Installing and configuring snort on Kali for simple intrusion detection
Reference resources
- Installing and configuring snort on kali and simple experiments (the most concise and error-free article I found during my installation);
- Install snort for Ubuntu 16.04, including problem solving (sample code) (this article covers common mistakes, although my mistakes were not solved by it);
Preface
snort is really a devil. I have installed it on four systems, I don't know how many times, and finally got it barely installed on a cloud server running Ubuntu 18.
Main reasons for installation failure
- Poor network connectivity (this also underlies many of the reasons below);
- Incomplete installation of the dependencies;
Main reasons for configuration failure
- The snort version does not match the version of the snort rule package;
- The configuration file cannot be found because it was edited incorrectly;
snort installation and configuration
Be sure to update the package lists first. Many beginners skip this step and then wonder why packages will not install and why the network seems so slow.
sudo apt-get update
Install these before daq
sudo apt-get install flex -y
sudo apt-get install bison -y
sudo apt-get install aptitude -y
sudo aptitude install libpcap-dev -y
Installing daq
The package for this step can be found on the download page of the official Snort website. Be sure to use the version currently offered there.
As of 2021.11.28 the DAQ package is daq-2.0.7.tar.gz.
# 1. Download the daq package
sudo wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# 2. Decompress
sudo tar xvfz daq-2.0.7.tar.gz
# 3. Enter the extracted directory
cd daq-2.0.7
# 4. Configure, compile and install
./configure && sudo make && sudo make install
# 5. Go back to the parent directory (many beginners following other tutorials are unsure from which path each command should be run)
cd ..
Dependencies required before installing snort
sudo aptitude install libpcre3-dev -y
sudo aptitude install libdumbnet-dev -y
sudo aptitude install zlib1g-dev -y
sudo apt-get install openssl -y
sudo apt-get install libssl-dev -y
# LuaJIT library (I don't know why this is needed, but the build fails if it is not installed)
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install && cd ..
Install snort
Key point
As with daq above, use the version package shown on the current official home page.
As of 2021.11.28 the snort package is snort-2.9.18.1.tar.gz.
Otherwise the download from the official website may fail.
sudo wget https://www.snort.org/downloads/snort/snort-2.9.18.1.tar.gz
sudo tar xvfz snort-2.9.18.1.tar.gz
cd snort-2.9.18.1
./configure --enable-sourcefire && make && sudo make install
A small error
The build fails with an error saying that the header file <rpc/rpc.h> cannot be found.
Solution
First, run:
sudo apt install libntirpc-dev
Check whether this solves the problem; in my case it did not, so continue.
apt-file search rpc/rpc.h
I found the header file in the ntirpc folder, among others. My fix was to copy everything under ntirpc to /usr/include/, which solved the problem:
sudo cp -r /usr/include/ntirpc/* /usr/include/
Configuration
Create the folders
# Snort configuration directories
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Files for the filtering rules and the server black and white lists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules
# Create the log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
Copy the files (adjust /home/kali/snort-2.9.18.1 to wherever the source package was extracted)
sudo cp /home/kali/snort-2.9.18.1/etc/*.conf* /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.map /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.dtd /etc/snort
sudo cp /home/kali/snort-2.9.18.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
Modify the configuration file
# Open the configuration file
sudo vim /etc/snort/snort.conf
# Find the path variables and change them to the directories created above
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
# In the reputation preprocessor block, point the lists at the files created above
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
Download the rule package that matches snort
# 1. Download (the rule snapshot must match the installed snort version, here 2.9.18.1; the registered rule set requires a snort.org account)
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz
# 2. Decompress into the snort configuration directory
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
# 3. Copy the precompiled shared-object rules: choose the directory matching your platform and the installed version (2.9.18.1; usually only one folder exists). The RHEL-8 build was used here on Kali.
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
Start the test
If the configuration is valid, the test mode run below ends with "Snort successfully validated the configuration!"
sudo snort -T -c /etc/snort/snort.conf
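A pre-flight check for the path references in snort.conf, added here as an example (it is not part of the original post or of the Snort project): it reads every var *_PATH definition and every include line, expands the $VARIABLE references, and reports each path that does not exist on disk, which pins down the "configuration file cannot be found" failure before running snort -T. It assumes a POSIX sh with awk and sed and treats relative paths as relative to the directory holding the configuration file.

```shell
#!/bin/sh
# Usage: check_snort_paths /etc/snort/snort.conf
# Exit status is the number of unresolved references (0 = everything found).

check_snort_paths() {
    conf="$1"
    confdir=$(dirname "$conf")
    missing=0
    # Collect "var NAME VALUE" definitions whose name ends in PATH, as NAME=VALUE
    vars=$(awk '$1=="var" && $2 ~ /PATH$/ {print $2"="$3}' "$conf")
    for kv in $vars; do
        name=${kv%%=*}
        val=${kv#*=}
        # relative values are taken relative to the directory of the conf file
        case "$val" in /*) ;; *) val="$confdir/$val" ;; esac
        if [ ! -e "$val" ]; then
            echo "MISSING var: $name -> $val"
            missing=$((missing + 1))
        fi
    done
    # Check every "include FILE" line, substituting $NAME with the values above
    for inc in $(awk '$1=="include" {print $2}' "$conf"); do
        path="$inc"
        for kv in $vars; do
            name=${kv%%=*}
            val=${kv#*=}
            path=$(printf '%s\n' "$path" | sed "s|\\\$$name|$val|g")
        done
        case "$path" in /*) ;; *) path="$confdir/$path" ;; esac
        if [ ! -e "$path" ]; then
            echo "MISSING include: $inc -> $path"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run against the file given on the command line, if any
if [ -n "${1:-}" ]; then
    check_snort_paths "$1"
fi
```

Run it as sh check_snort_paths.sh /etc/snort/snort.conf; each MISSING line names the variable or include that snort -T would otherwise fail on.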