This bash script automates the full installation and initial configuration of the Snort 3 Intrusion Detection/Prevention System and PulledPork 3 rule management on Debian/Ubuntu-based Linux distributions. The script compiles Snort 3 and its dependencies from source, sets up PulledPork for rule updates, and creates a systemd service to ensure Snort runs automatically on boot.
- Automated Installation: Installs all necessary dependencies, including `LibDAQ`, `cmake`, and `python3`.
- Snort 3 from Source: Compiles and installs the latest version of Snort 3 from the official GitHub repository.
- PulledPork 3 Integration: Sets up PulledPork 3 to automatically download and manage Snort VRT rules.
- Automated Rule Updates: Configures a daily `cron` job to run PulledPork and restart the Snort service.
- Systemd Service: Creates and enables a `systemd` service for Snort 3, ensuring it starts on system boot.
- A clean installation of a Debian or Ubuntu-based Linux distribution.
- Root privileges to run the script.
- A registered user account on Snort.org to obtain your personal Oinkcode for downloading the latest rule sets.
- Download the script:

  ```sh
  wget https://your-repository-link/setup_snort3.sh
  chmod +x setup_snort3.sh
  ```

- Run the script as root:

  ```sh
  sudo ./setup_snort3.sh
  ```

  The script will perform all installation and configuration steps automatically.
Post-Installation (Mandatory Steps): After the script completes, you must perform a few manual steps to finalize your setup.

- Update PulledPork Configuration: Edit the PulledPork configuration file to add your unique Oinkcode.

  ```sh
  sudo nano /usr/local/pulledpork/pulledpork.conf
  ```

  Find the line that contains `oinkcode = "<YOUR_OINKCODE>"` and replace the placeholder with your actual code.

- Update Snort Service File: Edit the Snort `systemd` service file to specify your network interface.

  ```sh
  sudo nano /etc/systemd/system/snort3.service
  ```

  Find the line that starts with `ExecStart` and replace the placeholder `<YOUR_NETWORK_INTERFACE>` with the name of your desired interface (e.g., `eth0` or `ens33`).

- Configure Snort.lua: Review the main Snort configuration file and update the network variables.

  ```sh
  sudo nano /usr/local/etc/snort/snort.lua
  ```

  Ensure that `HOME_NET` and `EXTERNAL_NET` are set correctly for your network environment.
By default, Snort runs in IDS mode (detection only). To enable Intrusion Prevention System (IPS) mode and allow Snort to actively block malicious traffic, you need to configure `iptables` to send packets to Snort for inspection.

- Stop the Snort service:

  ```sh
  sudo systemctl stop snort3.service
  ```

- Add iptables rules to send traffic to Snort:

  ```sh
  sudo iptables -A INPUT -j NFQUEUE
  sudo iptables -A FORWARD -j NFQUEUE
  ```

- Start the Snort service in IPS mode:

  ```sh
  sudo systemctl start snort3.service
  ```

You can easily revert to IDS mode by removing the IPS `iptables` rules.

- Stop the Snort service:

  ```sh
  sudo systemctl stop snort3.service
  ```

- Remove the iptables rules:

  ```sh
  sudo iptables -D INPUT -j NFQUEUE
  sudo iptables -D FORWARD -j NFQUEUE
  ```

- Start the Snort service in IDS mode:

  ```sh
  sudo systemctl start snort3.service
  ```
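The IDS/IPS switch above, as an added example that is not part of the setup script: it performs the same stop, rule change, start sequence but checks with `iptables -C` before adding or deleting, so repeated runs neither stack duplicate NFQUEUE jumps nor leave one behind. It assumes the chain and unit names used on this page (INPUT, FORWARD, snort3.service) and root privileges.

```shell
#!/bin/sh
# Added example (not the setup script's own code): switch Snort 3 between the
# IDS and IPS modes described above, adding or removing the NFQUEUE jumps
# idempotently. Assumes the chains and unit name from this page and root.
set -eu

SNORT_UNIT="snort3.service"
NFQ_CHAINS="INPUT FORWARD"

# True when CHAIN already carries the NFQUEUE jump (iptables -C exits 0 on a match).
has_nfqueue_rule() {
    iptables -C "$1" -j NFQUEUE 2>/dev/null
}

# Append the jump only once; a plain -A on every switch stacks duplicate rules.
add_nfqueue_rule() {
    has_nfqueue_rule "$1" || iptables -A "$1" -j NFQUEUE
}

# Delete every copy of the jump. With an NFQUEUE rule in place and no process
# bound to the queue, matching packets are dropped by default, so a leftover
# copy would silently black-hole INPUT/FORWARD traffic after Snort stops.
drop_nfqueue_rules() {
    while has_nfqueue_rule "$1"; do
        iptables -D "$1" -j NFQUEUE
    done
}

# Follows the manual steps in order: stop Snort, change the rules, start Snort.
# Expect a short traffic blip while the jumps exist and Snort is not running.
set_snort_mode() {
    case "$1" in
        ips|ids) ;;
        *) echo "usage: $0 ips|ids" >&2; return 2 ;;
    esac
    systemctl stop "$SNORT_UNIT"
    for chain in $NFQ_CHAINS; do
        if [ "$1" = ips ]; then
            add_nfqueue_rule "$chain"
        else
            drop_nfqueue_rules "$chain"
        fi
    done
    systemctl start "$SNORT_UNIT"
}

# Act only when a mode is given on the command line; sourcing just defines functions.
if [ "$#" -gt 0 ]; then
    set_snort_mode "$1"
fi
```

Run it as `sudo ./snort-mode.sh ips` or `sudo ./snort-mode.sh ids`; the file name is an assumption.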