Snort 3 includes two main configuration files, snort_defaults.lua and snort.lua. The snort.lua file contains Snort's main configuration: it enables and configures Snort inspectors (preprocessors), includes the rules files, and sets up event filters, outputs, and so on. The snort_defaults.lua file contains default values such as the paths to rules, AppID, and intelligence lists, along with network and port variables, wizards, and inspector defaults.
An additional file, file_magic.lua, exists in the etc/snort/ directory. It contains pre-defined file identities based on the hexadecimal representation of files' magic headers, which help Snort identify the types of files traversing the network when applicable. This file is also used by Snort's main configuration file snort.lua and does not require any modification.
| Task | Snort Configuration File |
|---|---|
| Configure rules, reputation, and AppID paths | snort_defaults.lua |
| Configure HOME_NET and EXTERNAL_NET | snort.lua |
| Configure ips module | snort.lua |
| Configure file_id and file_log inspectors | snort.lua |
| Configure data_log inspector | snort.lua |
| Configure logging | snort.lua |
Configuration Paths
Configuring Network Interface Cards
Configuring Snort starts with enabling promiscuous mode on the interface where Snort listens for network traffic. This enables the network card to see all of the network traffic sent to it rather than only the traffic originating from the Snort 3 server itself. The first step is to give the interface configuration (ifcfg) file the minimal configuration below:
# nano /etc/sysconfig/network-scripts/ifcfg-ens34
TYPE=Ethernet
BOOTPROTO=none
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_FAILURE_FATAL=no
NAME=ens34
DEVICE=ens34
ONBOOT=yes
If an existing interface is modified, ensure that NetworkManager reads the changes and applies them:
# nmcli con load /etc/sysconfig/network-scripts/ifcfg-ens34
# nmcli con up ens34
NIC Offloading
NIC offloads are options that allow the stack to hand the network interface packets larger than the normal MTU in order to save host resources. In doing so, network traffic is potentially altered (re-segmentation, IP fragmentation, reassembly, etc.) by the receiving host's network interface instead of the CPU. This can lead to packet errors and potentially to IDS evasion scenarios. To avoid these issues and let Snort monitor the same packets the receiving host sees, it is recommended to disable NIC offloading options.
In CentOS 8 with NetworkManager present, this can be achieved with the following command:
# nmcli con mod ens34 ethtool.feature-lro off ethtool.feature-gro off ethtool.feature-tso off ethtool.feature-gso off ethtool.feature-sg off ethtool.feature-rx off ethtool.feature-tx off ethtool.feature-rxvlan off ethtool.feature-txvlan off
This permanently modifies the interface's configuration file ifcfg-ens34, adding the ETHTOOL_OPTS parameter as below:
ETHTOOL_OPTS="-K ifname gro off gso off lro off rx off rxvlan off sg off tso off tx off txvlan off"
Next, we increase the size of the receive ring buffer (rx) to the maximum value the interface supports. This raises the number of incoming packets that can be queued before the kernel processes them and so potentially improves capture performance. The current and maximum ring buffer sizes can be read with ethtool's -g option as shown below:
# ethtool -g ens34
From the output, the interface's rx ring is set to 1024 while the maximum is 4096. NetworkManager does not support changing ring buffers itself. Instead, an ETHTOOL_CMD parameter in the interface configuration file, combined with a dispatcher script, ensures that the ring buffers are adjusted permanently.
First, the interface is configured with the ETHTOOL_CMD parameter.
# nano /etc/sysconfig/network-scripts/ifcfg-ens34
Add the following line to increase the ring buffer size:
ETHTOOL_CMD="-G ens34 rx 4096"
Our new interface file will then look something like this:
Second, an executable NetworkManager dispatcher script is created, which passes the ETHTOOL_CMD string from the interface's configuration file to the ethtool program whenever the interface comes up.
# nano /etc/NetworkManager/dispatcher.d/99-ethtool.sh
#!/bin/bash
# BEGIN 99-ethtool.sh
# NetworkManager dispatcher script: $1 is the interface name, $2 the action.
# NetworkManager exports CONNECTION_FILENAME, the path of the ifcfg file of the
# connection that just changed state.
if [[ $2 == up ]]; then
    SCRIPT="$(basename "$0")"
    if [[ -e $CONNECTION_FILENAME ]]; then
        # Read the ifcfg variables, including ETHTOOL_CMD, into this shell
        source "$CONNECTION_FILENAME"
        if [[ -n $ETHTOOL_CMD ]]; then
            ETHTOOL_CMD="/usr/sbin/ethtool $ETHTOOL_CMD"
            # Unquoted on purpose: the string must be word-split into ethtool's arguments
            if $ETHTOOL_CMD; then
                logger "$SCRIPT: success: $ETHTOOL_CMD"
            else
                logger "$SCRIPT: failed: $ETHTOOL_CMD"
            fi
        else
            logger "$SCRIPT: ETHTOOL_CMD not in $CONNECTION_FILENAME, skipping"
        fi
    else
        logger "$SCRIPT: $CONNECTION_FILENAME does not exist?"
    fi
fi
Finally, the script must be made executable.
# chmod +x /etc/NetworkManager/dispatcher.d/99-ethtool.sh
Another task involves setting the interface to promiscuous mode permanently using a custom oneshot systemd service. The service also disables ARP and multicast on the interface. Once the unit file is created, reload systemd and enable the service.
# nano /etc/systemd/system/promisc.service
[Unit]
Description=Snort 3 interface promiscuous mode during boot service
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens34 arp off
ExecStart=/usr/sbin/ip link set dev ens34 multicast off
ExecStart=/usr/sbin/ip link set dev ens34 promisc on
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
# systemctl daemon-reload
# systemctl enable promisc.service
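Because the three changes above (offloads off, rx ring at its maximum, promiscuous mode with ARP and multicast off) are applied by different mechanisms, it is worth checking them together after a reboot. The script below is an added example, not part of the original guide: each check_* function parses the text output of ethtool -k, ethtool -g, or ip link show so that it can be exercised offline on the constructed sample outputs embedded in the script, and verify_live feeds the functions real output for the interface named on the command line (ens34 and the sample values are assumptions).

```shell
#!/bin/bash
# Added example (not from the original guide): verify the NIC tuning described above.

# ethtool -k feature names matching the nmcli ethtool.feature-* options turned off above
# (lro gro tso gso sg rx tx rxvlan txvlan)
OFFLOADS="large-receive-offload generic-receive-offload tcp-segmentation-offload
generic-segmentation-offload scatter-gather rx-checksumming tx-checksumming
rx-vlan-offload tx-vlan-offload"

# Print the offload features that are still "on" in `ethtool -k` output; status 0 if none
check_offloads() {
    local output="$1" feature state still_on=""
    for feature in $OFFLOADS; do
        state=$(printf '%s\n' "$output" | awk -v f="$feature:" '$1 == f { print $2 }')
        [ "$state" = "on" ] && still_on="$still_on $feature"
    done
    printf '%s' "${still_on# }"
    [ -z "$still_on" ]
}

# Print "current/max" rx ring size from `ethtool -g` output; status 0 if current == max.
# The first RX: line belongs to "Pre-set maximums", the second to "Current hardware settings".
check_rx_ring() {
    local output="$1" max cur
    max=$(printf '%s\n' "$output" | awk '$1 == "RX:" { print $2; exit }')
    cur=$(printf '%s\n' "$output" | awk '$1 == "RX:" { if (++n == 2) { print $2; exit } }')
    printf '%s/%s' "$cur" "$max"
    [ -n "$cur" ] && [ "$cur" = "$max" ]
}

# Status 0 if `ip link show` output carries PROMISC and NOARP and lacks MULTICAST
check_link_flags() {
    local flags
    flags=$(printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in *,PROMISC,*) ;; *) return 1 ;; esac      # promisc on
    case ",$flags," in *,NOARP,*) ;; *) return 1 ;; esac        # arp off
    case ",$flags," in *,MULTICAST,*) return 1 ;; esac          # multicast off
    return 0
}

# Run all three checks against a real interface (ethtool usually needs root)
verify_live() {
    local ifname="$1" rc=0 on ring
    on=$(check_offloads "$(ethtool -k "$ifname")") || { rc=1; echo "offloads still on: $on"; }
    ring=$(check_rx_ring "$(ethtool -g "$ifname")") || { rc=1; echo "rx ring not at maximum: $ring"; }
    check_link_flags "$(ip link show "$ifname")" || { rc=1; echo "promisc/arp/multicast flags not as expected"; }
    [ "$rc" -eq 0 ] && echo "$ifname: all capture settings applied"
    return "$rc"
}

# Constructed sample outputs (not captured from a real host): one tuned, one default interface
SAMPLE_K_TUNED='Features for ens34:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
        tx-scatter-gather: off
tcp-segmentation-offload: off
        tx-tcp-segmentation: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off'
SAMPLE_K_DEFAULT='Features for ens34:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'
SAMPLE_G_TUNED='Ring parameters for ens34:
Pre-set maximums:
RX:             4096
TX:             4096
Current hardware settings:
RX:             4096
TX:             512'
SAMPLE_G_DEFAULT='Ring parameters for ens34:
Pre-set maximums:
RX:             4096
TX:             4096
Current hardware settings:
RX:             1024
TX:             512'
SAMPLE_IP_TUNED='2: ens34: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_IP_DEFAULT='2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff'

if [ -n "${1:-}" ]; then
    verify_live "$1"
else
    # Offline demonstration on the constructed samples
    echo "tuned offloads still on:   '$(check_offloads "$SAMPLE_K_TUNED")'"
    echo "default offloads still on: '$(check_offloads "$SAMPLE_K_DEFAULT")'"
    echo "tuned rx ring:   $(check_rx_ring "$SAMPLE_G_TUNED")"
    echo "default rx ring: $(check_rx_ring "$SAMPLE_G_DEFAULT")"
    if check_link_flags "$SAMPLE_IP_TUNED"; then echo "tuned link flags: ok"; fi
    if check_link_flags "$SAMPLE_IP_DEFAULT"; then :; else echo "default link flags: not ok"; fi
fi
```

Run it without arguments to see the checks against the embedded samples, or as root with the interface name (for example ./verify-nic.sh ens34) after the reboot to confirm the dispatcher script, ETHTOOL_OPTS and promisc.service all took effect; a non-zero exit status means at least one setting did not persist.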
Finally, reboot the host and verify that all of the changes were applied successfully. The outputs below demonstrate the expected behavior of the above tasks:
# systemctl status promisc.service