How to install snort


AllCloud Blog:
Cloud Insights and Innovation

Tested On

OS: CentOS 6.3 i386, CentOS x86_64
Snort Version: Version 2.9.4.6 GRE (Build 73)
Hardware: Virtual Machine (VirtualBox 4.1.22)

About

Snort is Network Intrusion Detection System (NIDS). Snort can sniff your network and alert you based on his rule DB if there is an attack on your computers network. It is an opensource system that is build from tcpdump (linux sniffer tool).

This installation guide can be used for installing snort only or as part of a series for installing Snort Barnyard and BASE or Snort Barnyard and Snorby.

Prerequisite

  • Update your system using yum update and reboot
yum update -y
reboot
  • Install EPEL repository
rpm -Uvh https://ftp.uninett.no/linux/epel/6/i386/epel-release-6-8.noarch.rpm
  • Install PCRE, libdnet and more prerequisite packages
yum install libdnet libdnet-devel pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y
  • Create dir for Snort prerequisite sources
mkdir /usr/local/src/snort
cd /usr/local/src/snort
  • Download and install libpcap
wget https://www.tcpdump.org/release/libpcap-1.3.0.tar.gz -O libpcap.tar.gz
tar zxvf libpcap.tar.gz
cd libpcap-*
./configure && make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v
  • Download and install DAQ
cd /usr/local/src/snort
wget https://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
tar zxvf daq.tar.gz
cd daq-*
./configure && make && make install
ldconfig -v
  • Create snort user and group
groupadd snort
useradd -g snort snort

Install Snort

  • Download and install Snort
cd /usr/local/src/snort
wget https://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
tar zxvf snort.tar.gz 
cd snort-2*
./configure --prefix /usr/local/snort --enable-sourcefire && make && make install
  • Create links for Snort files
ln -s /usr/local/snort/bin/snort /usr/sbin/snort
ln -s /usr/local/snort/etc /etc/snort
  • Configure Snort startup script to run at startup
cp rpm/snortd /etc/init.d/
chmod +x /etc/init.d/snortd
cp rpm/snort.sysconfig /etc/sysconfig/snort
chkconfig --add snortd
  • Delete following lines from snort startup file
vi /etc/init.d/snortd
...
# check if more than one interface is given 
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
...
else 
 # Run with a single interface (default) 
 daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF 
fi
  • Comment out the following variable in /etc/sysconfig/snort and add / to the LOGDIR variable
vi /etc/sysconfig/snort
...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
...
#BINARY_LOG=1
...
  • Download Snort rules files from https://www.snort.org/snort-rules to /usr/local/src/snort
You have to register to the site in order to get the free register user rules
or you can pay and get the most update rules as a "Subscriber user"
  • Extract rules file in the new created directory
cd /usr/local/snort
tar zxvf /usr/local/src/snort/snortrules-snapshot-2*
  • Create directory for snort logging
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort
  • Create links for dynamic rules files and directories
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
  • Set snort permissions
chown -R snort:snort /usr/local/snort
  • Comment out or delete all reputation preprocessor configuration lines from snot.conf and configure ouput plugin
vi /usr/local/snort/etc/snort.conf
...
#preprocessor reputation: 
#   memcap 500, 
#   priority whitelist, 
#   nested_ip inner, 
#    whitelist $WHITE_LIST_PATH/white_list.rules, 
#   blacklist $BLACK_LIST_PATH/black_list.rules
...
output unified2: filename snort.log, limit 128
...
  • Create Dynamicrules directory
mkdir /usr/local/snort/lib/snort_dynamicrules
  • Copy dynamicrules files
    • On i386 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
    • On x86_64 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
  • Dump the stub rules
snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
  • Enable snort dynamic rules configuration in the end of snort.conf file
vi /usr/local/snort/etc/snort.conf
...
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
...
  • Test Snort configuration
snort -c /usr/local/snort/etc/snort.conf -T
  • Update Snort rules automatically

PulledPork is an opensource perl script that can update your rules files automatically. To install PulledPork please go to this guide Configure Snort automatic rules updating with PulledPork.

Snort installation completed. Now that we have a Snort server writing it’s data in binary format we need to install Barnyard. Barnyard is application that run on Snort binary files and can output the data to MySQL server and then use it with other PHP web application.

Here is a link for Barnyard Installation.

Please visit https://www.snort.org/ for more information about Snort configuration and usage.

Lahav Savir

Founder and CTO, Cloud Platforms

Read more posts by Lahav Savir