MRKAVANA (mrkavana@gmail.com) - www.facebook.com/kavanathai

Aug 25, 2011

INSTALLING AND CONFIGURING SNORT ON REDHAT/CENTOS v5.5


Here are the steps to install Snort:
  1. yum clean all
  2. yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel
  3. yum install pcre pcre-devel php php-common php-gd gd php-cli php-mysql flex bison php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server glib2-devel
  4. Make sure libpcap version 1.0.0 (or later) is installed. If a version below 1.0 is installed, the daq build won’t work. If you need to, you can download and build it using the following commands:
    1. wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
    2. tar -xzf libpcap-1.0.0.tar.gz
    3. cd libpcap-1.0.0
    4. ./configure --prefix=/usr
    5. make
    6. make install
  5. wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
  6. Download libnet-1.0.2a.tar.gz (not .tgz file and not a later version) from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz.140191.0.0.html
  7. Download the latest Snort binary from http://www.snort.org
  8. Download the latest daq from http://www.snort.org
  9. Download base-1.4.5.tar.gz from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/
    Command: wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
  10. Download ADOdb from http://sourceforge.net/projects/adodb/files/adodb-php-4-and-5/adodb-4991-for-php/adodb4991.tgz/download
  11. Download Barnyard2:
    wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
  12. Install libdnet:
    1. cd libdnet-1.12
    2. ./configure
    3. make
    4. make install
  13. Install daq:
    1. tar -xf daq-0.5.tar
    2. cd daq-0.5
    3. ./configure         <-- Make sure libpcap 1.0.0 or later is installed (see step 4 above), otherwise this will fail
    4. make
    5. make install
  14. Install barnyard2
    1. tar -xzf barnyard2-1.9.tar.gz
    2. cd barnyard2-1.9
    3. ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
    4. make
    5. make install
  15. Install snort:
    1. tar -xf snort-2.9.0.3.tar
    2. cd snort-2.9.0.3
    3. ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin
    4. make
    5. make install
    6. groupadd snort
    7. useradd -g snort snort -s /sbin/nologin
    8. mkdir /etc/snort
    9. mkdir /etc/snort/rules
    10. mkdir /etc/snort/so_rules
    11. mkdir /var/log/snort
    12. chown snort:snort /var/log/snort
    13. cd /root/Snort/snort-2.9.0.3/etc
    14. cp * /etc/snort/
    15. Download latest Snort rules file from snort.org and install:
      1. Register an account at http://www.snort.org to get your Oinkcode
      2. wget http://www.snort.org/reg-rules/snortrules-snapshot-2902.tar.gz/a2dec5e394b80d5337fe9ed57151787139a2fe28 -O snortrules-snapshot-2902.tar.gz
        NOTE: To get the right version for that URL, look at what is available on the snort.org site under VRT Releases
      3. mkdir snortrules ; tar -xzf snortrules-snapshot-2902.tar.gz -C snortrules ; cd snortrules
      4. cp rules/* /etc/snort/rules
  16. Install ADOdb and base:
    1. cd /var/www/html
    2. cp ADODB4991.tar /var/www/html/
    3. cp base-1.4.5.tar.gz /var/www/html/
    4. tar -xf ADODB4991.tar
    5. tar -xzf base-1.4.5.tar.gz
    6. chown -R root:root base-1.4.5
    7. chmod 777 base-1.4.5
    8. vim /etc/php.ini and set the following line to be: error_reporting = E_ALL & ~E_NOTICE
    9. service httpd restart
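A pre-flight check for the build steps above (step 4's libpcap requirement, step 13's configure note, and the directories and ownership from step 15). This is an added example, not from the original post; it assumes libpcap 1.0 and later provide `pcap-config --version`, and the `--check` entry point and function names are mine.

```shell
#!/bin/sh
# Added pre-flight check for the Snort build steps above (not part of the post).
# Assumption: libpcap >= 1.0 ships `pcap-config`, whose --version output is what
# a real host feeds to libpcap_ok. Directory names follow the post.

# field VERSION N: N-th dotted component of VERSION as a number (missing -> 0).
field() { printf '%s\n' "$1" | awk -F. -v f="$2" '{ print $f + 0 }'; }

# version_ge A B: succeed when dotted version A is >= B (three components).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$1" "$i"); y=$(field "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# libpcap_ok VERSION: daq's ./configure (step 13) needs libpcap 1.0.0 or newer.
# The version is a parameter so the check runs without libpcap present; on a
# real host call: libpcap_ok "$(pcap-config --version 2>/dev/null)"
libpcap_ok() {
    [ -n "$1" ] && version_ge "$1" "1.0.0"
}

# snort_layout_ok ROOT OWNER: the directories from step 15 exist under ROOT
# (use / on a real host) and var/log/snort is owned by OWNER (step 15.12).
snort_layout_ok() {
    root=$1; owner=$2
    for d in etc/snort etc/snort/rules etc/snort/so_rules var/log/snort; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    done
    want=$(id -u "$owner" 2>/dev/null) || want=$owner   # name or numeric uid
    have=$(ls -ldn "$root/var/log/snort" | awk '{ print $3 }')
    [ "$have" = "$want" ] && return 0
    echo "$root/var/log/snort owned by uid $have, expected $want ($owner)" >&2
    return 1
}

# Stand-alone use on the real host: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    if libpcap_ok "$(pcap-config --version 2>/dev/null)"; then
        echo "libpcap OK"
    else
        echo "libpcap missing or older than 1.0.0"
    fi
    snort_layout_ok / snort && echo "snort directory layout OK"
fi
```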
Installation References:
  • http://www.snort.org/assets/159/Snort_2.9.0.3_FC14_Base.pdf
  • http://www.snort.org/assets/145/Install_Snort_2.8.6_on_CentOS_5.5.pdf
Snort can run in one of 3 modes:
  1. Sniffer Mode: Captures packets on the wire and dumps them to your screen (console)
    1. Command (shows only TCP and IP headers): ./snort -v
    2. Command (shows data as well): ./snort -vd
    3. Command (shows data link layer headers as well): ./snort -vde
  2. Packet Logger Mode: Captures packets and logs them to a disk file
    1. Command: ./snort -dev -l /var/log/snort/
    2. Command (log in binary mode – faster): ./snort -dev -l /var/log/snort -b
    3. Command (to replay saved data): ./snort -dvr /var/log/snort/packet.log
      1. NOTE: You can also use something like tcpdump or Ethereal to replay saved file
  3. Network Intrusion Detection System (NIDS) Mode:
Additional Notes:
I tried these steps to install Snort via yum; it worked fine, but I had issues with the rules after that (since the version provided by yum and the version of the rules don’t match):
  1. Verify requirements are met:
    1. libpcap installed
    2. PCRE installed
    3. libnet installed
    4. Barnyard installed
  2. wget http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-11.el5.art.noarch.rpm
  3. rpm -ivh atomic-release-1.0-11.el5.art.noarch.rpm
  4. yum clean all
  5. yum install snort
