Snort3(インストール)

ライブラリ

    [root]# dnf config-manager --enable powertools  <-- AL8
    [root]# dnf config-manager --enable crb         <-- AL9
    [root]# dnf install epel-release
    [root]# dnf upgrade

    # AL 9.x
    [root]# dnf install vim git flex flex-devel bison bison-devel \
                        gcc gcc-c++ make cmake automake autoconf libtool \
                        libpcap libpcap-devel libdnet libdnet-devel \
                        hwloc hwloc-devel openssl openssl-devel \
                        zlib zlib-devel luajit luajit-devel pkgconf \
                        libmnl libmnl-devel libunwind libunwind-devel \
                        libnfnetlink libnfnetlink-devel \
                        libnetfilter_queue libnetfilter_queue-devel \
                        xz xz-devel libuuid libuuid-devel \
                        hyperscan hyperscan-devel libsafec libsafec-devel \
                        gperftools gperftools-devel \
                        libcmocka libcmocka-devel

    # Ubuntu 22.04
    [root]# apt install flex bison libtool libtool-bin libpcap-dev \
                    libdnet libdnet-dev hwloc libhwloc-dev luajit pkgconf \
                    libmnl0 libmnl-dev libunwind-dev libnfnetlink0 libnfnetlink-dev \
                    libnetfilter-queue1 libnetfilter-queue-dev xz-utils libuuid1 \
                    uuid-dev libhyperscan-dev libsafec3 libsafec-dev \
                    libcmocka0 libcmocka-dev libdumbnet-dev libluajit-5.1-dev \
                    libgoogle-perftools-dev

    [root]# ln -s /usr/lib64/pkgconfig/safec-3.3.pc /usr/lib64/pkgconfig/libsafec.pc

LibDAQ

    [root]# tar xvfz libdaq-3.0.14.tar.gz
    [root]# cd libdaq-3.0.14
    [root]# ./bootstrap
    [root]# ./configure
    [root]# make -j3
    [root]# make -j3 check
    [root]# make -j3 install
    [root]# cd ..
    [root]# rm -vrf libdaq-3.0.14

    [root]# updatedb
    [root]# locate libdaq

      /usr/local/lib/libdaq.so
      /usr/local/lib/libdaq.so.3

    [root]# vim /etc/ld.so.conf.d/local.conf

      /usr/local/lib
      /usr/local/lib64

    [root]# ldconfig -v <-- 共有ライブラリの更新
    [root]# ldconfig -p | grep libdaq

      libdaq.so.3 (libc6,x86-64) => /usr/local/lib/libdaq.so.3
      libdaq.so (libc6,x86-64) => /usr/local/lib/libdaq.so

Flatbuffers

    [root]# curl -Lo flatbuffers-23.5.26.tar.gz \
                https://github.com/google/flatbuffers/archive/v23.5.26.tar.gz
    [root]# tar xvfz flatbuffers-23.5.26.tar.gz
    [root]# cd flatbuffers-23.5.26
    [root]# cmake .
    [root]# make -j3
    [root]# make -j3 test
    [root]# make -j3 install
    [root]# cd ..
    [root]# rm -vrf flatbuffers-23.5.26

Snort3

    [root]# tar xvfz snort3-snort3-3.1.83.0-0-ga346713.tar.gz
    [root]# cd snort3-snort3-ca88efa  <-- 展開先ディレクトリ名(末尾のハッシュ)は tarball ごとに異なるため、cd 前に ls で確認(Snort3 Extra も同様)
    [root]# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
    [root]# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
    [root]# export CFLAGS="-O3"
    [root]# export CXXFLAGS="-O3 -fno-rtti"
    [root]# ./configure_cmake.sh --prefix=/usr/local/snort \
                            --enable-tcmalloc --enable-appid-third-party

      --enable-tcmalloc : メモリ使用量を削減し、処理時間を短縮
      --enable-appid-third-party : サードパーティの appid を有効

    [root]# cd build
    [root]# make -j3
    [root]# make -j3 install
    [root]# /usr/local/snort/bin/snort -V
    [root]# cd ../..
    [root]# rm -vrf snort3-snort3-ca88efa

    ・アップデート時

     1. 設定ファイルが上書きされるため、設定ファイルの修正

       [root]# vim /usr/local/snort/etc/snort/snort_defaults.lua
       [root]# vim /usr/local/snort/etc/snort/snort.lua

     2. pulledpork.conf 内のバージョンを snort -V の出力に合わせて変更後、pulledpork.pl 実行

      [root]# vim /usr/local/pulledpork/etc/pulledpork.conf

        snort_version=3.1.47.0

      [root]# /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf

     3. Snort 再起動

      [root]# systemctl restart snortd.service

Snort3 Extra

    [root]# tar xvfz snort3-snort3_extra-3.1.83.0-0-gb81e2e4.tar.gz
    [root]# cd snort3-snort3_extra-35f6fe6  <-- 展開先ディレクトリ名(末尾のハッシュ)は tarball ごとに異なるため、cd 前に ls で確認
    # AL 9.x
    [root]# export PKG_CONFIG_PATH=/usr/local/snort/lib64/pkgconfig:$PKG_CONFIG_PATH
    # Ubuntu 22.04
    [root]# export PKG_CONFIG_PATH=/usr/local/snort/lib/pkgconfig:$PKG_CONFIG_PATH
    [root]# ./configure_cmake.sh --prefix=/usr/local/snort/extra
    [root]# cd build
    [root]# make -j3
    [root]# make -j3 install
    [root]# cd ../..
    [root]# rm -vrf snort3-snort3_extra-35f6fe6

ディレクトリ作成

    [root]# mkdir -p /usr/local/snort/{builtin_rules,rules,appid,intel}

      builtin_rules, rules にはルールファイル、appid には AppID 検出器、
      intel にはブラックリストとホワイトリストを配置。

ルールファイル

    ・ルールセットの取得

      Subscriber Release : 最新のルールセット(有償)

      Registered User Release : Subscriber Release より30日遅れのルールセット

      Community Rules : オープンソースコミュニティが作成したルールセット

      [root]# mkdir rules
      [root]# cd rules

      Registered User Release を取得
      [root]# curl -Lo snortrules-snapshot-31470.tar.gz \
                  'https://www.snort.org/rules/snortrules-snapshot-31470.tar.gz?oinkcode=<OINKCODE>'

      URL 中の ? や < > をシェルに解釈させないため引用符で囲む。OINKCODE は認証情報なので、コマンド履歴に残る点に注意。

    ・設定ファイル/ルールファイルをコピー

      [root]# tar xvfz snortrules-snapshot-31470.tar.gz
      [root]# ls

        builtins  etc  rules  snortrules-snapshot-31470.tar.gz  so_rules

      [root]# cp -v etc/*.lua /usr/local/snort/etc/snort/
      [root]# cat rules/*.rules > /usr/local/snort/rules/snort.rules
      [root]# cp -v builtins/builtins.rules /usr/local/snort/builtin_rules/

OpenAppID

    [root]# cd /usr/local/snort/appid/
    [root]# curl -Lo snort-openappid.tar.gz \
                https://snort.org/downloads/openappid/snort-openappid.tar.gz
    [root]# tar xvfz snort-openappid.tar.gz
    [root]# rm -v snort-openappid.tar.gz
    [root]# ls

      odp

IP Reputation

    [root]# cd /usr/local/snort/intel/
    [root]# curl -Lo ip-blocklist \
                https://www.talosintelligence.com/documents/ip-blacklist
    [root]# ls

      ip-blocklist

    [root]# touch /usr/local/snort/intel/ip-allowlist