Optimizing Snort for Effective Network Intrusion Detection on CentOS7

Snort has evolved into a powerful Network Intrusion Detection/Prevention System (NIDS/NIPS): it runs on multiple platforms, analyses traffic in real time, and can record network IP packets.

Online video: https://ali.kenvie.com/Test/%E9%85%8D%E7%BD%AESnort

Install Dependencies for Network Intrusion Detection

Configure Cloud CentOS7 Source

mkdir /etc/yumback   # Create backup folder
mv /etc/yum.repos.d/* /etc/yumback/   # Move the official repo files into the newly created yumback
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache

yum -y install epel-release
yum -y install gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump nghttp2 glibc-headers gcc-c++ openssl openssl-devel

  • gcc-c++: Compiler
  • flex: Lexer generator required by DAQ
  • bison: Parser generator required by DAQ
  • libpcap-devel: Headers for the packet capture library Snort uses to read network traffic
  • libdnet-devel: Not strictly required; provides Snort with a simplified, portable interface to several low-level network routines
  • pcre-devel: pcre3 header files required by Snort
  • tcpdump: Tool for capturing network packets and printing their contents

Upload Packages for Network Intrusion Detection

Upload the following packages to the server:

  • daq-2.0.7.tar.gz
  • libdnet-1.11.tar.gz
  • libpcap-1.9.0.tar.gz
  • LuaJIT-2.1.0-beta3.tar.gz
  • snort-2.9.19.tar.gz
  • snortrules-snapshot-29190.tar.gz

Extract Packages for Network Intrusion Detection

tar -zxvf snort-2.9.19.tar.gz
tar -zxvf daq-2.0.7.tar.gz
tar -zxvf LuaJIT-2.1.0-beta3.tar.gz
tar -zxvf libpcap-1.9.0.tar.gz
tar -zxvf libdnet-1.11.tar.gz

Compile and Install Sequentially

# libpcap
cd /root/libpcap-1.9.0 && ./configure && make && make install
# libdnet
cd /root/libdnet-1.11 && ./configure && make && make install
# daq
cd /root/daq-2.0.7 && ./configure && make && make install
# LuaJIT
cd /root/LuaJIT-2.1.0-beta3/src && make && cd .. && make install
# snort
cd /root/snort-2.9.19 && ./configure --enable-sourcefire && make && make install

Configure Snort

# The Snort installation places the binary at /usr/local/bin/snort; create a symlink at /usr/sbin/snort
ln -s /usr/local/bin/snort /usr/sbin/snort
mkdir /etc/snort   # Create rules directory
mkdir /var/log/snort   # Create logs directory
mkdir /usr/local/lib/snort_dynamicrules   # Create dynamic rules directory

# Running Snort as root is unsafe, so create a dedicated user to run it
# Create account
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort

# Download the official rules for configuration
# Official configuration download (registration required): https://snort.org/downloads
# Download file: snortrules-snapshot-29190.tar.gz
tar -zxvf snortrules-snapshot-29190.tar.gz -C /etc/snort
cp /etc/snort/etc/* /etc/snort/
# Choose the matching system directory under /etc/snort/so_rules/precompiled
cp /etc/snort/so_rules/precompiled/Centos-7/x86-64/2.9.19.0/* /usr/local/lib/snort_dynamicrules/

Edit snort.conf

Make Four Changes

vi /etc/snort/snort.conf

1. Change the relative paths in the following segment to absolute paths

=====Before Change========================
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
=====Before Change========================

=====After Change=========================
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
=====After Change=========================

2. Remove the trailing \ (line continuation) from line 321 of snort.conf, and delete lines 322 and 323

=====Before Change========================
316     iis_delimiter no \
317     iis_unicode no \
318     multi_slash no \
319     utf_8 no \
320     u_encode yes \
321     webroot no \
322     decompress_swf { deflate lzma } \
323     decompress_pdf { deflate }
324
325 # ONC-RPC normalization and anomaly detection.
=====Before Change========================

=====After Change=========================
316     iis_delimiter no \
317     iis_unicode no \
318     multi_slash no \
319     utf_8 no \
320     u_encode yes \
321     webroot no
322
323 # ONC-RPC normalization and anomaly detection.
=====After Change=========================

3. Change the value of the IP variable HOME_NET to the local machine’s IP address

ipvar HOME_NET 192.168.200.10

4. Comment out the unneeded rule includes by adding # to lines 540 to 655, but make sure include $RULE_PATH/local.rules stays uncommented

Instead of editing each line by hand, you can use this vi substitution command:

:%s/include $RULE_PATH/#include $RULE_PATH/g
# Then search for local.rules and uncomment that one line again

The purpose of this configuration is that Snort, when run in intrusion detection mode, matches traffic only against the custom rules in the local.rules file.
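Before starting Snort, it is worth checking that all four edits actually landed in snort.conf. The following script is an added example, not part of the original article: check_snort_conf is a hypothetical helper name, and it assumes the stock 2.9.x snort.conf layout (var ..._PATH, ipvar HOME_NET, include $RULE_PATH/...).

```shell
#!/bin/sh
# Added example, not from the original article: verify the four snort.conf edits
# described above before starting Snort. Assumes the stock 2.9.x snort.conf layout.
check_snort_conf() {
    conf="$1"
    rc=0
    # 1. rule path variables must be absolute, i.e. no "../" left behind
    if grep -Eq '^var [A-Z_]*PATH[[:space:]]+\.\./' "$conf"; then
        echo "FAIL: relative rule path still present"; rc=1
    fi
    # 2. no line may end in a "\" continuation right before a blank line
    #    (what deleting lines 322-323 without fixing line 321 leaves behind)
    if awk 'prev ~ /\\[[:space:]]*$/ && /^[[:space:]]*$/ { bad = 1 } { prev = $0 } END { exit !bad }' "$conf"; then
        echo "FAIL: dangling line continuation before a blank line"; rc=1
    fi
    # 3. HOME_NET must be an address or address list, not the default "any"
    if ! grep -Eq '^ipvar HOME_NET[[:space:]]+[[0-9]' "$conf"; then
        echo "FAIL: HOME_NET is not set to an address"; rc=1
    fi
    # 4. local.rules must be the only include left active under $RULE_PATH
    active=$(grep -E '^include \$RULE_PATH/' "$conf" | grep -v 'local\.rules' || true)
    if [ -n "$active" ]; then
        echo "FAIL: active includes other than local.rules:"; echo "$active"; rc=1
    fi
    if ! grep -Eq '^include \$RULE_PATH/local\.rules' "$conf"; then
        echo "FAIL: local.rules is not included"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf passes all four checks"
    fi
    return "$rc"
}

# Usage on the live file: sh check_snort_conf.sh /etc/snort/snort.conf
if [ "$#" -gt 0 ]; then
    check_snort_conf "$1"
fi
```

A zero exit status means all four checks passed; each failed check prints a FAIL line naming the edit that is still missing.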

Create White/Black Lists

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules

Check If the Installation Was Successful

[root@localhost ~]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.19 GRE (Build 85)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Configure Test Rule

Ping

vi /etc/snort/rules/local.rules
# Add the following line at the end of the file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"We are being pinged!"; icode:0; itype:8; sid:10000003; rev:1;)

# Start Snort
# Open two terminals: start Snort in one and follow the alert log in the other
shell1 : snort -e -A full -c /etc/snort/snort.conf
shell2 : tail -f /var/log/snort/alert

# Then ping the Snort host from another machine;
# the rule fires and the following appears in shell2:
[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:28:27.949163 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.1 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:9816 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:21  ECHO
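The multi-line "full" alert format shown above is easy to read once but awkward to grep through on a busy sensor. The script below is an added example, not part of the original article: summarize_alerts and sample_alerts are hypothetical helper names, and the sample input is constructed from the article's ICMP alert plus a made-up TCP alert. It condenses the alert file to one line per alert (timestamp, gid:sid:rev, priority, protocol, source, destination, message) and also handles the layout Snort writes without -e, where the addresses share the timestamp line.

```shell
#!/bin/sh
# Added example, not from the original article: condense a Snort "-A full" alert
# file (as written by "snort -e -A full" above, or without -e) to one line per alert.
summarize_alerts() {
    # Usage: summarize_alerts /var/log/snort/alert   (or read from stdin)
    awk '
    function emit() {
        if (id != "") print ts, id, "prio=" pri, proto, src "->" dst, msg
        id = ""; pri = ""; proto = ""
    }
    /^\[\*\*\] \[/ {               # [**] [gid:sid:rev] message [**]
        emit()
        id = substr($2, 2, length($2) - 2)
        msg = $0
        sub(/^\[\*\*\] \[[0-9:]+\] /, "", msg)
        sub(/ \[\*\*\]$/, "", msg)
        next
    }
    /\[Priority: [0-9]+\]/ {       # [Classification: ...] [Priority: N]
        match($0, /Priority: [0-9]+/)
        pri = substr($0, RSTART + 10, RLENGTH - 10)
        next
    }
    # MM/DD-HH:MM:SS.usec followed by MACs (-e) or by "src -> dst" (no -e)
    /^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ / {
        ts = $1
        if ($2 ~ /^[0-9]+\.[0-9.:]+$/) { src = $2; dst = $4 }
        next
    }
    /^[0-9.:]+ -> [0-9.:]+ / { src = $1; dst = $3; proto = $4; next }   # IP line (-e)
    /^(ICMP|TCP|UDP) TTL:/   { proto = $1; next }                        # protocol line (no -e)
    END { emit() }
    ' "$@"
}

# Constructed sample: the ICMP alert from the article plus a made-up TCP alert.
sample_alerts() {
    cat <<'EOF'
[**] [1:10000003:1] We are being pinged! [**]
[Priority: 0]
04/16-10:28:27.949163 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x4A
192.168.200.1 -> 192.168.200.10 ICMP TTL:64 TOS:0x0 ID:9816 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:21  ECHO

[**] [1:10000004:1] Constructed TCP test alert [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/16-10:30:01.000001 00:50:56:C0:00:08 -> 00:0C:29:C6:6E:91 type:0x800 len:0x3C
192.168.200.1:40512 -> 192.168.200.10:22 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
EOF
}
```

Running `sample_alerts | summarize_alerts` prints one line per alert; on the sensor itself, `summarize_alerts /var/log/snort/alert | sort | uniq -c` gives a quick count of which rules are firing and from where.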