Now that Cisco has released Snort3 via general availability, I decided to do a quick 4 part series on its installation, learning a little about Snort3, feeding the pig and Snort3 housekeeping.
Back in 2014, I did a post on "Building snort 3.0 (snort++)". With 6 years elapsing, I wanted to see what has changed with the installation and thus this new series.
Additionally and more importantly, I'm sure we will eventually transition the SANS SEC503 Intrusion Detection in Depth class to Snort3. When we do, I doubt whether we will show you how to install and configure Snort3. Thus this 4 part series and the associated reference materials below, are also being made available, so our SEC503 students are in a position to have the resources readily available, if and or when they choose to perform an install and or configuration of Snort3.
For this post, we will leverage my previous post in conjunction with Snort 3.1.0.0 on Ubuntu 18 & 20 - Configuring a Full NIDS & SIEM by Noah Dietrich from the snort.org website as well as additional information from other sources.
This is all based on a clean installation of Ubuntu 20 minimal install on VirtualBox.
1 2 3 4 5 6 | securitynik@snort3:~$ lsb_release --all No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.1 LTS Release: 20.04 Codename: focal |
Note: If you choose to install VirtualBox tools from the "CD", you may get an error about "**This system is currently not set up to build kernel modules.". To resolve, this execute:
1 | securitynik@snort3:~$ sudo apt install virtualbox-guest-utils virtualbox-guest-dkms
|
As always, we expect your system to be fully updated and hardened. There are various hardening guides online, such as those from the Center For Internet Security. However, to ensure your system is at least updated, run the following:
1 | securitynik@snort3:~$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade -y
|
Depending on your install you may also need to install gcc and make
1 | securitynik@snort3:~$ sudo apt-get install gcc make
|
securitynik@snort3:~$ sudo timedatectl list-timezones Africa/Abidjan Africa/Accra Africa/Algiers .... America/Tijuana America/Toronto America/Vancouver America/Whitehorse America/Winnipeg ....
securitynik@snort3:~$ sudo timedatectl set-timezone America/Toronto securitynik@snort3:~$ sudo timedatectl set-local-rtc False securitynik@snort3:~$ sudo timedatectl set-ntp True
Verifying the time configuration.
securitynik@snort3:~$ sudo timedatectl Local time: Wed 2021-01-27 11:14:29 EST Universal time: Wed 2021-01-27 16:14:29 UTC RTC time: Wed 2021-01-27 16:14:29 Time zone: America/Toronto (EST, -0500) System clock synchronized: yes NTP service: active RTC in local TZ: no
Do note, if you are monitoring intrusion events (via Snort, SIEM or any other tool) across different time zones, you are better off having your systems in UTC time. This makes it easy to correlate activities across these various time zones.
With time properly configured, let's now install Snort3 by starting with its dependencies.
securitynik@snort3:~$ pwd /home/securitynik securitynik@snort3:~$ mkdir snort-files securitynik@snort3:~$ cd snort-files/
Now that we are inside the snort-files folder, let's grab the pre-requisites.
securitynik@snort3:~/snort-files$ sudo apt-get install -y build-essential \
autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev \
pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest \
libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev \
libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool
Next install Safe C Library (safeclib) from GitHub.
securitynik@snort3:~/snort-files$ git clone https://github.com/rurban/safeclib.git securitynik@snort3:~/snort-files$ cd safeclib/ securitynik@snort3:~/snort-files/safeclib$ build-aux/autogen.sh securitynik@snort3:~/snort-files/safeclib$ ./configure && make && sudo make install
Next we install pcre-8.44 as specified so that we can leverage Hyperscan for fast pattern matching.
securitynik@snort3:~/snort-files$ wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file pcre-8.44.tar.gz securitynik@snort3:~/snort-files$ cd pcre-8.44/ securitynik@snort3:~/snort-files/pcre-8.44$ ./configure && make && sudo make install
After pcre-8.44 we next install gperftools (originally Google Performance Tools)
securitynik@snort3:~/snort-files$ git clone https://github.com/gperftools/gperftools.git securitynik@snort3:~/snort-files/gperftools$ cd gperftools securitynik@snort3:~/snort-files/gperftools$ ./autogen.sh securitynik@snort3:~/snort-files/gperftools$ ./configure && make && sudo make install
Next up install Ragel State Machine Compiler. If you wish to install the latest version as of this writing which is 7.0.3, you will need to install Colm Programming Language. I stuck with version 6 as described in the Snort document as Colm produced some errors which I did not wish to spend much time troubleshooting .
securitynik@snort3:~/snort-files$ wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz securitynik@snort3:~/snort-files$ tar --extract --gzip --verbose --file ragel-6.10.tar.gz securitynik@snort3:~/snort-files$ cd ragel-6.10/ securitynik@snort3:~/snort-files/ragel-6.10$ ./configure && make && sudo make install
Next up, we download but DO NOT install boost c++ libraries. We also verify the file hash based on the SHA256 Hash from the website.
securitynik@snort3:~/snort-files$ wget https://boostorg.jfrog.io/artifactory/main/release/1.75.0/source/boost_1_75_0.tar.gz securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a boost_1_75_0.tar.gz securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz
Let's grab Hyperscan.
securitynik@snort3:~/snort-files$ git clone https://github.com/intel/hyperscan securitynik@snort3:~/snort-files$ cd hyperscan securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/ securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install
securitynik@snort3:~/snort-files$ git clone https://github.com/google/flatbuffers.git securitynik@snort3:~/snort-files$ mkdir flatbuffers-build securitynik@snort3:~/snort-files$ cd flatbuffers-build/ securitynik@snort3:~/snort-files/flatbuffers-build$ cmake ../flatbuffers securitynik@snort3:~/snort-files/flatbuffers-build$ make && sudo make install
securitynik@snort3:~/snort-files$ git clone https://github.com/snort3/libdaq.git securitynik@snort3:~/snort-files$ cd libdaq/ securitynik@snort3:~/snort-files/libdaq$ ./bootstrap securitynik@snort3:~/snort-files/libdaq$ ./configure && make && sudo make install
securitynik@snort3:~$ sudo ldconfig
Now for the main course. Let's install Snort3. Because sometime after this install I would like to see what the command shell looks like, I'm also enabling that via the configure script along with the ability to process PCAPs over two Gigabytes.
securitynik@snort3:~/snort-files$ wget https://www.snort.org/downloads/snortplus/snort3-3.1.0.0.tar.gz securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort3-3.1.0.0.tar.gz securitynik@snort3:~/snort-files$ cd snort3-3.1.0.0/ securitynik@snort3:~/snort-files/snort3-3.1.0.0$ ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc --enable-shell --enable-large-pcap securitynik@snort3:~/snort-files/snort3-3.1.0.0$ cd build/ securitynik@snort3:~/snort-files/snort3-3.1.0.0/build$ make && sudo make install
scuritynik@snort3:~$ snort --version ,,_ -*> Snort++ <*- o" )~ Version 3.1.0.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.0 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 1.1.1f 31 Mar 2020 Using libpcap version 1.9.1 (with TPACKET_V3) Using PCRE version 8.44 2020-02-12 Using ZLIB version 1.2.11 Using FlatBuffers 1.12.0 Using Hyperscan version 5.4.0 2021-01-28 Using LZMA version 5.2.4
Running a test using the default configuration, we see below Snort successfully validated the configuration (with 0 warnings).
securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua -------------------------------------------------- o")~ Snort++ 3.1.0.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: Loading file_magic.lua: Finished file_magic.lua: ssh hosts host_cache pop ... stream_file Finished /usr/local/etc/snort/snort.lua: -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting
Oink! Onik! Our piggy is preparing to fly. See you in the next post where we learn a little bit more about Snort3 before feeding it via rules and performing house keeping.
References:
https://www.snort.org/downloads
https://www.securitynik.com/2014/12/building-snort-30-snort.html
https://www.youtube.com/watch?v=W1pb9DFCXLw&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=1
https://github.com/rurban/safeclib
https://github.com/intel/hyperscan
https://github.com/gperftools/gperftools
https://www.colm.net/open-source/ragel/
http://google.github.io/flatbuffers/
https://www.snort.org/faq/readme-daq
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html
https://github.com/snort3/libdaq
https://blog.snort.org/2015/03/basic-snort-usage.html
https://geekflare.com/nginx-error-while-loading-shared-libraries-libpcre-so-1/
https://usermanual.wiki/Document/snortmanual.1752822391.pdf
https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2
https://www.usenix.org/sites/default/files/conference/protected-files/nsdi19_slides_wang_xiang.pdf
Failed to install:
ReplyDeleteStep:
securitynik@snort3:~/snort-files$ wget https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.gz
securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz
aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a boost_1_75_0.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz
====
I had changed it to:
$ sudo wget https://boostorg.jfrog.io/artifactory/main/release/1.76.0/source/boost_1_76_0.tar.gz
$ sudo tar --extract --verbose --file boost_1_76_0.tar.gz
====
then fail at:
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install
I did:
$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_76_0/ ../hyperscan/
-- Build type RELWITHDEBINFO
-- using release build
CMake Error at cmake/boost.cmake:23 (message):
Boost 1.57.0 or later not found. Either install system packages if
available, extract Boost headers to
/home/atlas/snort-files/hyperscan/include, or set the CMake BOOST_ROOT
variable.
Call Stack (most recent call first):
CMakeLists.txt:72 (include)
====
and fail at:
$ sudo make && sudo make install
make: *** No targets specified and no makefile found. Stop.
Any suggestions?
:-) I think I see your problem. You downloaded "boost_1_76_0.tar.gz". However, your cmake command has "=~/snort-files/boost_1_75_0/". Change this to "=~/snort-files/boost_1_76_0/" and you should be fine.
DeleteGood luck and thanks for visiting my blog.
Failed Install, I had already changed the version number and got the error. Other solutions?
DeleteI had already changed:
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
as and ran:
user@pc:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_76_0/ ../hyperscan/
Thank you.
Send me the command you are executing and the error you get when you use Boost 1_75_0
DeleteIs there website email address I can send details?
ReplyDelete==========
Faild install also when followed instructions from Snort website: https://www.snort.org/documents/snort-3-1-0-0-on-ubuntu-18-20
Even when replaced both "Boost C++ Libraries" & "Hyperscan" to the latest versions: boost_1_76_0 & hyperscan-5.4.0
=================
"Send me the command you are executing and the error you get when you use Boost 1_75_0"
I cannot download "Boost 1_75_0". Website says "Forbidden"
https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.gz
=================
Error: "CMake Error at cmake/boost.cmake:23 (message): Boost 1.57.0 or later not found."
=================
$ sudo cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_76_0/ ../hyperscan/
-- Build type RELWITHDEBINFO
-- using release build
CMake Error at cmake/boost.cmake:23 (message):
Boost 1.57.0 or later not found. Either install system packages if
available, extract Boost headers to
/home/atlas/snort-files/hyperscan/include, or set the CMake BOOST_ROOT
variable.
Call Stack (most recent call first):
CMakeLists.txt:72 (include)
=================
Thank you
Try this link: https://www.boost.org/users/history/version_1_75_0.html
Deletein order to get hyperscan to compile in an lxc container i had to change a line in cmake/build_wrapper.sh from:
ReplyDeletenm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ ]*\).*/^\1$/' >> ${KEEPSYMS}
to:
nm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ @]*\).*/^\1$/' >> ${KEEPSYMS}
per:
https://github.com/intel/hyperscan/issues/292
There's also a bug because glibc changed the constant SZSTKSZ TO _SC_SIGSTKSZ, so I changed tools/hscollider/sig.cpp line 178 and 190 to represent that, here's the bug report:
https://github.com/intel/hyperscan/issues/359
“Bonus abuse” will get your account permanently banned from the site, and 1xbet you’ll lose any money you’ve already deposited or earned. In basic, making an attempt to redeem MyBookie promo codes from more than one account or IP tackle is taken into account “bonus abuse”. If you’d rather claim any of MyBookie’s other promotions, you can use use|you must use} their drop-down menu decide out} your favorite bonus from the pack. Regardless, the minimal deposit required for “MYB100” is $50.
ReplyDelete