An alchemists view from the bar

Network Security Alchemy

Snort 3 Beta on Ubuntu / Debian Installation


A few days ago I had some spare(ish) time, and decided to take a look at the Snort 3.x beta. I took some time looking at the alpha release in '07, and am happy to see how far it has come since then.

Over the last few weeks, I have seen a couple of posts to the Snort forums asking for help to get Snort 3.x up and running. It is good to see that others are interested in testing the engine, and unfortunate that there is such a steep learning curve to get to grips with the new way that Snort and the Snort Security Platform now work. I have a hunch that after a little effort in learning the new methods it will all soon seem like second nature to all of us.

I thought I would share the steps I went through to get Snort 3 running on a test VMware virtual machine in the hope they can help out others.

My base OS is Ubuntu JeOS, a stripped-down build of Ubuntu designed and optimised for running in a VMware instance. The instructions below should work for pretty much any Debian-based OS; let me know if they don't!

The JeOS installation leaves me with a minimal Ubuntu system, comparable to Debian "base", so to build anything on top of it we need to install some extra packages.

Before we try to install and configure the Snort Security Platform along with the Snort 3 analytical engine, let's make sure that we are able to get snort 2.8.2.1 (the latest stable 2.x release at the time of writing) working on our device. This extra task will save us a LOT of time later.

Building and installing Snort 2.8

Firstly, I want to access this device via ssh, so an ssh daemon is required along with some other basic tools.

sudo apt-get install ssh wget

We need all the key components to allow us to compile code; the build-essential meta-package will install all of these for me.

sudo apt-get install build-essential

To build Snort from source, we need to install some key libraries and development headers that it requires. libpcap is the promiscuous packet capture library; it is used by Snort, Wireshark, tcpdump etc. to capture network traffic.

sudo apt-get install libpcap0.8 libpcap0.8-dev

Snort supports PCRE for matching data within packets and data streams, so we need to install the required libraries and header files.

sudo apt-get install libpcre3 libpcre3-dev

Once Snort's dependencies are installed, let's get the snort 2.x source and install it.

wget http://snort.org/dl/current/snort-2.8.2.1.tar.gz
tar -zxf ./snort-2.8.2.1.tar.gz
cd snort-2.8.2.1
./configure
make
sudo make install
sudo mkdir /etc/snort
sudo cp etc/* /etc/snort

We should now be in a position where Snort 2.8.x is ready to be configured for use; let's check that it is available with snort -V.

snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.2.1 (Build 16)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.4 2007-09-21

Before we can test Snort in any way, we need a few more things: some rules, and some test data. How you access the Snort rulebase depends on whether or not you are a Snort rule subscriber, and what level of subscription you have. For this simple test we don't need the latest and greatest rules from the Sourcefire VRT (Vulnerability Research Team) as we would if we were running a real sensor, but we do need a modern set of rules that will work with a 2.8 engine.

Go and register an account on snort.org, and download the "registered user release", or use whatever ruleset you have handy for a 2.8 engine. Put the rule files into /etc/snort/rules/

<get hold of rule tarball>
tar -zxf snortrules-snapshot-CURRENT.tar.gz
sudo cp -r rules/ /etc/snort/

We now need to set the "RULE_PATH" variable in /etc/snort/snort.conf to point to /etc/snort/rules. I use vi to accomplish this.

sudo vi /etc/snort/snort.conf

After editing, the line should look like this:

grep "var RULE_PATH" /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules

Let's now give snort a test.

snort -c /etc/snort/snort.conf -A fast -l /tmp -T

This command tells snort to start up in IDS mode reading /etc/snort/snort.conf, with the output mode set to "fast" (-A fast), logging to the /tmp directory (-l /tmp), and to simply test the config and exit (-T).

You should see an output a little like this:

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.2.1 (Build 16)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.8  <Build 14>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.1  <Build 10>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
           Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSLPP  Version 1.0  <Build 1>

Snort successfully loaded all rules and checked all rule chains!
Snort exiting
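If the -T run fails instead, the usual cause after dropping in a new ruleset is an include that RULE_PATH cannot resolve. The check below is an added example, not from the original post; the function name check_snort_conf is mine, and it assumes that relative include paths resolve against the directory holding snort.conf.

```shell
# Sanity-check a snort.conf before running "snort -T": the RULE_PATH
# directory must exist and every "include $RULE_PATH/..." must resolve
# to a readable file. (Added example; check_snort_conf is an assumed name.)
# Usage: check_snort_conf /etc/snort/snort.conf
check_snort_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # Use the last "var RULE_PATH <dir>" definition, as snort would.
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {p=$3} END {print p}' "$conf")
    if [ -z "$rule_path" ]; then
        echo "no 'var RULE_PATH' line in $conf" >&2
        return 1
    fi
    if [ ! -d "$rule_path" ]; then
        echo "RULE_PATH $rule_path is not a directory" >&2
        return 1
    fi

    missing=0
    for inc in $(awk '$1=="include" {print $2}' "$conf"); do
        case "$inc" in
            '$RULE_PATH'/*) f="$rule_path/${inc#\$RULE_PATH/}" ;;
            /*)             f="$inc" ;;
            # Assumption: relative includes live beside snort.conf.
            *)              f="$(dirname "$conf")/$inc" ;;
        esac
        if [ ! -r "$f" ]; then
            echo "missing include: $inc -> $f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```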

The pcap below is one I commonly use for testing an installation; it contains some obvious attacks from about 2001. I host it here to make it easy for me to find, but it is originally from the Honeynet Project (original data captured by Rain Forest Puppy).

cd /tmp
wget rm-rf.co.uk/downloads/Honeynet-RFP-iis.tgz
tar -zxvf ./Honeynet-RFP-iis.tgz

Now we have Snort configured (using the term loosely) and a pcap to test it with, let's give it a run.

snort -c /etc/snort/snort.conf -A fast -l /tmp -r ./Honeynet-RFP-iis.pcap

If successful you should have a file, /tmp/Alert, that contains lots of alarms, and /tmp/snort.log.<timestamp> containing the pcaps of the detected events.

If you do, let's move on to building and installing SnortSP.
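Once that run has produced an alert file, a quick way to see what fired and which hosts it came from. This is an added example, not from the original post; the function names are mine, and the sample lines are constructed in the 2.8 "fast" alert format rather than taken from the Honeynet pcap.

```shell
# Summarise a "-A fast" alert file: one line per rule id, most frequent first.
# Fast format: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
# (Added example; alert_summary / alert_sources are assumed names.)
alert_summary() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id  = substr($0, RSTART, RLENGTH)          # "[gid:sid:rev]"
            msg = substr($0, RSTART + RLENGTH + 1)     # text after the id
            sub(/ \[\*\*\].*/, "", msg)                # drop everything from the 2nd [**]
            n[id " " msg]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Count alerts per source host; ICMP lines have no port, so split on ":"
# handles both "a.b.c.d:port" and a bare address.
alert_sources() {
    awk '/ -> / { split($(NF-2), a, ":"); n[a[1]]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample lines (not real sensor output) so the functions can be
# tried without a pcap run.
write_sample_alerts() {
    cat > "$1" <<'EOF'
07/27-17:45:00.123456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 10.0.0.1:80
07/27-17:45:01.234567  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3457 -> 10.0.0.1:80
07/27-17:45:02.345678  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3458 -> 10.0.0.1:80
07/27-17:45:03.456789  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.1
EOF
}
```

Point alert_summary and alert_sources at the alert file snort wrote to the -l directory to get the same two views of a real run.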

Building Snortsp 3.0Beta

The Snort Security Platform has further build requirements on top of those that were needed for Snort 2.x.

Libnet and libdumbnet provide low-level packet creation and modification libraries. Note that libdumbnet is the Debian name for what other distributions call libdnet. The curses libraries handle screen and terminal manipulation, and libreadline provides history and tab completion for terminal commands to improve the user's experience with a shell. Lua is the new scripting language used in the Snort Security Platform, flex and bison are more modern replacements for lex and yacc, and a UUID (universally unique identifier) generator is also now required for SnortSP.

sudo apt-get install libnet1 libnet1-dev \
    libdumbnet-dev libdumbnet1 \
    libncurses5 libncurses5-dev \
    libreadline5 libreadline5-dev \
    liblua5.1-0 liblua5.1-0-dev \
    flex bison \
    uuid uuid-dev

Now download and compile SnortSP.

Note: at the time of writing snort 3.0.0b2 is the most current release. Don't use old betas; go and grab the latest from snort.org.

cd ~
wget http://www.snort.org/dl/prerelease/3.0.0-b2/snortsp-3.0.0b2.tar.gz
tar -zxf ./snortsp-3.0.0b2.tar.gz
cd snortsp-3.0.0b2
./configure
make
sudo make install
sudo ldconfig
sudo mkdir /etc/snortsp
sudo cp etc/* /etc/snortsp/

SnortSP should now be installed. Note that this is just the security platform and not the Snort engine itself; Snort, the analytical engine, needs to be built separately. Before we compile it, first check that snortsp works:

snortsp -V
SnortSP Version 3.0.0b2

cd src/analysis/snort/

./configure --with-platform-includes=/usr/local/include/snortsp/ \
    --with-platform-libraries=/usr/local/lib/snortsp/
make
sudo make install

The Snort engine should now be ready for configuration and use under SnortSP. The challenge we have now is to get it doing what we want.

Start up snortsp to check that the platform is ready for use (ssp.shutdown() is the command to shut down the snortsp shell):

sudo snortsp -L /etc/snortsp/snort.lua
[+] Loaded pcap DAQ
[+] Loaded file DAQ
[+] Loaded afpacket DAQ
[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded gtp
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
Control thread running - 3083479952 (22010)
[*] Loading command interface
[!] Loading SnortSP command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
[!] Loading output command metatable
[!] Loading analyzer command metatable
Executing /etc/snortsp/snort.lua
   ,,_     -*> SnortSP! <*-
  o"  )~   Version 3.0.0b2 (Build 9) [BETA]
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 2008 Sourcefire Inc.
snort> ssp.shutdown()

Because snortsp is a radically new method of handling data sources and detection engines (such as the Snort analytic engine), a tool is provided within the snortsp tarball for porting your old method of starting up snort so that it runs within snortsp. This tool is called sspiffy.sh. It was a key element in getting my first instance of snort inside snortsp to run the packets contained in my pcap through detection; however, it wasn't the simple walk in the park it was supposed to be.

I suggest you take a look at the documentation for this tool and see how you get on, but expect the lua file that it creates to be close rather than perfect. Also make sure that it has write access to your snort.conf. With this in mind, I decided to share my slightly modified lua file, based on the output of sspiffy.sh. It works for me along with this snort.conf. Feel free to hack about with it to make it do what you want.

My snort.lua file (save it to /etc/snort)

My snort3 beta snort.conf file (save it to /etc/snort)

cd /tmp/
wget http://rm-rf.co.uk/downloads/snort3_beta_pcap.lua
sudo cp snort3_beta_pcap.lua /etc/snort/

sudo mv /etc/snort/snort.conf /etc/snort/snort.conf.2.8
wget http://rm-rf.co.uk/downloads/snort3_beta.conf
sudo cp /tmp/snort3_beta.conf /etc/snort/snort.conf

Now let's fire up snortsp using the lua file above, and see how she goes. If successful you should see output like this.

Anyway, I need to spend some more time playing with the tool and less writing all of this. Let me know if I have got something wrong, or if these instructions don’t work for you.

Happy Snortin’

-Leon


Written by leonward

July 27, 2008 at 5:45 pm

Posted in Security


11 Responses


  1. Hi,
    Thank you very much for your great help.
    It really helped me in the implementation of my final dissertation of my degree.
    It really works great.
    No trouble, no problems.

    Thanks a lot.

    Iqrar Hussain

    October 19, 2008 at 12:02 pm

  2. […] Snort 3 Beta on Ubuntu / Debian Installation by Leon Ward […]

  3. There is one point I don't understand. Snort SP should take advantage of a multi-core machine, i.e. we can run in parallel, let's say, 4 Snort engines.

    How can we do it? By the snort.lua config file? How will Snort SP divide the traffic between 4 engines?

    Your tutorial seems to instruct us to run 1 Snort engine only.

    Thank you for your opinion.

    Dinh Van Vu

    February 5, 2009 at 11:52 am

  4. This is more of a question for those working on the code than me as a user.
    As I understand it Snort 3 will use resources from multiple cores by default. One for decode & state tracking and another for detect.

    Snort 3 isn’t ready for real use yet, so keep focused on the 2.8 tree.

    -L

    leonward

    March 8, 2009 at 12:52 pm

  5. when I reached the
    Snort -V
    I got the following:
    The program can be found in the following packages:
    * snort-pgsq
    *snort-mysql
    *snort
    Try:apt-get install
    -bash:snort:order not found
    I installed 2.8.3.2 without any problem, but I am new to Linux and Ubuntu.
    Regards

    emilio

    April 6, 2009 at 2:39 pm

    • You are seeing that message because the command “snort” cannot be found in your path.
      $ echo $PATH # will show you what your path is set to.

      Did you “make install” ? Did it succeed?

      leonward

      April 6, 2009 at 4:19 pm

    • Hi,

      you can try this :
      updatedb
      locate snort | grep bin
      ( should give you something like : /usr/local/bin/snort
      )

      so you can type ln -s /usr/local/bin/snort /usr/sbin/
      => it will create a snort file in /usr/sbin/ with a link to /usr/local/bin/snort

      it should resolve your issue ( I had the same issue )

      Fred

      July 8, 2009 at 3:00 pm

  6. Hi.
    I got the following
    make[3]: `install-data-am’

    make[3]: Leaving directory `/usr/local/src/snortsp-3.0.0b3/src/analysis/snort/dynamic-preprocessors/ftptelnet’
    make[2]: Leaving directory `/usr/local/src/snortsp-3.0.0b3/src/analysis/snort/dynamic-preprocessors/ftptelnet’
    make[2]: Entering directory `/usr/local/src/snortsp-3.0.0b3/src/analysis/snort/dynamic-preprocessors’
    make[3]: Entering directory `/usr/local/src/snortsp-3.0.0b3/src/analysis/snort/dynamic-preprocessors’

    How can I fix this?

    Thanks in advance.

    Lee

    January 7, 2010 at 9:00 am

    • I'm not seeing a problem in that snippet. Upload the complete output to pastebin and I'll take a look.

      leonward

      January 7, 2010 at 12:42 pm

  7. Very grateful for your excellent Snort document. I am a college student, and a computer security course asked us to develop the following project:

    Adaptation of a module to support multiprocessing in the IDS / IPS Snort so it could work at capacities greater than 2 Gbps throughput

    Description: Currently one of the problems of Snort is that single-thread programming cannot exploit the existing processing resources, thus the throughput capacity for traffic is limited to not exceeding 400 Mbps. The mechanisms of stacking Snort through PortChannel produce a poorly scalable solution with poor load balancing.

    The project objectives are:

    Create a module to run multiple instances of Snort, directing each to use a core

    It is a very new area for us because we do not know where to start, and do not know what development tools to use to develop the module, so please give us a pattern to follow for the development of our project.

    Sebastian

    July 4, 2010 at 8:23 pm

    • Hi Sebastian,

      I work with Snort in multi-gig environments everyday. Although Snort’s detection operates as a single thread, multi-threading alone won’t solve a “few hundred” Mbps performance bottleneck that you’re having.

      Take a read of the below link, hopefully it will point you on a different path but something makes me think your course won’t be interested in the result, just the fact they can waste some effort in the journey.
      http://vrt-sourcefire.blogspot.com/2010/06/single-threaded-data-processing.html

      -Leon

      leonward

      July 4, 2010 at 8:48 pm
