kali installs and configures snort to realize simple intrusion detection

reference resources

preface

Snort is really a devil. I have installed it on four systems, I don't know how many times over, and finally it was barely installed on a cloud server running Ubuntu 18.

Main reasons for installation failure

  • Poor network connectivity (this is also the root of many of the other causes below);
  • Incomplete installation of the dependent environment;

Main reasons for configuration failure

  • The snort version does not match the version of the snort rule library;
  • The configuration file cannot be found because it was modified incorrectly;

snort installation configuration

Be sure to update the package index first. Many novices skip this step and then wonder why their software cannot be installed and why the network seems so poor.

sudo apt-get update

Dependencies to install before daq

sudo apt-get install flex -y
sudo apt-get install bison -y
sudo apt-get install aptitude -y
sudo aptitude install libpcap-dev -y

Installing daq

The corresponding content for this step can be found on the official website home page. Be sure to use the version package currently given on the official website.
At present (2021.11.28) the DAQ package is daq-2.0.7.tar.gz.

# 1. Download daq installation package
sudo wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# 2. Decompression
sudo tar xvfz daq-2.0.7.tar.gz
# 3. Switch paths
cd daq-2.0.7
# 4. Configure compilation and installation
./configure && sudo make && sudo make install
# 5. Go back to the parent directory (many novices following other people's tutorials are unsure which directory each command should be run in)
cd ..

Dependencies required before installing snort

sudo aptitude install libpcre3-dev -y 
sudo aptitude install libdumbnet-dev -y
sudo aptitude install zlib1g-dev -y

sudo apt-get install openssl -y
sudo apt-get install libssl-dev -y

# LuaJIT library (I don't know why it is needed, but the build reports an error if it is not installed)
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install && cd ..

Install snort

Key point

As with daq above, select the version package shown on the current official home page.
At present (2021.11.28) the snort version package is snort-2.9.18.1.tar.gz.
Otherwise the download from the official website may fail.

sudo wget https://www.snort.org/downloads/snort/snort-2.9.18.1.tar.gz
sudo tar xvfz snort-2.9.18.1.tar.gz
cd snort-2.9.18.1
./configure --enable-sourcefire && make && sudo make install

A small error occurred

The build reports that the header file <rpc/rpc.h> cannot be found.

Solution

First, enter:

sudo apt install libntirpc-dev

Check whether this solves the problem. In my case it did not, so continue:

apt-file search rpc/rpc.h


I found this header file under ntirpc and some other folders. My method is to copy everything under ntirpc to /usr/include/, which solves the problem:

sudo cp /usr/include/ntirpc/* /usr/include/ -r

Configuration

Create directories

# Snort installation directories
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Files for filtering rules and the server black/white lists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules

# Create log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

Copy files

sudo cp /home/kali/snort-2.9.18.1/etc/*.conf* /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.map /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.dtd /etc/snort
sudo cp /home/kali/snort-2.9.18.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

Modify the configuration file

# Open the configuration file
sudo vim /etc/snort/snort.conf

# Find the corresponding lines and change the paths to the directories created above
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/

whitelist $WHITE_LIST_PATH/default.whitelist, \ 
blacklist $BLACK_LIST_PATH/default.blacklist

Download the rule package that matches the snort version

# 1. Download (the snapshot number 29181 corresponds to snort 2.9.18.1)
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz
# 2. Decompression
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
# 3. Copy the precompiled rules; pick the directory for your system (RHEL-8 works for kali here) and the installed version (2.9.18.1; usually there is only one folder)
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
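The version mismatch named above as the main cause of configuration failure is easy to check before extracting anything. The script below is an added example and not part of the original post; it assumes that `snort -V` prints a banner line containing `Version 2.9.18.1 GRE (Build ...)` and that the snapshot tarball keeps the snort.org naming `snortrules-snapshot-<version digits>.tar.gz`. It derives the expected snapshot name from the installed version, compares it with the downloaded file, and lists the precompiled shared-object rule directories built for that version so the right one can be copied in step 3.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes `snort -V` prints a
# banner line containing "Version 2.9.18.1 GRE (Build ...)" and that the rules
# snapshot keeps the snort.org file name snortrules-snapshot-<digits>.tar.gz.
# Usage: sh check_rules_version.sh --check /path/to/snortrules-snapshot-29181.tar.gz

# Strip the dots from a Snort version string: 2.9.18.1 -> 29181
snapshot_from_version() {
    printf '%s' "$1" | tr -d '.'
}

# Pull the version number out of `snort -V` output read from stdin
version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed only when the snapshot file name corresponds to the given version
snapshot_matches() {
    version=$1
    tarball=$2
    expected="snortrules-snapshot-$(snapshot_from_version "$version").tar.gz"
    [ "$(basename "$tarball")" = "$expected" ]
}

# List the precompiled shared-object rule directories built for a version,
# e.g. /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1
precompiled_dirs() {
    root=$1
    version=$2
    find "$root" -type d -name "$version" 2>/dev/null
}

if [ "${1:-}" = "--check" ]; then
    tarball=${2:?usage: $0 --check <snortrules-snapshot tarball>}
    installed=$(snort -V 2>&1 | version_from_banner)
    [ -n "$installed" ] || { echo "could not read the Snort version; is snort on PATH?" >&2; exit 1; }
    if snapshot_matches "$installed" "$tarball"; then
        echo "OK: $(basename "$tarball") matches Snort $installed"
    else
        echo "MISMATCH: Snort $installed needs snortrules-snapshot-$(snapshot_from_version "$installed").tar.gz" >&2
        exit 1
    fi
    # Only meaningful after the snapshot has been extracted to /etc/snort
    dirs=$(precompiled_dirs /etc/snort/so_rules/precompiled "$installed")
    if [ -n "$dirs" ]; then
        echo "precompiled so_rules directories for $installed:"
        echo "$dirs"
    fi
fi
```

Run it as `sh check_rules_version.sh --check snortrules-snapshot-29181.tar.gz` before the `tar -C /etc/snort` step; a mismatch exits non-zero, which is the point where most "configuration failure" reports on this page originate.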

Test the configuration

The result is normal, as expected

sudo snort -T -c /etc/snort/snort.conf
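Once `snort -T` passes, the natural next step towards "simple intrusion detection" is a rule of your own so that the detector actually reports something. The script below is an added example, not from the original post. It assumes Snort 2.9 rule syntax, the `RULE_PATH` set in the configuration above, and a local rules file at `$RULE_PATH/local.rules` (a conventional name, not one the post creates). It writes two rules with SIDs in the local range (1000000 and up, so they never collide with the official rule set), adds the `include` line to snort.conf only if it is missing, and re-runs the same configuration test.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Snort 2.9 rule syntax,
# RULE_PATH=/etc/snort/rules as configured above, and a local rules file named
# local.rules (conventional name; the post itself does not create it).
# Run the --apply step as root: sudo sh add_local_rules.sh --apply

SNORT_CONF=/etc/snort/snort.conf
LOCAL_RULES=/etc/snort/rules/local.rules

# Build one Snort 2.9 rule line.
# Args: proto src sport dst dport msg sid [extra options such as "itype:8;"]
# Local rules use SIDs of 1000000 and above so they never collide with the
# official rule set.
make_rule() {
    proto=$1; src=$2; sport=$3; dst=$4; dport=$5; msg=$6; sid=$7; opts=${8:-}
    case "$sid" in
        ''|*[!0-9]*) echo "sid must be numeric: '$sid'" >&2; return 1 ;;
    esac
    if [ "$sid" -lt 1000000 ]; then
        echo "sid $sid is reserved for official rules; use 1000000 or above" >&2
        return 1
    fi
    printf 'alert %s %s %s -> %s %s (msg:"%s"; %ssid:%s; rev:1;)\n' \
        "$proto" "$src" "$sport" "$dst" "$dport" "$msg" "${opts:+$opts }" "$sid"
}

# Append the include line for local.rules to a config file only when it is not
# already there, so re-running never duplicates it. Prints how many copies the
# file holds afterwards (always 1 when the function did its job).
ensure_include() {
    conf=$1
    line='include $RULE_PATH/local.rules'
    grep -qxF "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
    grep -cxF "$line" "$conf"
}

if [ "${1:-}" = "--apply" ]; then
    {
        # Echo requests aimed at the protected network: a harmless smoke test
        make_rule icmp any any '$HOME_NET' any "Local test: ICMP echo request" 1000001 "itype:8;"
        # New inbound SSH connections (SYN only): visibility into remote-login attempts
        make_rule tcp any any '$HOME_NET' 22 "Local test: inbound SSH connection" 1000002 "flags:S;"
    } > "$LOCAL_RULES"
    echo "include lines in $SNORT_CONF: $(ensure_include "$SNORT_CONF")"
    # Same self-test as in the post; it now also parses local.rules
    snort -T -c "$SNORT_CONF"
fi
```

The stock snort.conf shipped with 2.9 usually already carries `include $RULE_PATH/local.rules`, which is exactly why `ensure_include` checks before appending: a second copy would make Snort load the rules twice. After `--apply`, pinging the host from another machine while Snort runs with `-A console` on the interface should produce the first rule's alert.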

The experimental part is not finished yet; to be continued.

Tags: Linux Cyber Security kali

Posted on Sun, 28 Nov 2021 05:33:24 -0500 by poknam