ライブラリ
[root]# dnf config-manager --enable powertools <-- AL8
[root]# dnf config-manager --enable crb <-- AL9
[root]# dnf install epel-release
[root]# dnf upgrade
# AL 9.x
[root]# dnf install vim git flex flex-devel bison bison-devel \
gcc gcc-c++ make cmake automake autoconf libtool \
libpcap libpcap-devel libdnet libdnet-devel \
hwloc hwloc-devel openssl openssl-devel \
zlib zlib-devel luajit luajit-devel pkgconf \
libmnl libmnl-devel libunwind libunwind-devel \
libnfnetlink libnfnetlink-devel \
libnetfilter_queue libnetfilter_queue-devel \
xz xz-devel libuuid libuuid-devel \
hyperscan hyperscan-devel libsafec libsafec-devel \
gperftools gperftools-devel \
libcmocka libcmocka-devel
[root]# ln -s /usr/lib64/pkgconfig/safec-3.3.pc /usr/lib64/pkgconfig/libsafec.pc
# Ubuntu 24.04
[root]# apt install flex bison libtool libtool-bin libpcap-dev \
hwloc libhwloc-dev luajit pkgconf libmnl0 libmnl-dev \
libunwind-dev libnfnetlink0 libnfnetlink-dev \
libnetfilter-queue1 libnetfilter-queue-dev xz-utils libuuid1 \
uuid-dev libhyperscan-dev libsafec3 libsafec-dev \
libcmocka0 libcmocka-dev libdumbnet-dev libluajit-5.1-dev \
libgoogle-perftools-dev
LibDAQ
[root]# git clone https://github.com/snort3/libdaq.git
[root]# cd libdaq
[root]# ./bootstrap
[root]# ./configure
[root]# make -j3
[root]# make -j3 check
[root]# make -j3 install
[root]# cd ..
[root]# rm -vrf libdaq
[root]# updatedb
[root]# locate libdaq
/usr/local/lib/libdaq.so
/usr/local/lib/libdaq.so.3
[root]# vim /etc/ld.so.conf.d/local.conf
/usr/local/lib
/usr/local/lib64
[root]# ldconfig -v <-- 共有ライブラリの更新
[root]# ldconfig -p | grep libdaq
libdaq.so.3 (libc6,x86-64) => /usr/local/lib/libdaq.so.3
libdaq.so (libc6,x86-64) => /usr/local/lib/libdaq.so
Flatbuffers
[root]# curl -Lo flatbuffers-24.3.25.tar.gz \
https://github.com/google/flatbuffers/archive/v24.3.25.tar.gz
[root]# tar xvfz flatbuffers-24.3.25.tar.gz
[root]# cd flatbuffers-24.3.25
[root]# mkdir build
[root]# cd build
[root]# cmake ..
[root]# make -j3
[root]# make -j3 test
[root]# make -j3 install
[root]# cd ../..
[root]# rm -vrf flatbuffers-24.3.25
Snort3
[root]# git clone https://github.com/snort3/snort3.git
[root]# cd snort3
[root]# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
[root]# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
[root]# export CFLAGS="-O3"
[root]# export CXXFLAGS="-O3 -fno-rtti"
[root]# ./configure_cmake.sh --prefix=/usr/local/snort \
--enable-tcmalloc --enable-appid-third-party
--enable-tcmalloc : メモリ使用量を削減し、処理時間を短縮
--enable-appid-third-party : サードパーティの appid を有効
[root]# cd build
[root]# make -j3
[root]# make -j3 install
[root]# /usr/local/snort/bin/snort -V
[root]# cd ../..
[root]# rm -vrf snort3
・アップデート時
1. 設定ファイルが上書きされるため、設定ファイルの修正
[root]# vim /usr/local/snort/etc/snort/snort_defaults.lua
[root]# vim /usr/local/snort/etc/snort/snort.lua
2. pulledpork.conf 内のバージョン変更後、pulledpork.pl 実行
[root]# vim /usr/local/pulledpork/etc/pulledpork.conf
snort_version=3.2.0.0
[root]# /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf
3. Snort 再起動
[root]# systemctl restart snortd.service
Snort3 Extra
[root]# git clone https://github.com/snort3/snort3_extra.git
[root]# cd snort3_extra
# AL 9.x
[root]# export PKG_CONFIG_PATH=/usr/local/snort/lib64/pkgconfig:$PKG_CONFIG_PATH
# Ubuntu 24.04
[root]# export PKG_CONFIG_PATH=/usr/local/snort/lib/pkgconfig:$PKG_CONFIG_PATH
[root]# ./configure_cmake.sh --prefix=/usr/local/snort/extra
[root]# cd build
[root]# make -j3
[root]# make -j3 install
[root]# cd ../..
[root]# rm -vrf snort3_extra
ディレクトリ作成
[root]# mkdir -p /usr/local/snort/{builtin_rules,rules,appid,intel}
builtin_rules, rules にはルールファイル、appid には AppID 検出器、
intel にはブラックリストとホワイトリストを配置。
ルールファイル
・ルールセットの取得
Subscriber Release : 最新のルールセット(有償)
Registered User Release : Subscriber Release より30日遅れのルールセット
Community Rules : オープンソースコミュニティが作成したルールセット
[root]# mkdir rules
[root]# cd rules
Registered User Release を取得
[root]# curl -Lo snortrules-snapshot-3200.tar.gz \
"https://www.snort.org/rules/snortrules-snapshot-3200.tar.gz?oinkcode=<OINKCODE>"
<OINKCODE> は snort.org のアカウントで発行される自身の oinkcode に置き換える（コマンドラインに含めるためシェル履歴に残る点に注意）
・設定ファイル/ルールファイルをコピー
[root]# tar xvfz snortrules-snapshot-3200.tar.gz
[root]# ls
builtins etc rules snortrules-snapshot-3200.tar.gz so_rules
[root]# cp -v etc/*.lua /usr/local/snort/etc/snort/
[root]# cat rules/*.rules > /usr/local/snort/rules/snort.rules
[root]# cp -v builtins/builtins.rules /usr/local/snort/builtin_rules/
OpenAppID
[root]# cd /usr/local/snort/appid/
[root]# curl -Lo snort-openappid.tar.gz \
https://snort.org/downloads/openappid/snort-openappid.tar.gz
[root]# tar xvfz snort-openappid.tar.gz
[root]# rm -v snort-openappid.tar.gz
[root]# ls
odp
IP Reputation
[root]# cd /usr/local/snort/intel/
[root]# curl -Lo ip-blocklist \
https://www.talosintelligence.com/documents/ip-blacklist
[root]# ls
ip-blocklist
[root]# touch /usr/local/snort/intel/ip-allowlist