: 0x31F1E987  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK  TS: 3340894439 0 NOP WS: 7

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid        sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===        === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1   40000003   0         2       2      2        10         5         5             0        0        0
2         1   40000001   0         1       1      1         4         4         4             0        0        0
3         1          1   0         1       1      1         0         0         0             0        0        0

Let's rewrite the above rules in the Snort3 format, adding some additional components, and then run them against two different PCAPs.

alert http
(
    msg:"Looking for SecurityNik HTTP - wget and ragel traffic!";  # Message I would like the user to see
    flow:established, to_server;                  # Traffic whose 3-way handshake completed, client to server
    http_method;                                  # Focus on the buffer containing the HTTP method
    content:"|47 45 54|", offset 0, depth 3;      # The hex bytes for GET, starting at offset 0 and spanning 3 bytes
    http_uri:path;                                # Look at the buffer containing the URI path
    content:"/files/ragel/ragel-6.10.tar.gz", distance 0, within 30;  # Look for this content
    pcre:"/ragel\-\d{1,3}\.\d{1,3}\.tar\.gz/i";   # A regular expression for the file above
    http_header:field User-Agent;                 # Look into the User-Agent field of the HTTP header
    content:"wget/1.20.3", nocase;                # Check whether the user agent contains wget
    regex:"/wget\/\d{1,2}\.\d{2}\.\d{1,2}/i";     # My understanding is that regex lets us take advantage of Hyperscan. Notice above I used pcre instead.
    http_header:field Host;                       # Look at the Host field of the HTTP header
    content:"www|2e|colm|2e|net", nocase;         # Look for the hostname www.colm.net
    reference:URL, "www.securitynik.com";
    classtype:suspicious-filename-detect;
    priority:1;                                   # Give the rule a priority of 1. Max value 31
    rev:5;                                        # Every time the rule is updated the revision number should change
    sid:4;                                        # Every rule should have an ID
)

alert dns
(
    msg:"Looking for SecurityNik DNS traffic!";   # Message
    id:11471;                                     # Value in the IP ID field
    content:"www|0B|securitynik|03|com", nocase;  # Content to search for. A mix of string and hex (the hex bytes are the DNS label lengths)
    classtype:misc-attack;
    priority:4;
    rev:3;
    sid:5;
)

alert icmp
(
    msg:"Looking for SecurityNik ICMP traffic!";
    id:38446;                                     # Value in the IP ID field
    itype:8;                                      # ICMP type (echo request)
    icode:0;                                      # ICMP code
    content:"|30 31 32 33 34 35 36 37|";          # Search for this hex pattern in the payload
    classtype:malware-cnc;
    priority:20;
    rev:2;
    sid:6;
)

First run against securitynik-sample.pcap.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none -A cmg  -q --talos | more
02/01-14:56:37.512330 [**] [1:4:5]  <securitynik-sample.pcap> "Looking for SecurityNik HTTP - wget and ragel traffic!" [**] [Classification: A suspicious filename was detected] [Priority: 1] {TCP} 10.0.2.15:33478 -> 192.155.89.46:80

http_inspect.http_method[3]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
47 45 54                                          GET
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_version[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
48 54 54 50 2F 31 2E 31                           HTTP/1.1 
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_uri[30]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 66 69 6C 65 73 2F 72  61 67 65 6C 2F 72 61 67  /files/r agel/rag
65 6C 2D 36 2E 31 30 2E  74 61 72 2E 67 7A        el-6.10. tar.gz
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_header[119]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
55 73 65 72 2D 41 67 65  6E 74 3A 20 57 67 65 74  User-Age nt: Wget
2F 31 2E 32 30 2E 33 20  28 6C 69 6E 75 78 2D 67  /1.20.3  (linux-g
6E 75 29 0D 0A 41 63 63  65 70 74 3A 20 2A 2F 2A  nu)..Acc ept: */*
0D 0A 41 63 63 65 70 74  2D 45 6E 63 6F 64 69 6E  ..Accept -Encodin
67 3A 20 69 64 65 6E 74  69 74 79 0D 0A 48 6F 73  g: ident ity..Hos
74 3A 20 77 77 77 2E 63  6F 6C 6D 2E 6E 65 74 0D  t: www.c olm.net.
0A 43 6F 6E 6E 65 63 74  69 6F 6E 3A 20 4B 65 65  .Connect ion: Kee
70 2D 41 6C 69 76 65                             p-Alive
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     4   5         1       1      1       905       905       905             0        0        0

Running it against the securitynik-other-sample.pcap.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
 -R /usr/local/etc/rules/local.rules -r securitynik-other-sample.pcap \
 -k none -A cmg  -q --talos | more
02/02-13:39:01.871758 [**] [1:5:3]  <securitynik-other-sample.pcap> "Looking for SecurityNik DNS traffic!" 
[**] [Classification: Misc Attack] [Priority: 4] {UDP} 10.0.2.15:59456 -> 64.71.255.198:53
08:00:27:2A:BA:15 -> 52:54:00:12:35:02 type:0x800 len:0x5A
10.0.2.15:59456 -> 64.71.255.198:53 UDP TTL:64 TOS:0x0 ID:11471 IpLen:20 DgmLen:76 DF
Len: 48

dns.raw[48]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
28 B8 01 00 00 01 00 00  00 00 00 01 03 77 77 77  (....... .....www
0B 73 65 63 75 72 69 74  79 6E 69 6B 03 63 6F 6D  .securit ynik.com
00 00 01 00 01 00 00 29  02 00 00 00 00 00 00 00  .......) ........
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

02/02-13:39:57.839673 [**] [1:6:2]  <securitynik-other-sample.pcap> "Looking for SecurityNik ICMP traffic!" [**] [Classification: Known malware command and control traffic] [Priority: 20] {ICMP} 10.0.2.15 -> 172.217.164.211
08:00:27:2A:BA:15 -> 52:54:00:12:35:02 type:0x800 len:0x62
10.0.2.15 -> 172.217.164.211 ICMP TTL:64 TOS:0x0 ID:38446 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1   Seq:1  ECHO

snort.raw[56]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
7D 9C 19 60 00 00 00 00  C6 CF 0C 00 00 00 00 00  }..`.... ........
10 11 12 13 14 15 16 17  18 19 1A 1B 1C 1D 1E 1F  ........ ........
20 21 22 23 24 25 26 27  28 29 2A 2B 2C 2D 2E 2F   !"#$%&' ()*+,-./
30 31 32 33 34 35 36 37                           01234567 
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     6   2         2       1      1        59        29        58             1        0        0
2         1     5   3         4       1      1        15         3        12             1        0        0
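To make the content modifiers in the three rules concrete, here is an added example (my own simplified model of the detection engine, not Snort code) that walks each rule's options over the exact buffers Snort dumped above: it converts the "|hex|" content notation to bytes, applies offset/depth (absolute) and distance/within (relative to the cursor left by the previous match), and shows why switching sticky buffers resets that cursor. The buffers are constructed from the http_inspect, dns.raw and snort.raw hex dumps above; the User-Agent regex spells out the final version digits as \.\d{1,2}.

```python
"""Snort content-modifier semantics worked by hand against the buffers Snort
dumped for sids 4, 5 and 6 above. find_content and the *_rule_matches walkers
are this example's own simplification of the detection engine."""
import re

# Buffers reconstructed from the http_inspect.*, dns.raw and snort.raw dumps above
HTTP_BUFFERS = {
    "http_method": b"GET",
    "http_uri": b"/files/ragel/ragel-6.10.tar.gz",
    "http_header": {"User-Agent": b"Wget/1.20.3 (linux-gnu)", "Host": b"www.colm.net"},
}
DNS_RAW = bytes.fromhex(
    "28b8 0100 0001 0000 0000 0001 0377 7777"
    "0b73 6563 7572 6974 796e 696b 0363 6f6d"
    "0000 0100 0100 0029 0200 0000 0000 0000")
ICMP_RAW = bytes.fromhex("7d9c1960 00000000 c6cf0c00 00000000") + bytes(range(0x10, 0x38))


def parse_content(spec: str) -> bytes:
    """Turn Snort content notation into bytes: text outside |...| is literal,
    inside it is space-separated hex, so "www|0B|securitynik|03|com" becomes
    b"www\\x0bsecuritynik\\x03com"."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def find_content(buf: bytes, spec: str, *, offset=0, depth=None,
                 distance=None, within=None, nocase=False, cursor=0):
    """Locate a content pattern under Snort's modifiers and return the new
    detection cursor (position just past the match), or None.
    offset/depth are absolute from the buffer start; distance/within are
    relative to the cursor left by the previous match, which is how successive
    content options chain. The pattern must fit entirely inside the window."""
    pat = parse_content(spec)
    hay = buf
    if nocase:
        pat, hay = pat.lower(), buf.lower()
    if distance is not None or within is not None:
        start = cursor + (distance or 0)
        end = len(hay) if within is None else start + within
    else:
        start = offset
        end = len(hay) if depth is None else start + depth
    pos = hay.find(pat, start, end)
    return None if pos < 0 else pos + len(pat)


def http_rule_matches(bufs) -> bool:
    """Walk sid:4's options in order. Each sticky buffer (http_method,
    http_uri, http_header:field) starts with the cursor at 0, and the first
    option that fails ends evaluation."""
    if find_content(bufs["http_method"], "|47 45 54|", offset=0, depth=3) is None:
        return False
    uri = bufs["http_uri"]
    if find_content(uri, "/files/ragel/ragel-6.10.tar.gz", distance=0, within=30) is None:
        return False
    if not re.search(rb"ragel\-\d{1,3}\.\d{1,3}\.tar\.gz", uri, re.I):
        return False
    ua = bufs["http_header"].get("User-Agent", b"")
    if find_content(ua, "wget/1.20.3", nocase=True) is None:
        return False
    if not re.search(rb"wget/\d{1,2}\.\d{2}\.\d{1,2}", ua, re.I):  # the regex option
        return False
    host = bufs["http_header"].get("Host", b"")
    return find_content(host, "www|2e|colm|2e|net", nocase=True) is not None


def dns_rule_matches(raw: bytes) -> bool:
    """sid:5 looks for the wire-format name www\\x0bsecuritynik\\x03com (the
    |0B| and |03| are DNS label lengths) anywhere in the raw DNS message."""
    return find_content(raw, "www|0B|securitynik|03|com", nocase=True) is not None


def icmp_rule_matches(raw: bytes, itype: int, icode: int) -> bool:
    """sid:6 wants an echo request (type 8, code 0) whose payload carries the
    bytes 30..37, i.e. "01234567", the tail of the default ping pattern."""
    return itype == 8 and icode == 0 and \
        find_content(raw, "|30 31 32 33 34 35 36 37|") is not None


if __name__ == "__main__":
    print("sid:4 HTTP :", http_rule_matches(HTTP_BUFFERS))
    print("sid:5 DNS  :", dns_rule_matches(DNS_RAW))
    print("sid:6 ICMP :", icmp_rule_matches(ICMP_RAW, 8, 0))
```

Note that within 30 is exactly the length of the URI content, so within 29 would make the same rule miss; that is the kind of off-by-one the hex dump above lets you check.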

Before configuring PulledPork, maybe you wish to see output from snort in CSV format.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none -A csv -q | more
[sudo] password for securitynik: 
02/01-14:56:37.512330, 1206, TCP, stream_tcp, 119, C2S, 10.0.2.15:33478, 192.155.89.46:80, 1:4:5, allow

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -r securitynik-other-sample.pcap -k none -A csv -q | more
02/02-13:39:01.871758, 214, UDP, raw, 76, C2S, 10.0.2.15:59456, 64.71.255.198:53, 1:5:3, allow
02/02-13:39:57.839673, 255, ICMP, raw, 84, C2S, 10.0.2.15:0, 172.217.164.211:0, 1:6:2, allow

At this point, we know our Snort3 installation is working with our local rules. Now let's feed the pig via Pulledpork.

First up, prerequisites.

If you wish, you can register at snort.org to get an OINK code. Once you have that, you can gain access to the registered rules. If not, you can use the community rules.

Next, install the software prerequisites.

securitynik@snort3:~$ cd ~/snort-files/
securitynik@snort3:~$ sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

Next up, clone Pulledpork, copy the pulledpork.pl file to /usr/local/bin and make it executable. Then copy the config file (pulledpork.conf) to /usr/local/etc/pulledpork.

securitynik@snort3:~/snort-files$ git clone https://github.com/shirkdog/pulledpork.git

securitynik@snort3:~/snort-files$ cd pulledpork/
securitynik@snort3:~/snort-files/pulledpork$ sudo cp pulledpork.pl /usr/local/bin/ -v
'pulledpork.pl' -> '/usr/local/bin/pulledpork.pl'
securitynik@snort3:~/snort-files/pulledpork$ sudo chmod +x /usr/local/bin/pulledpork.pl 
securitynik@snort3:~/snort-files/pulledpork$ sudo cp etc/*.conf /usr/local/etc/pulledpork/

Verify that PulledPork is installed and working.

securitynik@snort3:~/snort-files/pulledpork$ pulledpork.pl -V
PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!

Let's now modify the pulledpork.conf file. As always, before modifying a config file, I like to make a copy of it.

securitynik@snort3:~/snort-files/pulledpork$ sudo cp /usr/local/etc/pulledpork/pulledpork.conf /usr/local/etc/pulledpork/pulledpork.conf.ORIG

Change line 19 from ...

19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

... to

19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|4aabb98....bd138aFF

If you have an OINK code, change line 21 from ...

 21. rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

... to the following, commenting out the line with "#". If you do not have an OINK code, leave line 21 as it is to get the community rules and comment out line 19 instead. If you do have an OINK code, comment out line 21, since the community rules are included in the registered rules.

21. #rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Change line 72 from ...

72. rule_path=/usr/local/etc/snort/rules/snort.rules

... to reflect the path of the files we created above.

72. rule_path=/usr/local/etc/rules/snort.rules

Change line 87 from ...

87. local_rules=/usr/local/etc/snort/rules/local.rules

... to

87. local_rules=/usr/local/etc/rules/local.rules

Change line 94 from ...

94. sid_msg_version=1

... to

94. sid_msg_version=2

Change line 110 from ...

110. sorule_path=/usr/local/lib/snort_dynamicrules/

... to

110. sorule_path=/usr/local/etc/so_rules/

Change line 117 from ...

117. config_path=/usr/local/etc/snort/snort.conf

... to

117. config_path=/usr/local/etc/snort/snort.lua

Change line 134 from ...

134. distro=FreeBSD-12

... to

134. distro=Ubuntu-18-4

Change line 142 from ...

142. block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

... to

142. block_list=/usr/local/etc/lists/default.blocklist

Change line 151 from ...

151. IPRVersion=/usr/local/etc/snort/rules/iplists

... to

151. IPRVersion=/usr/local/etc/lists


Change line 186 from ...

186. pid_path=/var/run/snort_eth0.pid

... to

186. pid_path=/var/log/snort/snort.pid

Change the Snort version on line 196 from ...

# snort_version=2.9.0.0

... to

snort_version=3.0.0.0

Finally, let's uncomment line 209, changing it from ...

# ips_policy=security

... to

ips_policy=security
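The edits above are the same every time you rebuild a sensor, so here they are as a script. This is an added example, not part of the post or of PulledPork: it matches each setting by name rather than by the line numbers quoted above (those shift between PulledPork releases), keeps the .ORIG backup the post makes, and runs offline against a constructed stand-in for pulledpork.conf with a made-up OINK code.

```bash
#!/usr/bin/env bash
# Added example, not part of the post: apply the pulledpork.conf edits listed
# above with sed so they are repeatable. Edits match on the setting name, not
# on line numbers. The OINK code used in the demo is a constructed value.
set -euo pipefail

# apply_pulledpork_edits CONF [OINKCODE]
# Backs CONF up to CONF.ORIG once, then rewrites it in place. With an OINK code
# the registered-rules URL gets the code and the community-rules line is
# commented out; without one the registered-rules line is commented out instead
# and the community rules stay active, as the post describes.
apply_pulledpork_edits() {
    local conf="$1" oink="${2:-}" rule_url_edit
    [ -f "$conf.ORIG" ] || cp "$conf" "$conf.ORIG"
    if [ -n "$oink" ]; then
        rule_url_edit="s,|<oinkcode>\$,|$oink,; s,^rule_url=https://snort.org/downloads/community/,#&,"
    else
        rule_url_edit='s,^rule_url=https://www.snort.org/reg-rules/,#&,'
    fi
    sed -e "$rule_url_edit" \
        -e 's,^rule_path=.*,rule_path=/usr/local/etc/rules/snort.rules,' \
        -e 's,^local_rules=.*,local_rules=/usr/local/etc/rules/local.rules,' \
        -e 's,^sid_msg_version=.*,sid_msg_version=2,' \
        -e 's,^sorule_path=.*,sorule_path=/usr/local/etc/so_rules/,' \
        -e 's,^config_path=.*,config_path=/usr/local/etc/snort/snort.lua,' \
        -e 's,^distro=.*,distro=Ubuntu-18-4,' \
        -e 's,^block_list=.*,block_list=/usr/local/etc/lists/default.blocklist,' \
        -e 's,^IPRVersion=.*,IPRVersion=/usr/local/etc/lists,' \
        -e 's,^pid_path=.*,pid_path=/var/log/snort/snort.pid,' \
        -e 's,^# *snort_version=.*,snort_version=3.0.0.0,' \
        -e 's,^# *ips_policy=security,ips_policy=security,' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# conf_get CONF KEY: print the active (uncommented) value of KEY, if any.
conf_get() { sed -n "s,^$2=,,p" "$1"; }

# make_sample_conf PATH: write a constructed stand-in for pulledpork.conf that
# holds only the lines the post edits, so the example runs offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg_version=1
sorule_path=/usr/local/lib/snort_dynamicrules/
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-12
block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
IPRVersion=/usr/local/etc/snort/rules/iplists
pid_path=/var/run/snort_eth0.pid
# snort_version=2.9.0.0
# ips_policy=security
EOF
}

# Demo on the constructed file; point apply_pulledpork_edits at
# /usr/local/etc/pulledpork/pulledpork.conf (with sudo) for the real thing.
demo="$(mktemp)"
make_sample_conf "$demo"
apply_pulledpork_edits "$demo" "0123456789abcdef0123456789abcdef"   # constructed OINK code
diff "$demo.ORIG" "$demo" || true   # show what changed
```

Run it without a second argument to get the no-OINK-code variant, where the registered-rules line is commented out and the community rules stay active.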

With those steps completed, let's run PulledPork.

securitynik@snort3:~$ sudo pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -PEl

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-3000.tar.gz....
Rules tarball download of snortrules-snapshot-3000.tar.gz....
        They Match
        Done!
IP Blocklist download of https://snort.org/downloads/ip-block-list....
Reading IP List...
Prepping rules from snortrules-snapshot-3000.tar.gz for work....
        Done!
....

Rule Stats...
        New:-------15151
        Deleted:---0
        Enabled Rules:----15151
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------15151
IP Blocklist Stats...
        Total IPs:-----816

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Run Snort again against one of our PCAPs, this time using the new rules file.

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua --tweaks talos --pcap-list securitynik-sample.pcap -R /usr/local/etc/rules/snort.rules
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading talos.lua:
Finished talos.lua:
        ssh
        hosts
        ....
Loading rule args:
Loading /usr/local/etc/rules/snort.rules:
Finished /usr/local/etc/rules/snort.rules:
Finished rule args:
--------------------------------------------------
rule counts
       total rules loaded: 15151
               text rules: 15151
            option chains: 15151
            chain headers: 332
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     222       9       7       3
     src    5852      24       0       0
     dst    8852     191       0       0
    both       2       3       0       0
   total   14928     227       7       3
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   15151       0   15151    /usr/local/etc/snort/snort.lua
--------------------------------------------------


....

Appid Statistics
--------------------------------------------------
detected apps and services
              Application: Flows      Clients    Users      Payloads   Misc       Incompat.  Failed
                  unknown: 323        0          0          0          0          0          0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.667893
                 pkts/sec: 21044
                Mbits/sec: 124
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1 34937   2       235       0      0       716         3         0             3        0        0
2         1 53975   2       321       0      0       290         0         0             0        0        0
3         1 37730   5       321       0      0       262         0         0             0        0        0
4         1 37731   5       353       0      0        94         0         0             0        0        0
5         1 55704   2        34       0      0        78         2         0             2        0        0
6         1 53264   1        26       0      0        61         2         0             2        0        0
7         1 47030   1         5       0      0         7         1         0             1        0        0
8         1 32005   8         1       0      0         4         4         0             4        0        0
9         1 32406   3         1       0      0         3         3         0             3        0        0
10        1 32405   3         1       0      0         2         2         0             2        0        0
o")~   Snort exiting
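One check worth keeping around: the "Total Rules" figure PulledPork printed should equal the "total rules loaded" and "enabled" figures Snort prints, otherwise Snort was pointed at a different rules file than the one PulledPork wrote (a wrong rule_path or -R). This is an added example, not part of the post; the two output fragments it parses are constructed from the output shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of the post: cross-check that the rule count Snort
# reports after loading /usr/local/etc/rules/snort.rules matches PulledPork's
# "Total Rules", and that ips policy 0 enabled all of them. The two samples
# below are constructed from the output shown in the post.
set -euo pipefail

# pp_total_rules: PulledPork's "Total Rules" figure, from its output on stdin.
pp_total_rules() { sed -n 's/^ *Total Rules:-*//p'; }

# snort_loaded_rules: Snort's "total rules loaded" figure, from stdin.
snort_loaded_rules() { sed -n 's/^ *total rules loaded: *//p'; }

# snort_enabled_rules: the "enabled" column of policy id 0 in the
# "ips policies rule stats" table, taken from the row after its header.
snort_enabled_rules() {
    awk '/^ *id +loaded +shared +enabled/ { hdr = 1; next }
         hdr && $1 == "0" { print $4; exit }'
}

# check_rule_counts PP_OUT SNORT_OUT: succeed only when all three figures agree.
check_rule_counts() {
    local pp loaded enabled
    pp=$(pp_total_rules < "$1")
    loaded=$(snort_loaded_rules < "$2")
    enabled=$(snort_enabled_rules < "$2")
    printf 'pulledpork total=%s  snort loaded=%s  enabled=%s\n' "$pp" "$loaded" "$enabled"
    [ -n "$pp" ] && [ "$pp" = "$loaded" ] && [ "$pp" = "$enabled" ]
}

# Constructed fragments of the two outputs shown in the post.
sample_pp_output() {
    printf '%s\n' 'Rule Stats...' '        New:-------15151' \
        '        Total Rules:------15151' 'IP Blocklist Stats...'
}
sample_snort_output() {
    printf '%s\n' 'rule counts' '       total rules loaded: 15151' \
        'ips policies rule stats' \
        '              id  loaded  shared enabled    file' \
        '               0   15151       0   15151    /usr/local/etc/snort/snort.lua'
}

# Demo. In practice feed it the saved output of the two commands, e.g.
#   sudo pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -PEl | tee pp.log
#   snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/snort.rules \
#       --pcap-list securitynik-sample.pcap | tee snort.log
pp_log="$(mktemp)"; snort_log="$(mktemp)"
sample_pp_output > "$pp_log"
sample_snort_output > "$snort_log"
check_rule_counts "$pp_log" "$snort_log" || echo "MISMATCH: check rule_path and -R"
```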

Ok, now we have fed the pig, and that gave it enough wings to fly. Let's wrap up this 4-part series with some important housekeeping activities. See you in the next post.


References:

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2

https://github.com/shirkdog/pulledpork

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/004/026/original/Snort_3_GA_on_OracleLinux_8.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/131/original/Snort_3_on_openSUSE_Leap_42.3.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/176/original/Snort_3_on_FreeBSD_11.pdf



Snort3 on Ubuntu 20 - Learning a little about our installation - Getting Help, Running Snort3, etc

In the previous post, we performed the install of Snort3. In this post, we learn a little about Snort3 before we start feeding it via rules and then perform some housekeeping.

Getting help!

securitynik@snort3:~$ snort --help

Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [<module prefix>] output matching commands
--help-config [<module prefix>] output matching config options
--help-counts [<module prefix>] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
....

To get help on a particular area, such as the runtime commands, we can then run:

securitynik@snort3:~$ snort --help-commands
appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
appid.disable_debug(): disable appid debugging
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors
host_cache.dump(file_name): dump host cache
...

To learn about the plugins:

securitynik@snort3:~$ snort --list-plugins | more
codec::arp v0 static
codec::auth v0 static
codec::bad_proto v0 static
codec::ciscometadata v0 static
codec::erspan2 v0 static
codec::erspan3 v0 static
codec::esp v0 static
codec::eth v0 static
codec::fabricpath v0 static
codec::gre v0 static
....

To see the command line options available, use --help-options.

securitynik@snort3:~$ snort --help-options
-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
...

While this system has tcpdump installed by default, let's also install TShark.

securitynik@snort3:~$ sudo apt-get install tshark

Using tcpdump, I captured over 21,044 packets using the following command.

securitynik@snort3:~$ sudo tcpdump -n --interface enp0s3 -v -w securitynik-sample.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Got 1448

Got 1448
^C21044 packets captured
21044 packets received by filter
0 packets dropped by kernel

Using TShark, let's now see what is in this file.

securitynik@snort3:~$ tshark -n -r securitynik-sample.pcap -q -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:21044 bytes:178288931
  ip                                     frames:20780 bytes:178275019
    udp                                  frames:851 bytes:118457
      dns                                frames:819 bytes:115601
      ntp                                frames:24 bytes:2160
      mdns                               frames:8 bytes:696
    tcp                                  frames:19929 bytes:178156562
      http                               frames:156 bytes:28081
        media                            frames:1 bytes:1448
          tcp.segments                   frames:1 bytes:1448
      tls                                frames:7855 bytes:164523943
        tcp.segments                     frames:7572 bytes:164188303
          tls                            frames:7555 bytes:163997610
  arp                                    frames:256 bytes:13056
  ipv6                                   frames:8 bytes:856
    udp                                  frames:8 bytes:856
      mdns                               frames:8 bytes:856
===================================================================

Doing some basic processing of the file with Snort3, we see 1 PCAP with 21,044 packets received and analyzed, just as we captured. We also get timing information for the processing of these packets. It looks like Snort3 processed all 21,044 packets in under 1 second.

securitynik@snort3:~$  snort --pcap-list securitynik-sample.pcap 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
-- [0] securitynik-sample.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 21044
                 analyzed: 21044
                    allow: 21044
                 rx_bytes: 16259569
--------------------------------------------------
codec
                    total: 21044       	(100.000%)
                 discards: 17392       	( 82.646%)
                      arp: 256         	(  1.216%)
                      eth: 21044       	(100.000%)
                     ipv4: 20780       	( 98.745%)
                     ipv6: 8           	(  0.038%)
                      tcp: 11046       	( 52.490%)
                      udp: 859         	(  4.082%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 21044
--------------------------------------------------
tcp
        bad_tcp4_checksum: 8071
--------------------------------------------------
udp
        bad_udp4_checksum: 430
        bad_udp6_checksum: 8
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.486754
                 pkts/sec: 21044
                Mbits/sec: 124
o")~   Snort exiting

If you wish to dump the contents of the PCAP file, add the "-L dump" option, or go even further by adding "-d" to dump the application data as well. In this case I will add "-n 1" so that only the first packet is processed.

securitynik@snort3:~$ snort --pcap-list securitynik-sample.pcap -L dump -d -n 1 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
pkt:1	
eth(DLT):  08:00:27:2A:BA:15 -> 52:54:00:12:35:02  type:0x0800
ipv4(0x0800):  10.0.2.15 -> 64.71.255.198
	Next:0x11 TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF

snort.raw[66]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
9F 59 00 35 00 42 4C 70  9C 9D 01 00 00 01 00 00  .Y.5.BLp ........
00 00 00 01 12 63 6F 6E  6E 65 63 74 69 76 69 74  .....con nectivit
79 2D 63 68 65 63 6B 06  75 62 75 6E 74 75 03 63  y-check. ubuntu.c
6F 6D 00 00 01 00 01 00  00 29 02 00 00 00 00 00  om...... .)......
00 00                                             ..
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

While reading back data from a PCAP file is cool, Snort3 is more than likely going to be running in live mode most of the time. Here is what it looks like once you decide to run snort from the command line.

First off, decide on the interface or interfaces you wish to capture traffic on. Here is the list of interfaces on my VM.

securitynik@snort3:~$  ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:2a:ba:15 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 59259sec preferred_lft 59259sec
    inet6 fe80::8adb:ccd9:2479:82c3/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:eb:40:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.116/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s8
       valid_lft 459sec preferred_lft 459sec
    inet6 fe80::2cf1:a00b:bcce:f58c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Let's tell Snort3 to capture traffic on the two non-loopback interfaces. Note: while I'm using two interfaces separated by a colon, you can instead use a single interface, as would be the case on most IDS installs.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8
[sudo] password for securitynik: 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s3:enp0s8
...

You might notice above that the output says "pcap DAQ configured to passive". To enable inline mode, add the -Q option, as in the command below.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 : 
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
...

You more than likely want to run Snort in IDS or IPS mode, which means taking advantage of a configuration file. Let's use the default one which ships with Snort3 and which we used in the previous post.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
....

Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
.....
stream_tcp:
             flush_factor: 0
                  max_pdu: 16384
               max_window: 0
                   no_ack: disabled
            overlap_limit: 0
                   policy: bsd
              queue_limit: { max_bytes = 1048576, max_segments = 2621 }
         reassemble_async: enabled
             require_3whs: -1 (disabled)
          session_timeout: 30
           small_segments: { count = 0, maximum_size = 0 }
               track_only: disabled
--------------------------------------------------
stream_udp:
          session_timeout: 30
--------------------------------------------------
stream_user:
          session_timeout: 30
--------------------------------------------------
telnet:
        ayt_attack_thresh: -1
          check_encrypted: disabled
        encrypted_traffic: disabled
                normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64

Let's now see what the "--talos" option shows us. The Snort reference manual is not very verbose on this; it simply says it "enables Talos tweak", whatever that means. Alternatively, instead of "--talos", you can use "--tweaks talos".

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -Q -c /usr/local/etc/snort/snort.lua \
--tweaks talos --pcap-list securitynik-sample.pcap -R local.rules -q

##### securitynik-sample.pcap #####
	[1:1:0] Nik Testing (alerts: 2825)
#####
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     1   0      2908    2908   2825      1863         0         0             0        0        0

We see above the information on our test rule. Not to worry, we will look at rules in the next post, where we feed the pig. Remember, rules give the pig wings :-)

References: