Some tweaks

This commit is contained in:
Maxim Malakhov 2024-08-19 14:40:19 +03:00
parent 5c306c01af
commit cd483cb4df
GPG Key ID: A77DC2E5B79AF357
17 changed files with 1105 additions and 51 deletions

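--- a/.env
+++ b/.env
@@ -0,0 +1,41 @@
+# Project namespace (defaults to the current folder name if not set)
+#COMPOSE_PROJECT_NAME=myproject
+# Password for the 'elastic' user (at least 6 characters)
+ELASTIC_PASSWORD=changeme
+# Password for the 'kibana_system' user (at least 6 characters)
+KIBANA_PASSWORD=changeme
+# Version of Elastic products
+STACK_VERSION=8.7.1
+# Set the cluster name
+CLUSTER_NAME=snort-cluster
+# Set to 'basic' or 'trial' to automatically start the 30-day trial
+LICENSE=basic
+#LICENSE=trial
+# Port to expose Elasticsearch HTTP API to the host
+ES_PORT=9200
+# Port to expose Kibana to the host
+KIBANA_PORT=5601
+# Increase or decrease based on the available host memory (in bytes)
+ES_MEM_LIMIT=1073741824
+KB_MEM_LIMIT=1073741824
+LS_MEM_LIMIT=1073741824
+# SAMPLE Predefined Key only to be used in POC environments
+ENCRYPTION_KEY=c34d38b3a14956121ff2170e5030b471551370178f43e5626eec58b04a30fae2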
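Review bot: `ELASTIC_PASSWORD=changeme`, `KIBANA_PASSWORD=changeme` and the `ENCRYPTION_KEY` value are committed in a tracked `.env`, so the default superuser credential and the Kibana saved-objects key ship with every clone, and since docker-compose.yml publishes Elasticsearch and Kibana on host ports they are usable from the network as soon as the stack is up. Commit this file as `.env.example` with placeholder values and list `.env` in `.gitignore` so real secrets stay local. The `ENCRYPTION_KEY` comment already says POC-only; say the same above the two passwords, e.g. `# POC default - change before any deployment that is reachable from other hosts`.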


@ -6,36 +6,28 @@ ENV HOME=/root
RUN apt-get -y update && apt-get -y upgrade RUN apt-get -y update && apt-get -y upgrade
RUN apt-get -y install \ RUN apt-get -y install \
wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config openssh-server \ wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config \
strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl supervisor net-tools iputils-ping iproute2 ethtool \ strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl supervisor net-tools iputils-ping iproute2 ethtool \
libdumbnet-dev libdnet-dev libpcap-dev libtirpc-dev libmnl-dev libunwind-dev libpcre3-dev zlib1g-dev libnet1-dev liblzma-dev \ libdumbnet-dev libdnet-dev libpcap-dev libtirpc-dev libmnl-dev libunwind-dev libpcre3-dev zlib1g-dev libnet1-dev liblzma-dev \
libssl-dev libhwloc-dev libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev autotools-dev libluajit-5.1-dev libfl-dev \ libssl-dev libhwloc-dev libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev autotools-dev libluajit-5.1-dev libfl-dev \
libpcre3 libpcre3-dbg libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 libmagic-dev libnuma-dev libpcre3 libpcre3-dbg libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 libmagic-dev libnuma-dev
# Some network tweaks
RUN ip add sh eth0
# Build libdaq # Build libdaq
WORKDIR $HOME WORKDIR $HOME
RUN git clone https://github.com/snort3/libdaq.git RUN git clone https://github.com/snort3/libdaq.git && \
WORKDIR $HOME/libdaq cd libdaq && ./bootstrap && ./configure --prefix=${PREFIX_DIR} && make && make install
RUN ./bootstrap && ./configure --prefix=${PREFIX_DIR} && make && make install
# Build gperftools # Build gperftools
WORKDIR $HOME WORKDIR $HOME
RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz && tar xzf gperftools-2.9.1.tar.gz RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz && tar xzf gperftools-2.9.1.tar.gz && \
cd gperftools-2.9.1 && ./configure && make && make install
WORKDIR $HOME/gperftools-2.9.1
RUN ./configure && make && make install
# Build snort # Build snort
WORKDIR $HOME WORKDIR $HOME
RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz && tar xzf 3.3.2.0.tar.gz RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz && tar xzf 3.3.2.0.tar.gz && \
WORKDIR $HOME/snort3-3.3.2.0 cd snort3-3.3.2.0 && ./configure_cmake.sh --prefix=${PREFIX_DIR} --enable-tcmalloc --disable-docs && \
RUN ./configure_cmake.sh --prefix=${PREFIX_DIR} --enable-tcmalloc --disable-docs cd build && make && make install && \
WORKDIR $HOME/snort3-3.3.2.0/build ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \
RUN make && make install
RUN ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \
ln -s /usr/local/lib/libdaq.so.3 /lib/ && \ ln -s /usr/local/lib/libdaq.so.3 /lib/ && \
ldconfig ldconfig
@ -48,22 +40,26 @@ RUN mkdir ${PREFIX_DIR}/etc/rules && \
touch ${PREFIX_DIR}/etc/lists/default.blocklist && \ touch ${PREFIX_DIR}/etc/lists/default.blocklist && \
mkdir /var/log/snort mkdir /var/log/snort
COPY snort3-community-rules.tar.gz ${HOME}/snort3-community-rules.tar.gz COPY snort3-community-rules.tar.gz ${HOME}/snort3-community-rules.tar.gz
COPY feodotracker.tar.gz ${HOME}/feodotracker.tar.gz
COPY appid-rules.tar.gz ${HOME}/appid-rules.tar.gz
COPY emerging-rules.tar.gz ${HOME}/emerging-rules.tar.gz
RUN tar -xvzf snort3-community-rules.tar.gz && cd snort3-community-rules && mkdir ${PREFIX_DIR}/etc/rules/snort3-community-rules/ && cp * ${PREFIX_DIR}/etc/rules/snort3-community-rules/ RUN tar -xvzf snort3-community-rules.tar.gz && cd snort3-community-rules && mkdir ${PREFIX_DIR}/etc/rules/snort3-community-rules/ && cp * ${PREFIX_DIR}/etc/rules/snort3-community-rules/
WORKDIR $HOME
RUN tar -xvzf feodotracker.tar.gz && ls && cd feodotracker && mkdir ${PREFIX_DIR}/etc/rules/feodotracker/ && cp * ${PREFIX_DIR}/etc/rules/feodotracker/
WORKDIR $HOME
RUN tar -xvzf appid-rules.tar.gz && cd appid-rules && mkdir ${PREFIX_DIR}/etc/rules/appid-rules/ && cp * ${PREFIX_DIR}/etc/rules/appid-rules/
WORKDIR $HOME
RUN tar -xvzf emerging-rules.tar.gz && cd emerging-rules && mkdir ${PREFIX_DIR}/etc/rules/emerging-rules/ && cp * ${PREFIX_DIR}/etc/rules/emerging-rules/
RUN snort --version RUN snort --version
# Install OpenAppID # Install OpenAppID
WORKDIR $HOME WORKDIR $HOME
COPY snort-openappid.tar.gz ${HOME}/OpenAppId-23020.tar.gz COPY snort-openappid.tar.gz ${HOME}/OpenAppId-23020.tar.gz
RUN tar -xzvf OpenAppId-23020.tar.gz && cp -R odp /usr/local/lib/ RUN tar -xzvf OpenAppId-23020.tar.gz && mkdir -p /usr/local/lib/openappid && cp -r odp /usr/local/lib/openappid
# Set up SSH
RUN mkdir /var/run/sshd
RUN echo 'root:screencast' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
RUN echo "export VISIBLE=now" >> /etc/profile
EXPOSE 22
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY entrypoint.sh ${HOME}/entrypoint.sh COPY entrypoint.sh ${HOME}/entrypoint.sh
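Review bot: The three rule archives introduced at the `COPY feodotracker.tar.gz`, `COPY appid-rules.tar.gz` and `COPY emerging-rules.tar.gz` lines are vendored binaries extracted straight into `${PREFIX_DIR}/etc/rules/` with no integrity check, so a swapped or truncated tarball silently changes what the sensor detects; record a digest beside each and verify it before the `tar -xvzf`, e.g. `RUN echo "<SHA256_PLACEHOLDER>  feodotracker.tar.gz" | sha256sum -c -`. The `&& ls &&` inside the feodotracker extraction step reads like a debugging leftover and should be dropped. `RUN ip add sh eth0` only inspects the build container's network and has no effect on the image; if that line is on the new side it can go, since entrypoint.sh now performs the same check at start-up. The section's first hunk begins at the package list, so the `FROM`/`ENV` lines it depends on are outside this view.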

appid-rules.tar.gz Normal file

Binary file not shown.


@ -10,20 +10,206 @@ services:
volumes: volumes:
- ./snort-conf:/usr/local/etc/snort - ./snort-conf:/usr/local/etc/snort
- ./snort-rules.txt:/usr/local/etc/rules/local.rules - ./snort-rules.txt:/usr/local/etc/rules/local.rules
- ./logs:/var/log/snort #- ./logs:/var/log/snort
ports: - ./logstash_ingest_data:/var/log/snort
- 22:22
networks: networks:
snort_lan: snort_lan:
# ping:
# image: willfarrell/ping setup:
# environment: image: elasticsearch:${STACK_VERSION}
# HOSTNAME: snort volumes:
# TIMEOUT: 10 - certs:/usr/share/elasticsearch/config/certs
# networks: user: "0"
# snort_lan: command: >
bash -c '
if [ x${ELASTIC_PASSWORD} == x ]; then
echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
exit 1;
elif [ x${KIBANA_PASSWORD} == x ]; then
echo "Set the KIBANA_PASSWORD environment variable in the .env file";
exit 1;
fi;
if [ ! -f config/certs/ca.zip ]; then
echo "Creating CA";
bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
unzip config/certs/ca.zip -d config/certs;
fi;
if [ ! -f config/certs/certs.zip ]; then
echo "Creating certs";
echo -ne \
"instances:\n"\
" - name: es01\n"\
" dns:\n"\
" - es01\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
" - name: kibana\n"\
" dns:\n"\
" - kibana\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
> config/certs/instances.yml;
bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
unzip config/certs/certs.zip -d config/certs;
fi;
echo "Setting file permissions"
chown -R root:root config/certs;
find . -type d -exec chmod 750 \{\} \;;
find . -type f -exec chmod 640 \{\} \;;
echo "Waiting for Elasticsearch availability";
until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
echo "Setting kibana_system password";
until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
echo "All done!";
'
healthcheck:
test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"]
interval: 1s
timeout: 5s
retries: 120
networks:
snort_lan:
es01:
depends_on:
setup:
condition: service_healthy
image: elasticsearch:${STACK_VERSION}
labels:
co.elastic.logs/module: elasticsearch
volumes:
- certs:/usr/share/elasticsearch/config/certs
- esdata01:/usr/share/elasticsearch/data
ports:
- ${ES_PORT}:9200
environment:
- node.name=es01
- cluster.name=${CLUSTER_NAME}
- discovery.type=single-node
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/es01/es01.key
- xpack.security.http.ssl.certificate=certs/es01/es01.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.key=certs/es01/es01.key
- xpack.security.transport.ssl.certificate=certs/es01/es01.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
mem_limit: ${ES_MEM_LIMIT}
ulimits:
memlock:
soft: -1
hard: -1
healthcheck:
test:
[
"CMD-SHELL",
"curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
]
interval: 10s
timeout: 10s
retries: 120
networks:
snort_lan:
kibana:
depends_on:
es01:
condition: service_healthy
image: kibana:${STACK_VERSION}
labels:
co.elastic.logs/module: kibana
volumes:
- certs:/usr/share/kibana/config/certs
- kibanadata:/usr/share/kibana/data
ports:
- ${KIBANA_PORT}:5601
environment:
- SERVERNAME=kibana
- ELASTICSEARCH_HOSTS=https://es01:9200
- ELASTICSEARCH_USERNAME=kibana_system
- ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
- XPACK_SECURITY_ENCRYPTIONKEY=${ENCRYPTION_KEY}
- XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${ENCRYPTION_KEY}
- XPACK_REPORTING_ENCRYPTIONKEY=${ENCRYPTION_KEY}
mem_limit: ${KB_MEM_LIMIT}
healthcheck:
test:
[
"CMD-SHELL",
"curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
]
interval: 10s
timeout: 10s
retries: 120
networks:
snort_lan:
filebeat01:
depends_on:
es01:
condition: service_healthy
image: elastic/filebeat:${STACK_VERSION}
user: root
volumes:
- certs:/usr/share/filebeat/certs
- filebeatdata01:/usr/share/filebeat/data
- "./filebeat_ingest_data/:/usr/share/filebeat/ingest_data/"
- "./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro"
- "/var/lib/docker/containers:/var/lib/docker/containers:ro"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
- ELASTIC_USER=elastic
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- ELASTIC_HOSTS=https://es01:9200
- KIBANA_HOSTS=http://kibana:5601
- LOGSTASH_HOSTS=http://logstash01:9600
networks:
snort_lan:
logstash01:
depends_on:
es01:
condition: service_healthy
kibana:
condition: service_healthy
image: logstash:${STACK_VERSION}
labels:
co.elastic.logs/module: logstash
user: root
volumes:
- certs:/usr/share/logstash/certs
- logstashdata01:/usr/share/logstash/data
- "./logstash_ingest_data/:/usr/share/logstash/ingest_data/"
- "./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro"
environment:
- xpack.monitoring.enabled=false
- ELASTIC_USER=elastic
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- ELASTIC_HOSTS=https://es01:9200
networks:
snort_lan:
networks: networks:
snort_lan: snort_lan:
driver: bridge driver: bridge
#volumes:
# snort: volumes:
certs:
driver: local
esdata01:
driver: local
kibanadata:
driver: local
logstashdata01:
driver: local
filebeatdata01:
driver: local
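Review bot: The `ports:` entries `- ${ES_PORT}:9200` and `- ${KIBANA_PORT}:5601` publish Elasticsearch and Kibana on every host interface, which puts the cluster — protected only by the `changeme` defaults from .env — on the same LAN the sensor is monitoring; bind to loopback unless remote access is intended, `- 127.0.0.1:${ES_PORT}:9200` and `- 127.0.0.1:${KIBANA_PORT}:5601`. The filebeat01 service runs as `user: root` with `/var/run/docker.sock` mounted, and the `:ro` flag only applies to the socket file, not to the daemon API behind it, so that container can control Docker on the host; it is what the docker autodiscover provider in filebeat.yml needs, so either add a comment on that volume line stating the trade-off or drop the provider if only the snort log directory is wanted. The kibana healthcheck `grep -q 'HTTP/1.1 302 Found'` is tied to one exact status line; if a later Kibana answers differently the check fails and logstash01, which waits on `condition: service_healthy`, never starts. The snort service definition begins before this hunk, so whether it grants the NET_ADMIN capability that entrypoint.sh's promiscuous-mode change requires is not visible here.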

emerging-rules.tar.gz Normal file

Binary file not shown.


@ -1,6 +1,8 @@
ip route del default interface="eth0"
#ip route add default via 192.168.88.108
ip route add default dev eth0
ip route del default
ip add sh $interface
ip route add default dev $interface
ip link set dev $interface promisc on
/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
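Review bot: None of the added `ip` commands is checked for failure and there is no `set -e`, so if `ip route del default` or `ip link set dev $interface promisc on` fails (the latter needs CAP_NET_ADMIN, which this commit does not visibly grant in docker-compose.yml — confirm the snort service has it), supervisord still starts and snort runs on an interface that is not in promiscuous mode, quietly missing traffic. Add `set -eu` as the first line and drop the `ip add sh $interface` diagnostic, or send it to stderr so it does not land in the log stream logstash ingests. The hard-coded `interface="eth0"` presumably matches the first compose network the container joins; a one-line comment saying so would save the next maintainer a guess.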

feodotracker.tar.gz Normal file

Binary file not shown.

filebeat.yml Normal file

@ -0,0 +1,30 @@
filebeat.inputs:
- type: filestream
id: default-filestream
paths:
- ingest_data/*.txt
- ingest_data/*.log
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
processors:
- add_docker_metadata: ~
setup.kibana:
host: ${KIBANA_HOSTS}
username: ${ELASTIC_USER}
password: ${ELASTIC_PASSWORD}
output.elasticsearch:
hosts: ${ELASTIC_HOSTS}
username: ${ELASTIC_USER}
password: ${ELASTIC_PASSWORD}
ssl.enabled: true
ssl.certificate_authorities: "certs/ca/ca.crt"
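Review bot: `output.elasticsearch` and `setup.kibana` authenticate as `${ELASTIC_USER}`, which docker-compose.yml sets to `elastic`, so the log shipper holds the cluster superuser and a compromise of the filebeat container (which also has the Docker socket) yields full control of the cluster. Create a dedicated user with only the index-write and setup privileges filebeat needs and pass that name and password instead. `setup.kibana.host` receives `http://kibana:5601` from the compose environment, so those credentials cross the compose network in plaintext; acceptable for a POC, but note it in a comment on the `setup.kibana:` line. Per the compose mounts the snort alert files are written to `./logstash_ingest_data` and read by logstash, not by the `ingest_data/*.txt` input here — a comment on the `filebeat.inputs:` block saying what this path is for would prevent someone wiring the same files in twice.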

logs/alert_csv.txt Normal file

logs/alert_fast.txt Normal file

logs/supervisor.log Normal file

@ -0,0 +1,613 @@
--------------------------------------------------
o")~ Snort++ 3.3.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
ssh
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
alert_fast
alert_csv
ips
stream_icmp
hosts
normalizer
binder
wizard
appid
js_norm
file_id
http2_inspect
http_inspect
stream_udp
ftp_data
ftp_server
search_engine
port_scan
dce_http_server
dce_tcp
dce_smb
iec104
cip
telnet
ssl
sip
rpc_decode
netflow
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
process
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
network
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Loading ../rules/local.rules:
Finished ../rules/local.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 4239 0 4239 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 4239
text rules: 4239
option chains: 4239
chain headers: 325
flowbits: 48
flowbits not checked: 23
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 472 58 148 22
src 170 15 0 0
dst 775 150 0 0
both 6 11 0 0
total 1423 234 148 22
--------------------------------------------------
service rule counts to-srv to-cli
dcerpc: 72 20
dhcp: 2 2
dns: 28 7
file_id: 219 219
ftp: 90 4
ftp-data: 1 96
http: 2084 255
http2: 2084 255
http3: 2084 255
imap: 35 117
irc: 5 2
kerberos: 3 0
ldap: 0 1
mysql: 3 0
netbios-dgm: 1 1
netbios-ns: 4 3
netbios-ssn: 69 17
nntp: 2 0
pop3: 23 117
rdp: 5 0
sip: 5 5
smtp: 129 2
snmp: 18 7
ssdp: 3 0
ssl: 20 42
sunrpc: 68 4
telnet: 12 6
tftp: 1 0
wins: 1 0
total: 7071 1437
--------------------------------------------------
fast pattern groups
src: 114
dst: 312
any: 8
to_server: 69
to_client: 49
--------------------------------------------------
search engine (ac_bnfa)
instances: 335
patterns: 10790
pattern chars: 175259
num states: 123288
num match states: 10510
memory scale: MB
total memory: 3.68362
pattern memory: 0.578426
match list memory: 1.33591
transition memory: 1.72839
fast pattern only: 7096
appid: MaxRss diff: 226524
appid: p--------------------------------------------------
o")~ Snort++ 3.3.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
ssh
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
alert_fast
alert_csv
ips
stream_icmp
hosts
normalizer
binder
wizard
appid
js_norm
file_id
http2_inspect
http_inspect
stream_udp
ftp_data
ftp_server
search_engine
port_scan
dce_http_server
dce_tcp
dce_smb
iec104
cip
telnet
ssl
sip
rpc_decode
netflow
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
process
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
network
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Loading ../rules/local.rules:
Finished ../rules/local.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 4239 0 4239 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 4239
text rules: 4239
option chains: 4239
chain headers: 325
flowbits: 48
flowbits not checked: 23
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 472 58 148 22
src 170 15 0 0
dst 775 150 0 0
both 6 11 0 0
total 1423 234 148 22
--------------------------------------------------
service rule counts to-srv to-cli
dcerpc: 72 20
dhcp: 2 2
dns: 28 7
file_id: 219 219
ftp: 90 4
ftp-data: 1 96
http: 2084 255
http2: 2084 255
http3: 2084 255
imap: 35 117
irc: 5 2
kerberos: 3 0
ldap: 0 1
mysql: 3 0
netbios-dgm: 1 1
netbios-ns: 4 3
netbios-ssn: 69 17
nntp: 2 0
pop3: 23 117
rdp: 5 0
sip: 5 5
smtp: 129 2
snmp: 18 7
ssdp: 3 0
ssl: 20 42
sunrpc: 68 4
telnet: 12 6
tftp: 1 0
wins: 1 0
total: 7071 1437
--------------------------------------------------
fast pattern groups
src: 114
dst: 312
any: 8
to_server: 69
to_client: 49
--------------------------------------------------
search engine (ac_bnfa)
instances: 335
patterns: 10790
pattern chars: 175259
num states: 123288
num match states: 10510
memory scale: MB
total memory: 3.68362
pattern memory: 0.578426
match list memory: 1.33591
transition memory: 1.72839
fast pattern only: 7096
appid: MaxRss diff: 225688
appid: p--------------------------------------------------
o")~ Snort++ 3.3.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
ssh
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
alert_fast
alert_csv
ips
stream_icmp
hosts
normalizer
binder
wizard
appid
js_norm
file_id
http2_inspect
http_inspect
stream_udp
ftp_data
ftp_server
search_engine
port_scan
dce_http_server
dce_tcp
dce_smb
iec104
cip
telnet
ssl
sip
rpc_decode
netflow
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
process
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
network
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Loading ../rules/local.rules:
Finished ../rules/local.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 4239 0 4239 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 4239
text rules: 4239
option chains: 4239
chain headers: 325
flowbits: 48
flowbits not checked: 23
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 472 58 148 22
src 170 15 0 0
dst 775 150 0 0
both 6 11 0 0
total 1423 234 148 22
--------------------------------------------------
service rule counts to-srv to-cli
dcerpc: 72 20
dhcp: 2 2
dns: 28 7
file_id: 219 219
ftp: 90 4
ftp-data: 1 96
http: 2084 255
http2: 2084 255
http3: 2084 255
imap: 35 117
irc: 5 2
kerberos: 3 0
ldap: 0 1
mysql: 3 0
netbios-dgm: 1 1
netbios-ns: 4 3
netbios-ssn: 69 17
nntp: 2 0
pop3: 23 117
rdp: 5 0
sip: 5 5
smtp: 129 2
snmp: 18 7
ssdp: 3 0
ssl: 20 42
sunrpc: 68 4
telnet: 12 6
tftp: 1 0
wins: 1 0
total: 7071 1437
--------------------------------------------------
fast pattern groups
src: 114
dst: 312
any: 8
to_server: 69
to_client: 49
--------------------------------------------------
search engine (ac_bnfa)
instances: 335
patterns: 10790
pattern chars: 175259
num states: 123288
num match states: 10510
memory scale: MB
total memory: 3.68362
pattern memory: 0.578426
match list memory: 1.33591
transition memory: 1.72839
fast pattern only: 7096
appid: MaxRss diff: 228004
appid: p--------------------------------------------------
o")~ Snort++ 3.3.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
ssh
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
alert_fast
alert_csv
ips
stream_icmp
hosts
normalizer
binder
wizard
appid
js_norm
file_id
http2_inspect
http_inspect
stream_udp
ftp_data
ftp_server
search_engine
port_scan
dce_http_server
dce_tcp
dce_smb
iec104
cip
telnet
ssl
sip
rpc_decode
netflow
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
process
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
network
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Loading ../rules/local.rules:
Finished ../rules/local.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 4239 0 4239 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 4239
text rules: 4239
option chains: 4239
chain headers: 325
flowbits: 48
flowbits not checked: 23
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 472 58 148 22
src 170 15 0 0
dst 775 150 0 0
both 6 11 0 0
total 1423 234 148 22
--------------------------------------------------
service rule counts to-srv to-cli
dcerpc: 72 20
dhcp: 2 2
dns: 28 7
file_id: 219 219
ftp: 90 4
ftp-data: 1 96
http: 2084 255
http2: 2084 255
http3: 2084 255
imap: 35 117
irc: 5 2
kerberos: 3 0
ldap: 0 1
mysql: 3 0
netbios-dgm: 1 1
netbios-ns: 4 3
netbios-ssn: 69 17
nntp: 2 0
pop3: 23 117
rdp: 5 0
sip: 5 5
smtp: 129 2
snmp: 18 7
ssdp: 3 0
ssl: 20 42
sunrpc: 68 4
telnet: 12 6
tftp: 1 0
wins: 1 0
total: 7071 1437
--------------------------------------------------
fast pattern groups
src: 114
dst: 312
any: 8
to_server: 69
to_client: 49
--------------------------------------------------
search engine (ac_bnfa)
instances: 335
patterns: 10790
pattern chars: 175259
num states: 123288
num match states: 10510
memory scale: MB
total memory: 3.68362
pattern memory: 0.578426
match list memory: 1.33591
transition memory: 1.72839
fast pattern only: 7096
appid: MaxRss diff: 226732
appid: p

logstash.conf Normal file

@ -0,0 +1,24 @@
input {
file {
#https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html
#default is TAIL which assumes more data will come into the file.
#change to mode => "read" if the file is a compelte file. by default, the file will be removed once reading is complete -- backup your files if you need them.
mode => "tail"
path => "/usr/share/logstash/ingest_data/*"
}
}
filter {
}
output {
elasticsearch {
index => "logstash-%{+YYYY.MM.dd}"
hosts=> "${ELASTIC_HOSTS}"
user=> "${ELASTIC_USER}"
password=> "${ELASTIC_PASSWORD}"
cacert=> "certs/ca/ca.crt"
}
}
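Review bot: The `filter { }` block is empty, so every line read from `/usr/share/logstash/ingest_data/*` (presumably the snort alert_fast and alert_csv output, given the compose mount of `./logstash_ingest_data` onto `/var/log/snort`) is indexed as a raw `message` string with no SID, source, destination or priority fields, which makes the resulting index hard to search or alert on. Add a `dissect` or `grok` stage for the alert_fast line format and a `csv` stage selected by `[log][file][path]` for alert_csv, and note in a comment that alert_csv's columns must match the `alert_csv` settings in snort.lua. `user => "${ELASTIC_USER}"` is the `elastic` superuser from the compose file; a dedicated user with write access to the `logstash-*` indices is sufficient. `cacert => "certs/ca/ca.crt"` is a relative path and only resolves against the `certs:/usr/share/logstash/certs` mount if the process runs from `/usr/share/logstash` — confirm, or use the absolute path.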



@ -0,0 +1,6 @@
08/22-19:30:41.554941 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:42.578554 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:43.602594 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:44.626660 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:45.650654 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
08/22-19:30:46.674630 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3


@ -0,0 +1,154 @@
--------------------------------------------------
o")~ Snort++ 3.3.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
ssh
host_cache
pop
so_proxy
stream_tcp
mms
smtp
gtp_inspect
packets
dce_http_proxy
alert_fast
alert_csv
ips
stream_icmp
hosts
normalizer
binder
wizard
appid
js_norm
file_id
http2_inspect
http_inspect
stream_udp
ftp_data
ftp_server
search_engine
port_scan
dce_http_server
dce_tcp
dce_smb
iec104
cip
telnet
ssl
sip
rpc_decode
netflow
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
process
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
network
dns
dce_udp
imap
file_policy
s7commplus
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading ips.rules:
Loading ../rules/snort3-community-rules/snort3-community.rules:
Finished ../rules/snort3-community-rules/snort3-community.rules:
Loading ../rules/local.rules:
Finished ../rules/local.rules:
Finished ips.rules:
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 4239 0 4239 /usr/local/etc/snort/snort.lua
--------------------------------------------------
rule counts
total rules loaded: 4239
text rules: 4239
option chains: 4239
chain headers: 325
flowbits: 48
flowbits not checked: 23
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 472 58 148 22
src 170 15 0 0
dst 775 150 0 0
both 6 11 0 0
total 1423 234 148 22
--------------------------------------------------
service rule counts to-srv to-cli
dcerpc: 72 20
dhcp: 2 2
dns: 28 7
file_id: 219 219
ftp: 90 4
ftp-data: 1 96
http: 2084 255
http2: 2084 255
http3: 2084 255
imap: 35 117
irc: 5 2
kerberos: 3 0
ldap: 0 1
mysql: 3 0
netbios-dgm: 1 1
netbios-ns: 4 3
netbios-ssn: 69 17
nntp: 2 0
pop3: 23 117
rdp: 5 0
sip: 5 5
smtp: 129 2
snmp: 18 7
ssdp: 3 0
ssl: 20 42
sunrpc: 68 4
telnet: 12 6
tftp: 1 0
wins: 1 0
total: 7071 1437
--------------------------------------------------
fast pattern groups
src: 114
dst: 312
any: 8
to_server: 69
to_client: 49
--------------------------------------------------
search engine (ac_bnfa)
instances: 335
patterns: 10790
pattern chars: 175259
num states: 123288
num match states: 10510
memory scale: MB
total memory: 3.68362
pattern memory: 0.578426
match list memory: 1.33591
transition memory: 1.72839
fast pattern only: 7096
appid: MaxRss diff: 230232
appid: p


@ -21,7 +21,7 @@
-- HOME_NET and EXTERNAL_NET must be set now -- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting -- setup the network addresses you are protecting
HOME_NET = '192.168.88.0/24' HOME_NET = '[10.0.0.0/8, 192.0.0.0/8, 172.0.0.0/8]'
-- set up the external network addresses. -- set up the external network addresses.
-- (leave as "any" in most situations) -- (leave as "any" in most situations)
@ -99,7 +99,7 @@ appid =
{ {
-- appid requires this to use appids in rules -- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from' --app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib', app_detector_dir = '/usr/local/lib/openappid',
log_stats = true, log_stats = true,
} }
@ -196,6 +196,9 @@ ips =
include $RULE_PATH/snort3-community-rules/snort3-community.rules include $RULE_PATH/snort3-community-rules/snort3-community.rules
include $RULE_PATH/local.rules include $RULE_PATH/local.rules
]] ]]
--include $RULE_PATH/appid-rules/appid.rules
--include $RULE_PATH/feodotracker/feodotracker.rules
} }
-- use these to configure additional rule actions -- use these to configure additional rule actions
@ -255,11 +258,13 @@ rate_filter =
-- event logging -- event logging
-- you can enable with defaults from the command line with -A <alert_type> -- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs -- uncomment below to set non-default configs
--alert_csv = { } alert_csv = {
file = true,
}
alert_fast = { alert_fast = {
file = true, file = true,
packet = false, packet = false,
limit = 10, limit = 10,
} }
--alert_full = { } --alert_full = { }
--alert_sfsocket = { } --alert_sfsocket = { }
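Review bot: `HOME_NET = '[10.0.0.0/8, 192.0.0.0/8, 172.0.0.0/8]'` in the first hunk is far wider than the private ranges it appears to target — 192.0.0.0/8 and 172.0.0.0/8 cover large amounts of public address space — so every rule keyed on `$HOME_NET` and `$EXTERNAL_NET` will classify external hosts in those blocks as internal and miss or mislabel alerts. Use the RFC 1918 blocks, `HOME_NET = '[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]'`, or narrower still, the subnet the sensor actually protects. In the third hunk the new `--include $RULE_PATH/appid-rules/appid.rules` and `--include $RULE_PATH/feodotracker/feodotracker.rules` lines are commented out although the Dockerfile now bakes those rule sets (and emerging-rules, which is not referenced here at all) into the image; either enable them or add a comment explaining why they are shipped but not loaded. The `ips =` and `alert_csv`/`alert_fast` tables are only partially visible in these hunks, so any other includes they carry are outside this view.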


@ -1,9 +1,6 @@
[supervisord] [supervisord]
nodaemon=true nodaemon=true
[program:sshd]
command=/usr/sbin/sshd -D
#[program:snort-agent] #[program:snort-agent]
#command=/usr/bin/python3 /usr/local/src/snort-agent/snort-agent.py #command=/usr/bin/python3 /usr/local/src/snort-agent/snort-agent.py
#stdout_logfile=/var/log/supervisor.log #stdout_logfile=/var/log/supervisor.log