Step-by-step procedure for installing and configuring Snort on AsusMerlin
Log in to the WebUI at 192.168.xxx.xxx
Administration -> System ->
Format JFFS partition at next boot = No.
Enable JFFS custom scripts and configs = Yes
Enable SSH = Yes
venkat@venkat:~$telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
RT-AC87U-E478 login: admin
Password:
ASUSWRT-Merlin RT-AC87U_3.0.0.4 Fri Jul 17 03:17:40 UTC 2015
admin@RT-AC87U-E478:/tmp/home/root#
ASUSWRT-Merlin RT-AC87U_3.0.0.4 Fri Jul 17 03:17:40 UTC 2015
admin@RT-AC87U-E478:/tmp/home/root# entware-setup.sh
.
.
Info: Looking for available partitions...
[1] --> /tmp/mnt/sda1
=> Please enter partition number or 0 to exit
[0-1]: 1
.
.
Info: Congratulations!
Info: If there are no errors above then Entware.arm successfully initialized.
Info: Add /opt/bin & /opt/sbin to your PATH variable
Info: Add '/opt/etc/init.d/rc.unslung start' to startup script for Entware.arm services to start
Info: Found a Bug? Please report at https://github.com/zyxmon/entware-arm/issues
admin@RT-AC87U-E478:/tmp/home/root#
admin@RT-AC87U-E478:/tmp/home/root# opkg update
admin@RT-AC87U-E478:/tmp/home/root# opkg list libdaq
admin@RT-AC87U-E478:/tmp/home/root# opkg install snort
admin@RT-AC87U-E478:/tmp/home/root# opkg install openssh-sftp-server
admin@RT-AC87U-E478:/tmp/home/root# Download the Snort Rules using Wget.
Unzip them to a directory, say SnortRules.
admin@RT-AC87U-E478:/tmp/home/root# cd /mnt/sda1/SnortRules/snortrules-snapshot-2973
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r preproc_rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r so_rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# mkdir /opt/etc/snort/log
#Location of Snort files (note that rules, so_rules and log are world-writable in this listing; tighten their permissions so that only the owner can write to them).
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# ls -l /opt/etc/snort/
drwxr-xr-x 2 admin root 4096 Sep 30 00:24 preproc_rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 so_rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 log
-rw------- 1 admin root 1281 Aug 1 08:57 attribute_table.dtd
-rw------- 1 admin root 3757 Aug 1 08:57 classification.config
-rw------- 1 admin root 31709 Aug 1 08:57 gen-msg.map
-rw------- 1 admin root 687 Aug 1 08:57 reference.config
-rw------- 1 admin root 26761 Sep 30 00:04 snort.conf
-rw------- 1 admin root 26772 Sep 29 23:58 snort.conf.bak
-rw------- 1 admin root 160606 Aug 1 08:57 unicode.map
#Location of daq files.
admin@RT-AC87U-E478:/tmp/home/root# ls /opt/lib/daq* -l
-rwxr-xr-x 1 admin root 14308 Aug 1 08:48 daq_afpacket.so
-rwxr-xr-x 1 admin root 5900 Aug 1 08:48 daq_dump.so
-rwxr-xr-x 1 admin root 7080 Aug 1 08:48 daq_ipfw.so
-rwxr-xr-x 1 admin root 8996 Aug 1 08:48 daq_pcap.so
admin@RT-AC87U-E478:/tmp/home/root#
admin@RT-AC87U-E478:/tmp/home/root# vi /opt/etc/snort/snort.conf
#Original contents in snort.conf
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# config logdir:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
max_tcp 262144, \
max_udp 131072, \
preprocessor sip: max_sessions 40000, \
include threshold.conf
#Modified contents in snort.conf
ipvar HOME_NET [192.168.2.1/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /opt/etc/snort/rules
var SO_RULE_PATH /opt/etc/snort/so_rules
var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules
var WHITE_LIST_PATH /opt/etc/snort/rules
var BLACK_LIST_PATH /opt/etc/snort/rules
config logdir:/opt/etc/snort/log
dynamicpreprocessor directory /opt/lib/snort_dynamicpreprocessor/
dynamicengine /opt/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
max_tcp 9999, \
max_udp 31072, \
preprocessor sip: max_sessions 4000, \
# include threshold.conf
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# touch /opt/etc/snort/rules/white_list.rules
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# touch /opt/etc/snort/rules/black_list.rules
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# cd /opt
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm#dd if=/dev/zero of=swap bs=1024 count=524288
524288+0 records in
524288+0 records out
Note: this takes almost 5 minutes before the prompt returns; please wait.
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# mkswap swap
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# chmod 0600 swap
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# swapon swap
To enable the swap file when the router boots, add these lines to the /jffs/scripts/post-mount script:
echo "" >>/jffs/scripts/post-mount
echo "swapon /opt/swap" >>/jffs/scripts/post-mount
To turn swap off, add these lines to the /jffs/scripts/services-stop script:
echo "" >>/jffs/scripts/services-stop
echo "swapoff /opt/swap" >>/jffs/scripts/services-stop
To test - add this rule (it alerts on every IP packet); afterwards, comment it out or remove it from the /opt/etc/snort/rules/local.rules file.
echo 'alert ip any any -> any any (msg: "IP Packet detected"; sid:1000001; )' >> /opt/etc/snort/rules/local.rules
admin@RT-AC87U-E478:/tmp/home/root# reboot
Log back in to the router using ssh or telnet (ssh is preferable, since telnet sends the password in clear text) and start the process.
#Run snort and print the alerts on the console immediately.
admin@RT-AC87U-E478:/tmp/home/root# snort -A console -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq -l /opt/etc/snort/log/
#Run snort as a daemon (background process).
admin@RT-AC87U-E478:/tmp/home/root# snort -A fast -d -D -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq -l /opt/etc/snort/log/
This will not return the prompt immediately; wait about 5 minutes for the prompt to come back. You can use
admin@RT-AC87U-E478:/tmp/home/root# ps
to see the snort process running.
#Run Snort in test mode to check that all the configuration files are correct.
snort -T -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq
Log in to the WebUI at 192.168.xxx.xxx
Administration -> System ->
Format JFFS partition at next boot = No.
Enable JFFS custom scripts and configs = Yes
Enable SSH = Yes
venkat@venkat:~$telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
RT-AC87U-E478 login: admin
Password:
ASUSWRT-Merlin RT-AC87U_3.0.0.4 Fri Jul 17 03:17:40 UTC 2015
admin@RT-AC87U-E478:/tmp/home/root#
ASUSWRT-Merlin RT-AC87U_3.0.0.4 Fri Jul 17 03:17:40 UTC 2015
admin@RT-AC87U-E478:/tmp/home/root# entware-setup.sh
.
.
Info: Looking for available partitions...
[1] --> /tmp/mnt/sda1
=> Please enter partition number or 0 to exit
[0-1]: 1
.
.
Info: Congratulations!
Info: If there are no errors above then Entware.arm successfully initialized.
Info: Add /opt/bin & /opt/sbin to your PATH variable
Info: Add '/opt/etc/init.d/rc.unslung start' to startup script for Entware.arm services to start
Info: Found a Bug? Please report at https://github.com/zyxmon/entware-arm/issues
admin@RT-AC87U-E478:/tmp/home/root#
admin@RT-AC87U-E478:/tmp/home/root# opkg update
admin@RT-AC87U-E478:/tmp/home/root# opkg list libdaq
admin@RT-AC87U-E478:/tmp/home/root# opkg install snort
admin@RT-AC87U-E478:/tmp/home/root# opkg install openssh-sftp-server
admin@RT-AC87U-E478:/tmp/home/root# Download the Snort Rules using Wget.
Unzip them to a directory, say SnortRules.
admin@RT-AC87U-E478:/tmp/home/root# cd /mnt/sda1/SnortRules/snortrules-snapshot-2973
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r preproc_rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# cp -r so_rules/ /opt/etc/snort
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# mkdir /opt/etc/snort/log
#Location of Snort files (note that rules, so_rules and log are world-writable in this listing; tighten their permissions so that only the owner can write to them).
admin@RT-AC87U-E478:/tmp/mnt/sda1/SnortRules/snortrules-snapshot-2973# ls -l /opt/etc/snort/
drwxr-xr-x 2 admin root 4096 Sep 30 00:24 preproc_rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 so_rules
drwxrwxrwx 2 admin root 4096 Sep 30 00:24 log
-rw------- 1 admin root 1281 Aug 1 08:57 attribute_table.dtd
-rw------- 1 admin root 3757 Aug 1 08:57 classification.config
-rw------- 1 admin root 31709 Aug 1 08:57 gen-msg.map
-rw------- 1 admin root 687 Aug 1 08:57 reference.config
-rw------- 1 admin root 26761 Sep 30 00:04 snort.conf
-rw------- 1 admin root 26772 Sep 29 23:58 snort.conf.bak
-rw------- 1 admin root 160606 Aug 1 08:57 unicode.map
#Location of daq files.
admin@RT-AC87U-E478:/tmp/home/root# ls /opt/lib/daq* -l
-rwxr-xr-x 1 admin root 14308 Aug 1 08:48 daq_afpacket.so
-rwxr-xr-x 1 admin root 5900 Aug 1 08:48 daq_dump.so
-rwxr-xr-x 1 admin root 7080 Aug 1 08:48 daq_ipfw.so
-rwxr-xr-x 1 admin root 8996 Aug 1 08:48 daq_pcap.so
admin@RT-AC87U-E478:/tmp/home/root#
admin@RT-AC87U-E478:/tmp/home/root# vi /opt/etc/snort/snort.conf
#Original contents in snort.conf
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# config logdir:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
max_tcp 262144, \
max_udp 131072, \
preprocessor sip: max_sessions 40000, \
include threshold.conf
#Modified contents in snort.conf
ipvar HOME_NET [192.168.2.1/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /opt/etc/snort/rules
var SO_RULE_PATH /opt/etc/snort/so_rules
var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules
var WHITE_LIST_PATH /opt/etc/snort/rules
var BLACK_LIST_PATH /opt/etc/snort/rules
config logdir:/opt/etc/snort/log
dynamicpreprocessor directory /opt/lib/snort_dynamicpreprocessor/
dynamicengine /opt/lib/snort_dynamicengine/libsf_engine.so
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
max_tcp 9999, \
max_udp 31072, \
preprocessor sip: max_sessions 4000, \
# include threshold.conf
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# touch /opt/etc/snort/rules/white_list.rules
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# touch /opt/etc/snort/rules/black_list.rules
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm/etc/snort# cd /opt
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm#dd if=/dev/zero of=swap bs=1024 count=524288
524288+0 records in
524288+0 records out
Note: this takes almost 5 minutes before the prompt returns; please wait.
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# mkswap swap
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# chmod 0600 swap
admin@RT-AC87U-E478:/tmp/mnt/sda1/entware.arm# swapon swap
To enable the swap file when the router boots, add these lines to the /jffs/scripts/post-mount script:
echo "" >>/jffs/scripts/post-mount
echo "swapon /opt/swap" >>/jffs/scripts/post-mount
To turn swap off, add these lines to the /jffs/scripts/services-stop script:
echo "" >>/jffs/scripts/services-stop
echo "swapoff /opt/swap" >>/jffs/scripts/services-stop
To test - add this rule (it alerts on every IP packet); afterwards, comment it out or remove it from the /opt/etc/snort/rules/local.rules file.
echo 'alert ip any any -> any any (msg: "IP Packet detected"; sid:1000001; )' >> /opt/etc/snort/rules/local.rules
admin@RT-AC87U-E478:/tmp/home/root# reboot
Log back in to the router using ssh or telnet (ssh is preferable, since telnet sends the password in clear text) and start the process.
#Run snort and print the alerts on the console immediately.
admin@RT-AC87U-E478:/tmp/home/root# snort -A console -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq -l /opt/etc/snort/log/
#Run snort as a daemon (background process).
admin@RT-AC87U-E478:/tmp/home/root# snort -A fast -d -D -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq -l /opt/etc/snort/log/
This will not return the prompt immediately; wait about 5 minutes for the prompt to come back. You can use
admin@RT-AC87U-E478:/tmp/home/root# ps
to see the snort process running.
#Run Snort in test mode to check that all the configuration files are correct.
snort -T -c /opt/etc/snort/snort.conf --daq-dir /opt/lib/daq