Friday, February 5, 2021

Snort3 on Ubuntu 20 - Housekeeping - AppID, RNA, Performance Monitoring, Profiling, JSON Logging, Other config, etc.

Now that Snort3 has been installed, you have confirmed all your tests work as expected, and you have fed the pig, your next step is to configure Snort3 for your specific environment. The same philosophy applies to any security tool you use. Let's customize Snort3 for our environment.

Note: After every (small) modification, you should test your configuration. No need to wait until the end to test. If you wait until the end, you will more than likely run into (probably a ton of) problems. Here are two ways to test your configuration.

Option 1. Being verbose.

securitynik@snort3:~/snort-files$ sudo snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
...
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Option 2. Being quiet.

securitynik@snort3:~/snort-files$ sudo snort -c /usr/local/etc/snort/snort.lua -q

If nothing is returned, your configuration is most likely fine.

Let's edit the Snort3 configuration file. Change the HOME_NET from ...

HOME_NET = 'any'

... to reflect the networks you monitor and/or own. For this purpose, let's say those are:

HOME_NET = [[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]]

Interestingly, in Snort 2.x our EXTERNAL_NET is normally configured as EXTERNAL_NET = !$HOME_NET. However, it seems this might have changed in Snort3, and thus we leave EXTERNAL_NET = 'any'.

Update: I recently saw in this document that we can use the following for EXTERNAL_NET.

EXTERNAL_NET = "!$HOME_NET"

Let's take advantage of the reputation block list by removing "--[[" and "--]]" just before and after "reputation" respectively. This is what mine looks like after the change.

reputation =
{
    -- configure one or both of these, then uncomment reputation
    blacklist = BLACK_LIST_PATH .. "/default.blocklist"
    --whitelist = 'whitelist file name with ip lists'
}

Next up, let's make the configuration changes that allow us to take advantage of Hyperscan. These must be placed after reputation but before "Section 3 configure bindings".

search_engine = { search_method = "hyperscan" }

detection =
{
    hyperscan_literals = true,
    pcre_to_regex = true
}

Let's now configure Snort3 to enable decoder and inspector alerts.

ips =
{
    mode = tap,
    -- use this to enable decoder and inspector alerts
    enable_builtin_rules = true,
    include = RULE_PATH .. "/local.rules",
    variables = default_variables
}

Because we may wish to send this data to other tools such as Elastic Stack, like we did with Zeek in this blog, let's enable logging in JSON format. 

In section "7. configure outputs", we add the following lines:

alert_json = 
{
    file = true, -- write the output to a file
    limit = 100, -- Create a new file after every 100M
    fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
}

Note: I used the continuation character "\" above for clarity; if you encounter any issues, remove those and put everything on one line.

Here is what a sample of your JSON output may look like once an alert is triggered.

securitynik@snort3:~$ sudo tail --lines 1 /var/log/snort/alert_json.txt
{ "seconds" : 1612230402, "action" : "allow", "class" : "none", "dir" : "UNK", \
 "dst_ap" : ":0", "eth_dst" : "52:54:00:12:35:02", "eth_len" : 42, \
 "eth_src" : "08:00:27:2A:BA:15", "eth_type" : "0x806", "gid" : 112, \
 "iface" : "securitynik-sample.pcap", "msg" : "(arp_spoof) unicast ARP request", \
 "pkt_gen" : "raw", "pkt_len" : 0, "pkt_num" : 21043, "priority" : 3, \
"proto" : "ARP", "rev" : 1, "rule" : "112:1:1", "service" : "unknown", \
 "sid" : 1, "src_ap" : ":0", "vlan" : 0, "timestamp" : "02/01-20:46:42.210696" }
....

{ "seconds" : 1612458702, "action" : "allow", "class" : "none", "dir" : "S2C",\
 "dst_addr" : "10.0.2.15", "dst_ap" : "10.0.2.15:38500", "dst_port" : 38500, \
"eth_dst" : "08:00:27:2A:BA:15", "eth_len" : 60, "eth_src" : "52:54:00:12:35:02",\
 "eth_type" : "0x800", "gid" : 119, "iface" : "enp0s3:enp0s8", "ip_id" : 888, \
"ip_len" : 20, "msg" : "(http_inspect) HTTP header line terminated by LF without a CR", \
 "mpls" : 0, "pkt_gen" : "raw", "pkt_len" : 40, "pkt_num" : 549, "priority" : 3,\
 "proto" : "TCP", "rev" : 1, "rule" : "119:13:1", "service" : "http", "sid" : 13,\
 "src_addr" : "172.217.1.179", "src_ap" : "172.217.1.179:443", "src_port" : 443,\
 "tcp_ack" : 2000257859, "tcp_flags" : "***A****", "tcp_len" : 20, "tcp_seq" : 179136002,\
 "tcp_win" : 65535, "tos" : 0, "ttl" : 64, "vlan" : 0, \
"timestamp" : "02/04-12:11:42.995132" }

If you are looking to profile your Snort3 deployment, you can enable profiling for rules, memory, modules, etc., by changing 

-- profiler = { }

to

profiler = { }

This will give you an output similar to ...

--------------------------------------------------
module profile (all, depth 255, sorted by total_time)
#                      module layer    checks   time(us)  avg/check  %/caller  %/total
=                      ====== =====    ======   ========  =========  ========  =======
 1                     eventq     1     22755    1036104         45     56.41    56.41
 2                      other     1     21044     277173         13     15.09    15.09
 3                        daq     1     21374     267906         12     14.59    14.59
 4                 stream_tcp     1     10155      63083          6      3.43     3.43
 5                     decode     1     21044      59652          2      3.25     3.25
...
 19              back_orifice     1       859        578          0      0.03     0.03
 20                 arp_spoof     1       256        470          1      0.03     0.03
 21                       ssl     1       131        225          1      0.01     0.01
--                      total    --     21044    1836589         87        --   100.00
--------------------------------------------------
memory profile (all, depth 255, sorted by total_used)
#                  module layer   allocs   used (kb) avg/allocation  %/caller  %/total
=                  ====== =====   ======   ========= ==============  ========  =======
 1             stream_tcp     1     2316     1673.50          739.9     50.54    50.54
 2                 stream     1      447     1121.50         2569.2     33.87    33.87
 3           http_inspect     1      544      292.25          550.1      8.83     8.83
 4                  appid     1      444      222.00          512.0      6.70     6.70
 5                    ssl     1       14        1.75          128.0      0.05     0.05
--                  total    --     3765     3311.00          900.5        --   100.00
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     4   5         1       1      1       262       262       262             0        0        0


To look at the performance monitor statistics via perf_monitor, we change

-- perf_monitor = { }

to enable everything via

perf_monitor = { }

Alternatively, we can be a bit more selective.

perf_monitor =
{
    modules = { },
    base = true,
    cpu = true,
    flow = true,
    flow_ip = true,
    packets = 10000,
    seconds = 60,
    flow_ports = 1023,
    output = console,
    format = text,
    summary = true
    -- counters such as flow_tracker_creates, flow_tracker_total_deletes,
    -- flow_tracker_reload_deletes and flow_tracker_prunes are peg counts
    -- reported at shutdown, not options set here
}

Here is an example of some of those files.

securitynik@snort3:~/snort-files$ ls /var/log/snort/*.csv
/var/log/snort/perf_monitor_base.csv  /var/log/snort/perf_monitor_flow.csv
/var/log/snort/perf_monitor_cpu.csv   /var/log/snort/perf_monitor_flow_ip.csv

Here are the contents of perf_monitor_flow_ip.csv.

securitynik@snort3:~/snort-files$ sudo cat /var/log/snort/perf_monitor_flow_ip.csv
#timestamp,flow_ip.ip_a,flow_ip.ip_b,flow_ip.tcp_packets_a_b,flow_ip.tcp_bytes_a_b,flow_ip.tcp_packets_b_a,flow_ip.tcp_bytes_b_a,flow_ip.udp_packets_a_b,flow_ip.udp_bytes_a_b,flow_ip.udp_packets_b_a,flow_ip.udp_bytes_b_a,flow_ip.other_packets_a_b,flow_ip.other_bytes_a_b,flow_ip.other_packets_b_a,flow_ip.other_bytes_b_a,flow_ip.tcp_established,flow_ip.tcp_closed,flow_ip.udp_created
1612227193,10.0.2.15,91.189.89.199,0,0,0,0,12,1080,12,1080,0,0,0,0,0,0,12
1612227193,10.0.2.15,52.216.249.236,428,24196,225,307879,0,0,0,0,0,0,0,0,1,1,0
1612227193,10.0.2.15,140.82.112.4,566,32293,173,123010,0,0,0,0,0,0,0,0,2,2,0
1612227193,10.0.2.15,35.224.170.84,156,11527,145,12818,0,0,0,0,0,0,0,0,29,29,0
1612227193,10.0.2.15,99.86.62.122,5159,280212,2047,1390660,0,0,0,0,0,0,0,0,1,1,0
....
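The flow_ip file is the one worth keeping for baselining, since each row is a pair of talkers with byte counts in each direction. The following is an added example (not from the post or from Snort) that parses the header and rows shown above, ranks peers by volume, and pulls out two shapes a defender looks for in a window like this: pairs where the monitored host sends far more than it receives, and pairs with many short TCP sessions carrying little data each. The thresholds are arbitrary starting points.

```python
import csv

# Constructed sample: the header and the five rows shown on this page.
SAMPLE_FLOW_IP = """\
#timestamp,flow_ip.ip_a,flow_ip.ip_b,flow_ip.tcp_packets_a_b,flow_ip.tcp_bytes_a_b,flow_ip.tcp_packets_b_a,flow_ip.tcp_bytes_b_a,flow_ip.udp_packets_a_b,flow_ip.udp_bytes_a_b,flow_ip.udp_packets_b_a,flow_ip.udp_bytes_b_a,flow_ip.other_packets_a_b,flow_ip.other_bytes_a_b,flow_ip.other_packets_b_a,flow_ip.other_bytes_b_a,flow_ip.tcp_established,flow_ip.tcp_closed,flow_ip.udp_created
1612227193,10.0.2.15,91.189.89.199,0,0,0,0,12,1080,12,1080,0,0,0,0,0,0,12
1612227193,10.0.2.15,52.216.249.236,428,24196,225,307879,0,0,0,0,0,0,0,0,1,1,0
1612227193,10.0.2.15,140.82.112.4,566,32293,173,123010,0,0,0,0,0,0,0,0,2,2,0
1612227193,10.0.2.15,35.224.170.84,156,11527,145,12818,0,0,0,0,0,0,0,0,29,29,0
1612227193,10.0.2.15,99.86.62.122,5159,280212,2047,1390660,0,0,0,0,0,0,0,0,1,1,0
"""


def parse_flow_ip(text):
    """Rows as dicts keyed by the stat name without the 'flow_ip.' prefix; numbers as int."""
    lines = [l for l in text.splitlines() if l.strip()]
    # header starts with '#' and every column but the first carries a 'flow_ip.' prefix
    fields = [h.lstrip("#").split(".", 1)[-1] for h in lines[0].split(",")]
    rows = []
    for rec in csv.DictReader(lines[1:], fieldnames=fields):
        rows.append({k: v if k in ("ip_a", "ip_b") else int(v) for k, v in rec.items()})
    return rows


def peer_totals(rows):
    """Bytes each way per address pair, summed over TCP, UDP and other, largest first."""
    out = []
    for r in rows:
        sent = r["tcp_bytes_a_b"] + r["udp_bytes_a_b"] + r["other_bytes_a_b"]
        received = r["tcp_bytes_b_a"] + r["udp_bytes_b_a"] + r["other_bytes_b_a"]
        out.append({"ip_a": r["ip_a"], "ip_b": r["ip_b"], "sent": sent,
                    "received": received, "total": sent + received})
    return sorted(out, key=lambda p: p["total"], reverse=True)


def upload_heavy(rows, ratio=2.0):
    """Pairs where a->b bytes exceed b->a by the given factor (a baseline question, not an alert)."""
    return [(p["ip_a"], p["ip_b"], p["sent"], p["received"])
            for p in peer_totals(rows) if p["sent"] > ratio * p["received"]]


def many_short_sessions(rows, min_sessions=10):
    """Pairs with many TCP sessions in the window: (ip_a, ip_b, sessions, bytes per session)."""
    out = []
    for r in rows:
        n = r["tcp_established"]
        if n >= min_sessions:
            out.append((r["ip_a"], r["ip_b"], n, (r["tcp_bytes_a_b"] + r["tcp_bytes_b_a"]) // n))
    return out


if __name__ == "__main__":
    rows = parse_flow_ip(SAMPLE_FLOW_IP)
    for p in peer_totals(rows):
        print(f"{p['ip_a']:>12} <-> {p['ip_b']:<16} sent {p['sent']:>8}  received {p['received']:>8}")
    print("upload-heavy:", upload_heavy(rows))
    print("many short sessions:", many_short_sessions(rows))
```

On the sample, 99.86.62.122 dominates by volume, nothing is upload-heavy, and 35.224.170.84 stands out for 29 TCP sessions in one 60-second window averaging under 1 KB each. None of that is malicious on its own; it is the kind of per-peer shape you record now so that a change later is visible.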

Obtaining and installing OpenAppID. I downloaded it to my workstation and then transferred it to my Snort3 box via SCP.

C:\users\securitynik\downloads>scp snort-openappid.tar.gz securitynik@10.0.0.116:~/snort-files
securitynik@10.0.0.116's password:
snort-openappid.tar.gz                                 100%  409KB   4.6MB/s   00:00

Verify the hash against the one posted online.

securitynik@snort3:~$ md5sum snort-openappid.tar.gz
3d407b77a0b58d71a14235e0960f86c4  snort-openappid.tar.gz

With the hash confirmed, extract the files.

securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort-openappid.tar.gz

Copy the "odp" directory to "/usr/local/etc/odp"

securitynik@snort3:~/snort-files$ sudo mkdir --parents /usr/local/etc/odp
securitynik@snort3:~/snort-files$ sudo cp odp/* /usr/local/etc/odp/ --recursive --verbose

Modify the "appid" section to point to the "odp" folder. Here is what my config looks like after the change.

appid =
{
    -- appid requires this to use appids in rules
    app_detector_dir = '/usr/local/etc/'
}

appid_listener =
{
    json_logging = true,
    file = "/var/log/snort/appid_json.txt",
}

Next up, let's take advantage of Realtime Network Awareness (RNA) host discovery. This is a feature I really liked as part of supporting Sourcefire IPS. I'm happy to see this is now part of Snort3 also.

First, let's create a config file at "/usr/local/etc/rna.conf".

securitynik@snort3:~$ cat /usr/local/etc/rna.conf
-- Discover host information for any IPv4 and IPv6 hosts
-- As of this writing, only host discovery has been implemented
-- Hopefully soon they will implement application and user
-- Then again, we can get some of that application information
-- from the APPID we previously configured

config Analyze 0.0.0.0/0 -1
config Analyze ::/0 -1


Continuing, let's modify our Snort config (snort.lua) to add the RNA inspector.

...
dce_http_proxy = { }
dce_http_server = { }

-- information for RNA
host_cache = { dump_file = '/var/log/snort/rna.dump' }  -- Store discovered host information
rna =
{
    rna_conf_path = '/usr/local/etc/rna.conf',        -- Configuration file path
    dump_file = '/var/log/snort/rna_mac_cache.dump',  -- Dump the RNA MAC cache on shutdown
}
-- The rna peg counts printed at shutdown (not options): icmp_bidirectional (bidirectional
-- ICMP flows received), icmp_new (new ICMP flows), ip_new (new IP flows received),
-- udp_bidirectional (bidirectional UDP flows), tcp_syn (TCP SYNs received),
-- tcp_syn_ack (TCP SYN-ACKs received), other_packets (packets received without
-- session tracking), change_host_update (change host events)

Run Snort to see the RNA config in effect.

securitynik@snort3:~$ sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua \
--snaplen 65535 -k none -l /var/log/snort -i enp0s3:enp0s8 -A cmg
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
        ...
        ftp_server
        port_scan
        rna
        dce_http_server
        ...

With RNA loaded, generate some traffic that Snort3 can see, then shut down Snort after a few minutes (or hours if you wish) and look at the stats on the console.

--------------------------------------------------
rna
             appid_change: 77
       icmp_bidirectional: 2
                 icmp_new: 2
        udp_bidirectional: 23
                  udp_new: 23
                  tcp_syn: 9
              tcp_syn_ack: 8
            other_packets: 12
--------------------------------------------------

Looks good! Let's look to see if the files were created and their contents.

securitynik@snort3:~$ ls /var/log/snort/*rna* -al
-rw------- 1 root root 1271 Feb  4 12:05 /var/log/snort/rna.dump
-rw------- 1 root root  178 Feb  4 12:23 /var/log/snort/rna_mac_cache.dump

Taking a peek at the rna.dump file, we see ...

securitynik@snort3:~$ sudo head --lines 11 /var/log/snort/rna.dump
Current host cache size: 2915 bytes, 5 trackers

IP: 172.217.1.19
    type: Host, ttl: 64, hops: 255, time: 2021-02-04 17:03:42
macs size: 1
    mac: 52:54:00:12:35:02, ttl: 64, primary: 0, time: 2021-02-04 17:01:21
services size: 1
    port: 80, proto: 6, appid: 676, vendor: ghs, vendor: GSE
network proto: 2048
transport proto: 1, 6
....

And peeking into the rna_mac_cache.dump file, we see two MAC addresses.

securitynik@snort3:~$ sudo cat /var/log/snort/rna_mac_cache.dump
Current mac cache size: 228 bytes, 2 trackers

MAC: 52:54:00:12:35:02
 Key: 90520731923714
 Network proto: 2054

MAC: 08:00:27:2a:ba:15
 Key: 8796750133781
 Network proto: 2054
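The host cache dump is a passive asset inventory, which is most useful when you can diff it against what you expect to be on the wire. Here is an added example, not from the post or from the Snort project, that parses the rna.dump text format shown above into host records and lists the services RNA observed that are not on an allowed list. The first host is the one from the page; the second is constructed to exercise multiple services and a primary MAC. The parser assumes the layout shown (an "IP:" line, a "type:" line, "macs size:" and "services size:" groups, then the protocol lines).

```python
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: the host shown on this page plus a second, made-up host.
SAMPLE_RNA_DUMP = """\
Current host cache size: 2915 bytes, 5 trackers

IP: 172.217.1.19
    type: Host, ttl: 64, hops: 255, time: 2021-02-04 17:03:42
macs size: 1
    mac: 52:54:00:12:35:02, ttl: 64, primary: 0, time: 2021-02-04 17:01:21
services size: 1
    port: 80, proto: 6, appid: 676, vendor: ghs, vendor: GSE
network proto: 2048
transport proto: 1, 6

IP: 10.0.2.15
    type: Host, ttl: 64, hops: 0, time: 2021-02-04 17:05:00
macs size: 1
    mac: 08:00:27:2a:ba:15, ttl: 64, primary: 1, time: 2021-02-04 17:00:00
services size: 2
    port: 22, proto: 6, appid: 0
    port: 53, proto: 17, appid: 0
network proto: 2048
transport proto: 6, 17
"""


def _pairs(line):
    """'port: 80, proto: 6' -> [('port', '80'), ('proto', '6')]; keeps repeated keys."""
    return [tuple(p.strip() for p in item.split(":", 1))
            for item in line.split(",") if ":" in item]


def parse_rna_dump(text):
    """Parse the host_cache dump into a list of host dicts (IP, MACs, services, protocols)."""
    hosts, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IP:"):
            cur = {"ip": line.split(":", 1)[1].strip(), "macs": [], "services": [],
                   "transport_protos": []}
            hosts.append(cur)
            section = None
        elif cur is None:
            continue                      # the "Current host cache size" header
        elif line.startswith("macs size:"):
            section = "macs"
        elif line.startswith("services size:"):
            section = "services"
        elif line.startswith("network proto:"):
            cur["network_proto"] = int(line.split(":", 1)[1])
        elif line.startswith("transport proto:"):
            cur["transport_protos"] = [int(x) for x in line.split(":", 1)[1].split(",")]
        elif line.startswith("type:"):
            d = dict(_pairs(line))
            cur.update(type=d["type"], ttl=int(d["ttl"]), hops=int(d["hops"]), last_seen=d["time"])
        elif section == "macs" and line.startswith("mac:"):
            d = dict(_pairs(line))
            cur["macs"].append({"mac": d["mac"].lower(), "primary": d["primary"] == "1",
                                "last_seen": d["time"]})
        elif section == "services" and line.startswith("port:"):
            pairs = _pairs(line)
            d = dict(pairs)
            cur["services"].append({"port": int(d["port"]), "proto": int(d["proto"]),
                                    "appid": int(d["appid"]),
                                    "vendor": [v for k, v in pairs if k == "vendor"]})
    return hosts


def listening_services(hosts):
    """Flatten to (ip, port, protocol name) triples, the view an asset inventory wants."""
    return sorted((h["ip"], s["port"], PROTO_NAMES.get(s["proto"], str(s["proto"])))
                  for h in hosts for s in h["services"])


def unexpected_services(hosts, allowed):
    """Services RNA observed that are not in the allowed set of (ip, port) pairs."""
    return [t for t in listening_services(hosts) if (t[0], t[1]) not in allowed]


if __name__ == "__main__":
    hosts = parse_rna_dump(SAMPLE_RNA_DUMP)
    for h in hosts:
        print(h["ip"], [m["mac"] for m in h["macs"]], "last seen", h["last_seen"])
    print("observed:", listening_services(hosts))
    print("not on the allowed list:", unexpected_services(hosts, {("10.0.2.15", 22)}))
```

Note that "hops: 255" on the first host is what RNA records for a host it cannot place, so the hop count is only trustworthy for hosts on the local segment. Note also that the "vendor" key repeats on one service line; the parser keeps every value rather than letting a dict silently drop one.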

Let's move on from the snort.lua configuration file and set up PulledPork to run automatically.

securitynik@snort3:~$ crontab -l
no crontab for securitynik

securitynik@snort3:~$ crontab -e
no crontab for securitynik - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.tiny
  3. /bin/ed

Choose 1-3 [1]: 1



10 1 * * * /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP

crontab: installing new crontab


Before configuring Snort3 to start as a service, let's look to see if the network card has any type of offloading configured.

securitynik@snort3:~$ ethtool --show-offload enp0s3 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]


securitynik@snort3:~$ ethtool --show-offload enp0s8 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]

Create a systemd service to turn off the ones flagged as "on" above.

securitynik@snort3:~$ sudo touch /lib/systemd/system/ethtool.service

securitynik@snort3:~$ cat /lib/systemd/system/ethtool.service
[Unit]
Description=Ethtool Configuration for Network Interface
Requires=network.target
After=network.target

[Service]
Type=oneshot
# The leading "-" lets the unit carry on if one feature cannot be changed
# (large-receive-offload is reported as "off [fixed]" above)
ExecStart=-/sbin/ethtool -K enp0s3 gro off
ExecStart=-/sbin/ethtool -K enp0s3 lro off
ExecStart=-/sbin/ethtool -K enp0s3 tso off
ExecStart=-/sbin/ethtool -K enp0s3 gso off

ExecStart=-/sbin/ethtool -K enp0s8 gro off
ExecStart=-/sbin/ethtool -K enp0s8 lro off
ExecStart=-/sbin/ethtool -K enp0s8 tso off
ExecStart=-/sbin/ethtool -K enp0s8 gso off

[Install]
WantedBy=multi-user.target

We see below that various offloading features have been disabled ("off") for the interfaces I'm monitoring.

securitynik@snort3:~$ ethtool --show-offload enp0s3 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]

securitynik@snort3:~$ ethtool --show-offload enp0s8 | grep --perl-regexp "^generic|^tcp-segmentation|^large"
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]

Enable and start the ethtool service.

securitynik@snort3:~$ sudo systemctl enable --now ethtool.service
Created symlink /etc/systemd/system/multi-user.target.wants/ethtool.service → /lib/systemd/system/ethtool.service.

Before configuring the Snort3 service, create a group named "snort" and a "snort" system user assigned to it.

securitynik@snort3:~$ sudo groupadd snort
securitynik@snort3:~$ sudo useradd --system --shell /sbin/nologin --comment "Snort3_IDS/IPS User" --gid snort snort

Change the ownership and permission on the /var/log/snort folder and verify its ownership.

securitynik@snort3:~$ sudo chmod --recursive 5775 /var/log/snort/
securitynik@snort3:~$ sudo chown --recursive snort:snort /var/log/snort/

securitynik@snort3:~$ ls /var/log/snort/ -al
total 22292
drwsrwxr-t  2 snort snort      4096 Feb  3 14:52 .
drwxrwxr-x 14 root  syslog     4096 Feb  3 09:49 ..
-rwxrwxr-t  1 snort snort  22782434 Feb  3 14:52 alert_json.txt
...

Next up, create the Snort3 systemd service.

securitynik@snort3:~$ sudo vi /lib/systemd/system/snort3.service

securitynik@snort3:~$ cat /lib/systemd/system/snort3.service
[Unit]
Description=Snort3 NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --snaplen 65535 \
-k none -l /var/log/snort -D -u snort -g snort -i enp0s3:enp0s8 -m 0x1b --create-pidfile

[Install]
WantedBy=multi-user.target

Enable and start the Snort3 service.

securitynik@snort3:~$ sudo systemctl enable --now snort3
Created symlink /etc/systemd/system/multi-user.target.wants/snort3.service → /lib/systemd/system/snort3.service.

securitynik@snort3:~$ systemctl status snort3.service
● snort3.service - Snort3 NIDS Daemon
     Loaded: loaded (/lib/systemd/system/snort3.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-02-03 16:30:24 EST; 41s ago
   Main PID: 77578 (snort)
      Tasks: 2 (limit: 4654)
     Memory: 114.6M
     CGroup: /system.slice/snort3.service
             └─77578 /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --snaplen 65535 -k none -l /v>

Feb 03 16:30:24 snort3 systemd[1]: Started Snort3 NIDS Daemon.


Snort3 on Ubuntu 20 - Feeding and testing the pig - rules and PulledPork

Now that we have installed and configured Snort3, as well as learned a little about it, let's now look at feeding the pig ... giving it rules ... and then testing those rules before we perform our housekeeping.

Let's create the directories for us to store our rules and block lists.

securitynik@snort3:~$ sudo mkdir /usr/local/etc/rules
securitynik@snort3:~$ sudo mkdir /usr/local/etc/so_rules/
securitynik@snort3:~$ sudo mkdir /usr/local/etc/lists/

Next, let's create some required files.

securitynik@snort3:~$ sudo touch /usr/local/etc/rules/snort.rules
securitynik@snort3:~$ sudo touch /usr/local/etc/rules/local.rules
securitynik@snort3:~$ sudo touch /usr/local/etc/lists/default.blocklist

securitynik@snort3:~$ sudo mkdir /usr/local/etc/pulledpork

... and our directory to store our logs

securitynik@snort3:~$ sudo mkdir /var/log/snort

With those in place, let's create three sample rules to test the traffic in our PCAP file, using the Snort 2.x method of writing rules.

securitynik@snort3:~$ sudo gedit /usr/local/etc/rules/local.rules &

securitynik@snort3:~$ sudo cat /usr/local/etc/rules/local.rules 
alert tcp any any -> any any (msg:"SecurityNik Testing TCP"; sid:40000001;)
alert icmp any any -> any any (msg:"SecurityNik ICMP"; sid:40000002;)
alert udp any any -> any any (msg:"SecurityNik Testing UDP"; sid:40000003;) 

When this rule file is passed as input to Snort3, we see the first three alerts and notice we are once again leveraging the "--talos" tweaks.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none\
 -A "alert_full" -q -n 3 --talos
[**] [1:40000003:0]  <securitynik-sample.pcap> "SecurityNik Testing UDP" [**]
[Priority: 0] 
02/01-14:23:06.999138 10.0.2.15:40793 -> 64.71.255.198:53
UDP TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF
Len: 58

[**] [1:40000003:0]  <securitynik-sample.pcap> "SecurityNik Testing UDP" [**]
[Priority: 0] 
02/01-14:23:07.017818 64.71.255.198:53 -> 10.0.2.15:40793
UDP TTL:64 TOS:0x0 ID:47115 IpLen:20 DgmLen:198
Len: 170

[**] [1:40000001:0]  <securitynik-sample.pcap> "SecurityNik Testing TCP" [**]
[Priority: 0] 
02/01-14:23:07.020863 10.0.2.15:33244 -> 35.232.111.17:80
TCP TTL:64 TOS:0x0 ID:53105 IpLen:20 DgmLen:60 DF
******S* Seq: 0x31F1E987  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK  TS: 3340894439 0 NOP WS: 7

[**] [1:1:0]  <securitynik-sample.pcap> "Nik Testing" [**]
[Priority: 0] 
02/01-14:23:07.020863 10.0.2.15:33244 -> 35.232.111.17:80
TCP TTL:64 TOS:0x0 ID:53105 IpLen:20 DgmLen:60 DF
******S* Seq: 0x31F1E987  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK  TS: 3340894439 0 NOP WS: 7

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid       sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===       === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1  40000003   0         2       2      2        10         5         5             0        0        0
2         1  40000001   0         1       1      1         4         4         4             0        0        0
3         1         1   0         1       1      1         0         0         0             0        0        0

Let's rewrite the above rules using the Snort3 format, adding some additional components, and then run them against two different PCAPs.

alert http
(
    msg:"Looking for SecurityNik HTTP - wget and ragel traffic!";    # Message I would like the user to see
    flow:established, to_server;                                     # Monitor traffic for which the 3-way handshake is completed and direction is client to server
    http_method;                                                     # Focus on the buffer containing the HTTP method
    content:"|47 45 54|", offset 0, depth 3;                         # Look for the hex bytes representing GET, starting at offset 0 and spanning 3 bytes
    http_uri:path;                                                   # Look at the buffer containing the URI path
    content:"/files/ragel/ragel-6.10.tar.gz", distance 0, within 30; # Look for this content
    pcre:"/ragel\-\d{1,3}\.\d{1,3}\.tar\.gz/i";                      # Use a regular expression pattern to look for the file above
    http_header:field User-Agent;                                    # Look into the User-Agent field in the HTTP header
    content:"wget/1.20.3", nocase;                                   # Check to see if the user agent contains wget
    regex:"/wget\/\d{1,2}\.\d{2}\.\d{1,2}/i";                        # My understanding is regex allows us to take advantage of Hyperscan. Notice above I used pcre instead.
    http_header:field Host;                                          # Look at the Host field in the HTTP header
    content:"www|2e|colm|2e|net", nocase;                            # Look for the hostname www.colm.net
    reference:URL, "www.securitynik.com";
    classtype:suspicious-filename-detect;
    priority:1;                                                      # Give the rule a priority of 1. Max value 31
    rev:5;                                                           # Every time the rule is updated the revision number should change
    sid:4;                                                           # Every rule should have an ID
)

alert dns
(
    msg:"Looking for SecurityNik DNS traffic!";                      # Message
    id:11471;                                                        # Value in the IP ID field
    content:"www|0B|securitynik|03|com", nocase;                     # Content to search for. A mix of string and hex
    classtype:misc-attack;
    priority:4;
    rev:3;
    sid:5;
)

alert icmp
(
    msg:"Looking for SecurityNik ICMP traffic!";
    id:38446;                                                        # Value in the IP ID field
    itype:8;                                                         # ICMP type
    icode:0;                                                         # ICMP code
    content:"|30 31 32 33 34 35 36 37|";                             # Search for hex pattern
    classtype:malware-cnc;
    priority:20;
    rev:2;
    sid:6;
)

First run against securitynik-sample.pcap.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none -A cmg  -q --talos | more
02/01-14:56:37.512330 [**] [1:4:5]  <securitynik-sample.pcap> "Looking for SecurityNik HTTP - wget and ragel traffic!" [**] [Classification: A suspicious filename was detected] [Priority: 1] {TCP} 10.0.2.15:33478 -> 192.155.89.46:80

http_inspect.http_method[3]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
47 45 54                                          GET
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_version[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
48 54 54 50 2F 31 2E 31                           HTTP/1.1 
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_uri[30]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 66 69 6C 65 73 2F 72  61 67 65 6C 2F 72 61 67  /files/r agel/rag
65 6C 2D 36 2E 31 30 2E  74 61 72 2E 67 7A        el-6.10. tar.gz
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_header[119]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
55 73 65 72 2D 41 67 65  6E 74 3A 20 57 67 65 74  User-Age nt: Wget
2F 31 2E 32 30 2E 33 20  28 6C 69 6E 75 78 2D 67  /1.20.3  (linux-g
6E 75 29 0D 0A 41 63 63  65 70 74 3A 20 2A 2F 2A  nu)..Acc ept: */*
0D 0A 41 63 63 65 70 74  2D 45 6E 63 6F 64 69 6E  ..Accept -Encodin
67 3A 20 69 64 65 6E 74  69 74 79 0D 0A 48 6F 73  g: ident ity..Hos
74 3A 20 77 77 77 2E 63  6F 6C 6D 2E 6E 65 74 0D  t: www.c olm.net.
0A 43 6F 6E 6E 65 63 74  69 6F 6E 3A 20 4B 65 65  .Connect ion: Kee
70 2D 41 6C 69 76 65                             p-Alive
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     4   5         1       1      1       905       905       905             0        0        0

Running it against the securitynik-other-sample.pcap.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
 -R /usr/local/etc/rules/local.rules -r securitynik-other-sample.pcap \
 -k none -A cmg  -q --talos | more
02/02-13:39:01.871758 [**] [1:5:3]  <securitynik-other-sample.pcap> "Looking for SecurityNik DNS traffic!" 
[**] [Classification: Misc Attack] [Priority: 4] {UDP} 10.0.2.15:59456 -> 64.71.255.198:53
08:00:27:2A:BA:15 -> 52:54:00:12:35:02 type:0x800 len:0x5A
10.0.2.15:59456 -> 64.71.255.198:53 UDP TTL:64 TOS:0x0 ID:11471 IpLen:20 DgmLen:76 DF
Len: 48

dns.raw[48]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
28 B8 01 00 00 01 00 00  00 00 00 01 03 77 77 77  (....... .....www
0B 73 65 63 75 72 69 74  79 6E 69 6B 03 63 6F 6D  .securit ynik.com
00 00 01 00 01 00 00 29  02 00 00 00 00 00 00 00  .......) ........
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

02/02-13:39:57.839673 [**] [1:6:2]  <securitynik-other-sample.pcap> "Looking for SecurityNik ICMP traffic!" [**] [Classification: Known malware command and control traffic] [Priority: 20] {ICMP} 10.0.2.15 -> 172.217.164.211
08:00:27:2A:BA:15 -> 52:54:00:12:35:02 type:0x800 len:0x62
10.0.2.15 -> 172.217.164.211 ICMP TTL:64 TOS:0x0 ID:38446 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1   Seq:1  ECHO

snort.raw[56]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
7D 9C 19 60 00 00 00 00  C6 CF 0C 00 00 00 00 00  }..`.... ........
10 11 12 13 14 15 16 17  18 19 1A 1B 1C 1D 1E 1F  ........ ........
20 21 22 23 24 25 26 27  28 29 2A 2B 2C 2D 2E 2F   !"#$%&' ()*+,-./
30 31 32 33 34 35 36 37                           01234567 
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     6   2         2       1      1        59        29        58             1        0        0
2         1     5   3         4       1      1        15         3        12             1        0        0

Before configuring PulledPork, maybe you wish to see output from snort in CSV format.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none -A csv -q | more
[sudo] password for securitynik: 
02/01-14:56:37.512330, 1206, TCP, stream_tcp, 119, C2S, 10.0.2.15:33478, 192.155.89.46:80, 1:4:5, allow

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -r securitynik-other-sample.pcap -k none -A csv -q | more
02/02-13:39:01.871758, 214, UDP, raw, 76, C2S, 10.0.2.15:59456, 64.71.255.198:53, 1:5:3, allow
02/02-13:39:57.839673, 255, ICMP, raw, 84, C2S, 10.0.2.15:0, 172.217.164.211:0, 1:6:2, allow

At this point, we know our Snort3 installation is working with our local rules. Now let's feed the pig via PulledPork.

First up, prerequisites.

If you wish, you can register at snort.org to get an OINK code. Once you have that, you can gain access to the registered rules. If not, you can use the community rules.

Next, install the software prerequisites.

securitynik@snort3:~$ cd ~/snort-files/
securitynik@snort3:~$ sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

Next up, clone Pulledpork, copy the pulledpork.pl file to /usr/local/bin and make it executable. Then copy the config file (pulledpork.conf) to /usr/local/etc/pulledpork.

securitynik@snort3:~/snort-files$ git clone https://github.com/shirkdog/pulledpork.git

securitynik@snort3:~/snort-files$ cd pulledpork/
securitynik@snort3:~/snort-files/pulledpork$ sudo cp pulledpork.pl /usr/local/bin/ -v
'pulledpork.pl' -> '/usr/local/bin/pulledpork.pl'
securitynik@snort3:~/snort-files/pulledpork$ sudo chmod +x /usr/local/bin/pulledpork.pl 
securitynik@snort3:~/snort-files/pulledpork$ sudo cp etc/*.conf /usr/local/etc/pulledpork/

Verifying that pulledpork is configured and working properly.

securitynik@snort3:~/snort-files/pulledpork$ pulledpork.pl -V
PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!

Let's now modify the pulledpork.conf file. As always, before modifying a config file, I like to make a copy of it.

securitynik@snort3:~/snort-files/pulledpork$ sudo cp /usr/local/etc/pulledpork/pulledpork.conf /usr/local/etc/pulledpork/pulledpork.conf.ORIG

Change line 19 from ...

19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

... to

19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|4aabb98....bd138aFF

If you have an OINK code, change line 21 from ...

21. rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

... to the following by commenting it out (#). If you do not have an OINK code for line 19, leave line 21 as it is so that you get the community rules, and comment out line 19 instead. If you do have an OINK code, comment out line 21, as the community rules are included in the registered rules.

21. #rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Change line 72 from ...

72. rule_path=/usr/local/etc/snort/rules/snort.rules

... to reflect the path of the files we created above.

72. rule_path=/usr/local/etc/rules/snort.rules

Change line 87 from ...

87. local_rules=/usr/local/etc/snort/rules/local.rules

... to

87. local_rules=/usr/local/etc/rules/local.rules

Change line 94 from ...

94. sid_msg_version=1

... to

94. sid_msg_version=2

Change line 110 from ...

110. sorule_path=/usr/local/lib/snort_dynamicrules/

... to

110. sorule_path=/usr/local/etc/so_rules/

Change line 117 from ...

117. config_path=/usr/local/etc/snort/snort.conf

... to

117. config_path=/usr/local/etc/snort/snort.lua

Change line 134 from ...

134. distro=FreeBSD-12

... to

134. distro=Ubuntu-18-4

Change line 142 from ...

142. block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

... to

142. block_list=/usr/local/etc/lists/default.blocklist

Change line 151 from ...

151. IPRVersion=/usr/local/etc/snort/rules/iplists

... to

151. IPRVersion=/usr/local/etc/lists


Change line 186 from ...

186. pid_path=/var/run/snort_eth0.pid

... to

186. pid_path=/var/log/snort/snort.pid

Change the Snort version on line 196 from ...

# snort_version=2.9.0.0

... to

snort_version=3.0.0.0

Finally, let's uncomment line 209, changing it from ...

# ips_policy=security

... to

ips_policy=security
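
As an added example (not from the post or from the PulledPork project), the edits walked through above can be applied with sed and then read back for verification before PulledPork is run. The config below is a constructed stand-in holding only the lines being changed, and the OINK code is a placeholder you must replace with your own.

```shell
#!/bin/bash
# Added example, not from the post or the PulledPork project: apply the
# pulledpork.conf edits walked through above with sed, then read back each
# key so the file can be verified before running PulledPork.
set -eu

# Constructed stand-in for the stock pulledpork.conf lines being edited
# (the real file has many more lines; keys and defaults match the post).
make_sample_conf() {
  cat > "$1" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg_version=1
sorule_path=/usr/local/lib/snort_dynamicrules/
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-12
block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
IPRVersion=/usr/local/etc/snort/rules/iplists
pid_path=/var/run/snort_eth0.pid
# snort_version=2.9.0.0
# ips_policy=security
EOF
}

# Apply the edits in place. $1 = conf path, $2 = OINK code (empty means the
# registered feed is commented out and the community feed stays enabled).
configure_pulledpork() {
  conf="$1"; oink="${2:-}"
  cp "$conf" "$conf.ORIG"   # keep a pristine copy, as the post does
  if [ -n "$oink" ]; then
    sed -i "s|<oinkcode>|$oink|" "$conf"
    sed -i 's|^rule_url=https://snort.org/downloads/community/|#&|' "$conf"
  else
    sed -i 's|^rule_url=https://www.snort.org/reg-rules/|#&|' "$conf"
  fi
  sed -i \
    -e 's|^rule_path=.*|rule_path=/usr/local/etc/rules/snort.rules|' \
    -e 's|^local_rules=.*|local_rules=/usr/local/etc/rules/local.rules|' \
    -e 's|^sid_msg_version=.*|sid_msg_version=2|' \
    -e 's|^sorule_path=.*|sorule_path=/usr/local/etc/so_rules/|' \
    -e 's|^config_path=.*|config_path=/usr/local/etc/snort/snort.lua|' \
    -e 's|^distro=.*|distro=Ubuntu-18-4|' \
    -e 's|^block_list=.*|block_list=/usr/local/etc/lists/default.blocklist|' \
    -e 's|^IPRVersion=.*|IPRVersion=/usr/local/etc/lists|' \
    -e 's|^pid_path=.*|pid_path=/var/log/snort/snort.pid|' \
    -e 's|^# *snort_version=.*|snort_version=3.0.0.0|' \
    -e 's|^# *ips_policy=security|ips_policy=security|' \
    "$conf"
}

# Value of an active (uncommented) key; empty if absent or commented out.
conf_get() { sed -n "s|^$2=||p" "$1"; }

# Number of active rule_url lines; exactly one is expected after the edits.
active_rule_urls() { grep -c '^rule_url=' "$1" || true; }

# Stand-alone run: build the sample, apply the edits and show the result.
if [ "${1:-}" = "--demo" ]; then
  make_sample_conf /tmp/pulledpork.conf.demo
  configure_pulledpork /tmp/pulledpork.conf.demo "OINKCODE_PLACEHOLDER"
  cat /tmp/pulledpork.conf.demo
fi
```

Point the functions at /usr/local/etc/pulledpork/pulledpork.conf on a real system, then check active_rule_urls reports 1 and conf_get returns the expected paths before running PulledPork.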

With those steps completed, let's run PulledPork.

securitynik@snort3:~$ sudo pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -PEl

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-3000.tar.gz....
Rules tarball download of snortrules-snapshot-3000.tar.gz....
        They Match
        Done!
IP Blocklist download of https://snort.org/downloads/ip-block-list....
Reading IP List...
Prepping rules from snortrules-snapshot-3000.tar.gz for work....
        Done!
....

Rule Stats...
        New:-------15151
        Deleted:---0
        Enabled Rules:----15151
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------15151
IP Blocklist Stats...
        Total IPs:-----816

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Run Snort again against one of our PCAPs, this time using the newly downloaded rules.

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua --tweaks talos --pcap-list securitynik-sample.pcap -R /usr/local/etc/rules/snort.rules
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading talos.lua:
Finished talos.lua:
        ssh
        hosts
        ....
Loading rule args:
Loading /usr/local/etc/rules/snort.rules:
Finished /usr/local/etc/rules/snort.rules:
Finished rule args:
--------------------------------------------------
rule counts
       total rules loaded: 15151
               text rules: 15151
            option chains: 15151
            chain headers: 332
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     222       9       7       3
     src    5852      24       0       0
     dst    8852     191       0       0
    both       2       3       0       0
   total   14928     227       7       3
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   15151       0   15151    /usr/local/etc/snort/snort.lua
--------------------------------------------------


....

Appid Statistics
--------------------------------------------------
detected apps and services
              Application: Flows      Clients    Users      Payloads   Misc       Incompat.  Failed
                  unknown: 323        0          0          0          0          0          0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.667893
                 pkts/sec: 21044
                Mbits/sec: 124
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1 34937   2       235       0      0       716         3         0             3        0        0
2         1 53975   2       321       0      0       290         0         0             0        0        0
3         1 37730   5       321       0      0       262         0         0             0        0        0
4         1 37731   5       353       0      0        94         0         0             0        0        0
5         1 55704   2        34       0      0        78         2         0             2        0        0
6         1 53264   1        26       0      0        61         2         0             2        0        0
7         1 47030   1         5       0      0         7         1         0             1        0        0
8         1 32005   8         1       0      0         4         4         0             4        0        0
9         1 32406   3         1       0      0         3         3         0             3        0        0
10        1 32405   3         1       0      0         2         2         0             2        0        0
o")~   Snort exiting

OK, we have now fed the pig and given it enough wings to fly. Let's wrap up this 4-part series with some important housekeeping activities. See you in the next post.


References:

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2

https://github.com/shirkdog/pulledpork

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/004/026/original/Snort_3_GA_on_OracleLinux_8.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/131/original/Snort_3_on_openSUSE_Leap_42.3.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/176/original/Snort_3_on_FreeBSD_11.pdf



Snort3 on Ubuntu 20 - The Initial Setup

Now that Cisco has released Snort3 via general availability, I decided to do a quick 4-part series on its installation, learning a little about Snort3, feeding the pig and Snort3 housekeeping.

Back in 2014, I did a post on "Building snort 3.0 (snort++)". With 6 years elapsing, I wanted to see what has changed with the installation and thus this new series.

Additionally and more importantly, I'm sure we will eventually transition the SANS SEC503 Intrusion Detection in Depth class to Snort3. When we do, I doubt whether we will show you how to install and configure Snort3. Thus this 4-part series and the associated reference materials below are also being made available, so that our SEC503 students have the resources readily available if and/or when they choose to install and/or configure Snort3.

For this post, we will leverage my previous post in conjunction with Snort 3.1.0.0 on Ubuntu 18 & 20 - Configuring a Full NIDS & SIEM by Noah Dietrich from the snort.org website as well as additional information from other sources.

This is all based on a clean minimal installation of Ubuntu 20 on VirtualBox.

securitynik@snort3:~$ lsb_release --all
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Note: If you choose to install VirtualBox tools from the "CD", you may get an error about "This system is currently not set up to build kernel modules." To resolve this, execute:

securitynik@snort3:~$ sudo apt install virtualbox-guest-utils virtualbox-guest-dkms

As always, we expect your system to be fully updated and hardened. There are various hardening guides online, such as those from the Center For Internet Security. However, to ensure your system is at least updated, run the following:

securitynik@snort3:~$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade -y

Depending on your install, you may also need to install gcc and make.

securitynik@snort3:~$ sudo apt-get install gcc make

Time is of great importance. To ensure your system time reflects your time zone, use the following commands. Note also that you should consider taking advantage of NTP, as I've done below, rather than manually configuring your time.

First list the available time zones

securitynik@snort3:~$ sudo timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Algiers

....
America/Tijuana
America/Toronto
America/Vancouver
America/Whitehorse
America/Winnipeg
....

I will set mine as America/Toronto, while I set my hardware clock to UTC and use an NTP server. Local time can be problematic when using NTP, as the time may not be properly updated during shifts to and from daylight saving time.

securitynik@snort3:~$ sudo timedatectl set-timezone America/Toronto
securitynik@snort3:~$ sudo timedatectl set-local-rtc False
securitynik@snort3:~$ sudo timedatectl set-ntp True

Verifying the time configuration.

securitynik@snort3:~$ sudo timedatectl 
               Local time: Wed 2021-01-27 11:14:29 EST 
           Universal time: Wed 2021-01-27 16:14:29 UTC 
                 RTC time: Wed 2021-01-27 16:14:29     
                Time zone: America/Toronto (EST, -0500)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

Do note, if you are monitoring intrusion events (via Snort, SIEM or any other tool) across different time zones, you are better off having your systems in UTC time. This makes it easy to correlate activities across these various time zones. 

With time properly configured, let's now install Snort3 by starting with its dependencies.

In my previous install, I did a lot of compiling of code. It looks like that is still the case at this time and will probably be that way for a while. I hope sooner rather than later, it is incorporated within a package manager.

Let's first create a directory to store our downloaded files

securitynik@snort3:~$ pwd
/home/securitynik
securitynik@snort3:~$ mkdir snort-files
securitynik@snort3:~$ cd snort-files/

Now that we are inside the snort-files folder, let's grab the pre-requisites.

securitynik@snort3:~/snort-files$ sudo apt-get install -y build-essential \
autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev \
pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest \
libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev \
libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

Next install Safe C Library (safeclib) from GitHub.

securitynik@snort3:~/snort-files$ git clone https://github.com/rurban/safeclib.git
securitynik@snort3:~/snort-files$ cd safeclib/
securitynik@snort3:~/snort-files/safeclib$ build-aux/autogen.sh
securitynik@snort3:~/snort-files/safeclib$ ./configure && make && sudo make install

Next we install pcre-8.44, the version specified in the Snort document, so that we can leverage Hyperscan for fast pattern matching.

securitynik@snort3:~/snort-files$ wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ cd pcre-8.44/
securitynik@snort3:~/snort-files/pcre-8.44$ ./configure && make && sudo make install

After pcre-8.44, we install gperftools (originally Google Performance Tools).

securitynik@snort3:~/snort-files$ git clone https://github.com/gperftools/gperftools.git
securitynik@snort3:~/snort-files$ cd gperftools
securitynik@snort3:~/snort-files/gperftools$ ./autogen.sh 
securitynik@snort3:~/snort-files/gperftools$ ./configure && make && sudo make install

Next up, install the Ragel State Machine Compiler. If you wish to install the latest version as of this writing, which is 7.0.3, you will need to install the Colm Programming Language. I stuck with version 6 as described in the Snort document, as Colm produced some errors which I did not wish to spend much time troubleshooting.

securitynik@snort3:~/snort-files$ wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --gzip --verbose --file ragel-6.10.tar.gz 
securitynik@snort3:~/snort-files$ cd ragel-6.10/
securitynik@snort3:~/snort-files/ragel-6.10$ ./configure && make && sudo make install

Next up, we download but DO NOT install the Boost C++ libraries. We also verify the file hash against the SHA256 hash published on the website.

securitynik@snort3:~/snort-files$ wget https://boostorg.jfrog.io/artifactory/main/release/1.75.0/source/boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz 
aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a  boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz 
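
The post prints the SHA256 and then extracts regardless; as an added example (not from the post or from Boost), the check below refuses to unpack the archive unless the digest matches the published value, so a tampered or truncated download never lands in the build tree. The sample file and digests in the comments are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the post: gate extraction of a downloaded tarball on
# its SHA-256 matching the digest published on the project's download page.
set -eu

# $1 = file, $2 = expected hex digest (as copied from the download page).
# Returns 0 on match, 1 on mismatch or unreadable file. The comparison is
# case-insensitive because sites publish digests in either case.
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Extract only after the digest checks out; otherwise report and leave it alone.
extract_if_verified() {
  if verify_sha256 "$1" "$2"; then
    tar --extract --file "$1"
  else
    echo "SHA-256 mismatch for $1; refusing to extract" >&2
    return 1
  fi
}

# Stand-alone usage, e.g. for the Boost tarball from the post:
#   extract_if_verified boost_1_75_0.tar.gz <digest from boost.org>
```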

Let's grab Hyperscan.

securitynik@snort3:~/snort-files$ git clone https://github.com/intel/hyperscan
securitynik@snort3:~/snort-files$ cd hyperscan
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install

Install flatbuffers.

securitynik@snort3:~/snort-files$ git clone https://github.com/google/flatbuffers.git
securitynik@snort3:~/snort-files$ mkdir flatbuffers-build
securitynik@snort3:~/snort-files$ cd flatbuffers-build/
securitynik@snort3:~/snort-files/flatbuffers-build$ cmake ../flatbuffers
securitynik@snort3:~/snort-files/flatbuffers-build$ make && sudo make install

Next up, install the Data Acquisition Library (DAQ).

securitynik@snort3:~/snort-files$ git clone https://github.com/snort3/libdaq.git
securitynik@snort3:~/snort-files$ cd libdaq/
securitynik@snort3:~/snort-files/libdaq$ ./bootstrap 
securitynik@snort3:~/snort-files/libdaq$ ./configure && make && sudo make install

Wheewwww! That is a lot of prerequisites. Hopefully, they can package all of these up via a package manager to make the install process easier. Note that if you don't install them in the order provided, you can expect one or more products to complain about dependencies on other products.

Finally, let's update the shared library cache.

securitynik@snort3:~$ sudo ldconfig

Now for the main course. Let's install Snort3. Because sometime after this install I would like to see what the command shell looks like, I'm also enabling that via the configure script, along with the ability to process PCAPs over two gigabytes.

securitynik@snort3:~/snort-files$ wget https://www.snort.org/downloads/snortplus/snort3-3.1.0.0.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort3-3.1.0.0.tar.gz 
securitynik@snort3:~/snort-files$ cd snort3-3.1.0.0/
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc  --enable-shell --enable-large-pcap  
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ cd build/
securitynik@snort3:~/snort-files/snort3-3.1.0.0/build$ make && sudo make install

Once I run snort --version, we see what seems to suggest we are good to go.

securitynik@snort3:~$ snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.0.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.44 2020-02-12
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.4.0 2021-01-28
           Using LZMA version 5.2.4

Running a test using the default configuration, we see below Snort successfully validated the configuration (with 0 warnings).

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
	ssh
	hosts
	host_cache
	pop
	...
	stream_file
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Oink! Oink! Our piggy is preparing to fly. See you in the next post, where we learn a little bit more about Snort3 before feeding it via rules and performing housekeeping.


References:

https://www.snort.org/snort3

https://snort.org/documents

https://www.snort.org/downloads

https://www.securitynik.com/2014/12/building-snort-30-snort.html

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/175/original/Snort_3_Multiple_Packet_Threads_Processing.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf

https://www.youtube.com/watch?v=W1pb9DFCXLw&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=1

https://askubuntu.com/questions/1140770/this-system-is-currently-not-set-up-to-build-kernel-modules-please-install-the

https://github.com/rurban/safeclib

https://www.hyperscan.io/

https://github.com/intel/hyperscan

https://github.com/gperftools/gperftools

https://www.colm.net/open-source/ragel/

https://www.boost.org/

http://google.github.io/flatbuffers/

https://www.snort.org/faq/readme-daq

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/023/original/ids2ips.txt

https://github.com/snort3/libdaq

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/344/original/snort_reference.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/343/original/snort_user.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/342/original/snort_devel.html

https://blog.snort.org/2015/03/basic-snort-usage.html

https://geekflare.com/nginx-error-while-loading-shared-libraries-libpcre-so-1/

https://usermanual.wiki/Document/snortmanual.1752822391.pdf

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2

https://www.usenix.org/sites/default/files/conference/protected-files/nsdi19_slides_wang_xiang.pdf