Snort3 on Ubuntu 20 - The Initial Setup
By Securitynik on 2021-02-05 22:03:49

Now that Cisco has released Snort3 via general availability, I decided to do a quick 4 part series on its installation, learning a little about Snort3, feeding the pig and Snort3 housekeeping.

Back in 2014, I did a post on "Building snort 3.0 (snort++)". With 6 years elapsing, I wanted to see what has changed with the installation and thus this new series.

Additionally and more importantly, I'm sure we will eventually transition the SANS SEC503 Intrusion Detection in Depth class to Snort3. When we do, I doubt whether we will show you how to install and configure Snort3. Thus this 4 part series and the associated reference materials below, are also being made available, so our SEC503 students are in a position to have the resources readily available, if and or when they choose to perform an install and or configuration of Snort3.

For this post, we will leverage my previous post in conjunction with Snort on Ubuntu 18 & 20 - Configuring a Full NIDS & SIEM by Noah Dietrich from the website as well as additional information from other sources.

This is all based on a clean installation of Ubuntu 20 minimal install on VirtualBox.

securitynik@snort3:~$ lsb_release --all
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Note: If you choose to install VirtualBox tools from the "CD", you may get an error about  "**This system is currently not set up to build kernel modules.". To resolve, this execute:

securitynik@snort3:~$ sudo apt install virtualbox-guest-utils virtualbox-guest-dkms

As always, we expect your system to be fully updated and hardened. There are various hardening guides online, such as those from the Center For Internet Security. However, to ensure your system is at least updated, run the following:

securitynik@snort3:~$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade -y

Depending on your install you may also need to install gcc and make

securitynik@snort3:~$ sudo apt-get install gcc make

Time if of great importance. To ensure your system time reflects your time zone, use the following commands. Note, also that you should consider taking advantage of NTP as I've done below, rather than manually configuring your time.

First list the available time zones

securitynik@snort3:~$ sudo timedatectl list-timezones


I will set mine as America/Toronto, while I set my time to UTC time and use a NTP server. Local time can be problematic when using NTP, as the time may not be properly updated during shifts to and from daylight saving time.
securitynik@snort3:~$ sudo timedatectl set-timezone America/Toronto
securitynik@snort3:~$ sudo timedatectl set-local-rtc False
securitynik@snort3:~$ sudo timedatectl set-ntp True

Verifying the time configuration.

securitynik@snort3:~$ sudo timedatectl 
               Local time: Wed 2021-01-27 11:14:29 EST 
           Universal time: Wed 2021-01-27 16:14:29 UTC 
                 RTC time: Wed 2021-01-27 16:14:29     
                Time zone: America/Toronto (EST, -0500)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

Do note, if you are monitoring intrusion events (via Snort, SIEM or any other tool) across different time zones, you are better off having your systems in UTC time. This makes it easy to correlate activities across these various time zones. 

With time properly configured, let's now install Snort3 by starting with its dependencies.

In my previous install, I did a lot of compiling of code. It looks like that is still the case at this time and will probably be that way for a while. I hope sooner rather than later, it is incorporated within a package manager.

Let's first create a directory to store our downloaded files
securitynik@snort3:~$ pwd
securitynik@snort3:~$ mkdir snort-files
securitynik@snort3:~$ cd snort-files/

Now that we are inside the snort-files folder, let's grab the pre-requisites.

securitynik@snort3:~/snort-files$ sudo apt-get install -y build-essential \ 
autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev \
pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest \ 
libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev \
libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

Next install Safe C Library (safeclib) from GitHub.

securitynik@snort3:~/snort-files$ git clone
securitynik@snort3:~/snort-files$ cd safeclib/
securitynik@snort3:~/snort-files/safeclib$ build-aux/
securitynik@snort3:~/snort-files/safeclib$ ./configure && make && sudo make install

Next we install pcre-8.44 as specified so that we can leverage Hyperscan for fast pattern matching.

securitynik@snort3:~/snort-files$ wget
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ cd pcre-8.44/
securitynik@snort3:~/snort-files/pcre-8.44$ ./configure && make && sudo make install

After pcre-8.44 we next install gperftools (originally Google Performance Tools)

securitynik@snort3:~/snort-files$ git clone
securitynik@snort3:~/snort-files/gperftools$ cd gperftools
securitynik@snort3:~/snort-files/gperftools$ ./ 
securitynik@snort3:~/snort-files/gperftools$ ./configure && make && sudo make install

Next up install Ragel State Machine Compiler. If you wish to install the latest version as of this writing which is 7.0.3, you will need to install Colm Programming Language. I stuck with version 6 as described in the Snort document as Colm produced some errors which I did not wish to spend much time troubleshooting .

securitynik@snort3:~/snort-files$ wget
securitynik@snort3:~/snort-files$ tar --extract --gzip --verbose --file ragel-6.10.tar.gz 
securitynik@snort3:~/snort-files$ cd ragel-6.10/
securitynik@snort3:~/snort-files/ragel-6.10$ ./configure && make && sudo make install

Next up, we download but DO NOT install boost c++ libraries. We also verify the file hash based on the SHA256 Hash from the website.

securitynik@snort3:~/snort-files$ wget

securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz 
aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a  boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz 

Let's grab Hyperscan.

securitynik@snort3:~/snort-files$ git clone
securitynik@snort3:~/snort-files$ cd hyperscan
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install
Install flatbuffers

securitynik@snort3:~/snort-files$ git clone
securitynik@snort3:~/snort-files$ mkdir flatbuffers-build
securitynik@snort3:~/snort-files$ cd flatbuffers-build/
securitynik@snort3:~/snort-files/flatbuffers-build$ cmake ../flatbuffers
securitynik@snort3:~/snort-files/flatbuffers-build$ make && sudo make install

Next up, install the Data Acquisition Library (DAQ)

securitynik@snort3:~/snort-files$ git clone
securitynik@snort3:~/snort-files$ cd libdaq/
securitynik@snort3:~/snort-files/libdaq$ ./bootstrap 
securitynik@snort3:~/snort-files/libdaq$ ./configure && make && sudo make install

Wheewwww! That is a lot of pre-prequisites. Hopefully, they can package all of these up via package manager to make the install process easier. Note, if you don't install them in the order provided, you can expect to find one or more products complaining about dependency related to other products.

Finally, lets update the shared libraries.
securitynik@snort3:~$ sudo ldconfig

Now for the main course. Let's install Snort3. Because sometime after this install I would like to see what the command shell looks like, I'm also enabling that via the configure script along with the ability to process PCAPs over two Gigabytes.

securitynik@snort3:~/snort-files$ wget
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort3- 
securitynik@snort3:~/snort-files$ cd snort3-
securitynik@snort3:~/snort-files/snort3-$ ./ --prefix=/usr/local --enable-tcmalloc  --enable-shell --enable-large-pcap  
securitynik@snort3:~/snort-files/snort3-$ cd build/
securitynik@snort3:~/snort-files/snort3-$ make && sudo make install
Once I run snort --version, we see wat seems to suggest we are good to go.

scuritynik@snort3:~$ snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.44 2020-02-12
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.4.0 2021-01-28
           Using LZMA version 5.2.4

Running a test using the default configuration, we see below Snort successfully validated the configuration (with 0 warnings).

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua 
o")~   Snort++
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Finished /usr/local/etc/snort/snort.lua:
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Oink! Onik! Our piggy is preparing to fly. See you in the next post where we learn a little bit more about Snort3 before feeding it via rules and performing house keeping.