====== Snort 3 on Debian 12 - Professional IDS/IPS ======
===== 1. Preparation =====
=== 1.1 System Prerequisites ===
^ Component ^ Requirement ^ Check ^
| Debian 12 | Up to date | `lsb_release -a` |
| CPU | 2+ cores | `nproc` |
| RAM | 4 GB+ | `free -h` |
| Network interface | Promiscuous mode | `ip link show eth0` |
=== 1.2 Installing Dependencies ===
**Inspired by [[https://www.it-connect.fr/securing-debian-12/|IT-Connect: Hardening Debian]]**:
<code bash>
sudo apt update && sudo apt full-upgrade -y
sudo apt install -y build-essential pkg-config libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev cmake flex bison libdumbnet-dev libhwloc-dev liblzma-dev libssl-dev libunwind-dev libflatbuffers-dev libmnl-dev libluajit-5.1-dev
</code>
Snort 3 is built against LuaJIT (hence `libluajit-5.1-dev` above) and also requires the DAQ library (libdaq 3.x), which the apt line does not cover: build it from [[https://github.com/snort3/libdaq|snort3/libdaq]] before compiling Snort.
===== 2. Installing Snort 3 =====
=== 2.1 Building from Source ===
<code bash>
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.58.0.tar.gz
tar -xzvf 3.1.58.0.tar.gz
cd snort3-3.1.58.0/
./configure_cmake.sh --prefix=/usr/local --enable-hardened-build
cd build
make -j$(nproc)
sudo make install
</code>
**IT-Connect optimisation** (make the freshly installed libraries visible to the dynamic linker):
<code bash>
echo "/usr/local/lib" | sudo tee /etc/ld.so.conf.d/snort3.conf
sudo ldconfig
</code>
=== 2.2 Base Configuration ===
<code bash>
sudo mkdir -p /etc/snort/{rules,so_rules,preproc_rules,log}
# make install placed the stock Lua configuration under the --prefix chosen above
sudo cp -r /usr/local/etc/snort/* /etc/snort/
</code>
===== 3. Advanced Configuration =====
=== 3.1 The snort.lua File ===
**Minimal hardened configuration**:
<code lua>
HOME_NET = "192.168.1.0/24"
EXTERNAL_NET = "!$HOME_NET"
RULE_PATH = '/etc/snort/rules'

ips = {
    -- 'inline' blocks matching traffic; the default 'tap' only alerts
    mode = 'inline',
    variables = default_variables,
    rules = [[
        include $RULE_PATH/snort3-community.rules
        include $RULE_PATH/whitelist.rules
    ]],
    enable_builtin_rules = true
}
</code>
The whitelist (`/etc/snort/rules/whitelist.rules`) is loaded like any other rules file: a pass rule only takes effect if the file is included in `ips.rules`.
=== 3.2 Rules and Whitelists ===
**Downloading the rules**:
<code bash>
wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
# the archive unpacks into a snort3-community-rules/ subdirectory; strip it so the
# file lands at /etc/snort/rules/snort3-community.rules, the path used in snort.lua
sudo tar -xzvf snort3-community-rules.tar.gz --strip-components=1 -C /etc/snort/rules/
</code>
**Whitelist example** (`/etc/snort/rules/whitelist.rules`):
<code>
# Allow Nagios monitoring
pass tcp 192.168.1.50 any -> $HOME_NET 5666
</code>
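Every pass rule switches detection off for the traffic it matches, so the whitelist deserves a check of its own before it is loaded. The script below is an added example, not part of this page or of the Snort project: it lints a pass-rule file for the header shape used above (action, protocol, direction, an `any`/`any` source, a well-formed options block) and reports the offending line numbers. The sample rules and file names are constructed for the demonstration; the authoritative validation remains Snort's own `-T` configuration test.

```shell
#!/bin/sh
# Lint a Snort whitelist (pass-rule) file before loading it.
# Added example, not from the page. It only checks the rule-header shape used on
# this page ("pass <proto> <src> <sport> -> <dst> <dport> [( options )]").

# Constructed sample: one comment, two good rules, then one wrong action,
# one over-broad source and one malformed header (lines 4, 5 and 6).
SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat >"$SAMPLE_RULES" <<'EOF'
# Allow Nagios monitoring
pass tcp 192.168.1.50 any -> $HOME_NET 5666
pass udp 192.168.1.53 53 -> $HOME_NET any ( sid:1000001; )
alert tcp 192.168.1.50 any -> $HOME_NET 5666
pass ip any any -> any any
pass tcp 192.168.1.60 -> $HOME_NET 22
EOF

# lint_whitelist FILE: print "line N: reason" for each bad rule; exit 1 if any.
lint_whitelist() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        bad = ""
        if ($1 != "pass")
            bad = "action is " $1 ", a whitelist must only contain pass rules"
        else if (NF < 7 || ($5 != "->" && $5 != "<>"))
            bad = "malformed header, expected: pass <proto> <src> <sport> -> <dst> <dport>"
        else if ($2 !~ /^(tcp|udp|icmp|ip)$/)
            bad = "unknown protocol " $2
        else if ($3 == "any" && $4 == "any")
            bad = "source any/any would bypass detection for every host"
        else if (NF > 7 && ($8 !~ /^\(/ || $NF !~ /\)$/))
            bad = "options must be enclosed in ( ... )"
        if (bad != "") { printf "line %d: %s\n", NR, bad; errors++ }
    }
    END { exit (errors > 0) }
    ' "$1"
}

if lint_whitelist "$SAMPLE_RULES"; then
    echo "whitelist OK"
else
    echo "fix the lines above before reloading Snort"
fi
```

Run it against the real file (`lint_whitelist /etc/snort/rules/whitelist.rules`) from a deploy script and refuse to restart the service when it exits non-zero.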
===== 4. System Integration =====
=== 4.1 Systemd Service ===
Save as `/etc/systemd/system/snort3.service`:
<code ini>
[Unit]
Description=Snort 3 IDS/IPS
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -c /etc/snort/snort.lua -R /etc/snort/rules/snort3-community.rules \
-i eth0 -s 65535 -k none -l /var/log/snort -A fast
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
</code>
=== 4.2 Enabling the Service ===
<code bash>
sudo systemctl daemon-reload
sudo systemctl enable --now snort3
</code>
===== 5. Monitoring and Analysis =====
=== 5.1 Recommended Tools ===
^ Tool ^ Installation ^ Use ^
| Barnyard2 | `sudo apt install barnyard2` | Log processing |
| Snorby | Via Docker | Web interface |
| PulledPork | From GitHub | Rule updates |
=== 5.2 Diagnostic Commands ===
<code bash>
# Check blocked traffic
sudo grep "\[Drop\]" /var/log/snort/alert_fast.txt
# Real-time statistics
sudo snort -c /etc/snort/snort.lua --dump-stats
</code>
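The grep above says whether anything was blocked; the next question is what was blocked and from where. The following shell script is an added example, not from this page or from the Snort project: it aggregates `[Drop]` events by signature, source and destination, and separates drops whose source sits inside HOME_NET, which are the first candidates for a whitelist review (or for an incident, if the host should not be generating that traffic). The log lines are constructed, and the fast-alert layout they follow (a `[Drop]` tag, `[gid:sid:rev]` in brackets, `src:port -> dst:port` at the end) is an assumption to be checked against your own `alert_fast.txt`.

```shell
#!/bin/sh
# Summarise blocked events from a Snort 3 alert_fast log.
# Added example, not from the page; assumes the line layout of the sample below.

# Constructed sample log (not captured traffic; documentation address ranges).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
09/17-10:01:12.000001 [Drop] [**] [1:1000001:1] "CONSTRUCTED SSH brute force" [**] [Priority: 2] {TCP} 203.0.113.10:51000 -> 192.168.1.20:22
09/17-10:01:13.000002 [**] [1:1000003:1] "CONSTRUCTED ICMP sweep" [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.1
09/17-10:01:14.000003 [Drop] [**] [1:1000001:1] "CONSTRUCTED SSH brute force" [**] [Priority: 2] {TCP} 203.0.113.10:51002 -> 192.168.1.20:22
09/17-10:01:15.000004 [Drop] [**] [1:1000002:1] "CONSTRUCTED SMB probe" [**] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.168.1.30:445
09/17-10:01:16.000005 [Drop] [**] [1:1000001:1] "CONSTRUCTED SSH brute force" [**] [Priority: 2] {TCP} 192.168.1.50:44000 -> 192.168.1.20:22
EOF

# drop_count FILE: total number of blocked events.
drop_count() {
    grep -cF '[Drop]' "$1"
}

# drop_summary FILE: print "count gid:sid:rev src_ip dst_ip:port" for [Drop]
# events, most frequent first. Lines without a "src:port -> dst:port" part
# (for example ICMP) are skipped by the -n/p flags of sed.
drop_summary() {
    grep -F '[Drop]' "$1" \
    | sed -nE 's/.*\[([0-9]+:[0-9]+:[0-9]+)\].*[[:space:]]([0-9.]+):[0-9]+ -> ([0-9.]+:[0-9]+).*/\1 \2 \3/p' \
    | sort | uniq -c | sort -rn
}

# internal_drops FILE NET_PREFIX: blocked events whose source is inside HOME_NET
# (prefix match, e.g. "192.168.1."); review these against the whitelist first.
internal_drops() {
    drop_summary "$1" | awk -v p="$2" 'index($3, p) == 1'
}

echo "blocked events: $(drop_count "$SAMPLE_LOG")"
echo "--- by signature and source ---"
drop_summary "$SAMPLE_LOG"
echo "--- blocked traffic originating inside HOME_NET ---"
internal_drops "$SAMPLE_LOG" 192.168.1.
```

Point the functions at `/var/log/snort/alert_fast.txt` (with sudo) for the live file; a recurring internal source in the last listing is either a false positive to whitelist or a host to investigate.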
===== 6. Further Documentation =====
* [[https://www.it-connect.fr/snort-3-ids-ips/|IT-Connect: Snort 3 Guide]]
* [[https://snort.org/downloads#snort-downloads|Official Snort Rules]]
* [[https://github.com/snort3/snort3/discussions|Community Forum]]
✓ Update the rules **weekly**
✓ Monitor **false positives** through the whitelist
✓ Isolate the capture interface in a **dedicated VLAN**
Enable **receive-queue load balancing** on high-throughput links (4 RX channels here; check what the NIC supports with `ethtool -l eth0` first):
<code bash>
sudo ethtool -L eth0 rx 4
</code>