Snort3(インストール)

ライブラリ

    [root]# dnf config-manager --enable powertools  <-- AL8
    [root]# dnf config-manager --enable crb         <-- AL9
    [root]# dnf install epel-release
    [root]# dnf upgrade

    # AL 9.x
    [root]# dnf install vim git flex flex-devel bison bison-devel \
                        gcc gcc-c++ make cmake automake autoconf libtool \
                        libpcap libpcap-devel libdnet libdnet-devel \
                        hwloc hwloc-devel openssl openssl-devel \
                        zlib zlib-devel luajit luajit-devel pkgconf \
                        libmnl libmnl-devel libunwind libunwind-devel \
                        libnfnetlink libnfnetlink-devel \
                        libnetfilter_queue libnetfilter_queue-devel \
                        xz xz-devel libuuid libuuid-devel \
                        hyperscan hyperscan-devel libsafec libsafec-devel \
                        gperftools gperftools-devel \
                        libcmocka libcmocka-devel

    [root]# ln -s /usr/lib64/pkgconfig/safec-3.3.pc /usr/lib64/pkgconfig/libsafec.pc

    # Ubuntu 24.04
    [root]# apt install flex bison libtool libtool-bin libpcap-dev \
                    hwloc libhwloc-dev luajit pkgconf libmnl0 libmnl-dev \
                    libunwind-dev libnfnetlink0 libnfnetlink-dev \
                    libnetfilter-queue1 libnetfilter-queue-dev xz-utils libuuid1 \
                    uuid-dev libhyperscan-dev libsafec3 libsafec-dev \
                    libcmocka0 libcmocka-dev libdumbnet-dev libluajit-5.1-dev \
                    libgoogle-perftools-dev

LibDAQ

    [root]# git clone https://github.com/snort3/libdaq.git
    [root]# cd libdaq
    [root]# ./bootstrap
    [root]# ./configure
    [root]# make -j3
    [root]# make -j3 check
    [root]# make -j3 install
    [root]# cd ..
    [root]# rm -vrf libdaq

    [root]# updatedb
    [root]# locate libdaq

      /usr/local/lib/libdaq.so
      /usr/local/lib/libdaq.so.3

    [root]# vim /etc/ld.so.conf.d/local.conf

      /usr/local/lib
      /usr/local/lib64

    [root]# ldconfig -v <-- 共有ライブラリの更新
    [root]# ldconfig -p | grep libdaq

      libdaq.so.3 (libc6,x86-64) => /usr/local/lib/libdaq.so.3
      libdaq.so (libc6,x86-64) => /usr/local/lib/libdaq.so

Flatbuffers

    [root]# curl -Lo flatbuffers-24.3.25.tar.gz \
                https://github.com/google/flatbuffers/archive/v24.3.25.tar.gz
    [root]# tar xvfz flatbuffers-24.3.25.tar.gz
    [root]# cd flatbuffers-24.3.25
    [root]# mkdir build
    [root]# cd build
    [root]# cmake ..
    [root]# make -j3
    [root]# make -j3 test
    [root]# make -j3 install
    [root]# cd ../..
    [root]# rm -vrf flatbuffers-24.3.25

Snort3

    [root]# git clone https://github.com/snort3/snort3.git
    [root]# cd snort3
    [root]# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
    [root]# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
    [root]# export CFLAGS="-O3"
    [root]# export CXXFLAGS="-O3 -fno-rtti"
    [root]# ./configure_cmake.sh --prefix=/usr/local/snort \
                            --enable-tcmalloc --enable-appid-third-party

      --enable-tcmalloc : メモリ使用量を削減し、処理時間を短縮
      --enable-appid-third-party : サードパーティの appid を有効

    [root]# cd build
    [root]# make -j3
    [root]# make -j3 install
    [root]# /usr/local/snort/bin/snort -V
    [root]# cd ../..
    [root]# rm -vrf snort3

    ・アップデート時

     1. 設定ファイルが上書きされるため、設定ファイルの修正

       [root]# vim /usr/local/snort/etc/snort/snort_defaults.lua
       [root]# vim /usr/local/snort/etc/snort/snort.lua

     2. pulledpork.conf 内のバージョン変更後、pulledpork.pl 実行

      [root]# vim /usr/local/pulledpork/etc/pulledpork.conf

        snort_version=3.2.0.0

      [root]# /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf

     3. Snort 再起動

      [root]# systemctl restart snortd.service

Snort3 Extra

    [root]# git clone https://github.com/snort3/snort3_extra.git
    [root]# cd snort3_extra
    # AL 9.x
    [root]# export PKG_CONFIG_PATH=/usr/local/snort/lib64/pkgconfig:$PKG_CONFIG_PATH
    # Ubuntu 24.04
    [root]# export PKG_CONFIG_PATH=/usr/local/snort/lib/pkgconfig:$PKG_CONFIG_PATH
    [root]# ./configure_cmake.sh --prefix=/usr/local/snort/extra
    [root]# cd build
    [root]# make -j3
    [root]# make -j3 install
    [root]# cd ../..
    [root]# rm -vrf snort3_extra

ディレクトリ作成

    [root]# mkdir -p /usr/local/snort/{builtin_rules,rules,appid,intel}

      builtin_rules, rules にはルールファイル、appid には AppID 検出器、
      intel にはブラックリストとホワイトリストを配置。

ルールファイル

    ・ルールセットの取得

      Subscriber Release : 最新のルールセット(有償)

      Registered User Release : Subscriber Release より30日遅れのルールセット

      Community Rules : オープンソースコミュニティが作成したルールセット

      [root]# mkdir rules
      [root]# cd rules

      Registered User Release を取得(<OINKCODE> は snort.org アカウントの Oinkcode に置き換える)
      URL は ? や <> をシェルに解釈させないよう引用符で囲む。Oinkcode は認証情報のため、
      シェル履歴や ps の引数に残る点に注意。
      [root]# curl -Lo snortrules-snapshot-3200.tar.gz \
                    'https://www.snort.org/rules/snortrules-snapshot-3200.tar.gz?oinkcode=<OINKCODE>'

    ・設定ファイル/ルールファイルをコピー

      [root]# tar xvfz snortrules-snapshot-3200.tar.gz
      [root]# ls

        builtins  etc  rules  snortrules-snapshot-3200.tar.gz  so_rules

      [root]# cp -v etc/*.lua /usr/local/snort/etc/snort/
      [root]# cat rules/*.rules > /usr/local/snort/rules/snort.rules
      [root]# cp -v builtins/builtins.rules /usr/local/snort/builtin_rules/

OpenAppID

    [root]# cd /usr/local/snort/appid/
    [root]# curl -Lo snort-openappid.tar.gz \
                https://snort.org/downloads/openappid/snort-openappid.tar.gz
    [root]# tar xvfz snort-openappid.tar.gz
    [root]# rm -v snort-openappid.tar.gz
    [root]# ls

      odp

IP Reputation

    [root]# cd /usr/local/snort/intel/
    [root]# curl -Lo ip-blocklist \
                https://www.talosintelligence.com/documents/ip-blacklist
    [root]# ls

      ip-blocklist

    [root]# touch /usr/local/snort/intel/ip-allowlist