Set up snort on OpenWrt

After installing the MMC/SD card mod, I have enough room to install snort on my wrt54gs. So, this paper will assume that the package will be set up on the MMC/SD card. Which is mounted on /opt. You can read about setting up the MMC/SD card on this page.

Installing the package

To install snort on your wrt54gs install the following package

root@Hellhound:~# ipkg -d opt install snort_2.4.4-1_mipsel.ipk

This will install snort in the directory /opt.

Remote syslog

I want snort to log all its messages to a remote syslog server. I already discussed this on the page which discussed using fwbuilder with OpenWrt. Look on this page to set up wallwatcher.

Downloading rules files

We need to get some rule files. These rule files can be downloaded from the snort website. Download the snort 2.4 rule files from this website. These rule files need to be unpacked in the directory /opt/etc/snort/rules/

root@Hellhound:~# tar zxf snortrules-pr-2.4.tar.gz

Setting up snort

Now we have to set up the snort.conf file. In this file, many snort settings are configured. We want to set up snort in a way it will log all messages to our remote syslog, it this case wallwatcher. The first thing we have to do is to set the option HOME_NET

var HOME_NET 192.168.1.0/24

Next, we have to uncomment a line in the snort.conf file.

output alert_syslog: LOG_AUTH LOG_ALERT

We need to change the rules path

var RULE_PATH /opt/etc/snort/rules

At the bottom of the snort.conf there are a lot of rule files included. Make sure you comment all the rule files at first. Just to make sure that we do not flood the memory of the wrt54gs and hang the device when we start snort.

Make the directory snort in the directory /var/log

root@Hellhound:~# mkdir /var/log/snort

Giving snort a test run

To check if snort is running correctly on your device, give the following command on the prompt and open a website in your favorite browser.

root@Hellhound:~# snort -v -i vlan1

This will give you the following output

01/25-22:02:12.344117 195.37.77.141:80 -> 10.0.0.100:2053
TC`1 P TTL:46 TOS:0x0 ID:55048 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xC5D2F3DE Ack: 0xBD63343B Win: 0x5B4 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

End the test run by pressing crtl-C.

Running Snort

Now we know snort runs okay, we set up the rule files. These can be uncommented at the bottom of the /opt/etc/snort/snort.conf file. I would advise you to enable the rule files one by one and keep an eye on your memory usage. After each run of snort check your memory and determine if you can enable another rule. Run snort with the following command.

root@Hellhound:~# snort -c /opt/etc/snort/snort.conf -i vlan1&

Check your memory usage by the following command

root@Hellhound:~# top

If snort is detecting any “bad” traffic, it will be logged to your remote syslog server.

Checking your setup

Snort can be quiet sometimes, how do we check if snort is doing its job?? To check your setup, kill the snort proces that is running at the moment. Make sure you have the LOCAL.RULES enabled in the snort.conf file. Then edit local.rules and add the following line of code.

alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)

Now start snort with the following command

root@Hellhound:~# snort -c /opt/etc/snort/snort.conf -i vlan1&

And keep a good eye on your remote syslog server…. I will start logging network traffic.