[Snort-users] Snort 2.9 on OpenWrt (18.06.1)

wkitty42 at windstream.net wkitty42 at windstream.net
Fri Jan 18 13:17:10 EST 2019


On 1/18/19 11:47 AM, Posting Stuff via Snort-users wrote:
> Hello!
> 
> I'm trying to figure out best practice for running Snort on OpenWrt (18.06.01). 
> I can get the package running but there are some challenges:
> 
> 1. Setting up rule sets natively is extremely manual.

do you mean writing your own?

> 2. Correcting rule errors is challenging

your rules or those from somewhere else?

> 3. Information on best rule sets to use (preprocessor, rules to use, Shared 
> objects) information is non-existing.

there is no "one size fits all"... each network is different and has different 
requirements... eg: i know of some that deny inbound TOR exit node traffic so 
they employ snort to detect and alert on those connections so they can be blocked...

> So here are my questions:
> 
> 1. Can I use pulledpork to process the rules updates off-box using CentOS 7?

you should be able to... the question is how to make them available to snort on 
your embedded OS device...

> 2. If the above isn't the right methodology, what is the best way to automate 
> correcting rules errors?

need an example to understand what "errors" you're speaking of...

> 3. Is there best practice information about running Snort on embedded OS devices?

i don't know other than turning off one of the file time stamp updates that 
leads to too many writes and "wears out" SD cards and such...

but(!) if you have a way to connect a USB HD to that device and point it to the 
rules files on it, that would be something to look into...

i don't know if you can use something like NFS or similar method of mounting the 
rules directory on a server where you process the rules files but that might be 
something to look into, too, if the device can handle it...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


More information about the Snort-users mailing list