
packet6.com http://www.packet6.com/installing-snort-on-centos/

Rowell Dionicio

How to Install Snort on CentOS

Part 1 – Installing Snort on CentOS
Part 2 – Installing PulledPork and Barnyard2
Part 3 – Installing Snorby

Snort is a powerful intrusion prevention/detection system. This is a three-part series going through the installation of Snort, the automatic updating of rule sets via PulledPork, the configuration of Barnyard2, which will process Snort's output, and the installation of a web front-end GUI called Snorby to help analyze those alerts.

The configuration I have outlined will run Snort as an IDS, thus only gathering information on traffic it can see. Snort is open source and is a product of Sourcefire. For $2.7 billion, Sourcefire was acquired by Cisco in 2013.

We will be going over the installation of Snort version 2.9.6.2 on CentOS 6.5 Minimal.

Prior to installing Snort it is important to have accurate time configured. Check the current date with the command:

[root@snort-beta]# date
Tue Jul 15 08:42:28 PDT

Install ntpdate

[root@snort-beta]# yum install -y ntpdate
[root@snort-beta]# ntpdate 0.us.pool.ntp.org

Install Dependencies

We're going to install some dependencies which will be needed going forward. Since we are also using CentOS Minimal we will need to install a few applications.

yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man

Now let's create a temporary directory to store some files we will be downloading.

mkdir tmp && cd tmp

Next we need to install more dependencies.

wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Use the rpm command to install the dependencies we just downloaded.

rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Install Snort

I'm downloading the rpm files from Snort.org.

yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm

I recommend signing up on Snort.org to get the registered rules. You'll receive something called an Oinkcode. The Oinkcode acts as an API key for downloading rule packages from URLs provided by Snort.

Download and extract the Community Rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need. It depends on which version of Snort you're running. In this case, I am running 2.9.6.2, so I am looking for the Snort rules which contain the numbers 2962:

wget -O snortrules-snapshot-2962.tar.gz "https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz?oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules

Paste your Oinkcode after the = sign. The -O flag keeps the ?oinkcode= query string out of the saved file name, so the tar command that follows can find the file.
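As an added example that is not part of the original post, the following POSIX shell helpers derive the 2962-style snapshot tag from the installed Snort version and refuse to hand anything but a real gzip archive to tar. It assumes the `snort -V` banner contains a line of the form "Version 2.9.6.2 ..." and that the Oinkcode is exported in an OINKCODE environment variable instead of being typed into the URL.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: `snort -V` prints a line
# containing "Version 2.9.6.2 ..." and the Oinkcode is exported as OINKCODE, so it
# never appears on the command line or in shell history.
set -eu

# Turn a Snort version string such as 2.9.6.2 into the snapshot tag 2962 that
# Snort.org uses in the registered rules file name (snortrules-snapshot-2962.tar.gz).
snapshot_tag() {
    printf '%s' "$1" | tr -d '.'
}

# Pull the version number out of the `snort -V` banner read from stdin.
parse_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# A gzip archive starts with the two magic bytes 1f 8b; anything else (for instance
# an error page saved in place of the tarball) must not be passed to tar.
is_gzip() {
    [ "$(od -An -N2 -tx1 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Download the registered rules matching the installed Snort and unpack them into the
# rules directory. The -O flag keeps the ?oinkcode= query string out of the saved file
# name, which is what lets the tar command find the file afterwards.
fetch_registered_rules() {
    tag=$1 rules_dir=$2
    file="snortrules-snapshot-$tag.tar.gz"
    wget -q -O "$file" \
        "https://www.snort.org/downloads/registered/$file?oinkcode=$OINKCODE"
    if ! is_gzip "$file"; then
        echo "$file is not a gzip archive; check your Oinkcode and Snort version" >&2
        return 1
    fi
    tar -xzf "$file" -C "$rules_dir"
}

# Usage, as root, after `export OINKCODE=...`:
#   tag=$(snapshot_tag "$(snort -V 2>&1 | parse_version)")
#   fetch_registered_rules "$tag" /etc/snort/rules
```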

Modify the ownership of the Snort directories.

cd /etc/snort
chown -R snort:snort *

Locate and Modify the snort.conf file

cd /etc/snort
vi snort.conf

There are many changes to make here. You can download an example of my snort.conf file and modify it to your environment. Some of the values are as follows. Just search for them in your configuration file:

var RULE_PATH /etc/snort/rules
ipvar HOME_NET any # or set to a network such as 172.21.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Modify the output string under Step 6 of the snort.conf file:

output unified2: filename snort.log, limit 128

Test Snort

Use this command to run Snort in test mode. It will tell you if there is anything wrong with running Snort.

snort -T -i <interface> -u snort -g snort -c /etc/snort/snort.conf

If you get this error:

snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

type in the following commands:

/sbin/ldconfig
updatedb

-T is the self-test mode switch.
-i tells Snort what interface to use to gather traffic. You need to specify the interface you're using right after it.
-u sets the user that will run the process.
-g sets the group that will run the process.
-c sets the configuration file to use.

Modify /etc/sysconfig/snort

Modify the Snort sysconfig file, which holds variables for the startup script:

Change the interface which Snort is using to the interface you will use on your server to sniff traffic. Comment out ALERTMODE and BINARY_LOG. If you don't do this, your alerts will not be written to the MySQL database in a later setup.
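As an added example that is not from the original post, these POSIX shell helpers apply and then verify the edits described above: the HOME_NET value in snort.conf, and the interface plus the commented-out ALERTMODE and BINARY_LOG lines in /etc/sysconfig/snort. Each function takes the file path as an argument so it can be rehearsed on copies first; it assumes GNU sed (-i, -E), as shipped with CentOS, and that the sysconfig file carries an INTERFACE= line.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU sed (-i, -E) as on CentOS
# and an INTERFACE= line in /etc/sysconfig/snort. Every function takes the file path
# as $1 so the edits can be tried on a copy before touching the live files.
set -eu

# Replace the HOME_NET definition in a snort.conf. $2 is the network, e.g. 172.21.0.0/16.
# EXTERNAL_NET is defined as !$HOME_NET, so this one value is what Snort compares
# "inside" and "outside" traffic against.
set_home_net() {
    sed -i -E "s|^ipvar HOME_NET[[:space:]].*|ipvar HOME_NET $2|" "$1"
}

# Print the active HOME_NET value (first uncommented ipvar HOME_NET line).
get_home_net() {
    sed -n -E 's/^ipvar HOME_NET[[:space:]]+([^[:space:]#]+).*/\1/p' "$1" | head -n 1
}

# Return 0 when no active ALERTMODE= or BINARY_LOG= assignment remains in the
# sysconfig file; otherwise list the offending lines and return 1. The post explains
# that leaving these active stops alerts from reaching the MySQL database later on.
sysconfig_ok() {
    if grep -n -E '^[[:space:]]*(ALERTMODE|BINARY_LOG)=' "$1"; then
        echo "comment out the lines above in $1" >&2
        return 1
    fi
}

# Comment out any active ALERTMODE= / BINARY_LOG= line in place.
disable_alertmode_binarylog() {
    sed -i -E 's/^[[:space:]]*((ALERTMODE|BINARY_LOG)=)/#\1/' "$1"
}

# Set the sniffing interface in the sysconfig file. $2 is the interface, e.g. eth0.
set_interface() {
    sed -i -E "s|^INTERFACE=.*|INTERFACE=$2|" "$1"
}

# Usage, as root, once a rehearsal on copies looks right:
#   set_home_net /etc/snort/snort.conf 172.21.0.0/16
#   set_interface /etc/sysconfig/snort eth0
#   disable_alertmode_binarylog /etc/sysconfig/snort
#   sysconfig_ok /etc/sysconfig/snort && snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
```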

Viewing Logs

If the self-test runs successfully you can run Snort without the -T switch and replace it with -D, for daemon. It will run Snort in the background. Once Snort is running and sniffing traffic, it should output to /var/log/snort.

The snort.log file will be in Unified2 format, which means you can't open it in Wireshark. Anything Snort thinks is bad will trigger an alert. All alerts go into a file called alert within /var/log/snort/.

For now, you have Snort running and dumping logs into a directory. Next up in this series I will discuss auto-updating your Snort rule sets using PulledPork.

Resources

My working snort.conf file. I've disabled most of the rules except one. This was only to get a simple test going.

Here is an example of my /etc/sysconfig/snort file.
