Archive for January 9th, 2021

Saturday, January 9th, 2021

Dakar 2021 – Week 1 Top Moments

Saturday, January 9th, 2021

Snort 2.9.x – network intrusion detection system (NIDS) installation & config & logging & rule writing

Saturday, January 9th, 2021

   Snort 2.9.x – Users Manual

root@bpi-iot-jsho-snort-01:~# apt-get install snort
root@bpi-iot-jsho-snort-01:~# snort -v
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet
--== Initialization Complete ==--
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.1
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11

Stay current with the latest updates using Community rules

root@bpi-iot-jsho-snort-01:~# wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
root@bpi-iot-jsho-snort-01:/# tar -xvzf community-rules.tar.gz -C /etc/snort/rules

https://www.snort.org/faq/readme-unified2

U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout

root@bpi-iot-jsho-snort-01:~# cd /var/log/snort
root@bpi-iot-jsho-snort-01:~# u2spewfoo snort.log

U2boat is a tool for converting unified2 files into other formats; currently the only supported output format is pcap.

root@bpi-iot-jsho-snort-01:~# cd /var/log/snort
root@bpi-iot-jsho-snort-01:~# u2boat -t pcap snort.log snort.pcap
root@bpi-iot-jsho-snort-01:~# vi /etc/snort/snort.conf
ipvar HOME_NET 192.168.1.0/24
root@bpi-iot-jsho-snort-01:~# touch /etc/snort/rules/custom.rules
root@bpi-iot-jsho-snort-01:~# vi /etc/snort/snort.conf
include $RULE_PATH/custom.rules
root@bpi-iot-jsho-snort-01:~# vi /etc/snort/rules/custom.rules
alert udp any any -> any any (msg:"UDP traffic"; sid:10001;)
alert tcp any any -> any 80 (msg:"WEB traffic"; content:"login"; nocase; sid:10002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP traffic"; flags:S; sid:10000;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"we are being pinged"; icode:0; itype:8; sid:10003;)
alert tcp any any -> any any (msg:"Possible Neutrino Exploit kit infection"; content:"vclphjybj.ioxbpjgtqvwqfzmwhn.ga"; classtype:trojan-activity; sid:10004; rev:1;)
root@bpi-iot-jsho-snort-01:~# mkdir log
root@bpi-iot-jsho-snort-01:~# snort -d -l ./log -b -c /etc/snort/snort.conf -i eth0
root@bpi-iot-jsho-snort-01:~# vi /etc/snort/rules/icmp.rules
root@bpi-iot-jsho-snort-01:~# /usr/sbin/snort -A console -c /etc/snort/snort.conf -i eth0
root@bpi-iot-jsho-snort-01:~# /etc/init.d/snort stop
[ ok ] Stopping snort (via systemctl): snort.service
root@bpi-iot-jsho-snort-01:/var/log/snort# vi /etc/default/snort
# Parameters for the daemon
# Add any additional parameters here.
PARAMS="-m 027 -D -d -A full"
#
# Snort user
# This user will be used to launch snort. Notice that the
# preinst script of the package might do changes to the user
# (home directory, User Name) when the package is upgraded or
# reinstalled. So, do *not* change this to 'root' or to any other user
# unless you are sure there is no problem with those changes being introduced.
#
SNORTUSER="snort"
#
# Logging directory
# Snort logs will be dropped here and this will be the home
# directory for the SNORTUSER. If you change this value you should
# change the /etc/logrotate.d/snort definition too, otherwise logs
# will not be rotated properly.
#
LOGDIR="/var/log/snort"
#
# Snort group
# This is the group that the snort user will be added to.
#
SNORTGROUP="snort"
#
# Allow Snort's init.d script to work if the configured interfaces
# are not available. Set this to yes if you configure Snort with
# multiple interfaces but some might not be available on boot
# (e.g. wireless interfaces)
#
# Note: In order for this to work the 'iproute' package needs to
# be installed.
ALLOW_UNAVAILABLE="no"
root@bpi-iot-jsho-snort-01:~# /etc/init.d/snort restart
root@bpi-iot-jsho-snort-01:/var/log/snort# ps -ef | grep snort
snort 23159 1 0 20:04 ? 00:00:01 /usr/sbin/snort -m 027 -D -d -A full -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.1.0/24] -i eth0
root@bpi-iot-jsho-snort-01:~# /usr/sbin/snort -T -c /etc/snort/snort.conf -i eth0
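As an added example (my own code, not the blog author's and not part of Snort), a small Python pre-flight linter for a Snort 2.9 rules file that catches, before `snort -T` is even run, the slips a first draft of custom.rules typically has: an option written `sid=` instead of `sid:`, a rule without a sid, one sid reused by two rules (a fatal error for Snort), and a port on an icmp rule. SAMPLE_RULES is a constructed rule set in the shape of the session's rules, deliberately containing those mistakes.

```python
# Added example (not from the original post): pre-flight linter for Snort 2.9
# rule files, catching what `snort -T` would reject in a custom.rules file.
import re

# Rule header: action proto src sport direction dst dport, then "(options)".
RULE_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')
# Split the option body on ';' only when an even number of '"' follows, i.e.
# never inside a double-quoted value such as msg:"a;b".
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def lint_rules(text):
    """Return (line_number, message) for each problem found in a rule file."""
    findings, seen_sids = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, 'cannot parse rule header'))
            continue
        if m['proto'] == 'icmp' and (m['sport'], m['dport']) != ('any', 'any'):
            findings.append((lineno, 'ICMP has no ports; use "any" in an icmp rule'))
        sid = None
        for opt in filter(None, map(str.strip, OPT_SPLIT_RE.split(m['opts']))):
            key, sep, value = opt.partition(':')
            if not sep and '=' in opt:   # e.g. "sid=10003": Snort wants key:value
                findings.append((lineno, f'malformed option {opt!r}, expected key:value'))
            elif key.strip() == 'sid':
                sid = value.strip()
        if sid is None:
            findings.append((lineno, 'missing sid'))
        elif sid in seen_sids:   # duplicate gid/sid is a fatal error in Snort 2.9
            findings.append((lineno, f'sid {sid} already used on line {seen_sids[sid]}'))
        else:
            seen_sids[sid] = lineno
    return findings

# Constructed sample in the shape of the session's custom.rules, with the
# typical first-draft mistakes (reused sid, "sid=", port on an icmp rule).
SAMPLE_RULES = """\
alert udp any any -> any any (msg:"UDP traffic"; sid:10001;)
alert tcp any any -> any 80 (msg:"WEB traffic"; content:"login"; nocase; sid:10001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Incoming FTP traffic"; flags:S; sid:10000;)
alert icmp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"we are being pinged"; icode:0; itype:8; sid=10003;)
alert tcp any any -> any any (msg:"Possible Neutrino Exploit kit infection"; content:"vclphjybj.ioxbpjgtqvwqfzmwhn.ga"; classtype:trojan-activity; sid:10003; rev:1;)
"""
```

`lint_rules(SAMPLE_RULES)` returns four findings (the reused sid on line 2 and three problems on the icmp rule on line 4); once those are fixed the list is empty and `snort -T -c /etc/snort/snort.conf` can take over the real validation.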

Saturday, January 9th, 2021

Spain Madrid Gran Via & Puerta del Sol – online webcam

Saturday, January 9th, 2021

France La Clusaz – online webcam

Saturday, January 9th, 2021

Classic-car donation raffle of the Lebenshilfe Gießen e.V. – cabaret artist Urban Priol has provided us with this Ford 20M, and it can be had for a donation of € 5,- and a bit of luck

Saturday, January 9th, 2021

Bundesamt für Sicherheit in der Informationstechnik (BSI) – turns 30 years old

Saturday, January 9th, 2021

Italy Passo dei due Santi – online webcam

Saturday, January 9th, 2021

Permanent suspension of Twitter Account '@realDonaldTrump'

Saturday, January 9th, 2021

Twitter – we have permanently suspended the account due to the risk of further incitement of violence

Hackster.io – the community dedicated to learning hardware
