Comprehensive Guide to Snort3 and Guardian Setup: Troubleshooting, Configuration, and Tests

These are mainly notes on my own experiments; some file locations and commands are adjusted to my installation.

I am using Snort 3 and have not succeeded yet. The main differences so far are the Snort configuration file and the alert file; I'll try again later with Snort 2.

1. Install guardian

Download URL: https://www.chaotic.org/guardian/

Unpack (the tarball name is the one the tar command below expects; the exact download path under that URL is assumed here)

wget https://www.chaotic.org/guardian/guardian-1.7.tar.gz
tar -zxvf guardian-1.7.tar.gz

Configure (the original tutorial put the files under etc/snort, but from my earlier steps the directory is /usr/local/etc/snort, so I changed it here.)

# cd guardian-1.7
# touch /usr/local/etc/snort/guardian.ignore
# touch /usr/local/etc/snort/guardian.target
# touch /var/log/snort/guardian.log
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /usr/local/etc/snort

Edit the guardian configuration file, vi /usr/local/etc/snort/guardian.conf (key names as in the shipped guardian.conf; `#` starts a comment)

Interface   ens33
LogFile     /var/log/snort/guardian.log
AlertFile   /var/log/snort/alert_json.txt          # the alert file guardian tails
IgnoreFile  /usr/local/etc/snort/guardian.ignore   # whitelist: never block these addresses
TargetFile  /usr/local/etc/snort/guardian.target   # blacklist
TimeLimit   120                                    # how long a block lasts, in seconds

Put the addresses you administer the sensor from (your SSH workstation, the gateway) into guardian.ignore before starting: a single alert from one of them would otherwise firewall you out of the box for TimeLimit seconds.
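What guardian does with these settings, as an added example that is not guardian's own code: the script below reproduces the block-on-alert, whitelist and TimeLimit logic of guardian.pl in Python and additionally parses Snort 3 alert_json lines (guardian 1.7 only understands the Snort 2 text alert format, which is why a Snort 3 sensor that writes only alert_json.txt gives it nothing to act on). The sample alert lines are constructed, the JSON field names follow alert_json's default field set (src_ap, dst_ap, rule), the iptables command mirrors the stock guardian block script, and the runner argument lets the logic run without root.

```python
#!/usr/bin/env python3
"""Guardian-style auto-blocker fed by a Snort alert file (added example, not guardian code).

Reproduces what guardian.pl does with HostIpAddr, Interface, IgnoreFile and TimeLimit,
but understands both the Snort 2 "fast" text alert and a Snort 3 alert_json line.
"""
import ipaddress
import json
import re
import subprocess
import time

# Snort 2 / Snort 3 "fast" alert line: ... {TCP} 192.168.79.1:51234 -> 192.168.79.131:80
FAST_RE = re.compile(
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_alert(line):
    """Return the source IPv4 address of one alert line, or None if it carries none.

    alert_json writes one JSON object per line; the default field set carries
    "src_ap" ("addr:port"), and "src_addr" when that field is selected explicitly.
    The fast format is the text line guardian 1.7 was written for.
    """
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        src = rec.get("src_addr") or rec.get("src_ap", "")
        src = src.rsplit(":", 1)[0] if src.count(":") == 1 else src
    else:
        m = FAST_RE.search(line)
        if not m:
            return None
        src = m.group("src")
    try:
        return str(ipaddress.IPv4Address(src))
    except ValueError:
        return None


class Guardian:
    """Block alert sources on INPUT for time_limit seconds, then unblock them."""

    def __init__(self, host_ip, interface, ignore, time_limit, runner=subprocess.run):
        self.host_ip = host_ip
        self.interface = interface
        self.ignore = set(ignore)
        self.time_limit = time_limit
        self.runner = runner      # callable taking the argv list; subprocess.run for real use
        self.blocked = {}         # src ip -> unblock deadline (epoch seconds)

    def _rule(self, action, src):
        # DROP everything from the source, like guardian's stock iptables_block.sh;
        # a TCP-only REJECT rule would leave UDP (SNMP) and ICMP probes unblocked.
        return ["/sbin/iptables", action, "INPUT", "-s", src, "-i", self.interface, "-j", "DROP"]

    def handle(self, line, now=None):
        """Feed one alert line; returns the iptables argv that was run, or None."""
        now = time.time() if now is None else now
        src = parse_alert(line)
        if src is None or src == self.host_ip or src in self.ignore or src in self.blocked:
            return None
        cmd = self._rule("-I", src)
        self.runner(cmd)
        self.blocked[src] = now + self.time_limit
        return cmd

    def expire(self, now=None):
        """Remove rules whose TimeLimit has passed; returns the unblocked addresses."""
        now = time.time() if now is None else now
        done = [ip for ip, deadline in self.blocked.items() if deadline <= now]
        for ip in done:
            self.runner(self._rule("-D", ip))
            del self.blocked[ip]
        return done

    def follow(self, path, poll=1.0):
        """tail -f the alert file and apply handle()/expire(); runs until interrupted."""
        with open(path) as fh:
            fh.seek(0, 2)         # start at the end: only new alerts count, as guardian does
            while True:
                line = fh.readline()
                if line:
                    self.handle(line)
                else:
                    self.expire()
                    time.sleep(poll)


# Constructed sample alerts (not captured from a real sensor): one alert_json line
# with the default field set and one fast-format line from a second scanner.
SAMPLE_ALERTS = [
    '{ "timestamp" : "03/01-12:00:00.000000", "pkt_num" : 7, "proto" : "TCP", '
    '"pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_ap" : "192.168.79.1:51234", '
    '"dst_ap" : "192.168.79.131:80", "rule" : "1:5000006:1", "action" : "allow" }',
    '03/01-12:00:01.000000 [**] [1:5000006:1] "IN" [**] [Priority: 0] {TCP} '
    '192.168.79.200:4444 -> 192.168.79.131:445',
]


def demo():
    """Run the sample alerts through a dry-run Guardian; returns the commands it issued."""
    issued = []
    g = Guardian("192.168.79.131", "ens33", ignore={"192.168.79.2"}, time_limit=120,
                 runner=issued.append)
    for line in SAMPLE_ALERTS:
        g.handle(line, now=1000.0)
    g.handle(SAMPLE_ALERTS[0], now=1001.0)   # repeat alert: already blocked, no new rule
    g.expire(now=1119.0)                     # before TimeLimit: nothing removed
    g.expire(now=1120.0)                     # TimeLimit reached: both addresses unblocked
    return issued


if __name__ == "__main__":
    for cmd in demo():
        print(" ".join(cmd))
```

Run as root with `Guardian(...).follow("/var/log/snort/alert_json.txt")` and the default runner to block for real; the dry-run demo prints the two `-I` rules followed, after TimeLimit, by the two matching `-D` rules.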

Start guardian

/usr/bin/perl /usr/local/bin/guardian.pl -c /usr/local/etc/snort/guardian.conf
# or navigate to the directory containing guardian.pl

root@y:~/snort_src/guardian-1.7# perl ./guardian.pl -c /usr/local/etc/snort/guardian.conf
OS shows Linux
My IP address and interface are: 192.168.79.131       ens33
Loaded 0 addresses from /usr/local/etc/snort/guardian.ignore
Loaded 0 addresses from /usr/local/etc/snort/guardian.target
Becoming a daemon..
root@y:~/snort_src/guardian-1.7#

First error occurred (screenshot not reproduced: guardian.pl failed at startup because it needs the Perl 4 compatibility libraries, which are no longer part of core Perl)

Reference link: https://www.jianshu.com/p/7fcb7a0e553a

I wasn't sure which system the first command on that page applies to, so I went straight to the second one and installed the Perl 4 compatibility package:

cpan Perl4::CoreLibs

Another error occurred (screenshot not reproduced)

According to a blog, HostIpAddr was missing from my guardian.conf. Remove the comment in front of HostIpAddr and set the address:

vim /usr/local/etc/snort/guardian.conf
HostIpAddr 192.168.79.131

No more errors now

Stop Guardian

ps -ef | grep guardian
kill <pid>

Rules guardian has already inserted are not necessarily removed when it is killed (with kill -9 it cannot run any cleanup at all), so check iptables -L INPUT -n after stopping it and clear stale entries with the unblock script.

Image source: https://www.cnblogs.com/atai/p/14393027.html

2. Linkage Test

Test whether rules are loaded at all: edit /usr/local/etc/rules/local.rules and add the following two rules

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OUT"; sid:5000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IN"; sid:5000006; rev:1;)

Rule explanation: alert on all TCP traffic between the internal and external networks, purely to check that the Snort configuration (snort.lua here; snort.conf on Snort 2) loads rules and writes alerts. The msg strings must use straight ASCII quotes; curly quotes make the rule fail to parse.

Start snort and check whether alerts appear in the alert file. -i selects the capture interface and -l the log directory; without -i, Snort 3 only validates the configuration and exits, and alert_json.txt is only written if the alert_json output is enabled in snort.lua.

# snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens33 -l /var/log/snort
# cd /var/log/snort
# tail -f alert_json.txt

If alerts appear, the configuration is correct and you can proceed with the tests below. Otherwise check snort.lua, the rules path, and the permissions on the snort directory and files.

Linkage Test

If the previous test passed, remove or comment out the two rules you added in /usr/local/etc/rules/local.rules.

vi /usr/local/etc/rules/local.rules

Log in to another Windows test host (Note: scanning from the snort host itself may make it inaccessible, since the address guardian would block is its own), open a browser, download x-scan from http://tools.hetianlab.com/tools/X-Scan-v3.3-cn.rar and extract it. Double-click the file to open x-scan.

Set Scan Parameters

Click the “Scan Parameters” button, set the specified IP range to your snort host’s IP address, and in the “Global Settings” “Scan Module”, select “Select All”. In “Plugin Settings”, select all options for “SNMP-related settings”, “NETBIOS-related settings”, and “Vulnerability detection script settings”. Click the start button to start the scan.

Check whether alerts appear in the alert file

# cd /var/log/snort
# tail -f alert_json.txt     # Snort 2 writes a file named "alert" here; this Snort 3 setup writes alert_json.txt

Once alert logs are found, start the linkage between guardian and iptables.

# /usr/bin/perl /usr/local/bin/guardian.pl -c /usr/local/etc/snort/guardian.conf

Run iptables -L INPUT -n on the snort host to see whether a rule for the scanning host's address has been added. If it has, the linkage works.

Problem Solving for an Unsuccessful Experiment

The experiment failed; no rules were added. The guardian I downloaded seems not to be the one the lab originally recommended (that link is dead, so I found another copy online), so the configuration may not match it.

The following corrections come from a Bilibili video (【Network Security Tutorial】Manually Build a Snort System! Snort+Iptables+Guardian Linkage Experiment on CentOS 7_擔擩擔擩_bilibili)

1. I couldn't find several of the script files, so I took a script from a blog (link: https://blog.51cto.com/chenguang/7823276). I'm not familiar with shell scripting and wasn't sure the spacing was right in places.

The modified guardian files below live where they were copied earlier, in /usr/local/bin.

#!/bin/bash
# Start/stop/status wrapper for guardian, installed as /usr/local/bin/guardian.sh
CONF=/usr/local/etc/snort/guardian.conf
GUARDIAN=/usr/local/bin/guardian.pl
# pgrep/pkill -f match the full command line and never match themselves, so the
# usual "ps | grep" self-match problem does not arise. The original script also
# passed the whole ps line to kill instead of the PID, and redirected in the wrong
# order (2>&1 > /dev/null leaves stderr on the terminal); both are fixed here.
PATTERN='guardian.pl *-c'

start()
{
        export PATH=$PATH:/usr/local/bin
        if pgrep -f "$PATTERN" > /dev/null; then
                echo "guardian is already running ...."
                return 0
        fi
        # guardian.pl daemonizes itself ("Becoming a daemon..")
        /usr/bin/perl "$GUARDIAN" -c "$CONF"
}

stop()
{
        # pkill sends SIGTERM to every process whose command line matches
        if pkill -f "$PATTERN"; then
                echo "guardian stopped ...."
        else
                echo "guardian is not running ...."
        fi
}

status()
{
        if pgrep -f "$PATTERN" > /dev/null; then
                echo "guardian is running ...."
        else
                echo "guardian is not running ...."
        fi
}

case "$1" in
start)   start ;;
stop)    stop ;;
restart) stop; start ;;
status)  status ;;
*)       echo "Usage: $0 {start|stop|restart|status}" ;;
esac

Execute the script (with no argument it only prints the usage line)

bash /usr/local/bin/guardian.sh start

Add content to guardian_block.sh. guardian calls the script with the offending address as the first argument and the interface as the second, which the stock iptables_block.sh copied earlier assigns to source and interface; the `&interface` in the line I had was a typo for `$interface`. Note that -p tcp only blocks TCP from the scanner, so UDP probes such as the SNMP checks keep getting through; the stock script drops all traffic from the address.

#!/bin/sh
source=$1
interface=$2
/sbin/iptables -I INPUT -p tcp -s $source -i $interface -j REJECT --reject-with tcp-reset

Add content to guardian_unblock.sh (the -D rule must match the inserted one exactly, option for option, or iptables reports that no such rule exists)

#!/bin/sh
source=$1
interface=$2
/sbin/iptables -D INPUT -p tcp -s $source -i $interface -j REJECT --reject-with tcp-reset

Check guardian status

root@y:/usr/local/bin# bash guardian.sh status
guardian is running ....

2. Run snort (the tutorials use snort.conf, but my install is the Snort 3 lua setup with no conf file)

snort -c /usr/local/etc/snort/snort.lua -i ens33 -A fast

Note that -A fast sends the alerts to the console, not to /var/log/snort. To get a file guardian can tail, add -l /var/log/snort and set alert_fast = { file = true } in snort.lua (the alerts then land in alert_fast.txt), or leave -A off and rely on the alert_json output already configured. guardian 1.7 was written against the Snort 2 text alert format, so the fast file is the closer match; it has no parser for JSON lines.

3. Modify local.rules

alert icmp any any -> any any (msg:"snort test"; dsize:>65499; itype:8; sid:10000003; rev:1;)

This fires only on an echo request with a payload larger than 65499 bytes, which a normal ping never sends; trigger it deliberately from the Windows host with ping -l 65500 <snort host>, then watch the alert file (with -A fast and no -l, the alerts show on the console instead):

tail -f /var/log/snort/alert_json.txt

Hmm, still not working; continuing to troubleshoot. Following the video, I made some changes to the pl file.

Attempted modification based on the file locations in the video (different from mine, but the print statements don't seem to matter much)

Line 190 (screenshot of the change not reproduced)

Lines 233 and 234 (screenshot of the change not reproduced)

Found another guardian download link: https://c4pr1c3.github.io/cuc-ns/chap0x09/exp.html