一 下载并安装源代码

地址:https://github.com/snort3/snort3/releases

#下载，解压
wget https://github.com/snort3/snort3/archive/refs/tags/3.2.1.0.tar.gz
tar  zxvf  3.2.1.0.tar.gz

二  安装软件依赖包

1 安装依赖包

sudo apt update
sudo apt  install  build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc  libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev autoconf automake libtool libffi-dev check
hyperscan.dev libsafec.dev

2 安装 libdnet

#下载
wget https://github.com/ofalk/libdnet/archive/refs/tags/libdnet-1.18.0.tar.gz
tar zxvf libdnet-1.18.0.tar.gz
cd libdnet-libdnet-1.18.0/
./configure
make
sudo make install

3 安装libdaq

#下载，解压
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.14.tar.gz
tar  zxvf  v3.0.14.tar.gz
cd  libdaq-3.0.14/
#编译，安装./bootstrap 
+ autoreconf -ivf --warnings=all
autoreconf: export WARNINGS=all
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: /usr/bin/autoconf --force
configure.ac:27: warning: The macro `AC_PROG_CC_C99' is obsolete.
configure.ac:27: You should run autoupdate.
./lib/autoconf/c.m4:1659: AC_PROG_CC_C99 is expanded from...
configure.ac:27: the top level
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
api/Makefile.am:4: error: Libtool library used but 'LIBTOOL' is undefined
api/Makefile.am:4:   The usual way to define 'LIBTOOL' is to add 'LT_INIT'
api/Makefile.am:4:   to 'configure.ac' and run 'aclocal' and 'autoconf' again.
api/Makefile.am:4:   If 'LT_INIT' is in 'configure.ac', make sure
api/Makefile.am:4:   its definition is in aclocal's search path.
modules/Makefile.am:4: error: Libtool library used but 'LIBTOOL' is undefined
modules/Makefile.am:4:   The usual way to define 'LIBTOOL' is to add 'LT_INIT'
modules/Makefile.am:4:   to 'configure.ac' and run 'aclocal' and 'autoconf' again.
modules/Makefile.am:4:   If 'LT_INIT' is in 'configure.ac', make sure
modules/Makefile.am:4:   its definition is in aclocal's search path.
autoreconf: error: automake failed with exit status: 1
#解决，安装libtool
./configure
#编译成功如下code_coverage_enabled:  nocode_coverage_cppflags: code_coverage_cflags:   code_coverage_ldflags:  Build AFPacket DAQ module.. : yesBuild BPF DAQ module....... : yesBuild Divert DAQ module.... : noBuild Dump DAQ module...... : yesBuild FST DAQ module....... : yesBuild netmap DAQ module.... : noBuild NFQ DAQ module....... : yesBuild PCAP DAQ module...... : yesBuild Savefile DAQ module.. : yesBuild Trace DAQ module..... : yesBuild GWLB DAQ module...... : yes
#编译，安装
make
sudo make install

4 安装gperftools

wget  https://github.com/gperftools/gperftools/releases/download/gperftools-2.15/gperftools-2.15.tar.gz
tar zxvf gperftools-2.15.tar.gz
cd gperftools-2.15/
./configure
sudo make install

三 安装snort 3.2.1.0

1 编译安装

cd  snort3-3.2.1.0/
./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc
#如下即可
snort version 3.2.1.0Install options:prefix:     /usr/local/snortincludes:   /usr/local/snort/include/snortplugins:    /usr/local/snort/lib/snortCompiler options:CC:             /usr/bin/ccCXX:            /usr/bin/c++CFLAGS:            -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free  -O2 -g -DNDEBUGCXXFLAGS:          -fvisibility=hidden   -DNDEBUG -g -ggdb  -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free  -O2 -g -DNDEBUGEXE_LDFLAGS:        MODULE_LDFLAGS:     Feature options:DAQ Modules:    Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace)libatomic:      System-providedHyperscan:      ONICONV:          ONLibunwind:      ONLZMA:           ONRPC DB:         Built-inSafeC:          ONTCMalloc:       ONJEMalloc:       OFFUUID:           ONNUMA:           ONLibML:          OFFcd build/
make
sudo make install
#跟新系统共享库
sudo ldconfig

2 配置环境

sudo vim /etc/profile
export PATH=/usr/local/snort//bin:$PATH
source  /etc/profile

3  查看snort版本

test@ubuntuserver:~$ snort -v
--------------------------------------------------
o")~   Snort++ 3.2.1.0
--------------------------------------------------
--------------------------------------------------
Network Policy : policy id 0 : 
--------------------------------------------------
Inspection Policy : policy id 0 : 
--------------------------------------------------
pcap DAQ configured to passive.
--------------------------------------------------
host_cachememcap: 33554432 bytesSnort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
test@ubuntuserver:~$ snort -V,,_     -*> Snort++ <*-o"  )~   Version 3.2.1.0''''    By Martin Roesch & The Snort Teamhttp://snort.org/contact#teamCopyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.Copyright (C) 1998-2013 Sourcefire, Inc., et al.Using DAQ version 3.0.14Using Hyperscan version 5.4.2 2024-04-19Using libpcap version 1.10.4 (with TPACKET_V3)Using LuaJIT version 2.1.1703358377Using LZMA version 5.4.5Using OpenSSL 3.0.13 30 Jan 2024Using PCRE version 8.39 2016-06-14Using ZLIB version 1.3

 四 配置 监听网络流量的网卡设置为混杂模式

test@ubuntuserver:~$ ip a show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:a2:94:12 brd ff:ff:ff:ff:ff:ffaltname enp2s1
#
sudo ifconfig ens33 promisc

 

#禁用网卡 Offload功能， Snort 会截断大于1518 字节的数据包

#查看
test@ubuntuserver:~$ ethtool -k ens33 | grep receive-off
generic-receive-offload: on
large-receive-offload: off [fixed]
#禁用
test@ubuntuserver:~$ sudo ethtool -K ens33 gro off lro off

五 下载，配置snort3规则

规则集分为三种:Community Rules，Registered Rules，Subscriber Rules；其中社区规则可以直接下载使用，注册规则需要注册之后才可以下载，但2个都免费的；订阅规则收费的。

1 下载地址:Snort Rules and IDS Software Download

2 本文下载注册规则集

#创建规则存放目录
sudo mkdir /usr/local/snort/etc/rules
cd /usr/local/snort/etc/rules

3  安装pulledpork

#安装依赖包
sudo apt update
sudo  apt-get  install libcrypt-ssleay-perl liblwp-useragent-determined-perl
#下载
wget https://github.com/shirkdog/pulledpork/archive/refs/tags/v0.7.4.tar.gz
#
tar  zxvf  v0.7.4.tar.gz 
cd  pulledpork-0.7.4/
#
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo mkdir /usr/local/snort/etc/pulledpork
sudo cp etc/*.conf /usr/local/snort/etc/pulledpork
#查看
test@ubuntuserver:~$ pulledpork.pl -V
PulledPork v0.7.4 - Helping you protect your bitcoin wallet!
#创建规则用的文件和目录
sudo touch  /usr/local/snort/etc/rules/snort.rules
sudo touch  /usr/local/snort/etc/rules/local.rules
sudo mkdir  /usr/local/snort/etc/rules/so_rules
sudo mkdir  /usr/local/snort/etc/rules/lists
sudo touch  /usr/local/snort/etc/rules/lists/default.blocklist
sudo  mkdir /var/log/snort/

#修改配置pulledpor
sudo vim /usr/local/snort/etc/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-3031.tar.gz|<oinkcode>
rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/snort/etc/rules/snort.rules
local_rules=/usr/local/snort/etc/rules/local.rules
sid_msg=/usr/local/snort/etc/sid-msg.map
sid_msg_version=2
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/snort/etc/rules/so_rules/
snort_path=/usr/local/snort/bin/snort
config_path=/usr/local/snort/etc/snort.conf
distro=Ubuntu-18-4
block_list=/usr/local/snort/etc/rules/lists/default.blocklist
IPRVersion=/usr/local/snort/etc/rules/lists
snort_control=/usr/local/bin/snort_control
pid_path=/var/log/snort/snort.pid
ips_policy=security
version=0.7.4
#运行下载合并
sudo /usr/local/bin/pulledpork.pl -c /usr/local/snort/etc/pulledpork/pulledpork.conf  -l -P -E -H SIGHUP
#如下
Rule Stats...New:-------19352Deleted:---0Enabled Rules:----19352Dropped Rules:----0Disabled Rules:---0Total Rules:------19352
IP Blocklist Stats...Total IPs:-----1558Done
Please review /var/log/snort/sid_changes.log for additional details
Fly Piggy Fly!

4 修改snort配置文件

sudo  vim  /usr/local/snort/etc/snort/snort.lua
HOME_NET = 'any' --> HOME_NET = '192.168.50.19/24'
EXTERNAL_NET = 'any' --> EXTERNAL_NET = '!$HOME_NET'
#新增
include = '/usr/local/snort/etc/rules/snort.rules',
include = '/usr/local/snort/etc/rules/local.rules',

5 snort检验规则，19500+条

snort -c /usr/local/snort/etc/snort/snort.lua

六 运行，测试

1 自定义一条ping测试的规则

#增加本地规则库
sudo  vim /usr/local/snort/etc/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
#测试规则正确
snort -c /usr/local/snort/etc/snort/snort.lua  -R /usr/local/snort/etc/rules/local.rules

2 启动snort 

#配置日志
sudo  vim /usr/local/snort/etc/snort/snort.lua
alert_fast ={file = true,limit = 200#日志滚动大小（200M）}
#检查
snort -c /usr/local/snort/etc/snort/snort.lua

sudo snort -c /usr/local/snort/etc/snort/snort.lua -i ens33 -s 65535 -k none -A fast -l /var/log/snort/ -v

3 测试

#在其他主机ping snort服务器
ping  192.168.50.19

 #snort 服务器查看日志