{"id":1067,"date":"2012-08-22T16:23:46","date_gmt":"2012-08-22T08:23:46","guid":{"rendered":"http:\/\/rmohan.com\/?p=1067"},"modified":"2012-08-22T16:24:20","modified_gmt":"2012-08-22T08:24:20","slug":"snort-installation-on-centos-6-2","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1067","title":{"rendered":"Snort Installation on CentOS 6.2"},"content":{"rendered":"<div>\n<h1 dir=\"LTR\">Tested On<\/h1>\n<p dir=\"LTR\">OS: CentOS 6.2 i386, CentOS x86_64, <a title=\"001. Snort Installation on CentOS 5.7\" href=\"http:\/\/nachum234.no-ip.org\/security\/snort\/snort-installation\/\">CentOS 5.7<\/a>, <a title=\"101. Snort installation on Ubuntu\" href=\"http:\/\/nachum234.no-ip.org\/?p=230\">Ubuntu 10.04 LTS<\/a><br \/> Snort Version: Version 2.9.2.3 IPv6 GRE (Build 205)<br \/> Hardware: Virtual Machine (VirtualBox 4.1.8)<\/p>\n<h1 dir=\"LTR\">About<\/h1>\n<p dir=\"LTR\">Snort is a Network Intrusion Detection System (NIDS). Snort can sniff your network and alert you, based on its rule DB, if there is an attack on your computer network. 
It is an open-source system that is built on tcpdump (the Linux sniffer tool).<\/p>\n<p dir=\"LTR\">This guide can be used for installing Snort on its own, or as part of a series for installing Snort, Barnyard and BASE, or Snort, Barnyard and Snorby.<\/p>\n<h1 dir=\"LTR\">Prerequisite<\/h1>\n<ul>\n<li>Update your system using yum update and reboot<\/li>\n<\/ul>\n<pre>yum update -y\r\nreboot<\/pre>\n<ul>\n<li>Install the RPMforge repository\n<ul>\n<li>On i386 system<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div>\n<pre dir=\"LTR\">rpm -Uhv http:\/\/apt.sw.be\/redhat\/el6\/en\/i386\/rpmforge\/RPMS\/rpmforge-release-0.5.2-2.el6.rf.i686.rpm<\/pre>\n<ul>\n<ul>\n<li>On x86_64 system<\/li>\n<\/ul>\n<\/ul>\n<div>\n<pre dir=\"LTR\">rpm -Uhv http:\/\/apt.sw.be\/redhat\/el6\/en\/x86_64\/rpmforge\/RPMS\/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm<\/pre>\n<\/div>\n<\/div>\n<ul>\n<li>Install PCRE, libdnet and other prerequisite packages<\/li>\n<\/ul>\n<pre dir=\"LTR\">yum install libdnet libdnet-devel pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y<\/pre>\n<ul>\n<li>Create a directory for the Snort prerequisite sources<\/li>\n<\/ul>\n<pre dir=\"LTR\">mkdir \/usr\/local\/src\/snort\r\ncd \/usr\/local\/src\/snort<\/pre>\n<ul>\n<li>Download and install libpcap<\/li>\n<\/ul>\n<pre dir=\"LTR\">wget http:\/\/www.tcpdump.org\/release\/libpcap-1.3.0.tar.gz -O libpcap.tar.gz\r\ntar zxvf libpcap.tar.gz\r\ncd libpcap-*\r\n.\/configure &amp;&amp; make &amp;&amp; make install\r\necho \"\/usr\/local\/lib\" &gt;&gt; \/etc\/ld.so.conf\r\nldconfig -v<\/pre>\n<ul>\n<li>Download and install DAQ<\/li>\n<\/ul>\n<pre dir=\"LTR\">cd \/usr\/local\/src\/snort\r\nwget http:\/\/www.snort.org\/downloads\/1623 -O daq.tar.gz\r\ntar zxvf daq.tar.gz\r\ncd daq-*\r\n.\/configure &amp;&amp; make &amp;&amp; make install\r\nldconfig -v<\/pre>\n<ul>\n<li>Create the snort user and group<\/li>\n<\/ul>\n<pre>groupadd snort\r\nuseradd -g snort snort<\/pre>\n<h1 dir=\"LTR\">Install Snort<\/h1>\n<ul>\n<li>Download and install 
Snort<\/li>\n<\/ul>\n<pre dir=\"LTR\">cd \/usr\/local\/src\/snort\r\nwget http:\/\/www.snort.org\/downloads\/1631 -O snort.tar.gz\r\ntar zxvf snort.tar.gz\r\ncd snort-2*\r\n.\/configure --prefix \/usr\/local\/snort --enable-sourcefire &amp;&amp; make &amp;&amp; make install<\/pre>\n<ul>\n<li>Create links for the Snort files<\/li>\n<\/ul>\n<pre>ln -s \/usr\/local\/snort\/bin\/snort \/usr\/sbin\/snort\r\nln -s \/usr\/local\/snort\/etc \/etc\/snort<\/pre>\n<ul>\n<li>Configure the Snort startup script to run at boot<\/li>\n<\/ul>\n<pre dir=\"LTR\">cp rpm\/snortd \/etc\/init.d\/\r\nchmod +x \/etc\/init.d\/snortd\r\ncp rpm\/snort.sysconfig \/etc\/sysconfig\/snort\r\nchkconfig --add snortd<\/pre>\n<ul>\n<li>Delete the following lines from the snort startup file<\/li>\n<\/ul>\n<pre>vi \/etc\/init.d\/snortd<\/pre>\n<pre>...\r\n<del># check if more than one interface is given <\/del>\r\n<del>if [ `echo $INTERFACE|wc -w` -gt 2 ]; then<\/del>\r\n...\r\n<del>else <\/del>\r\n<del> # Run with a single interface (default) <\/del>\r\n<del> daemon \/usr\/sbin\/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF <\/del>\r\n<del>fi<\/del><\/pre>\n<ul>\n<li>Comment out the following variables in \/etc\/sysconfig\/snort and add a trailing \/ to the LOGDIR variable<\/li>\n<\/ul>\n<pre>vi \/etc\/sysconfig\/snort<\/pre>\n<pre>...\r\nLOGDIR=\/var\/log\/snort\/\r\n...\r\n#ALERTMODE=fast\r\n...\r\n#BINARY_LOG=1\r\n...<\/pre>\n<ul>\n<li>Download the Snort rules files from http:\/\/www.snort.org\/snort-rules to \/usr\/local\/src\/snort<\/li>\n<\/ul>\n<pre dir=\"LTR\">You have to register on the site in order to get the free registered-user rules,\r\nor you can pay and get the most up-to-date rules as a \"Subscriber user\"<\/pre>\n<ul>\n<li>Extract the rules file into the newly created directory<\/li>\n<\/ul>\n<pre dir=\"LTR\">cd \/usr\/local\/snort\r\ntar zxvf \/usr\/local\/src\/snort\/snortrules-snapshot-2*<\/pre>\n<ul>\n<li>Create 
directory for snort logging<\/li>\n<\/ul>\n<pre dir=\"LTR\">mkdir -p \/usr\/local\/snort\/var\/log\r\nchown snort:snort \/usr\/local\/snort\/var\/log\r\nln -s \/usr\/local\/snort\/var\/log \/var\/log\/snort<\/pre>\n<ul>\n<li>Create links for the dynamic rules files and directories<\/li>\n<\/ul>\n<pre>ln -s \/usr\/local\/snort\/lib\/snort_dynamicpreprocessor \/usr\/local\/lib\/snort_dynamicpreprocessor\r\nln -s \/usr\/local\/snort\/lib\/snort_dynamicengine \/usr\/local\/lib\/snort_dynamicengine\r\nln -s \/usr\/local\/snort\/lib\/snort_dynamicrules \/usr\/local\/lib\/snort_dynamicrules<\/pre>\n<ul>\n<li>Set snort permissions<\/li>\n<\/ul>\n<pre>chown -R snort:snort \/usr\/local\/snort<\/pre>\n<ul>\n<li>Comment out or delete all reputation preprocessor configuration lines from snort.conf and configure the output plugin<\/li>\n<\/ul>\n<pre>vi \/usr\/local\/snort\/etc\/snort.conf<\/pre>\n<pre>...\r\n#preprocessor reputation: \\\r\n#   memcap 500, \\\r\n#   priority whitelist, \\\r\n#   nested_ip inner, \\\r\n#   whitelist $WHITE_LIST_PATH\/white_list.rules, \\\r\n#   blacklist $BLACK_LIST_PATH\/black_list.rules\r\n...\r\noutput unified2: filename snort.log, limit 128\r\n...<\/pre>\n<ul>\n<li>Create the dynamic rules directory<\/li>\n<\/ul>\n<pre>mkdir \/usr\/local\/snort\/lib\/snort_dynamicrules<\/pre>\n<ul>\n<li>Copy the dynamic rules files\n<ul>\n<li>On i386 system<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre>cp \/usr\/local\/snort\/so_rules\/precompiled\/RHEL-6-0\/i386\/2.9*\/*so \/usr\/local\/snort\/lib\/snort_dynamicrules\/<\/pre>\n<ul>\n<ul>\n<li>On x86_64 system<\/li>\n<\/ul>\n<\/ul>\n<pre>cp \/usr\/local\/snort\/so_rules\/precompiled\/RHEL-6-0\/x86-64\/2.9*\/*so \/usr\/local\/snort\/lib\/snort_dynamicrules\/<\/pre>\n<ul>\n<li>Dump the stub rules<\/li>\n<\/ul>\n<pre>snort -c \/usr\/local\/snort\/etc\/snort.conf --dump-dynamic-rules=\/usr\/local\/snort\/so_rules<\/pre>\n<ul>\n<li>Enable the snort dynamic rules configuration at the end of the 
snort.conf file<\/li>\n<\/ul>\n<pre>vi \/usr\/local\/snort\/etc\/snort.conf<\/pre>\n<pre>...\r\n# dynamic library rules\r\ninclude $SO_RULE_PATH\/bad-traffic.rules\r\ninclude $SO_RULE_PATH\/chat.rules\r\ninclude $SO_RULE_PATH\/dos.rules\r\ninclude $SO_RULE_PATH\/exploit.rules\r\ninclude $SO_RULE_PATH\/icmp.rules\r\ninclude $SO_RULE_PATH\/imap.rules\r\ninclude $SO_RULE_PATH\/misc.rules\r\ninclude $SO_RULE_PATH\/multimedia.rules\r\ninclude $SO_RULE_PATH\/netbios.rules\r\ninclude $SO_RULE_PATH\/nntp.rules\r\ninclude $SO_RULE_PATH\/p2p.rules\r\ninclude $SO_RULE_PATH\/smtp.rules\r\ninclude $SO_RULE_PATH\/snmp.rules\r\ninclude $SO_RULE_PATH\/specific-threats.rules\r\ninclude $SO_RULE_PATH\/web-activex.rules\r\ninclude $SO_RULE_PATH\/web-client.rules\r\ninclude $SO_RULE_PATH\/web-iis.rules\r\ninclude $SO_RULE_PATH\/web-misc.rules\r\n...<\/pre>\n<ul>\n<li>Test the Snort configuration<\/li>\n<\/ul>\n<pre>snort -c \/usr\/local\/snort\/etc\/snort.conf -T<\/pre>\n<ul>\n<li>Update Snort rules automatically<\/li>\n<\/ul>\n<p>PulledPork is an open-source Perl script that can update your rules files automatically. To install PulledPork, please follow this guide: <a title=\"104. Configure Snort automatic rules updating with PulledPork\" href=\"http:\/\/nachum234.no-ip.org\/?p=389\">Configure Snort automatic rules updating with PulledPork<\/a>.<\/p>\n<p>Snort installation completed. Now that we have a Snort server writing its data in binary format, we need to install Barnyard. Barnyard is an application that reads Snort's binary files and can output the data to a MySQL server, so that it can then be used with other PHP web applications.<\/p>\n<p>Here is a link for <a title=\"2. 
Barnyard Installation\" href=\"http:\/\/nachum234.no-ip.org\/?p=166\">Barnyard Installation<\/a>.<\/p>\n<p>Please visit <a href=\"http:\/\/www.snort.org\/\">http:\/\/www.snort.org\/<\/a> for more information about Snort configuration and usage.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p> Tested On <\/p>\n<p dir=\"LTR\">OS: CentOS 6.2 i386, CentOS x86_64, CentOS 5.7, Ubuntu 10.04 LTS Snort Version: Version 2.9.2.3 IPv6 GRE (Build 205) Hardware: Virtual Machine (VirtualBox 4.1.8)<\/p>\n<p> About <\/p>\n<p dir=\"LTR\">Snort is a Network Intrusion Detection System (NIDS). Snort can sniff your network and alert you, based on its rule DB, if there is an attack [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1067"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1067"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1067\/revisions"}],"predecessor-version":[{"id":1070,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1067\/revisions\/1070"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1067"}],"curies":[{"name":"wp","hr
ef":"https:\/\/api.w.org\/{rel}","templated":true}]}}