Step-by-Step Guide to Install and Configure Snort3 on Kali Linux with Auto Rule Updates Using PulledPork

Welcome to this comprehensive guide on installing and configuring Snort3 on Kali Linux with automatic rule updates. This tutorial is tailored for those who want to set up Snort3 with the ability to fetch registered rules automatically from Snort's official repository.

If you're looking for a simpler Snort installation without auto-updated rules, you might want to check our previous post on basic Snort installation on Kali Linux.

In this guide, we'll walk you through the process of installing both Snort and PulledPork, along with all required dependencies and additional packages. You'll learn how to configure Snort to automatically pull registered rules using the Oinkcode API key.

While we're using Kali Linux for this tutorial, you can replicate this setup on any Linux distribution, including Debian, Ubuntu, Mint, RedHat, Fedora, or Arch. We'll be using source code installations rather than package repositories, making this guide adaptable to various Linux environments.

Let's dive in and get your Snort3 installation up and running with automatic rule updates!

Fundamental Knowledge Required:

Before we dive into the step-by-step guide, let's discuss the knowledge and skills you'll need to successfully follow this tutorial.

To get the most out of this guide, you should have:

1. Basic understanding of networking concepts

* IP addressing

* Network protocols

* Firewalls or IDS/IPS

2. Familiarity with Linux command line

* Basic terminal commands

* Command line text editors like Nano or Vim

3. Comfort with reading and modifying configuration files

Don't worry if you're not an expert in all these areas. We'll guide you through each step, providing explanations along the way. However, having this foundational knowledge will help you better understand the process and troubleshoot any issues that may arise.

If you need help, consider checking out these tutorial posts:

Prerequisites

Before you begin the installation and configuration process, ensure you have the following prerequisites in place:

Install and Configure Snort3 on Kali Linux with Auto Rule Updates

This procedure requires several packages to install. We divided this into several steps. Let's start this procedure by creating a directory 'snort' under the home directory.

sudo apt update

mkdir snort
cd snort/

Step 1: Install all the Required Packages and Development Libraries

Install the set of tools and libraries necessary for compiling and running Snort3 with the below command. It includes compilers, development tools, networking libraries, and other dependencies that Snort3 relies on.

1. build-essential: Provides the necessary compilation tools (gcc, g++, make)

2. autotools-dev: Development files for autoconf and automake

3. libdumbnet-dev: A simplified, portable interface to several low-level networking routines

4. libluajit-5.1-dev: Just-In-Time compiler for Lua scripting language

5. libpcap-dev: Development files for packet capture library

6. zlib1g-dev: Compression library

7. pkg-config: Helper tool for compiling applications and libraries

8. libhwloc-dev: Hardware locality library

9. cmake: Cross-platform build system

10. liblzma-dev: LZMA compression library

11. openssl and libssl-dev: OpenSSL cryptography toolkit and development files

12. cpputest: Unit testing framework for C/C++

13. libsqlite3-dev: SQLite database engine

14. libtool: Generic library support script

15. uuid-dev: Universally Unique ID library

16. git: Version control system

17. autoconf, bison, flex: Tools for generating parsers and lexical analyzers

18. libcmocka-dev: Lightweight testing framework for C

19. libnetfilter-queue-dev: Netfilter queue library

20. libunwind-dev: Stack unwinding library

21. libmnl-dev: Minimalistic Netlink communication library

22. ethtool: Utility for controlling network drivers and hardware

23. libjemalloc-dev: General-purpose scalable concurrent malloc implementation

sudo apt install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool libjemalloc-dev

Step 2: Install PCRE

PCRE is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. Snort uses PCRE for its powerful pattern-matching capabilities in rules and configurations.

Installing PCRE from the source ensures that you have a compatible version for Snort3. This step is crucial because Snort relies heavily on regular expressions for pattern matching in its rules and configurations.

After completing this step, your system will have the necessary PCRE libraries installed, which Snort3 will use during its compilation and operation.

Changes the directory to the snort folder in your home directory. Downloads the PCRE source code (version 8.45) from SourceForge.

cd ~/snort
wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz

Extracts the downloaded tarball.

tar -xzvf pcre-8.45.tar.gz

Changes into the extracted PCRE directory. Runs the configuration script, which checks your system for the required dependencies and sets up the build environment. Compiles the PCRE source code. Installs the compiled PCRE libraries and binaries on your system.

cd pcre-8.45
./configure 
make 
sudo make install

Step 3: gperftools

gperftools, originally developed by Google, is a collection of performance analysis tools. It includes:

For Snort3, gperftools is particularly useful for its memory allocation and profiling capabilities. These tools can help optimize Snort's performance, especially in high-traffic environments where efficient memory usage and CPU performance are crucial.

By installing gperftools, you're providing Snort3 with advanced memory management and profiling capabilities. This can be particularly beneficial when you need to analyze Snort's performance or optimize its resource usage in complex network environments.

After completing this step, your system will have gperftools installed, which Snort3 can leverage for improved performance and debugging capabilities.

Changes the directory back to the snort folder in your home directory. Downloads the gperftools source code (version 2.9.1) from GitHub.

cd ~/snort
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz

Extracts the downloaded tarball.

tar xzvf gperftools-2.9.1.tar.gz

Changes into the extracted gperftools directory. Runs the configuration script to check for dependencies and set up the build environment. Compiles the gperftools source code. Installs the compiled gperftools libraries and binaries on your system.

cd gperftools-2.9.1 
./configure 
make 
sudo make install

Step 4: Install Ragel

Ragel is a state machine compiler. It compiles executable finite state machines from regular languages. In other words, Ragel allows you to create efficient and fast pattern matching code.

For Snort3, Ragel is particularly useful in generating optimized code for pattern matching and protocol analysis. It helps in creating efficient parsers for network protocols and can significantly improve the performance of packet inspection and rule matching.

Some key benefits of Ragel in the context of Snort3 include:

By installing Ragel, you're providing Snort3 with a powerful tool for generating efficient code for its pattern matching and protocol analysis functions. This can lead to improved performance in packet inspection and rule matching, which are core functionalities of Snort.

After completing this step, your system will have Ragel installed, which will be used during the compilation of Snort3 to generate optimized code for certain components.

Changes the directory back to the snort folder in your home directory. Downloads the Ragel source code (version 6.10) from the official website.

cd ~/snort
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz 

Extracts the downloaded tarball. Changes into the extracted Ragel directory. Runs the configuration script to check for dependencies and set up the build environment. Compiles the Ragel source code.Installs the compiled Ragel binaries on your system.

tar -xzvf ragel-6.10.tar.gz

cd ragel-6.10 
./configure 
make 
sudo make install

Step 5: Download Boost C++ Libraries

It's important to note that this step only downloads and extracts the Boost libraries without installing them. This is because Snort3 will use these libraries during its compilation process.

Boost C++ Libraries are a set of free, peer-reviewed, portable C++ source libraries. They're designed to work well with the C++ Standard Library and provide functionality that extends beyond what's available in the standard library.

For Snort3, Boost libraries are crucial for several reasons:

Some specific Boost libraries that might be particularly useful for Snort3 include:

By downloading these libraries, you're preparing the necessary components for Snort3's compilation. In the next steps, you'll see how Snort3 uses these Boost libraries during its build process.

Remember, we're not installing Boost system-wide here. Instead, Snort3's build system will use this local copy of Boost during compilation, ensuring compatibility and avoiding potential conflicts with other system-installed versions of Boost.

Changes the directory back to the snort folder in your home directory. Downloads the Boost C++ Libraries source code (version 1.77.0) from the official Boost repository.

cd ~/snort
wget https://boostorg.jfrog.io/artifactory/main/release/1.77.0/source/boost_1_77_0.tar.gz

Extracts the downloaded tarball.

tar -xvzf boost_1_77_0.tar.gz

Step 6: Install Hyperscan

Hyperscan is a high-performance multiple regex matching library developed by Intel. It's particularly useful for Snort3 for several reasons:

By installing Hyperscan, you're providing Snort3 with a powerful tool for pattern matching, which is at the core of its intrusion detection capabilities. This can significantly improve Snort's performance, especially when dealing with complex rule sets and high-speed network traffic.

The use of CMake in this step allows for easy configuration of the build process, and specifying the Boost root ensures that Hyperscan is built against the same Boost libraries that Snort3 will use.

After this step, your system will have Hyperscan installed and ready for Snort3 to use during its operation, potentially greatly enhancing its pattern matching performance.

Changes to the snort directory. Downloads Hyperscan source code (version 5.4.2) from GitHub.

cd ~/snort
wget https://github.com/intel/hyperscan/archive/refs/tags/v5.4.2.tar.gz

Extracts the downloaded tarball. Creates a new directory for building Hyperscan. Changes to the newly created build directory.

tar -xvzf v5.4.2.tar.gz 
mkdir ~/snort/hyperscan-5.4.2-build 
cd hyperscan-5.4.2-build/

Configures the build using CMake. It sets the installation prefix to /usr/local and specifies the path to the Boost libraries we downloaded earlier. compiles Hyperscan. Installs Hyperscan, requiring sudo privileges.

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort/boost_1_77_0/ ../hyperscan-5.4.2

make

sudo make install

Step 7: Install FlatBuffers

FlatBuffers is an efficient cross-platform serialization library developed by Google. It's particularly useful for Snort3 for several reasons:

In the context of Snort3, FlatBuffers can be used for:

By installing FlatBuffers, you're providing Snort3 with a powerful tool for data serialization and deserialization. This can lead to improved performance in various aspects of Snort3's operation, from rule processing to logging and data exchange.

After this step, your system will have FlatBuffers installed and ready for Snort3 to use during its compilation and operation. This will contribute to Snort3's overall efficiency and performance in handling structured data.

Changes to the snort directory. Downloads FlatBuffers source code (version 2.0.0) from GitHub and saves it as flatbuffers-v2.0.0.tar.gz.

cd ~/snort 
wget https://github.com/google/flatbuffers/archive/refs/tags/v2.0.0.tar.gz -O flatbuffers-v2.0.0.tar.gz

Extracts the downloaded tarball. Creates a new directory for building FlatBuffers. Changes to the newly created build directory. Configures the build using CMake, pointing to the extracted FlatBuffers source directory.Compiles FlatBuffers.

tar -xzvf flatbuffers-v2.0.0.tar.gz 
mkdir flatbuffers-build 
cd flatbuffers-build 
cmake ../flatbuffers-2.0.0 
make 
sudo make install

Step 8: Install Data Acquisition (DAQ) from Snort

The Data Acquisition (DAQ) library is a crucial component for Snort3. Here's why it's important:

Key features of DAQ include:

By installing the DAQ library, you're providing Snort3 with the necessary tools to efficiently capture and process network packets. This is fundamental to Snort's ability to monitor network traffic and detect potential security threats.

After this step, your system will have the DAQ library installed, which is a critical dependency for building and running Snort3. This library will enable Snort3 to interact with network interfaces and capture packets for analysis.

Changes to the snort directory. Downloads the DAQ library source code (version 3.0.13) from GitHub and saves it as libdaq-3.0.13.tar.gz.

cd ~/snort 
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.13.tar.gz -O libdaq-3.0.13.tar.gz

Extracts the downloaded tarball. Changes to the extracted DAQ library directory. Prepares the build environment by generating the configure script. Configures the build process, checking for dependencies and setting up the Makefile. Compiles the DAQ library.Installs the DAQ library, requiring sudo privileges.

tar -xzvf libdaq-3.0.13.tar.gz 
cd libdaq-3.0.13 
./bootstrap 
./configure 
make 
sudo make install

Step 9 - Update Shared Libraries

ldconfig stands for "loader config".

The ldconfig command performs several important functions:

1. Updates the Shared Library Cache: It creates, updates, and removes the necessary links and cache (the file /etc/ld.so.cache) to the most recent shared libraries found in the directories specified in /etc/ld.so.conf and on the command line.

2. Configures Dynamic Linker Run-time Bindings: It helps the dynamic linker find and load shared libraries quickly.

3. Adds New Libraries: If new libraries have been added to the directories listed in /etc/ld.so.conf, running ldconfig ensures that they are properly recognized by the system.

4. Removes Old Cache Entries: It removes cache entries for libraries that no longer exist.

Why is this step important for Snort3 installation?

1. Library Recognition: We've just installed several new libraries (PCRE, gperftools, Ragel, Hyperscan, FlatBuffers, and DAQ). Running ldconfig ensures that these newly installed libraries are recognized by the system.

2. Proper Linking: When we compile Snort3 in later steps, it needs to link against these libraries. Updating the shared library cache ensures that the linker can find these libraries correctly.

3. Runtime Performance: By updating the cache, we're also optimizing the runtime performance of Snort3 and other programs that might use these shared libraries.

4. Avoiding Conflicts: It helps prevent conflicts or errors that might occur if the system tries to use older versions of libraries that might still be cached.

After running this command, your system's shared library cache will be updated to include all the new libraries we've installed. This prepares your system for the final steps of compiling and installing Snort3, ensuring that all dependencies are properly recognized and can be linked correctly.

Remember, it's a good practice to run ldconfig after installing new libraries to keep your system's shared library configuration up to date.

sudo ldconfig

Step 10: Download and Install the Latest Version of Snort 3

Finally, the time comes to install Snort3 on Kali Linux. Snort installation is no different then the packages we installed.

After this step, Snort 3 will be installed on your system. However, there are still a few more steps to complete before Snort 3 is fully set up and ready to use. These include setting up the configuration files, downloading rules, and configuring your network for Snort to monitor.

Remember, Snort 3 is a significant upgrade from previous versions, with improved performance, enhanced extensibility, and new features. It's designed to be more efficient and easier to use and extend than its predecessors.

Changes to the snort directory. Downloads Snort 3 source code (version 3.1.74.0) from GitHub.

cd ~/snort 
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.82.0.tar.gz -O snort3-3.1.82.0.tar.gz

Extracts the downloaded tarball. Changes to the extracted Snort 3 directory.

Runs the configuration script:

* --prefix=/usr/local: Sets the installation directory to /usr/local.

* --enable-jemalloc: Enables the use of jemalloc, a memory allocator that can improve performance.

Changes to the build directory created by the configuration script. Compiles Snort 3. Installs Snort 3, requiring sudo privileges.

tar -xzvf snort3-3.1.82.0.tar.gz 
cd snort3-3.1.82.0 
./configure_cmake.sh --prefix=/usr/local --enable-jemalloc 
cd build 
make 
sudo make install

To verify the installation is complete, check the version of snort with -V flag.

/usr/local/bin/snort -V

Let's test the snort configuration file 'snort.lua' located in /usr/local/etc/snort/ path by running snort command with -c flag. 

/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua

Step 11: Disable Network Offload Features

This is an optional step, it is important in the context of Snort because certain network offload features can interfere with Snort's ability to accurately monitor network traffic. Specifically:

When running Snort, it's often recommended to disable these offload features to ensure Snort can analyze each packet individually.

Run these commands to check the status of network offload.

sudo ethtool -k eth0 | grep receive-offload

If you see that these features are enabled (showing "on"), you might want to disable them for more accurate Snort operation. This can typically be done with commands like:

sudo ethtool -K eth0 gro off
sudo ethtool -K eth0 lro off

Bear in mind, that this is a temporary setting, it doesn't survive reboot. To make this setting permanent, create a file named ethtool.service under the directory /lib/systemd/system/ .

sudo nano /lib/systemd/system/ethtool.service

Add these lined in the ethtool.service file.

[Unit] 
Description=Ethtool Configration for Network Interface 
[Service] 
Requires=network.target 
Type=oneshot 
ExecStart=/sbin/ethtool -K <network adapter> gro off 
ExecStart=/sbin/ethtool -K <network adapter> lro off 
[Install] 
WantedBy=multi-user.target

Start and enable the service ethtool running these commands.

sudo systemctl start ethtool
sudo systemctl enable ethtool
sudo ethtool -k eth0 | grep receive-offload

[Optional] Create a Simple Rule and Test

You can create a rule in any location. However, you should keep two things to run the rule file:

It's good practice to keep the rule file under /usr/local/etc/snort/rules/ the directory. Let's create a file with the name local.rules underneath /usr/local/etc/snort/rules/ .

sudo mkdir /usr/local/etc/snort/rules
sudo nano /usr/local/etc/snort/rules/local.rules

Add this simple rule to test the Snort.

alert icmp any any -> any any (msg:"ICMP Echo Request detected"; sid:1000001;)

This rule we created to detect ICMP Echo Request packets (commonly known as ping requests) on your network. 

Let's test the Snort rule against its configuration. To do that, you need to supply the Snort configuration file with the -c flag and the rule file with the -R flag. Like this:

/usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules

You should see "Snort successfully validated the configuration (with 0 warnings)." if your configuration file and rules have no issues.

Now, it's time to test the rule against the live traffic.

To do that you need to assign your network interface to listen to the traffic with the -i flag and print the alert message on the console with the -A flag. Let's construct the command.

sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i eth0 -A alert_fast

ping 192.1689.0.59

See the Snort console. If your rules and configuration files are configured correct, you should see ICMP alerts on Snort console. Which we can see in our case.

This validates that Snort is functioning as expected. This completes the installation of Snort with dependencies.

Configure the Multiple Snort Rules Files to Run Snort

This is again an optional configuration. This should be done if you want to use the same rule file over and over or multiple rules from different locations to run Snort. You can define the multiple rules file from different paths in the Sonrt configuration file snort.lua .

Edit the snort.lua using nano or any CLI text editor.

sudo nano /usr/local/etc/snort/snort.lua

Update the configurations marked as red.

Uncomment enable_builtin_rules line and set it's value to true . Add the rules file path each per line with the directive include = <rule_file_path> as shown in the picture.

Configure Snort3 on Kali Linux with Auto Rule Updates

To configure Snort3 with the ability to fetch registered rules automatically from Snort's official repository, you need to download and install the pulledport package.

Step 12: Install PulledPork

PulledPork is an essential tool for Snort users, designed to automate the process of downloading, managing, and updating Snort rules. It simplifies the task of keeping your intrusion detection system up-to-date with the latest threat signatures, ensuring that your network remains protected against emerging security risks. By using PulledPork, you can efficiently maintain your Snort ruleset, customize it to your specific needs, and save valuable time that would otherwise be spent on manual rule management.

After completing this step, PulledPork3 will be installed on your system, ready to be configured for automatic rule updates. The next steps typically involve setting up the PulledPork configuration file and creating a cron job to run PulledPork regularly, ensuring your Snort installation always has the latest rules.

cd ~/snort 
git clone https://github.com/shirkdog/pulledpork3.git 
cd ~/snort/pulledpork3 
sudo mkdir /usr/local/bin/pulledpork3 
sudo cp pulledpork.py /usr/local/bin/pulledpork3 
sudo cp -r lib/ /usr/local/bin/pulledpork3 
sudo chmod +x /usr/local/bin/pulledpork3/pulledpork.py 
sudo mkdir /usr/local/etc/pulledpork3 

sudo cp etc/pulledpork.conf /usr/local/etc/pulledpork3/

This completes the installation of PulledPork. You can verify the installation with -V flag.

sudo /usr/local/bin/pulledpork3/pulledpork.py -V

Step 13: Configure PulledPork Config File to Auto Download the Rules

Configure PulledPork to Fetch Snort Rules from the Official Repositories. Edit the pulledpork.conf file located in /usr/local/etc/pulledpork3/ the directory. Configure the marked configuration directives.

Note: Get your oinkcode API key by creating an account on the official Snort website.

sudo nano /usr/local/etc/pulledpork3/pulledpork.conf

sudo mkdir /usr/local/etc/so_rules

Run the pulledpork.py with the pulledpork.conf file to download the registered rules from the official Snort repository.

sudo /usr/local/bin/pulledpork3/pulledpork.py -c /usr/local/etc/pulledpork3/pulledpork.conf

If you see this WARNING: `blocklist_path` is configured but no blocklists have been specified for download. Comment the line with the directive blocklist_path and re-run the command.

sudo /usr/local/bin/pulledpork3/pulledpork.py -c /usr/local/etc/pulledpork3/pulledpork.conf

Again there is a WARNING: Unable to load rules archive:  422 Client Error: Unprocessable Content for url: https://snort.org/rules/snortrules-snapshot-31820.tar.gz?oinkcode=<hidden>

This is because there is no existence of 31820 rules. You can fix this problem by hard coding the  number of existing rule snapshot in the pulledpork.py file.

Get the Oinkcode rules from here:  https://www.snort.org/oinkcodes

sudo nano /usr/local/bin/pulledpork3/pulledpork.py

sudo /usr/local/bin/pulledpork3/pulledpork.py -c /usr/local/etc/pulledpork3/pulledpork.conf

Step 14: [Optional] Configure PulledPork Rules in the Snort Configuration File

Optional Configuration to point pulledpork rules with Snort. You can skip this if you don't want to configure it.

sudo nano /usr/local/etc/snort/snort.lua

Run Snort with pulledpork rules.

sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --plugin-path /usr/local/etc/so_rules

You can test this against the live traffic.

To do that you need to assign your network interface to listen to the traffic with the -i flag and print the alert message on the console with the -A flag. Let's construct the command.

sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --plugin-path /usr/local/etc/so_rules -i wlan0 -A alert_fst

This command lets Snort to listening mode and start listing the traffic and print alerts if there is traffic that matches the rule pulledpork.rules file.

This is how we can install and configure Snort with the ability to fetch registered rules automatically from Snort's official repository using PulledPork. Note: Don't try this on ARM chip computers. It works only on x86 chipset architecture.

Please keep visiting thesecmaster.com for more such technical information. Visit our social media page on Facebook, Instagram,  LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive information like this. 

You may also like these articles: