Installing Snort on OpenBSD 6.4

As you may recall from previous posts, I am running an OpenBSD server on an APU2 air-cooled 3 Intel NIC box as my router/firewall for my secure home network.  Given that all of my Internet traffic flows through this box, I thought it would be a cool idea to run an Intrusion Detection System (IDS) on it.  Snort is the big hog of the open source world so I took a peek in the packages directory on one of the mirrors and lo and behold we have the latest & greatest version of Snort available!  Thanks devs!!!

I did some quick Googling and didn’t find much “modern” howto help out there so, after some trial and error, I have it up and running.  I thought I’d give back in a small way and share a quickie howto for other Googlers out there who are looking for guidance.  Here’s hoping that my title is good enough “SEO” to get you here!  🙂

As an IDS, the purpose of Snort is to examine all packets coming from the Internet to your network and from your network to the Internet.  The purpose of this inspection, unlike a firewall such as PF which is looking at ports and ensuring that you only expose the attack surface you mean to, is to use a set of know vulnerability (in the form of “snort rules”) to alert you if there is a problem.  The difference between an IDS and an IPS (intrusion prevention system) is that an IPS takes active steps to protect you, while an IPS like Snort just tells you “you have a problem.”

Installing snort from packages is pretty simple:

# pkg_add snort

After it’s done its thing, you now have a new /etc/rc.d/snort init script, a new _snort user and the snort files (along with dependencies) in the appropriate /usr/local directories.  The log files will show up in /var/snort/log and the configuration files are in /etc/snort.  The first thing I tried to do is run snort from the command line and discovered pretty quickly that it needs to know where its DAQ library (the functions that allow Snort to sniff traffic) is located.  To set this up, add the following line to your /etc/snort/snort.conf file:

config daq_dir: /usr/local/lib/daq

Now, we need to tell it which network represents our “internal” network and which represents the untrusted world of the Internet.  Near the top of the /etc/snort/snort.conf file, you will see the definition of “HOME_NET” and “EXTERNAL_NET”.  For HOME_NET you want to set it to use your local network.  For example, let’s say your local network was a class C network (255 possible IP addresses) at 10.0.5.x, you would use:

ipvar HOME_NET 10.0.5.1/24

You then want to define EXTERNAL_NET to be everything but that.  Fortunately, the syntax for this is pretty straightforward:

ipvar EXTERNAL_NET !$HOME_NET

At this point, you need to install your Snort rules.  There is a free “community” rule-set you can use that has all new rules delayed by 30 days, or you can crack open your moldy wallet, let a few moths out of it and spring $29.95 annually for the personal license for all of the latest & greatest rules.  Given that I like this tool and want to see it continue to be supported (and I want to be better protected), I’ll do the latter.  If you want to go the free route, I’ll leave it as an “exercise for the reader” to figure out how to make that happen.

When you subscribe, you get a userid and password that allow you to log into the https://snort.org website and download the latest ruleset.  Once you have pulled down the tarball (mine was called snortrules-snapshot-29120.tar.gz), scp it over to your OpenBSD router and unpack it in the /etc/snort directory.  Be careful – it will replace your snort.conf file so if you are dumb like me <grin>, you’ll have to re-apply your changes to it after you get confused as to why it isn’t working right.

At this point, you can either play around with Snort in the terminal or, if you are feeling particularly adventurous, make some changes to your rc.conf.local file via the beautiful rcctl tool that the wonderful OpenBSD devs created for us.  On my system, firing up Snort takes some time so I needed to set a timeout to a maximum of six minutes and I also have to pass it the interface I’m using (it defaults to your “first” interface but why take the chance):

# rcctl enable snort

# rcctl set snort flags -i em0

# rcctl set snort timeout 360

With that, a quick “doas reboot” and log back in will have you wondering if it worked.  Tail /var/log/messages until you actually see it spawn the daemon.  That will show you that it actually kicked things off.

At this point, Snort is monitoring your traffic and anything untoward will show up in /var/snort/log in either the “alert” logfile or the “snort.log.*” logfile.  You can find tools out there that will monitor your logs and notify you if something bad happens.  In addition, there is a tool that will keep your snort rules up to date as well that you can slap in a chron script if you’d like.

As I said, short and sweet, but I wanted folks who were interested in running this tool to at least have a good launching point on a more recent version of OpenBSD to hopefully leverage this great open source tool.

This entry was posted in Uncategorized. Bookmark the permalink.

5 Responses to Installing Snort on OpenBSD 6.4

  1. John R Page says:

    Could you do a brief comparison and contrast of Snort with the geohegan scripts:

    https://www.geoghegan.ca/pfbadhost.html

    https://www.geoghegan.ca/unbound-adblock.html

    Thanks.

    John

  2. Pingback: Valuable News – 2019/04/15 | 𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗

  3. Pingback: Snort on OpenBSD 6.4 | 0ddn1x: tricks with *nix

  4. Pingback: Let’s dial it up to 11 | FunctionallyParanoid.com

  5. Ramin Tehrani says:

    Hi,
    I used your howto for installing snort at openBSD and thx for your installation guide.
    But I get:

    My-FW1$ doas snort -v
    Running in packet dump mode

    –== Initializing Snort ==–
    Initializing Output Plugins!
    ERROR: Can’t find pcap DAQ!
    Fatal Error, Quitting..

    I seems that something is still missing. Has the outside interface to be set to “promisc” mode”?
    Any way the path to “config daq_dir: /usr/local/lib/daq” is corrrect.
    Thx
    Ramin

Leave a Reply

Your email address will not be published. Required fields are marked *