
Step by Step: SNORT on AsusMerlin


ugvenkat

New Around Here
Step by step procedure for installing and configuring SNORT on AsusMerlin

Log in to the WebUI at 192.168.xxx.xxx
Administration -> System ->
Format JFFS partition at next boot = No
Enable JFFS custom scripts and configs = Yes
Enable SSH = Yes

venkat@venkat:~$ telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
RT-AC87U-E478 login: admin
Password:

ASUSWRT-Merlin RT-AC87U_3.0.0.4 Fri Jul 17 03:17:40 UTC 2015
admin@RT-AC87U-E478:/tmp/home/root#

ASUSWRT-Merlin RT-AC87U_3.0.0.4 Fri Jul 17 03:17:40 UTC 2015
admin@RT-AC87U-E478:/tmp/home/root# entware-setup.sh
.
.
Info: Looking for available partitions...
[1] --> /tmp/mnt/sda1
=> Please enter partition number or 0 to exit
[0-1]: 1
.
.
Info: Congratulations!
Info: If there are no errors above then Entware.arm successfully initialized.
Info: Add /opt/bin & /opt/sbin to your PATH variable
Info: Add '/opt/etc/init.d/rc.unslung start' to startup script for Entware.arm services to start
Info: Found a Bug? Please report at https://github.com/zyxmon/entware-arm/issues
admin@RT-AC87U-E478:/tmp/home/root#

admin@RT-AC87U-E478:/tmp/home/root# opkg update
admin@RT-AC87U-E478:/tmp/home/root# opkg list libdaq
admin@RT-AC87U-E478:/tmp/home/root# opkg install snort
admin@RT-AC87U-E478:/tmp/home/root# opkg install openssh-sftp-server

Download the Snort rules using wget and unzip them to a directory, say SnortRules.

admin@RT-AC87U-E478:/tmp/home/root# cd /mnt/sda1/SnortRules/snortrules-snapshot-2973
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r preproc_rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r so_rules/ /opt/etc/snort

admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# mkdir /opt/etc/snort/log

#Location of Snort files.
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# ls -l /opt/etc/snort/
drwxr-xr-x 2 admin root 4096 Sep 30 00:24 preproc_rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 so_rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 log
-rw------- 1 admin root 1281 Aug 1 08:57 attribute_table.dtd
-rw------- 1 admin root 3757 Aug 1 08:57 classification.config
-rw------- 1 admin root 31709 Aug 1 08:57 gen-msg.map
-rw------- 1 admin root 687 Aug 1 08:57 reference.config
-rw------- 1 admin root 26761 Sep 30 00:04 snort.conf
-rw------- 1 admin root 26772 Sep 29 23:58 snort.conf.bak
-rw------- 1 admin root 160606 Aug 1 08:57 unicode.map

#Location of daq files.
admin@RT-AC87U-E478:/tmp/home/root# ls /opt/lib/daq* -l
-rwxr-xr-x 1 admin root 14308 Aug 1 08:48 daq_afpacket.so
-rwxr-xr-x 1 admin root 5900 Aug 1 08:48 daq_dump.so
-rwxr-xr-x 1 admin root 7080 Aug 1 08:48 daq_ipfw.so
-rwxr-xr-x 1 admin root 8996 Aug 1 08:48 daq_pcap.so
admin@RT-AC87U-E478:/tmp/home/root#


admin@RT-AC87U-E478:/tmp/home/root# vi /opt/etc/snort/snort.conf

#Original contents in snort.conf
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# config logdir:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
max_tcp 262144, \
max_udp 131072, \
preprocessor sip: max_sessions 40000, \
include threshold.conf


#Modified contents in snort.conf
ipvar HOME_NET [192.168.2.1/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /opt/etc/snort/rules
var SO_RULE_PATH /opt/etc/snort/so_rules
var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules
var WHITE_LIST_PATH /opt/etc/snort/rules
var BLACK_LIST_PATH /opt/etc/snort/rules
config logdir:/opt/etc/snort/log
dynamicpreprocessor directory /opt/lib/snort_dynamicpreprocessor/
dynamicengine /opt/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
max_tcp 9999, \
max_udp 31072, \
preprocessor sip: max_sessions 4000, \
# include threshold.conf

admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# touch /opt/etc/snort/rules/white_list.rules
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# touch /opt/etc/snort/rules/black_list.rules

admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# cd /opt
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# dd if=/dev/zero of=swap bs=1024 count=524288
524288+0 records in
524288+0 records out
Note this takes almost 5 minutes to get back the prompt, please wait.

admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# mkswap swap
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# chmod 0600 swap
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# swapon swap

To enable the swap file when the router boots, add these lines to the /jffs/scripts/post-mount script:
echo "" >>/jffs/scripts/post-mount
echo "swapon /opt/swap" >>/jffs/scripts/post-mount

To disable swap on shutdown, add these lines to the /jffs/scripts/services-stop script:
echo "" >>/jffs/scripts/services-stop
echo "swapoff /opt/swap" >>/jffs/scripts/services-stop

To test (comment out or remove this line from /opt/etc/snort/rules/local.rules when done):
echo 'alert ip any any -> any any (msg: "IP Packet detected"; sid:1000001; )' >> /opt/etc/snort/rules/local.rules

admin@RT-AC87U-E478:/tmp/home/root# reboot

Login back to the router using telnet or ssh and start the process.

#Run snort and view the contents on the screen instantly.
admin@RT-AC87U-E478:/tmp/home/root# snort -A console -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq -l /opt/etc/snort/log/

#Run snort as a process.
admin@RT-AC87U-E478:/tmp/home/root# snort -A fast -d -D -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq -l /opt/etc/snort/log/
This will not return the prompt immediately; wait about 5 minutes to get the prompt back. You can use
admin@RT-AC87U-E478:/tmp/home/root# ps
to see the snort process running.

#Run Snort to check if all the configurations files are correct.
snort -T -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq
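As an added example (not part of the original post), a small shell lint that checks a snort.conf for the edits described above and checks local.rules for the catch-all test rule; it assumes the tutorial's /opt/etc/snort layout, and the sample fragments it writes are constructed from the post's "Original" and "Modified" lines:

```shell
#!/bin/sh
# Added example, not from the original post: lint the snort.conf and local.rules
# edits described above before running 'snort -T'. Paths follow the tutorial's
# Entware layout (/opt/etc/snort); sample fragments below are constructed.

warn() { echo "WARN: $1"; }

# check_snort_conf FILE -> 0 if every tutorial edit is present, 1 otherwise.
check_snort_conf() {
  conf="$1"; rc=0
  # HOME_NET 'any' makes EXTERNAL_NET (!$HOME_NET) empty, so those rules never fire.
  grep -q '^ipvar HOME_NET any' "$conf" && { warn "HOME_NET is still 'any'"; rc=1; }
  grep -q '^ipvar EXTERNAL_NET !\$HOME_NET' "$conf" || { warn "EXTERNAL_NET is not !\$HOME_NET"; rc=1; }
  # Relative ../rules paths resolve from the working directory, not /opt/etc/snort.
  for v in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH; do
    grep -q "^var $v /opt/" "$conf" || { warn "$v is not an absolute /opt path"; rc=1; }
  done
  grep -q '^config logdir:' "$conf" || { warn "logdir not set"; rc=1; }
  # The Entware build keeps its engine under /opt/lib, not /usr/local/lib.
  grep -q '^dynamicengine /opt/lib/' "$conf" || { warn "dynamicengine not under /opt/lib"; rc=1; }
  grep -q '^dynamicdetection ' "$conf" && { warn "dynamicdetection active (tutorial comments it out)"; rc=1; }
  return $rc
}

# check_local_rules FILE -> 1 if the catch-all 'alert ip any any -> any any' test rule is live.
check_local_rules() {
  grep -q '^alert ip any any -> any any' "$1" && { warn "catch-all test rule still active"; return 1; }
  return 0
}

# write_sample original|modified FILE: constructed fragments matching the post above.
write_sample() {
  if [ "$1" = original ]; then
    printf '%s\n' 'ipvar HOME_NET any' 'ipvar EXTERNAL_NET any' 'var RULE_PATH ../rules' \
      'var SO_RULE_PATH ../so_rules' 'var PREPROC_RULE_PATH ../preproc_rules' \
      'var WHITE_LIST_PATH ../rules' 'var BLACK_LIST_PATH ../rules' '# config logdir:' \
      'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so' \
      'dynamicdetection directory /usr/local/lib/snort_dynamicrules' > "$2"
  else
    printf '%s\n' 'ipvar HOME_NET [192.168.2.1/16,10.0.0.0/8]' 'ipvar EXTERNAL_NET !$HOME_NET' \
      'var RULE_PATH /opt/etc/snort/rules' 'var SO_RULE_PATH /opt/etc/snort/so_rules' \
      'var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules' 'var WHITE_LIST_PATH /opt/etc/snort/rules' \
      'var BLACK_LIST_PATH /opt/etc/snort/rules' 'config logdir:/opt/etc/snort/log' \
      'dynamicengine /opt/lib/snort_dynamicengine/libsf_engine.so' \
      '#dynamicdetection directory /usr/local/lib/snort_dynamicrules' > "$2"
  fi
}

# Usage on the router: sh lint.sh /opt/etc/snort/snort.conf
if [ -n "$1" ]; then check_snort_conf "$1"; fi
```

Run it against the real files before `snort -T`; each WARN line names one edit from the post that is missing.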
 
ugvenkat,

Thank you for your tutorial.

I am installing it on my AC66. The install seems to have gone fine, except when I run it the router appears to go into a swap lock state.

Snort never displays data, the load count reported by top continually increases as does the swap usage reported by free and the router becomes very slow. As soon as I stop the snort process, everything returns to normal.

So it seems after a short time of snort trying to allocate the memory it needs, the router starts to thrash the swap file and everything comes to a halt.

I am using 1GB of swap on the thumb drive; there is 256MB of memory on the AC66.

I have tried reducing the max number of TCP and UDP but that has not helped.

What else can I check or reduce to get snort to work?

rearden
 
Installed on AC68U with NG-Entware. Everything is working well, average CPU usage around 5-10%, RAM around 85-90%.
 
I continued to play with it. I took the default snort.conf and modified the lines mentioned above. It is currently running at 8-20% CPU using about 64MB of swap. The free RAM stays around 70% no matter how much snort seems to want. I tried adjusting swappiness but that didn't change anything.

The problem is the file-flash.rules set. All other rule sets seem to work fine, but when I include that one, the allocated swap increases quickly and then all the CPU goes to io or sys and it falls on its face. So comment out file-flash.rules.

My test was successful:
alert icmp any any -> 192.168.1.234 any (msg: "Someone Pinged Sas3"; sid:1000003;)

has snort flagging pings. Otherwise everything is quiet, which I hope is a Good Thing and not that snort is incorrectly configured.

I have not been able to get pulledpork to work. It seems to want perl modules I don't have installed:

/entware/etc/snort# perl pulledpork.pl -V
Can't locate LWP/UserAgent.pm in @INC (you may need to install the LWP::UserAgent module) (@INC contains: /opt/lib/perl5/5.22 .) at pulledpork.pl line 25.
BEGIN failed--compilation aborted at pulledpork.pl line 25.

If anyone has suggestions on that, I would appreciate it.

Does this configuration drop packets or just flag them?

rearden
 
Snort 2.9.7.6 is end of life. How do you update opkg?
I recommend you open an issue on entware GitHub site regarding the package version and ask if there are plans to update it. If not, you may need to remove the existing entware package, download the source from snort.org, compile and configure. I recently installed it on a raspberry pi using these instructions: http://blog.holdenkilbride.com/2016/10/25/turn-your-raspberry-pi-into-a-snort-ids/. This one may be more applicable to the router but it is dated: http://www.thegeekstuff.com/2010/08/snort-tutorial. Perhaps a more robust search might give you more updated instructions. I've been thinking about doing this myself recently.

Edit: I just checked and entware is missing the package dependencies flex, bison and libpcre3.
 
I very likely ought to have created a new thread, and will do so if this isn't fruitful. My thinking is that a follow-up to this old thread would easily reach someone knowledgeable enough to respond.

Is it possible that any WRT/ARMv7-compatible recent version of Snort might get developed? Has any such possibility been supplanted by NIDS hardware?

I'd like to be able to use PulledPork on a machine in my home network and push new rules to my AC87. Right now the Snort package available on the Entware repo doesn't seem useful.

News - or alternative suggestions - welcome. Thanks!
 
IMHO, Suricata is a better alternative than Snort. It's simpler to configure, and seemed to be working reasonably well when I last experimented with it a few years back. Entware-NG has since added the package to its repository.
 