1、System configuration
1、Install Ubuntu 20.04
2、Change the apt mirror to Aliyun (note: focal-proposed is Ubuntu's pre-release testing pocket; on a production sensor it is normally left out of sources.list)
sudo vim /etc/apt/sources.list
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
3、Update and upgrade
sudo apt-get update && sudo apt-get dist-upgrade -y
4、Configure the time zone
sudo dpkg-reconfigure tzdata
5、Install build dependencies (one command; the trailing backslashes continue the line)
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev \
zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev \
libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev \
libmnl-dev ethtool libjemalloc-dev
2、Initial Snort setup
1、Create a temporary build directory
cd /opt
sudo mkdir snort_src
cd snort_src
2、Install LibDAQ (bootstrap generates the configure script, so it must run first)
cd /opt/snort_src
git clone https://github.com/snort3/libdaq.git
cd libdaq
./bootstrap
./configure
make
sudo make install
3、Install Tcmalloc (gperftools)
cd /opt/snort_src/
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9/gperftools-2.9.tar.gz
tar xzf gperftools-2.9.tar.gz
cd gperftools-2.9/
./configure
make
sudo make install
4、Install Snort 3
cd /opt/snort_src/
wget https://github.com/snort3/snort3/archive/refs/tags/snort3-3.1.23.0.zip
unzip snort3-3.1.23.0.zip
cd snort3-3.1.23.0/
sudo ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
5、Refresh the shared library cache
sudo ldconfig
6、Create a symlink
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
7、Check the Snort version (uppercase -V prints the version; lowercase -v is verbose packet mode)
snort -V
3、Configure IDS mode
1.Put the NIC into promiscuous mode
sudo ip link set dev ens33 promisc on
2.Verify the NIC mode (look for PROMISC in the flags)
ip add sh ens33
3.Disable interface offloading (GRO/LRO merge packets before Snort sees them, which breaks detection on the real on-the-wire packets)
Check the current offload settings
ethtool -k ens33 | grep receive-offload
Disable GRO and LRO
sudo ethtool -K ens33 gro off lro off
GRO and LRO are now disabled
4.Apply the interface settings at boot
sudo nano /etc/systemd/system/snort3-nic.service
[Unit]
Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens33 promisc on
ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
Reload systemd and enable the service at boot
sudo systemctl daemon-reload
sudo systemctl enable --now snort3-nic.service
Check the service status
sudo systemctl status snort3-nic.service
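A pre-flight check for the interface state set up in this section, added here as an example (it is not part of the original article). It takes the text of `ip link show ens33` and `ethtool -k ens33` and confirms the three properties the article sets by hand; the sample outputs inside it are constructed.

```shell
#!/bin/sh
# Added example: verify a Snort 3 sniffing interface is in promiscuous mode
# with GRO and LRO disabled. Inputs are the captured text of
# `ip link show <dev>` and `ethtool -k <dev>`; samples below are constructed.

# Return 0 when the `ip link show` text carries the PROMISC flag.
promisc_on() {
    printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# Return 0 when the `ethtool -k` text shows feature $2 as off.
# (ethtool prints "off [fixed]" when the driver cannot enable it; that counts as off.)
offload_off() {
    printf '%s\n' "$1" | grep -E "^${2}: off" >/dev/null
}

# nic_ready_for_ids IP_LINK_TEXT ETHTOOL_TEXT
# Returns 0 when the interface is ready, 1 otherwise (each failed check is printed).
nic_ready_for_ids() {
    ready=0
    promisc_on "$1" || { echo "promiscuous mode is off"; ready=1; }
    offload_off "$2" generic-receive-offload || { echo "GRO is still on"; ready=1; }
    offload_off "$2" large-receive-offload   || { echo "LRO is still on"; ready=1; }
    return $ready
}

# Constructed sample: state after `ip link set dev ens33 promisc on`
# and `ethtool -K ens33 gro off lro off`.
IP_LINK_GOOD='2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:11:22:33 brd ff:ff:ff:ff:ff:ff'
ETHTOOL_GOOD='Features for ens33:
rx-checksumming: on
generic-receive-offload: off
large-receive-offload: off [fixed]'

# Constructed sample: default state (no PROMISC flag, GRO enabled).
IP_LINK_BAD='2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:11:22:33 brd ff:ff:ff:ff:ff:ff'
ETHTOOL_BAD='Features for ens33:
rx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
```

On a live sensor the same function can be fed `"$(ip link show ens33)"` and `"$(ethtool -k ens33)"`, for instance from an ExecStartPost= line in snort3-nic.service, so the unit fails loudly instead of leaving Snort on a half-configured interface.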
4、Configure rules
1.Download the community rules
sudo mkdir /usr/local/etc/rules
sudo wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
sudo tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/
2.Download OpenAppID
wget https://snort.org/downloads/openappid/23020 -O OpenAppId-23020.tgz
sudo tar -xzvf OpenAppId-23020.tgz -C /usr/local/lib/
3.Configure the OpenAppID library location (the file is root-owned after make install, so edit it with sudo)
sudo vim /usr/local/etc/snort/snort.lua
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib/odp',
log_stats = true,
}
5、Start Snort at boot
1.Create a non-login system user for Snort to drop privileges to
sudo useradd -r -s /usr/sbin/nologin -M -c SNORT_IDS snort
2.Create the boot service
sudo nano /etc/systemd/system/snort3.service
[Unit]
Description=Snort 3 NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -i ens33 -m 0x1b -u snort -g snort
(-D is deliberately left out: with Type=simple systemd tracks the process it started, and a daemonized Snort would fork away and be killed with the unit's cgroup; Snort must stay in the foreground here)
[Install]
WantedBy=multi-user.target
3.Create the log directory
sudo mkdir /var/log/snort
sudo chmod -R 5775 /var/log/snort
sudo chown -R snort:snort /var/log/snort
4.Configure systemd
sudo systemctl daemon-reload
sudo systemctl enable --now snort3
sudo systemctl status snort3
Originally published by the WeChat public account 安全孺子牛: Snort3 Installation and Deployment
February 23, 2022, 9:22 AM 1F
When installing LibDAQ it says ./bootstrap and ./configure do not exist, what should I do?