Snort
From the project home page:
- Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
Installation
Install the snort package from the AUR.
Configuration
The main configuration file is /etc/snort/snort.conf. Read it carefully; as usual, it is very well documented. The variables near the top of the file describe your network and are what the rules match against, so set them to your LAN:
ipvar HOME_NET 10.0.0.0/28        # Change to the subnet of your LAN.
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
portvar HTTP_PORTS [80,5000]      # For HTTP daemons running on ports 80 and 5000. Change appropriately
                                  # to the ports you are using on your LAN.
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
ipvar AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
config detection: search-method lowmem   # If you are using a machine "with very limited resources".
At the bottom of the file, there is a list of includes. These define which rules you want to enforce. (Un)comment as you please. You should check that the corresponding file exists, as for me, none of the rules files were present.
Create a dedicated, unprivileged user and group for Snort, and a log directory it owns:
groupadd snort
mkdir -p /var/log/snort
useradd -g snort -d /var/log/snort snort
chown -R snort:snort /var/log/snort
Edit /etc/conf.d/snort:
SNORT_ARGS="-u snort -g snort -l /var/log/snort -K ascii -c /etc/snort/snort.conf -D -h 10.0.0.0/28 -A full"
Replace 10.0.0.0/28 with the CIDR of your LAN.
Now Snort drops its root privileges after start-up and runs as user snort in group snort, which improves security. The other options make it daemonize and log to /var/log/snort in ASCII mode. Run snort -h to see the other available options.
I have been running my router for 12 days now, and using the above snort options, I had around 120MB of logs! So I changed the -A switch to "-A none". This only logs alerts. I did not know what to do with all the logs anyway.
Update the rules: Oinkmaster
If you want to be able to download Snort's latest rules, you will need a subscription. This costs money. If you are happy enough with rules that are 5 days old, you just need to register for free. If you do not register, the only updates you will get are the new rules distributed with a new Snort release. Go ahead and register at Snort. If you really do not want to register, you can use the rules from BleedingSnort.com. They are bleeding edge, meaning they have not been tested thoroughly.
oinkmaster is available as an AUR package.
Oinkmaster setup
When you log into your new Snort account, create an "Oink code". Then edit /etc/oinkmaster.conf, look for the URL section and uncomment the 2.4 line, replacing <oinkcode> in it with the Oink code you generated. For Bleeding Snort rules, uncomment the appropriate line instead. Another thing to change is:
use_external_bins=1 # 1 uses wget, tar, gzip instead of Perl modules
The rest of the configuration file is fine.
Oinkmaster usage
oinkmaster.pl -o /etc/snort/rules
Create an executable script with the exact command and place it in /etc/cron.daily to update the rules daily automatically.
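One way to write that daily script, as an added example that is not from the page or from the Oinkmaster project: instead of only running oinkmaster.pl, it first backs up the live rules, fetches the new ones, test-loads the whole configuration with snort -T, and restores the previous rule set if the test fails, so a broken download never leaves the sensor without a working rule set. The file name /etc/cron.daily/snort-rules, the rc.d reload command, the log file path and the environment-variable overrides are assumptions made for this example; oinkmaster.pl -C/-o and snort -T/-c are real options of those tools.

```shell
#!/bin/sh
# Daily Snort rule update, intended to live at /etc/cron.daily/snort-rules
# (file name, RELOAD_CMD and LOG are assumptions for this example).
# Flow: back up live rules -> fetch with Oinkmaster -> validate with
# "snort -T" -> reload on success, roll back on failure.
set -u

OINKMASTER=${OINKMASTER:-oinkmaster.pl}
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
SNORT=${SNORT:-snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULE_DIR=${RULE_DIR:-/etc/snort/rules}
RELOAD_CMD=${RELOAD_CMD:-/etc/rc.d/snort restart}   # assumption: rc.d-era init
LOG=${LOG:-/var/log/snort/rule-update.log}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Copy the live rule set into a scratch directory and print its path.
backup_rules() {
    b=$(mktemp -d) || return 1
    cp -a "$RULE_DIR/." "$b/" || { rm -rf "$b"; return 1; }
    printf '%s\n' "$b"
}

# Put a backup made by backup_rules back over the live rule directory.
restore_rules() {
    rm -rf "$RULE_DIR"/* && cp -a "$1/." "$RULE_DIR/"
}

# Returns 0 when new rules are installed and pass "snort -T",
# 1 when the download fails, 2 when validation fails. In both failure
# cases the previous rule set is restored before returning.
update_rules() {
    backup=$(backup_rules) || { log "backup failed; not updating"; return 1; }

    if ! "$OINKMASTER" -C "$OINK_CONF" -o "$RULE_DIR" >>"$LOG" 2>&1; then
        log "oinkmaster failed; restoring previous rule set"
        restore_rules "$backup"; rm -rf "$backup"; return 1
    fi

    # -T parses the configuration and every rule file it includes,
    # exiting non-zero on a syntax error, without starting the sensor.
    if ! "$SNORT" -T -c "$SNORT_CONF" >>"$LOG" 2>&1; then
        log "new rules failed snort -T; restoring previous rule set"
        restore_rules "$backup"; rm -rf "$backup"; return 2
    fi

    log "rules updated and validated; reloading snort"
    $RELOAD_CMD >>"$LOG" 2>&1 || log "reload failed: $RELOAD_CMD"
    rm -rf "$backup"
    return 0
}

# Run the update only when executed as the cron script itself; sourcing
# the file merely defines the functions above.
case "$(basename "$0")" in
    snort-rules) update_rules ;;
esac
```

The script writes its own log rather than relying on cron mail, and its return code distinguishes a failed download from rules that Snort refused to load, so a cron wrapper or monitoring check can tell the two apart.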