Snort Intrusion Detection System Configuration
Snort is one of the most widely deployed open-source intrusion detection and prevention systems in the world. As a network-based IDS/IPS, Snort analyzes network traffic in real time to identify suspicious activity, enforce network policies, and log traffic for post-incident analysis. This guide covers installing Snort 3 on Linux, configuring network variables, managing detection rules, setting up preprocessing, configuring output plugins, and using PulledPork for automated rule management and maintenance.
Table of Contents
- System Requirements
- Installation
- Snort 3 Architecture
- Network Variables Configuration
- Rule Management Basics
- PulledPork Rule Manager
- Preprocessors and Inspection
- Output Plugins
- Inline Mode Configuration
- Rule Tuning and Optimization
- Monitoring and Maintenance
- Conclusion
System Requirements
Snort 3 requires modern hardware and libraries for optimal performance. Ensure your system meets these specifications:
- Intel or AMD multi-core processor (4+ cores recommended)
- Minimum 2 GB RAM (4 GB+ for production)
- 20 GB disk space for binaries, rules, and logs
- Linux kernel 4.0 or newer
- GCC compiler and development libraries
- PCAP library for packet capture
Check system prerequisites:
uname -r
nproc
free -h
df -h /
gcc --version
Installation
Install Snort 3 from source for maximum control and the latest features. The build compiles the dependencies and then Snort itself.
Install the required development packages. Snort 3 also needs LuaJIT, hwloc and libdaq 3.x; libdaq is not packaged by most distributions and is built from https://github.com/snort3/libdaq before Snort.
For Ubuntu/Debian:
sudo apt-get update
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev pkg-config cmake libluajit-5.1-dev libhwloc-dev
For CentOS/RHEL:
sudo yum groupinstall -y 'Development Tools'
sudo yum install -y libpcap-devel pcre-devel libdnet-devel openssl-devel zlib-devel luajit-devel hwloc-devel cmake
Download Snort 3 source code:
cd /tmp
wget https://github.com/snort3/snort3/archive/3.1.73.0.tar.gz
tar xzf 3.1.73.0.tar.gz
cd snort3-3.1.73.0
Compile Snort 3:
./configure_cmake.sh --prefix=/opt/snort
cd build
make -j$(nproc)
sudo make install
Add Snort to the system PATH (escape $PATH so it is expanded at login rather than when the file is written):
sudo bash -c 'echo "export PATH=/opt/snort/bin:\$PATH" >> /etc/profile.d/snort.sh'
source /etc/profile.d/snort.sh
Verify the installation:
snort -V
which snort
Create a dedicated unprivileged user, then the directories for rules and logs:
sudo useradd -r -s /usr/sbin/nologin -d /var/lib/snort snort
sudo mkdir -p /etc/snort /var/log/snort /var/lib/snort
sudo chown -R snort:snort /var/log/snort /var/lib/snort
Snort 3 Architecture
Snort 3 uses a modular architecture with pluggable components. The main components are:
- Inspector plugins (inspect network protocols)
- IPS Action plugins (decide how to handle alerts)
- Logger plugins (output alerts and events)
- Data Handler plugins (manage inspection state)
View available inspectors (--list-plugins prints entries as type::name):
snort --list-plugins | grep '^inspector::'
View available loggers:
snort --list-plugins | grep '^logger::'
View module help:
snort --help-module http_inspect
Network Variables Configuration
Network variables define trusted networks, monitored ports, and other policy elements. Create the main configuration file:
sudo nano /etc/snort/snort.lua
Define network variables in the configuration:
-- Snort 3 configuration file
-- Network variables. Values are strings: bracket a comma-separated list, '!' negates.
HOME_NET = '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'
EXTERNAL_NET = '!$HOME_NET'
RULE_PATH = '/etc/snort'
-- Ports (space-separated strings)
HTTP_PORTS = '80 8080 8888'
SHELLCODE_PORTS = '!80'
ORACLE_PORTS = '1521'
SSH_PORTS = '22'
FTP_PORTS = '21'
SIP_PORTS = '5060 5061'
DNS_PORTS = '53'
MODBUS_PORTS = '502'
DNP3_PORTS = '20000'
-- Policy selection: 'tap' is passive IDS, 'inline' is IPS (see Inline Mode below).
-- A variable is only usable as $NAME in rules once it is registered here.
ips =
{
    mode = 'tap',
    variables =
    {
        nets = { HOME_NET = HOME_NET, EXTERNAL_NET = EXTERNAL_NET },
        ports =
        {
            HTTP_PORTS = HTTP_PORTS, SHELLCODE_PORTS = SHELLCODE_PORTS, ORACLE_PORTS = ORACLE_PORTS,
            SSH_PORTS = SSH_PORTS, FTP_PORTS = FTP_PORTS, SIP_PORTS = SIP_PORTS,
            DNS_PORTS = DNS_PORTS, MODBUS_PORTS = MODBUS_PORTS, DNP3_PORTS = DNP3_PORTS,
        },
    },
}
Create a network variables file for easier management:
sudo nano /etc/snort/vars.lua
Add comprehensive variables:
-- Snort 3 network variables
-- Define your networks (bracketed, comma-separated string)
HOME_NET = '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'
EXTERNAL_NET = 'any'
-- HTTP ports (space-separated strings, as Snort 3 expects for port variables)
HTTP_PORTS = '80 8080 8888 8000 3128 3132 8081 6588'
HTTPS_PORTS = '443 465 563 8443'
-- Mail ports
MAIL_PORTS = '25 109 110 143 600 993 995'
-- P2P ports
P2P_PORTS = '1214 3689 4662 6346 6666 6667 6668 6669'
-- RPC services
RPC_PORTS = '111 32770 32771 32772 32773 32774 32815'
Load the variables file near the top of snort.lua, before the ips table is built, and register any new names (for example MAIL_PORTS) in ips.variables.ports so rules can reference them as $MAIL_PORTS. Lua files are pulled in with dofile; the include key is reserved for rules files:
dofile('/etc/snort/vars.lua')
Rule Management Basics
Snort rules are the core detection logic. A basic rule consists of:
- Action (alert, drop, pass, log)
- Protocol (tcp, udp, icmp, ip)
- Direction (from/to)
- Source and destination addresses
- Ports
- Rule options (msg, flow, content, etc.)
Create a custom rules file:
sudo nano /etc/snort/custom.rules
Example rules:
# Detect SSH brute force: 10 or more connections from one source to SSH ports within 60 s.
# Snort 3 uses detection_filter in place of the old threshold rule option.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH Brute Force Attempt"; flow:to_server,established; content:"SSH-",depth 4; detection_filter:track by_src, count 10, seconds 60; sid:1000001; rev:1;)
# Detect port scanning (5 or more FIN-only segments from one source within 60 s)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Port Scan"; flags:F; detection_filter:track by_src, count 5, seconds 60; sid:1000002; rev:1;)
# Detect SQL injection attempts (Snort 3 uses the sticky http_uri buffer instead of uricontent)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection Attempt"; flow:to_server,established; http_uri; content:"union",nocase; sid:1000003; rev:1;)
# Detect common malware user agents (the buffer precedes the content it applies to)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Suspicious User-Agent"; flow:to_server,established; http_header:field user-agent; content:"curl",nocase; sid:1000004; rev:1;)
# Detect Nikto scanning (nocase is the valid spelling of case-insensitive matching)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Nikto Scanner Detected"; flow:to_server,established; http_header:field user-agent; content:"nikto",nocase; sid:1000005; rev:1;)
Register the custom rules in the main configuration. ips is a single Lua table, so rather than defining it a second time, extend it after the block that sets mode and variables:
ips.enable_builtin_rules = true
ips.include = '/etc/snort/custom.rules'
Test the configuration and rules for syntax errors:
snort -c /etc/snort/snort.lua -T
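The rule structure listed above, as an added example that is not part of the original guide: a small Python parser that splits a Snort rule into its header fields and options and checks it against the nets and ports registered in ips.variables. The ACTIONS and PROTOCOLS sets are an illustrative subset, not Snort's authoritative list.

```python
import re

# Rule header grammar from the rule basics above: action proto src sport dir dst dport (options)
ACTIONS = {"alert", "drop", "pass", "log", "block", "reject", "rewrite"}  # illustrative subset
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "ssh", "ftp", "dns", "smb", "ssl"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Split on ';' only when an even number of '"' follows, i.e. outside quoted msg/content strings
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(text):
    """Split one rule into header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("header must be: action proto src sport -> dst dport (options)")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in OPT_SPLIT_RE.split(m.group("opts")):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options.append((key.strip(), value.strip()))
    rule["options"] = options
    return rule


def check_rule(rule, nets, ports):
    """Return problems a loader would reject: unknown action/proto, $VARs missing from
    ips.variables (nets/ports), and a rule without msg/sid/rev."""
    problems = []
    if rule["action"] not in ACTIONS:
        problems.append(f"unknown action {rule['action']}")
    if rule["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {rule['proto']}")
    for field, table in (("src", nets), ("dst", nets), ("sport", ports), ("dport", ports)):
        for var in re.findall(r"\$(\w+)", rule[field]):
            if var not in table:
                problems.append(f"{field}: undefined variable ${var}")
    keys = {k for k, _ in rule["options"]}
    problems.extend(f"missing {k}" for k in ("msg", "sid", "rev") if k not in keys)
    return problems


if __name__ == "__main__":
    # Constructed check: the SSH rule from this section against a configuration
    # whose ips.variables.ports does not define SSH_PORTS.
    rule = parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH Brute Force Attempt"; '
                      'flow:to_server,established; content:"SSH-",depth 4; sid:1000001; rev:1;)')
    print(check_rule(rule, {"HOME_NET", "EXTERNAL_NET"}, {"HTTP_PORTS"}))
```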
PulledPork Rule Manager
PulledPork is a rule management tool that automates downloading, merging, and organizing Snort rules from various sources. Install PulledPork:
cd /tmp
wget https://github.com/pulledpork/pulledpork/archive/v0.7.3.tar.gz
tar xzf v0.7.3.tar.gz
cd pulledpork-0.7.3
sudo install -m 755 pulledpork.pl /usr/local/bin/
sudo mkdir -p /etc/pulledpork
sudo cp pulledpork.conf /etc/pulledpork/
Configure PulledPork:
sudo nano /etc/pulledpork/pulledpork.conf
Critical settings:
# Output directory
output_directory=/etc/snort/rules
# Rule source URL (requires registration for commercial rules)
rule_url=https://rules.snort.org/snortrules-snapshot-33120.tar.gz|<your-oinkcode>
# ET Pro rules (if available)
et_pro_url=https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
# Local rules
local_rules=/etc/snort/custom.rules
# Sid map file for rule versioning
sid_map_fqdn=https://www.snort.org/sid-msg-map
# Alert classification
classification_file=/etc/snort/classification.config
# Reference configuration
reference_config_file=/etc/snort/reference.config
# Verbose output
verbose=1
For ET Open rules (free alternative to Snort VRT):
# Download ET Open rules manually
mkdir -p /tmp/et-rules
cd /tmp/et-rules
wget https://rules.emergingthreats.net/open/snort/emerging.rules.tar.gz
tar xzf emerging.rules.tar.gz
Run PulledPork to update rules:
sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf -l
Check the rule counts after the update (snort -T reports how many rules loaded):
snort -c /etc/snort/snort.lua -T 2>&1 | grep -A5 'rule counts'
Schedule automatic rule updates:
sudo crontab -e
Add this line for daily updates at 3 AM. The new rule set is validated with snort -T before the restart, so a bad download cannot take the sensor down; cron's PATH does not include /opt/snort/bin, hence the full path:
0 3 * * * /usr/local/bin/pulledpork.pl -c /etc/pulledpork/pulledpork.conf -l > /var/log/snort/pulledpork.log 2>&1 && /opt/snort/bin/snort -c /etc/snort/snort.lua -T -q >> /var/log/snort/pulledpork.log 2>&1 && systemctl restart snort
Preprocessors and Inspection
Preprocessors analyze protocol-specific behavior before rule matching. In Snort 3, these are called inspectors and are configured differently.
Configure HTTP inspection:
-- HTTP inspector configuration
http_inspect = {
    request_depth = -1, -- -1 means no limit on body bytes inspected; 0 would skip bodies entirely
    response_depth = -1,
    unzip = true, -- decompress gzip/deflate bodies before inspection
    script_detection = true,
    normalize_utf = true,
}
Configure TCP stream reassembly. Session cache sizing lives in the stream module and per-flow TCP behavior in stream_tcp:
stream = {
    tcp_cache = { max_sessions = 200000, idle_timeout = 3600, pruning_timeout = 30 },
}
stream_tcp = {
    policy = 'linux', -- reassembly policy of the protected hosts
    session_timeout = 3600,
    show_rebuilt_packets = false,
    track_only = false, -- false keeps reassembly enabled
}
Configure DNS, FTP and SSL/TLS inspection. In Snort 3 these inspectors take no port list of their own; the binder assigns traffic to them (HTTP is included so the http_inspect block above sees the HTTP_PORTS traffic):
dns = { }
ftp_server = { }
ftp_client = { }
ssl = {
    trust_servers = false, -- require encrypted data from both sides before trusting a session
}
binder = {
    { when = { proto = 'udp', ports = '53' }, use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '21 2100 3535 5600 5631 9503' }, use = { type = 'ftp_server' } },
    { when = { proto = 'tcp', ports = '443 465 563 585 614 636 989 990 992 993 995 8443' }, use = { type = 'ssl' } },
    { when = { proto = 'tcp', ports = '80 8080 8888' }, use = { type = 'http_inspect' } },
}
Output Plugins
Output plugins format and deliver alerts and events to various destinations. Each logger writes into the directory given with -l (for example -l /var/log/snort). Configure multiple outputs:
-- Alert output as CSV (fields are space-separated and written left to right)
alert_csv = {
    fields = 'timestamp action class priority proto src_addr src_port dst_addr dst_port msg',
    file = true,
}
-- Unified2 output for downstream collectors in distributed deployments
unified2 = {
    limit = 128, -- roll the file over at 128 MB
    nostamp = false,
}
-- JSON output for SIEM integration (writes alert_json.txt)
alert_json = {
    file = true,
}
Configure file logging. alert_fast writes alert_fast.txt and log_pcap writes packet captures, both under the -l directory; neither takes a filename option:
alert_fast = {
    file = true,
    packet = false,
}
log_pcap = {
    limit = 128, -- MB before rollover
}
Configure syslog output:
alert_syslog = {
    level = 'info',
    facility = 'local0',
    options = 'pid',
}
Send alerts to a remote syslog server:
sudo nano /etc/rsyslog.d/snort.conf
Add configuration:
:programname, isequal, "snort" @@192.168.1.100:514
Restart rsyslog:
sudo systemctl restart rsyslog
Inline Mode Configuration
Inline mode (IPS mode) lets Snort actively block malicious traffic. Drop rules are only enforced in this mode, so set the ips policy mode to inline in snort.lua:
-- IPS mode
ips =
{
    mode = 'inline',
    -- keep the variables and rule includes configured in the earlier sections
}
Configure iptables to route forwarded traffic through NFQUEUE queue 0. --queue-bypass makes the sensor fail open (traffic passes if Snort is not listening on the queue); omit it if you prefer fail closed:
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
Create IPS rules that drop traffic:
sudo nano /etc/snort/ips.rules
Example IPS rules:
# Drop inbound SMB sessions from outside. Without a content match this drops all external SMB; narrow it before production use.
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"IPS: SMB Exploitation Attempt"; flow:to_server,established; sid:2000001; rev:1;)
# Drop TCP segments with no flags set (null scan / malformed)
drop tcp any any -> any any (msg:"IPS: Malformed TCP"; flags:0; sid:2000002; rev:1;)
# Drop known botnet C&C traffic (http service rule; the sticky buffer precedes its content)
drop http any any -> $HOME_NET any (msg:"IPS: Botnet C&C Connection"; http_client_body; content:"bot",nocase; sid:2000003; rev:1;)
Start Snort in inline mode with the nfq DAQ, reading from queue 0:
sudo snort -c /etc/snort/snort.lua -Q --daq nfq -i 0 -l /var/log/snort
Rule Tuning and Optimization
Tune rules to reduce false positives while keeping detection coverage. Replay captured traffic against the current rule set to see which rules fire:
snort -c /etc/snort/snort.lua -r /var/log/snort/snort.pcap -A alert_fast -q
Suppress rules that consistently generate false positives. Snort 3 takes suppression from the Lua configuration (the Snort 2 threshold.config file is not read), so edit the main configuration:
sudo nano /etc/snort/snort.lua
Add a suppress table:
-- Event suppression
suppress =
{
    -- Suppress a rule everywhere
    { gid = 1, sid = 1000001 },
    -- Suppress a rule only for events from one source address
    { gid = 1, sid = 1000002, track = 'by_src', ip = '192.168.1.5' },
}
Create a rule policy for different environments:
sudo nano /etc/snort/local.rules
Comment out or modify rules:
# Disabled due to false positives in our environment
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Rule causing false positives"; sid:1000001; rev:1;)
Test configuration changes before restarting (-T parses the configuration and rules, then exits):
snort -c /etc/snort/snort.lua -T
Monitoring and Maintenance
Monitor Snort's operation and maintain system health (these commands assume Snort runs under a systemd unit named snort):
sudo systemctl status snort
sudo systemctl start snort
sudo systemctl stop snort
sudo systemctl restart snort
Monitor Snort logs (alert_fast writes alert_fast.txt under the -l directory; daemon messages go to the journal):
sudo tail -f /var/log/snort/alert_fast.txt
sudo journalctl -u snort -f
Check Snort resource usage:
ps aux | grep '[s]nort'
top -p "$(pgrep -d, snort)"
Analyze alerts with command-line tools. alert_fast lines end with "{PROTO} SRC:PORT -> DST:PORT", so the last and third-from-last fields carry the endpoints:
# Count alerts by source IP
awk '{print $(NF-2)}' /var/log/snort/alert_fast.txt | cut -d: -f1 | sort | uniq -c | sort -rn
# Count alerts by destination port
awk '{print $NF}' /var/log/snort/alert_fast.txt | awk -F: '{print $NF}' | sort | uniq -c | sort -rn
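As an added example that is not part of the original guide, the following Python does the same by-source and by-port counting as the pipelines above over Snort 3's alert_fast format, and, for the tuning section, turns the noisiest rule/source pairs into Lua suppress entries for review. The alert lines are constructed, and the external addresses are RFC 5737 test ranges.

```python
import re
from collections import Counter

# Snort 3 alert_fast line layout (the constructed sample below follows it):
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] "msg" [**] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\]'
    r'.*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$'
)

# Constructed sample alerts, not real sensor output; external addresses are RFC 5737 test ranges.
SAMPLE_ALERTS = """\
12/01-10:00:01.000001 [**] [1:1000001:1] "SSH Brute Force Attempt" [**] [Priority: 3] {TCP} 203.0.113.5:51022 -> 192.168.1.10:22
12/01-10:00:02.000002 [**] [1:1000001:1] "SSH Brute Force Attempt" [**] [Priority: 3] {TCP} 203.0.113.5:51023 -> 192.168.1.10:22
12/01-10:00:03.000003 [**] [1:1000003:1] "SQL Injection Attempt" [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.168.1.20:80
12/01-10:00:04.000004 [**] [1:1000002:1] "TCP Port Scan" [**] [Priority: 3] {TCP} 203.0.113.5:51024 -> 192.168.1.10:445
12/01-10:00:05.000005 [**] [1:1000005:1] "Nikto Scanner Detected" [**] [Priority: 3] {TCP} 198.51.100.7:40001 -> 192.168.1.20:80
"""

def split_endpoint(endpoint):
    """'addr:port' -> (addr, port); ICMP alerts carry a bare IPv4 address, so port is None."""
    addr, sep, port = endpoint.rpartition(":")
    return (addr, int(port)) if sep else (endpoint, None)

def parse_alerts(lines):
    """Parse alert_fast lines into dicts, skipping lines that are in another format."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        src, _ = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        alerts.append({"gid": int(m.group("gid")), "sid": int(m.group("sid")), "msg": m.group("msg"),
                       "proto": m.group("proto"), "src": src, "dst": dst, "dport": dport})
    return alerts

def summarize(alerts):
    """Counts by source address and destination port (as the awk pipelines) plus per-rule totals."""
    return {"by_src": Counter(a["src"] for a in alerts),
            "by_dport": Counter(a["dport"] for a in alerts),
            "by_sid": Counter((a["gid"], a["sid"]) for a in alerts)}

def suppress_candidates(alerts, threshold):
    """Lua suppress entries for (rule, source) pairs that fired more than `threshold` times.
    These are review candidates for the tuning section, not something to apply unread."""
    hits = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return [f"{{ gid = {gid}, sid = {sid}, track = 'by_src', ip = '{src}' }},"
            for (gid, sid, src), n in sorted(hits.items()) if n > threshold]
```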
Rotate logs:
sudo nano /etc/logrotate.d/snort
Configuration (the loggers above write .txt files, so match both extensions):
/var/log/snort/*.txt /var/log/snort/*.log {
    daily
    rotate 30
    compress
    delaycompress
    notifempty
    create 0640 snort snort
    postrotate
        systemctl reload snort > /dev/null 2>&1 || true
    endscript
}
Conclusion
Snort 3 provides powerful intrusion detection and prevention capabilities for protecting critical infrastructure and networks. By following this guide, you have installed Snort 3, configured network variables and detection rules, implemented PulledPork for automated rule management, set up inspectors for protocol analysis, configured output plugins for various destinations, and deployed IPS mode for active threat prevention. Regular rule updates, performance monitoring, and false-positive tuning keep detection accurate. Whether deployed as a standalone IDS for network visibility or as an IPS for active defense, Snort scales from small networks to large enterprise environments with proper configuration and maintenance.