Friday, February 5, 2021

Snort3 on Ubuntu 20 - The Initial Setup

Now that Cisco has released Snort3 as generally available, I decided to do a quick four-part series on its installation, learning a little about Snort3, feeding the pig and Snort3 housekeeping.

Back in 2014, I did a post on "Building snort 3.0 (snort++)". With six years elapsed, I wanted to see what has changed with the installation, and thus this new series.

Additionally, and more importantly, I'm sure we will eventually transition the SANS SEC503 Intrusion Detection in Depth class to Snort3. When we do, I doubt we will show you how to install and configure it. This four-part series and the associated reference materials below are therefore also being made available so that SEC503 students have the resources readily at hand if and when they choose to install or configure Snort3.

For this post, we will leverage my previous post in conjunction with "Snort 3.1.0.0 on Ubuntu 18 & 20 - Configuring a Full NIDS & SIEM" by Noah Dietrich from the snort.org website, as well as additional information from other sources.

This is all based on a clean Ubuntu 20.04 minimal install on VirtualBox.

securitynik@snort3:~$ lsb_release --all
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Note: If you choose to install the VirtualBox guest additions from the virtual "CD", you may get the error "This system is currently not set up to build kernel modules." To resolve this, execute:

securitynik@snort3:~$ sudo apt install virtualbox-guest-utils virtualbox-guest-dkms

As always, we expect your system to be fully updated and hardened. There are various hardening guides online, such as those from the Center For Internet Security. However, to ensure your system is at least updated, run the following:

securitynik@snort3:~$ sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y

Depending on your install, you may also need gcc and make (the build-essential package installed later also pulls these in):

securitynik@snort3:~$ sudo apt-get install gcc make

Time is of great importance. To ensure your system time reflects your time zone, use the following commands. Note also that you should take advantage of NTP, as I've done below, rather than setting the time manually.

First list the available time zones

securitynik@snort3:~$ sudo timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Algiers

....
America/Tijuana
America/Toronto
America/Vancouver
America/Whitehorse
America/Winnipeg
....

I will set my time zone to America/Toronto, keep the hardware clock (RTC) in UTC and use an NTP server. Keeping the RTC in local time is problematic, as the time may not be properly updated during shifts to and from daylight saving time.

securitynik@snort3:~$ sudo timedatectl set-timezone America/Toronto
securitynik@snort3:~$ sudo timedatectl set-local-rtc False
securitynik@snort3:~$ sudo timedatectl set-ntp True

Verifying the time configuration.

securitynik@snort3:~$ sudo timedatectl 
               Local time: Wed 2021-01-27 11:14:29 EST 
           Universal time: Wed 2021-01-27 16:14:29 UTC 
                 RTC time: Wed 2021-01-27 16:14:29     
                Time zone: America/Toronto (EST, -0500)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

Do note, if you are monitoring intrusion events (via Snort, SIEM or any other tool) across different time zones, you are better off having your systems in UTC time. This makes it easy to correlate activities across these various time zones. 
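As an added check (example code, not part of the original post), the function below reads the KEY=VALUE output of `timedatectl show` on stdin, which the systemd shipped with Ubuntu 20.04 provides, and succeeds only when the system clock is NTP-synchronized and the RTC is kept in UTC. It is worth running on a sensor before trusting its event timestamps, since an unsynchronized clock silently breaks correlation with other log sources. The CLOCK_OK_RUN variable is my own, not a systemd setting.

```shell
#!/bin/sh
# Added example: verify the clock state configured above.
# Reads `timedatectl show` (KEY=VALUE lines) on stdin and returns 0 only
# when the clock is NTP synchronized and the RTC is not kept in local time.
clock_ok() {
    synced=no
    local_rtc=yes
    tz=""
    while IFS='=' read -r key value; do
        case "$key" in
            NTPSynchronized) synced=$value ;;
            LocalRTC)        local_rtc=$value ;;
            Timezone)        tz=$value ;;
        esac
    done
    if [ "$synced" != "yes" ]; then
        echo "clock_ok: system clock is not NTP synchronized" >&2
        return 1
    fi
    if [ "$local_rtc" != "no" ]; then
        echo "clock_ok: RTC is in local time; run 'timedatectl set-local-rtc false'" >&2
        return 1
    fi
    echo "clock_ok: synchronized, RTC in UTC, time zone ${tz:-unknown}"
    return 0
}

# Run the live check only when asked, so this file can also be sourced.
if [ "${CLOCK_OK_RUN:-0}" = "1" ]; then
    timedatectl show | clock_ok
fi
```

Run it as `timedatectl show | clock_ok` after sourcing the file, or with CLOCK_OK_RUN=1 when executing it directly; a non-zero exit means the sensor's timestamps should not yet be trusted.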

With time properly configured, let's now install Snort3 by starting with its dependencies.

In my previous install, I did a lot of compiling of code. It looks like that is still the case at this time and will probably be that way for a while. I hope sooner rather than later, it is incorporated within a package manager.

Let's first create a directory to store our downloaded files

securitynik@snort3:~$ pwd
/home/securitynik
securitynik@snort3:~$ mkdir snort-files
securitynik@snort3:~$ cd snort-files/

Now that we are inside the snort-files folder, let's grab the prerequisites. (Watch the line continuations: a backslash must be the last character on the line, with no trailing space after it.)

securitynik@snort3:~/snort-files$ sudo apt-get install -y build-essential \
autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev \
pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest \
libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev \
libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

Next install Safe C Library (safeclib) from GitHub.

securitynik@snort3:~/snort-files$ git clone https://github.com/rurban/safeclib.git
securitynik@snort3:~/snort-files$ cd safeclib/
securitynik@snort3:~/snort-files/safeclib$ build-aux/autogen.sh
securitynik@snort3:~/snort-files/safeclib$ ./configure && make && sudo make install

Next we install PCRE 8.44 from source, the version the Snort document calls for, so that Hyperscan can be built against it and used for fast pattern matching.

securitynik@snort3:~/snort-files$ wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ cd pcre-8.44/
securitynik@snort3:~/snort-files/pcre-8.44$ ./configure && make && sudo make install

After PCRE, we install gperftools (originally Google Performance Tools), which provides the tcmalloc allocator we enable in Snort's configure step later.

securitynik@snort3:~/snort-files$ git clone https://github.com/gperftools/gperftools.git
securitynik@snort3:~/snort-files$ cd gperftools
securitynik@snort3:~/snort-files/gperftools$ ./autogen.sh
securitynik@snort3:~/snort-files/gperftools$ ./configure && make && sudo make install

Next up, install the Ragel State Machine Compiler. If you wish to install the latest version as of this writing, 7.0.3, you will need to install the Colm Programming Language first. I stuck with version 6, as described in the Snort document, because Colm produced some errors which I did not wish to spend much time troubleshooting.

securitynik@snort3:~/snort-files$ wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --gzip --verbose --file ragel-6.10.tar.gz 
securitynik@snort3:~/snort-files$ cd ragel-6.10/
securitynik@snort3:~/snort-files/ragel-6.10$ ./configure && make && sudo make install

Next up, we download but DO NOT build or install the Boost C++ libraries; Hyperscan only needs the Boost headers. We also verify the tarball against the SHA256 hash published on the website before extracting it.

securitynik@snort3:~/snort-files$ wget https://boostorg.jfrog.io/artifactory/main/release/1.75.0/source/boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz 
aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a  boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz 

Let's grab Hyperscan and point its build at the Boost headers we just extracted.

securitynik@snort3:~/snort-files$ git clone https://github.com/intel/hyperscan
securitynik@snort3:~/snort-files$ cd hyperscan
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install

Install flatbuffers

securitynik@snort3:~/snort-files$ git clone https://github.com/google/flatbuffers.git
securitynik@snort3:~/snort-files$ mkdir flatbuffers-build
securitynik@snort3:~/snort-files$ cd flatbuffers-build/
securitynik@snort3:~/snort-files/flatbuffers-build$ cmake ../flatbuffers
securitynik@snort3:~/snort-files/flatbuffers-build$ make && sudo make install

Next up, install the Data Acquisition Library (DAQ)

securitynik@snort3:~/snort-files$ git clone https://github.com/snort3/libdaq.git
securitynik@snort3:~/snort-files$ cd libdaq/
securitynik@snort3:~/snort-files/libdaq$ ./bootstrap 
securitynik@snort3:~/snort-files/libdaq$ ./configure && make && sudo make install

Whew! That is a lot of prerequisites. Hopefully they can all be packaged up via a package manager to make the install process easier. Note that if you don't install them in the order given, you can expect one or more of the builds to fail because a dependency from an earlier step is missing.

Finally, lets update the shared libraries.

securitynik@snort3:~$ sudo ldconfig

Now for the main course: installing Snort3 itself. Because I would like to look at the command shell at some point after this install, I'm enabling it via the configure script, along with tcmalloc and the ability to process PCAPs over two gigabytes.

securitynik@snort3:~/snort-files$ wget https://www.snort.org/downloads/snortplus/snort3-3.1.0.0.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort3-3.1.0.0.tar.gz 
securitynik@snort3:~/snort-files$ cd snort3-3.1.0.0/
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc  --enable-shell --enable-large-pcap  
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ cd build/
securitynik@snort3:~/snort-files/snort3-3.1.0.0/build$ make && sudo make install
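The steps above fetch most components as unpinned git HEADs and several tarballs without a hash check (the Ragel one over plain HTTP). As an added example, not code from the original post or from the Snort project, the helper below runs the same build chain in the same order, but checks out an exact ref for every clone and refuses to extract any tarball whose SHA-256 does not match. Only the Boost hash is taken from the post; the values marked FILL_IN are placeholders to be copied from the upstream release pages, and the v-prefixed tag names are my assumption based on the versions `snort --version` reports, so confirm them upstream. The SNORT_BUILD_RUN variable and the WORK directory layout are mine as well.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: rebuild the
# dependency chain with pinned refs and SHA-256 checks, in the post's order.
# FILL_IN values are placeholders; the script fails closed on them.
set -u

WORK="${WORK:-${HOME:-/tmp}/snort-files}"

# Only the Boost hash is from the post. Tag names are assumptions based on
# the versions `snort --version` reported; confirm them upstream.
BOOST_SHA256=aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a
PCRE_SHA256=FILL_IN
RAGEL_SHA256=FILL_IN
SNORT_SHA256=FILL_IN
SAFECLIB_REF=FILL_IN
GPERFTOOLS_REF=FILL_IN
HYPERSCAN_REF=${HYPERSCAN_REF:-v5.4.0}
FLATBUFFERS_REF=${FLATBUFFERS_REF:-v1.12.0}
LIBDAQ_REF=${LIBDAQ_REF:-v3.0.0}

# verify_sha256 FILE EXPECTED: 0 when the file's SHA-256 matches, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        printf 'hash mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
        return 1
    fi
    return 0
}

# fetch_tarball URL SHA256: download once, verify, then extract into $WORK.
# A mismatching (or FILL_IN) hash means nothing gets extracted.
fetch_tarball() {
    name=$(basename "$1")
    [ -f "$WORK/$name" ] || wget -q -O "$WORK/$name" "$1" || return 1
    verify_sha256 "$WORK/$name" "$2" || return 1
    tar --extract --file "$WORK/$name" --directory "$WORK"
}

# clone_pinned URL REF: clone once and check out an exact tag or commit,
# instead of whatever HEAD happens to be on the day of the build.
clone_pinned() {
    if [ "$2" = FILL_IN ]; then
        echo "clone_pinned: no ref pinned for $1" >&2
        return 1
    fi
    dir="$WORK/$(basename "$1" .git)"
    [ -d "$dir" ] || git clone --quiet "$1" "$dir" || return 1
    git -C "$dir" -c advice.detachedHead=false checkout --quiet "$2"
}

# autotools_build DIR [BOOTSTRAP]: optional bootstrap, then configure/make/install.
autotools_build() {
    ( cd "$1" && { [ -z "${2:-}" ] || "$2"; } \
        && ./configure && make -j"$(nproc)" && sudo make install )
}

# cmake_build SRCDIR [CMAKE ARGS...]: out-of-source cmake build and install.
cmake_build() {
    src="$1"; shift
    mkdir -p "$src/build" && ( cd "$src/build" \
        && cmake -DCMAKE_INSTALL_PREFIX=/usr/local "$@" .. \
        && make -j"$(nproc)" && sudo make install )
}

main() {
    set -e
    mkdir -p "$WORK"
    clone_pinned https://github.com/rurban/safeclib.git "$SAFECLIB_REF"
    autotools_build "$WORK/safeclib" build-aux/autogen.sh
    fetch_tarball https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz "$PCRE_SHA256"
    autotools_build "$WORK/pcre-8.44"
    clone_pinned https://github.com/gperftools/gperftools.git "$GPERFTOOLS_REF"
    autotools_build "$WORK/gperftools" ./autogen.sh
    fetch_tarball http://www.colm.net/files/ragel/ragel-6.10.tar.gz "$RAGEL_SHA256"
    autotools_build "$WORK/ragel-6.10"
    fetch_tarball https://boostorg.jfrog.io/artifactory/main/release/1.75.0/source/boost_1_75_0.tar.gz "$BOOST_SHA256"
    clone_pinned https://github.com/intel/hyperscan.git "$HYPERSCAN_REF"
    cmake_build "$WORK/hyperscan" -DBOOST_ROOT="$WORK/boost_1_75_0"
    clone_pinned https://github.com/google/flatbuffers.git "$FLATBUFFERS_REF"
    cmake_build "$WORK/flatbuffers"
    clone_pinned https://github.com/snort3/libdaq.git "$LIBDAQ_REF"
    autotools_build "$WORK/libdaq" ./bootstrap
    sudo ldconfig
    fetch_tarball https://www.snort.org/downloads/snortplus/snort3-3.1.0.0.tar.gz "$SNORT_SHA256"
    ( cd "$WORK/snort3-3.1.0.0" && ./configure_cmake.sh --prefix=/usr/local \
        --enable-tcmalloc --enable-shell --enable-large-pcap \
        && cd build && make -j"$(nproc)" && sudo make install )
}

# Run only when explicitly asked, so the functions can also be sourced.
if [ "${SNORT_BUILD_RUN:-0}" = 1 ]; then
    main
fi
```

Fill in the FILL_IN hashes and refs first, then run with SNORT_BUILD_RUN=1. Every placeholder left in place stops the build at that step rather than letting an unverified download through, which is the behaviour you want from a build helper that will be compiling code to run with root privileges on a sensor.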

Once I run snort --version, we see what suggests we are good to go.

securitynik@snort3:~$ snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.0.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.44 2020-02-12
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.4.0 2021-01-28
           Using LZMA version 5.2.4

Running a test using the default configuration, we see below Snort successfully validated the configuration (with 0 warnings).

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
	ssh
	hosts
	host_cache
	pop
	...
	stream_file
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Oink! Oink! Our piggy is preparing to fly. See you in the next post, where we learn a little more about Snort3 before feeding it rules and performing housekeeping.


References:

https://www.snort.org/snort3

https://snort.org/documents

https://www.snort.org/downloads

https://www.securitynik.com/2014/12/building-snort-30-snort.html

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/175/original/Snort_3_Multiple_Packet_Threads_Processing.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/013/original/Snort_IPS_using_DAQ_AFPacket.pdf

https://www.youtube.com/watch?v=W1pb9DFCXLw&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=1

https://askubuntu.com/questions/1140770/this-system-is-currently-not-set-up-to-build-kernel-modules-please-install-the

https://github.com/rurban/safeclib

https://www.hyperscan.io/

https://github.com/intel/hyperscan

https://github.com/gperftools/gperftools

https://www.colm.net/open-source/ragel/

https://www.boost.org/

http://google.github.io/flatbuffers/

https://www.snort.org/faq/readme-daq

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/023/original/ids2ips.txt

https://github.com/snort3/libdaq

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/344/original/snort_reference.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/343/original/snort_user.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/342/original/snort_devel.html

https://blog.snort.org/2015/03/basic-snort-usage.html

https://geekflare.com/nginx-error-while-loading-shared-libraries-libpcre-so-1/

https://usermanual.wiki/Document/snortmanual.1752822391.pdf

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2

https://www.usenix.org/sites/default/files/conference/protected-files/nsdi19_slides_wang_xiang.pdf

8 comments:

  1. Failed to install:

    Step:

    securitynik@snort3:~/snort-files$ wget https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.gz

    securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz
    aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a boost_1_75_0.tar.gz

    securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz

    ====

    I had changed it to:

    $ sudo wget https://boostorg.jfrog.io/artifactory/main/release/1.76.0/source/boost_1_76_0.tar.gz

    $ sudo tar --extract --verbose --file boost_1_76_0.tar.gz

    ====

    then fail at:

    securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
    securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install

    I did:

    $ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_76_0/ ../hyperscan/

    -- Build type RELWITHDEBINFO
    -- using release build
    CMake Error at cmake/boost.cmake:23 (message):

    Boost 1.57.0 or later not found. Either install system packages if
    available, extract Boost headers to
    /home/atlas/snort-files/hyperscan/include, or set the CMake BOOST_ROOT
    variable.
    Call Stack (most recent call first):
    CMakeLists.txt:72 (include)

    ====

    and fail at:

    $ sudo make && sudo make install
    make: *** No targets specified and no makefile found. Stop.

    Any suggestions?


    Replies
    1. :-) I think I see your problem. You downloaded "boost_1_76_0.tar.gz". However, your cmake command has "=~/snort-files/boost_1_75_0/". Change this to "=~/snort-files/boost_1_76_0/" and you should be fine.

      Good luck and thanks for visiting my blog.

    2. Failed Install, I had already changed the version number and got the error. Other solutions?

      I had already changed:

      securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/

      as and ran:

      user@pc:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_76_0/ ../hyperscan/



      Thank you.

    3. Send me the command you are executing and the error you get when you use Boost 1_75_0

  2. Is there website email address I can send details?

    ==========

    Failed install also when followed instructions from Snort website: https://www.snort.org/documents/snort-3-1-0-0-on-ubuntu-18-20

    Even when replaced both "Boost C++ Libraries" & "Hyperscan" to the latest versions: boost_1_76_0 & hyperscan-5.4.0

    =================

    "Send me the command you are executing and the error you get when you use Boost 1_75_0"

    I cannot download "Boost 1_75_0". Website says "Forbidden"

    https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.gz

    =================

    Error: "CMake Error at cmake/boost.cmake:23 (message): Boost 1.57.0 or later not found."

    =================

    $ sudo cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_76_0/ ../hyperscan/

    -- Build type RELWITHDEBINFO
    -- using release build
    CMake Error at cmake/boost.cmake:23 (message):

    Boost 1.57.0 or later not found. Either install system packages if
    available, extract Boost headers to
    /home/atlas/snort-files/hyperscan/include, or set the CMake BOOST_ROOT
    variable.
    Call Stack (most recent call first):
    CMakeLists.txt:72 (include)

    =================

    Thank you

    Replies
    1. Try this link: https://www.boost.org/users/history/version_1_75_0.html

  3. in order to get hyperscan to compile in an lxc container i had to change a line in cmake/build_wrapper.sh from:
    nm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ ]*\).*/^\1$/' >> ${KEEPSYMS}

    to:
    nm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ @]*\).*/^\1$/' >> ${KEEPSYMS}

    per:
    https://github.com/intel/hyperscan/issues/292

    There's also a bug because glibc changed the constant SIGSTKSZ to _SC_SIGSTKSZ, so I changed tools/hscollider/sig.cpp line 178 and 190 to represent that, here's the bug report:

    https://github.com/intel/hyperscan/issues/359
