First time Arch Installer, learning how to network properly to protect my family.
We are attempting to add Snort to our growing system tool kit, as there is limited information available online at this time we wanted to reach out here.
We were required to make two packages in order to make the Snort package.
So we made the two required packages (libdaq and pulledpork), then made the Snort package and installed it successfully: Version 3.1.22.0
We found our snort.conf folder both in our home directory as well as here:
/usr/lib/sysusers.d/snort.conf
/usr/lib/tmpfiles.d/snort.conf
We also found another "swap file" located here: /usr/lib/sysusers.d/snort.conf
ALL of these files appear to be empty.
Are there any further steps required to edit the snort.conf file or is this a failed "successful installation." ?
Because it appears that we cannot edit the sysusers.d/snort.conf file in order to test the configuration properly, in order to proceed in any manner at this time.
thank you!
Last edited by mwotim (2022-02-21 12:00:42)
sysusers and tmpfiles have nothing to do w/ the snort config itself.
https://wiki.archlinux.org/title/Snort#Configuration and wrt to your other thread, this is WAY above your head.
I suggest to focus on setting up a *basic*, working network environment before you look into an intrusion detection system again.
If you want to keep the arch system connected directly to the WAN, you'll need to set up an IP filter; while personally not a huge fan of the abstraction levels, you may want to look at https://wiki.archlinux.org/title/Uncomplicated_Firewall
But my sincere best advice to you is to get a consumer grade router between your system and the internet.
In order to use snort, you'll first and foremost require a working local router to at least divert packets to the IDS - and it gets more complicated if you want to use it as IPS (see the general notes on the arch wiki page - which does not even begin to scratch the surface of intrusion detection)
As a general remark: those systems are set up *before* connecting them or anything behind to the network, because otherwise everyone had all the time in the world to compromise them anyway.
Snort arch wiki is outdated and is for snort 2.
AUR has snort 3 as well as pulled pork 3. (It includes pulled pork 2 as well)
For IPS snort package see snort-nfqueue package on AUR
Last edited by amish (2022-02-21 15:04:11)
FYI I did not ask how to find an arch wiki, I read and re-read it, watched some videos (none relevant or recent) and read the GitHub comments - all done prior to this posting request.
Please do not contribute to post clog.
//
Thanks Seth, you've been more helpful than anyone, and I know it's not easy trying to help people with the information provided, but I want to experiment with us BEFORE setting up my new network when I relocate and set up a trust with an enterprise firewall.
It seems I am not alone: I found absolutely nothing recent on this topic when I searched this forum and from what I saw on the last posted comment here https://aur.archlinux.org/packages/snort
So I consider myself fortunate to have not received the errors one user "got." Either way I simply timeshifted because the best information I found upon my initial researching had me looking for:
/etc/snort/snort.conf
Since this file was not set up either by a. my installation steps with the 3 required packages I installed which were not mentioned on the arch wiki or
b. the current "noted" issue with the AUR git file - nobody knows.
And the video I obtained my setup instructions from was not done on Arch.
So I guess we wait until the AUR is updated
Then it's only a matter of testing the configuration with the ethernet label (en#####) and proceeding with the next command from the video to see if it works before moving into researching how to set it up in "inline mode."
Either way I'm not going to live in fear of having my http ports open to someone trying to brute force my luks or netgear password to superimpose the firmware just to be a dink to a guy who stood up to fear in a jail cell for 3+ years by refusing to take a series of plea bargains for making a series of psychic threats that have all been fulfilled - and will continue to be fulfilled in the worst possible way.
My network is secure, as I am protected by psi.
//
ewsboost commented on 2022-02-07 12:48 (UTC)
Oooh, man, this sucks... Is this package both out-of-date and abandoned? I appreciate the effort people put into maintaining stuff, but this is not right and not typical. Please fix!
Either way I'm not going to live in fear of having my http ports open to someone trying to brute force my luks or netgear password to superimpose the firmware just to be a dink to a guy who stood up to fear in a jail cell for 3+ years by refusing to take a series of plea bargains for making a series of psychic threats that have all been fulfilled - and will continue to be fulfilled in the worst possible way.
This is a technical support forum, please stick to the relevant subject at hand.
There are plenty of other places online for all that sort of talk.
You have already been warned about this once, consider this your final warning.
Got it.
Got it installed using 'yay'.
Last edited by mwotim (2022-02-22 19:40:03)
Now I'm getting a DAQ PCAP error when I verify the configuration using HOME_NET '192.168.1.1'
When I run "yay pcap," I see 43 options, not one reference to DAQ.
If I run "yay daq," I see 6 more options:
yay daq
6 aur/ni-daqmx-base-bin 15.0.0-1 (+0 0.00)
a subset of NI-DAQmx functionality for your data acquisition system
5 aur/python-dash-daq 0.5.0-1 (+0 0.00)
Control components for Dash
4 aur/libuldaq 1.2.0-3 (+0 0.00)
3 aur/nidaqmx-dummy 0.1-1 (+0 0.00) (Out-of-date: 2019-04-26)
Dummy library to compile and link code using NI DAQmx under Linux
2 aur/libdaq-static 3.0.5-1 (+1 0.00)
Data Acquisition library for packet I/O.
1 aur/libdaq 3.0.6-1 (+4 0.00) (Installed)
Data Acquisition library for packet I/O.
==> Packages to install (eg: 1 2 3, 1-3 or ^4)
Can someone advise on how to fix this error in order to verify my Snort configuration installed using the yay repository helper program?
Please post error messages verbatim, https://bbs.archlinux.org/viewtopic.php?id=57855
https://en.wikipedia.org/wiki/Pcap
https://en.wikipedia.org/wiki/Data_acquisition
You can't "yay-fix" whatever that error is.
Is the host meanwhile in the 192.168.1.0/24 segment?
ip a
Answer 2024: Install snort. It's gonna take upwards of 20 min, it compiles everything you need out of the box.
yay -S snort
The directories to make note of: /etc/snort/ and /usr/lib/daq and likely others
update the rules with:
touch /etc/snort/pulledpork.conf
pulledpork.pl -c /etc/snort/pulledpork.conf -Pw
somewhere in /etc/snort/snort.lua file you will need these lines
HOME_NET = 'any'
EXTERNAL_NET = 'any'
Try to log, run as a root user, and keep those directories in mind:
sudo snort -c /etc/snort/snort.lua --daq-dir /usr/lib/daq -i ens33 -l /var/log/snort
so the answer is : --daq-dir
You can spend a lot of time searching the internet for configuration files and rules. Use chatgpt and github to find configuration files and setups; make sure it's not for windows and that it's for the version of snort you are using.
Last edited by xunilatus (2024-07-13 22:30:58)
update the rules with:
touch /etc/snort/pulledpork.conf
pulledpork.pl -c /etc/snort/pulledpork.conf -Pw
Pulledpork is now a dependency of snort. So these should not be required.
It happens automatically post installation of snort.
somewhere in /etc/snort/snort.lua file you will need these lines
HOME_NET = 'any'
EXTERNAL_NET = 'any'
This goes in the homenet.lua file and not in snort.lua. But in most cases, you won't need to update homenet.lua. Defaults should suffice.
Last edited by amish (2024-07-14 02:09:57)
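The two fixes that close this thread (pass --daq-dir explicitly so Snort finds its pcap DAQ module, and keep HOME_NET/EXTERNAL_NET in homenet.lua) can be turned into a repeatable pre-flight check. The script below is an added example written for this page; it is not code from the Snort project, the AUR package, or any poster. It assumes the paths named in the posts (/etc/snort/snort.lua, /etc/snort/homenet.lua, /usr/lib/daq), adds /usr/local/lib/daq as a second guess for a source-built libdaq, and uses only documented Snort 3 options (-c, -i, -T, --daq-dir, --daq-list). Two practitioner caveats it encodes: a bare address like 192.168.1.1, as tried earlier in the thread, makes HOME_NET cover only the router, not the hosts behind it, so it derives a /24-style prefix from the host's own routing table; and HOME_NET = 'any' makes every rule's $HOME_NET/$EXTERNAL_NET direction meaningless, so it sets EXTERNAL_NET = '!$HOME_NET' (an assumed choice; the stock 'any' also works).

```shell
#!/bin/sh
# Added example for this thread (not Snort's or any poster's code).
# Pre-flight check for a fresh `yay -S snort` install on Arch:
#  1. locate the directory that really contains the pcap DAQ module,
#  2. derive HOME_NET from the host's directly connected IPv4 prefix,
#  3. write homenet.lua and run Snort's config test with --daq-dir.

# find_daq_dir DIR...: print the first directory holding daq_pcap.so.
# A "DAQ PCAP" error usually means Snort looked elsewhere, so check the
# file instead of trusting the documented path.
find_daq_dir() {
    for d in "$@"; do
        if [ -f "$d/daq_pcap.so" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# home_net_from_routes: read `ip -4 route` output on stdin and print the
# first directly connected ("scope link") prefix, e.g. 192.168.1.0/24.
# The default route ("default via ...") is skipped because $2 is "via".
home_net_from_routes() {
    awk '$2 == "dev" && /scope link/ && index($1, "/") > 0 { print $1; exit }'
}

# render_homenet_lua CIDR: emit homenet.lua. Snort 3 reads both variables
# as Lua strings; '!$HOME_NET' (everything not in the home net) is assumed
# here instead of the stock 'any'.
render_homenet_lua() {
    printf "HOME_NET = '%s'\n" "$1"
    printf "EXTERNAL_NET = '!\$HOME_NET'\n"
}

# preflight IFACE [HOMENET_FILE]: glue it together on a real host. Run as
# root; Snort needs it to open the interface. Existing homenet.lua is kept
# as a .bak copy before it is overwritten.
preflight() {
    iface=$1
    homenet=${2:-/etc/snort/homenet.lua}
    daqdir=$(find_daq_dir /usr/lib/daq /usr/local/lib/daq) || {
        echo "no daq_pcap.so under /usr/lib/daq or /usr/local/lib/daq; is libdaq installed?" >&2
        return 1
    }
    net=$(ip -4 route | home_net_from_routes)
    [ -n "$net" ] || { echo "no directly connected IPv4 prefix found (check: ip a)" >&2; return 1; }
    echo "HOME_NET will be $net; DAQ modules in $daqdir"
    [ -f "$homenet" ] && cp -p "$homenet" "$homenet.bak"
    render_homenet_lua "$net" > "$homenet"
    # show which DAQ modules Snort can see from that directory, then
    # parse and load the configuration without capturing traffic (-T)
    snort --daq-dir "$daqdir" --daq-list
    snort -c /etc/snort/snort.lua --daq-dir "$daqdir" -i "$iface" -T
}

# On the host, run with the interface name from `ip a`, e.g.:
#   preflight ens33
```

If the config test passes, the same --daq-dir value goes on the real capture command from the earlier post (snort -c /etc/snort/snort.lua --daq-dir /usr/lib/daq -i ens33 -l /var/log/snort). If find_daq_dir fails while the libdaq package is installed, list the package's files with pacman -Ql libdaq to see where daq_pcap.so actually landed and pass that directory instead.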