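#!/bin/bash
# Build and install Snort 2.9.15 (plus DAQ 2.0.6) from source on Debian, then
# seed /etc/snort with the stock configuration files and the community rule set.
# Based on: https://upcloud.com/community/tutorials/installing-snort-on-debian/
#
# Must run as root. Optional tunables, read from the environment:
#   HOME_NET      CIDR written to "ipvar HOME_NET"     (default 192.168.122.0/24)
#   DNS_SERVERS   value written to "ipvar DNS_SERVERS" (default 8.8.8.8)
#   DAQ_SHA256    expected sha256 of daq-2.0.6.tar.gz; when set, the download
#   SNORT_SHA256  expected sha256 of snort-2.9.15.tar.gz; is verified and the
#                 script aborts on mismatch. Take the values from the
#                 publisher's checksum list, not from this file.
set -euo pipefail

readonly SRC_DIR=/opt/snort_src
readonly DAQ_VER=2.0.6
readonly SNORT_VER=2.9.15
readonly DOWNLOAD_BASE=https://www.snort.org/downloads/archive/snort
readonly SNORT_CONF=/etc/snort/snort.conf
readonly HOME_NET=${HOME_NET:-192.168.122.0/24}
readonly DNS_SERVERS=${DNS_SERVERS:-8.8.8.8}

# Scratch directory for the community-rules download; removed on exit.
WORK_TMP=

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'snort.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory, if one was created.
# Globals: WORK_TMP (read)
#######################################
cleanup() {
  [[ -n "$WORK_TMP" ]] && rm -rf -- "$WORK_TMP"
}

#######################################
# Download a file into the current directory, overwriting any previous copy,
# and verify its sha256 when an expected digest is supplied.
# Arguments: $1 - URL; $2 - expected sha256 hex digest (optional, may be empty)
# Returns:   0 on success; exits via die on download or checksum failure
#######################################
fetch() {
  local url=$1
  local expected=${2:-}
  local file=${url##*/}
  wget -O "$file" -- "$url" || die "download failed: $url"
  if [[ -n "$expected" ]]; then
    # sha256sum -c reads "<digest>  <file>" lines; a mismatch is non-zero.
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null \
      || die "checksum mismatch for $file"
  fi
}

#######################################
# Unpack a tarball in the current directory and run configure/make/make install
# inside the extracted tree.
# Arguments: $1 - tarball name (name.tar.gz, extracting to ./name);
#            remaining args are passed to ./configure
# Returns:   0 on success; exits via die on failure
#######################################
build_tarball() {
  local tarball=$1
  shift
  local dir=${tarball%.tar.gz}
  tar xzf "$tarball" || die "cannot extract $tarball"
  # Subshell keeps the cd local; set -e is inherited, so any step aborts it.
  ( cd "$dir" && ./configure "$@" && make && make install ) \
    || die "build of $dir failed"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  trap cleanup EXIT

  # Build dependencies (package list as in the original tutorial).
  apt-get install -y gcc make libpcre3-dev zlib1g-dev libluajit-5.1-dev \
    libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex \
    libdnet || die "apt-get install failed"

  mkdir -p -- "$SRC_DIR"
  cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"

  # DAQ first: Snort's configure looks for an installed DAQ.
  fetch "$DOWNLOAD_BASE/daq-${DAQ_VER}.tar.gz" "${DAQ_SHA256:-}"
  build_tarball "daq-${DAQ_VER}.tar.gz"
  fetch "$DOWNLOAD_BASE/snort-${SNORT_VER}.tar.gz" "${SNORT_SHA256:-}"
  build_tarball "snort-${SNORT_VER}.tar.gz" --enable-sourcefire

  # Refresh the loader cache so the freshly installed libraries resolve.
  ldconfig
  # -f keeps this idempotent on re-runs (plain -s fails if the link exists).
  ln -sf /usr/local/bin/snort /usr/sbin/snort

  # Unprivileged service account; Snort drops to it via -u/-g.
  getent group snort >/dev/null || groupadd snort
  id -u snort >/dev/null 2>&1 || useradd snort -r -s /sbin/nologin -g snort

  # Configuration, log and dynamic-rules directories plus empty rule files.
  mkdir -p /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
  touch /etc/snort/rules/white_list.rules \
        /etc/snort/rules/black_list.rules \
        /etc/snort/rules/local.rules

  # Stock config files shipped in the source tree.
  cp "$SRC_DIR/snort-${SNORT_VER}"/etc/*.conf* /etc/snort
  cp "$SRC_DIR/snort-${SNORT_VER}"/etc/*.map /etc/snort

  # Community rules, staged in a private temp dir rather than a fixed /tmp path.
  WORK_TMP=$(mktemp -d) || die "mktemp failed"
  wget https://www.snort.org/rules/community -O "$WORK_TMP/community.tar.gz" \
    || die "community rules download failed"
  tar xzf "$WORK_TMP/community.tar.gz" -C "$WORK_TMP" \
    || die "cannot extract community rules"
  cp "$WORK_TMP"/community-rules/* /etc/snort/rules

  # Ownership as in the tutorial, applied after the copies so the config files
  # are covered too. The tutorial's chmod -R 5775 set the setuid bit on every
  # file; use setgid directories (2775) and plain group-writable files instead.
  local d
  for d in /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules; do
    chown -R snort:snort "$d"
    find "$d" -type d -exec chmod 2775 {} +
    find "$d" -type f -exec chmod 0664 {} +
  done

  # snort.conf edits, same substitutions as the tutorial, applied in order in
  # one pass: all includes are commented out first, then local.rules is
  # re-enabled and community.rules appended. The two values taken from the
  # environment use '|' as the sed delimiter because CIDRs contain '/'.
  sed -i \
    -e 's/include \$RULE_PATH/#include \$RULE_PATH/' \
    -e "s|ipvar HOME_NET any|ipvar HOME_NET ${HOME_NET}|" \
    -e 's/ipvar EXTERNAL_NET any/ipvar EXTERNAL_NET !\$HOME_NET/' \
    -e "s|ipvar DNS_SERVERS \$HOME_NET|ipvar DNS_SERVERS ${DNS_SERVERS}|" \
    -e 's|var RULE_PATH ../rules|var RULE_PATH /etc/snort/rules|' \
    -e 's|var SO_RULE_PATH ../so_rules|var SO_RULE_PATH /etc/snort/so_rules|' \
    -e 's|var PREPROC_RULE_PATH ../preproc_rules|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
    -e 's|var WHITE_LIST_PATH ../rules|var WHITE_LIST_PATH /etc/snort/rules|' \
    -e 's|var BLACK_LIST_PATH ../rules|var BLACK_LIST_PATH /etc/snort/rules|' \
    -e 's/# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types/output unified2: filename snort.log, limit 128/' \
    -e 's|#include \$RULE_PATH/local.rules|include \$RULE_PATH/local.rules|' \
    "$SNORT_CONF" || die "editing $SNORT_CONF failed"
  printf 'include $RULE_PATH/community.rules\n' >> "$SNORT_CONF"

  # Validate the configuration:
  #   snort -T -c /etc/snort/snort.conf
  # Run (replace the interface name):
  #   snort -A console -i enp7s0 -u snort -g snort -c /etc/snort/snort.conf
}

main "$@"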