Snort3 (Configuring)

Configuration file

    [root]# ls /usr/local/snort/etc/snort/

      balanced.lua  file_magic.lua  max_detect.lua  snort.lua  talos.lua
     connectivity.lua  inline.lua  security.lua  snort_defaults.lua

snort_defaults.lua

    [root]# vim /usr/local/snort/etc/snort/snort_defaults.lua

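    ------------------------------------------------------------
    -- default paths
    ------------------------------------------------------------
    -- Path to your rules files (this can be a relative path)
    -- NOTE(review): ../../rules is relative to /usr/local/snort/etc/snort/,
    -- i.e. /usr/local/snort/rules (the same file the ips.rules include in
    -- snort.lua points at) -- confirm that this is the directory PulledPork
    -- writes to.
    RULE_PATH = '../../rules'
    BUILTIN_RULE_PATH = '../../builtin_rules'
    PLUGIN_RULE_PATH = '../../so_rules'

    -- If you are using reputation preprocessor set these
    -- Both lists live in the same directory; the file names (ip-blocklist,
    -- ip-allowlist) are appended where the reputation module is configured.
    ALLOW_LIST_PATH = '../../intel'
    BLOCK_LIST_PATH = '../../intel'

    -- Path to AppID ODP - Optional
    -- A Lua string literal is always truthy, so writing
    -- '../../appid' or '/usr/local/snort/appid' would silently always select
    -- the first path and never the second. Keep exactly one value assigned
    -- and leave the alternative as a comment.
    APPID_PATH = '../../appid'
    -- APPID_PATH = '/usr/local/snort/appid'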

snort.lua

    [root]# vim /usr/local/snort/etc/snort/snort.lua

    Do not forget the trailing comma after each field inside a Lua table (`key = value,`); a missing comma is a Lua syntax error and Snort will refuse to load the file.

    ------------------------------------------------------------
    -- 1. configure defaults
    ------------------------------------------------------------

    -- HOME_NET and EXTERNAL_NET must be set now
    -- setup the network addresses you are protecting
    -- HOME_NET = "any"
    -- "Global IP/32,Local IP/24" are placeholders: replace them with the real
    -- CIDR blocks, e.g. '[203.0.113.10/32,192.168.1.0/24]'. The value is an
    -- ordinary single-quoted Lua string, so the double brackets are not Lua
    -- long-bracket quoting; Snort reads them as a nested IP list. A single
    -- pair of brackets is the usual form. Any address left out of HOME_NET
    -- is not seen by rules that target $HOME_NET.
    HOME_NET = '[[Global IP/32,Local IP/24]]'

    -- set up the external network addresses.
    -- (leave as "any" in most situations)
    -- EXTERNAL_NET = "any"
    -- NOTE(review): defining EXTERNAL_NET as the complement of HOME_NET means
    -- rules written as $EXTERNAL_NET -> $HOME_NET cannot match traffic between
    -- two HOME_NET hosts (lateral movement); 'any' keeps that coverage.
    -- The $HOME_NET reference is expanded by Snort's variable handling, not
    -- by Lua -- confirm this build accepts it before relying on it.
    EXTERNAL_NET = '[[!$HOME_NET]]'

    -- Both variables are assigned before this include; presumably
    -- snort_defaults.lua reads them to build default_variables (used by
    -- ips.variables further down) -- verify in that file.
    include 'snort_defaults.lua'
    include 'file_magic.lua'

    ------------------------------------------------------------
    -- 2. configure inspection
    ------------------------------------------------------------

    -- Identify files and file types that traverse the network
    --[[
    file_id =
    {
        enable_type = true,
        enable_signature = true,
        file_rules = file_magic,
        file_policy =
        {
            { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
        }
    }
    --]]

    ※ Note: with the commented-out block above enabled, this Snort build rejected the configuration with the errors below (those file_id keys are not known to it):
    ERROR: /usr/local/snort/etc/snort/snort.lua: can't find file_id.file_policy
    ERROR: /usr/local/snort/etc/snort/snort.lua: can't find file_id.enable_signature
    ERROR: /usr/local/snort/etc/snort/snort.lua: can't find file_id.enable_type

    Print a module's description and accepted parameters to find the keys this build expects, then rewrite the block with the keys listed:
    [root]# /usr/local/snort/bin/snort --help-module file_id
    [root]# /usr/local/snort/bin/snort --help-module file_policy

    -- Layout accepted by this build: file_id takes the magic rules file,
    -- file_policy holds the type/signature switches and the verdict rules.
    file_id = { rules_file = 'file_magic.rules' }
    file_policy =
    {
        enable_type = true,
        enable_signature = true,
        -- NOTE(review): file_policy.rules is documented as a list of
        -- { when = {...}, use = {...} } entries, i.e.
        --   rules = { { use = { verdict = 'log' } } }
        -- With the un-nested form below the verdict entry may be ignored
        -- instead of applied. Check the --help-module file_policy output above
        -- and confirm with a known file before relying on the 'log' verdict.
        rules = {
            use = { verdict = "log" }
        },
    }

    -- Identify the application behind each connection (AppID); comment out when using SnortSnarf
    --[[
    appid =
    {
        -- appid requires this to use appids in rules
        app_detector_dir = APPID_PATH,
    }
    --]]

    -- IP reputation lists. Both files are expected at the paths built from
    -- snort_defaults.lua (ALLOW_LIST_PATH / BLOCK_LIST_PATH = ../../intel).
    -- NOTE(review): with ips.mode = tap below, a blocklist hit is reported,
    -- not dropped. Addresses in the allowlist are exempted by this module, so
    -- a world-writable ip-allowlist is a policy-bypass vector -- restrict
    -- write access to the account that maintains the lists.
    reputation =
    {
        -- configure one or both of these, then uncomment reputation
        blocklist = BLOCK_LIST_PATH .. '/ip-blocklist',
        allowlist = ALLOW_LIST_PATH .. '/ip-allowlist',
    }

    ------------------------------------------------------------
    -- 5. configure detection
    ------------------------------------------------------------

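    ips =
    {
        -- ips.mode is a string: 'tap' (passive, alert only), 'inline' or
        -- 'inline-test'. It was previously written as the bare identifier
        -- `tap`; in Lua an undefined name is nil, so the key was silently left
        -- unset and Snort used its default. Quote it -- otherwise switching to
        -- `inline` later would also be a nil no-op and nothing would block.
        mode = 'tap',

        -- address/port variables, presumably built by snort_defaults.lua from
        -- HOME_NET/EXTERNAL_NET above -- verify in that file
        variables = default_variables,

        -- Rule set maintained by PulledPork. Everything inside this long string
        -- is handed to the rule parser, so it must contain rule syntax only;
        -- annotations such as "<-- PulledPork" or "or" belong in Lua comments.
        -- ../../rules resolves to /usr/local/snort/rules from etc/snort/; the
        -- absolute form avoids depending on how Snort is launched:
        --   include /usr/local/snort/rules/snort.rules
        rules = [[
            include ../../rules/snort.rules
        ]],
    }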

    ------------------------------------------------------------
    -- 7. configure outputs
    ------------------------------------------------------------

    -- /var/log/snort/alert_fast.txt
    -- One-line-per-alert text output; file = true sends it to a file in the
    -- log directory rather than stdout. Restrict access to that directory:
    -- alerts are evidence and also reveal what the sensor can see.
    alert_fast =
    {
        file = true,
    }

    -- /var/log/snort/file.log
    -- Records the files identified by file_id / file_policy above.
    -- Timestamps come from the packet capture time, not the sensor clock.
    file_log =
    {
        log_pkt_time = true,
        log_sys_time = false,
    }