Installing Snort on CentOS

Snort is a powerful intrusion prevention/detection system. This is a three-part series covering the installation of Snort, automatic updating of rule sets via Pulledpork, configuration of Barnyard2 (which processes Snort's output), and installation of Snorby, a web front-end GUI that helps analyze those alerts.

The configuration I have outlined will run Snort as an IDS, so it only gathers information on traffic it can see. Snort is open source and is a product of Sourcefire, which Cisco acquired in 2013 for $2.7 billion.

We will be going over the installation of Snort version 2.9.6.2 on CentOS 6.5 Minimal.

Prior to installing Snort, it is important to have accurate time configured. Check the current date with the command:

[root@snort-beta]# date
Tue Jul 15 08:42:28 PDT

Install ntpdate and sync the clock:

[root@snort-beta]# yum install -y ntpdate
[root@snort-beta]# ntpdate 0.us.pool.ntp.org

Install Dependencies

We are going to install the dependencies needed going forward. Since this is CentOS Minimal, a few basic tools must be installed as well.

yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man

Now let’s create a temporary directory to store some files we will be downloading.

mkdir tmp && cd tmp

Next we need to install more dependencies.

wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Use the rpm command to install the dependencies we just downloaded.

rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Install Snort

I am downloading the RPM files from Snort.org.

yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm

I recommend signing up on Snort.org to get the registered rules. You will receive something called an Oinkcode. The oinkcode acts as an API key for downloading rule packages from the URLs provided by Snort.org, so treat it as a credential.

Download and extract the Community Rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need, as it depends on the version of Snort you are running. In this case I am running 2.9.6.2, so I am looking for the rules file whose name contains 2962:

wget -O snortrules-snapshot-2962.tar.gz 'https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz?oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules

Paste your oinkcode after the = sign.

Modify the ownership of the Snort directories.

cd /etc/snort
chown -R snort:snort *
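The rules-download steps above, as an added example (not code from the original post): a Python helper that derives the snapshot filename from the installed Snort version, reads the oinkcode from a permission-restricted file instead of putting it on the command line, saves the tarball under its plain name, and refuses tarball entries that would land outside /etc/snort/rules. The /etc/snort/oinkcode path and the sample `snort -V` banner line are assumptions.

```python
import os
import re
import stat
import tarfile
import urllib.request

RULES_BASE = "https://www.snort.org/downloads/registered/"

def snapshot_name(version):
    """'2.9.6.2' -> 'snortrules-snapshot-2962.tar.gz', the naming the post describes."""
    return "snortrules-snapshot-%s.tar.gz" % version.replace(".", "")

def version_from_banner(banner):
    """Pull the version out of `snort -V` output; the banner line used in tests is constructed."""
    m = re.search(r"Version (\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError("no Snort version found in banner")
    return m.group(1)

def read_oinkcode(path="/etc/snort/oinkcode"):
    """The oinkcode is an API key: keep it in a 0600 file (assumed path), not on the command line."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError("%s is readable by group/other (mode %o)" % (path, mode))
    with open(path) as f:
        return f.read().strip()

def is_safe_path(member_name, dest):
    """True unless the tar entry would land outside dest (absolute path or '..' component)."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([root, target]) == root

def fetch_rules(version, dest="/etc/snort/rules", oinkcode_path="/etc/snort/oinkcode"):
    name = snapshot_name(version)
    url = RULES_BASE + name + "?oinkcode=" + read_oinkcode(oinkcode_path)
    # Save under the plain snapshot name: wget without -O keeps the '?oinkcode=...' suffix
    # in the filename, and the tar command in the post would then not find the file.
    urllib.request.urlretrieve(url, name)
    with tarfile.open(name, "r:gz") as tar:
        members = tar.getmembers()
        if not all(is_safe_path(m.name, dest) for m in members):
            raise ValueError("tarball contains entries outside %s; not extracting" % dest)
        tar.extractall(dest, members=members)
    return name
```

After extraction, run the post's chown step again so the new files are owned by snort:snort.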

Locate and Modify the snort.conf file

VCP5 Notes – Objective 1.4 – Secure vCenter Server

Lately I haven't been able to allocate as much time as I'd like towards studying for the VCP5 exam. Hopefully, with my projects at work completed, I can ramp up the studies again. This time I began studying security with vCenter Server. The biggest takeaway, in my opinion, is the creation of privileges and roles. This is an important topic for environments which have multiple VMware administrators.

If you’re following along with my series of notes you will find the following table of contents helpful.

Objective 1.1 – Install and Configure vCenter Server
Objective 1.2 – Install and Configure VMware ESXi
Objective 1.3 – Plan and Perform Upgrades of vCenter Server and VMware ESXi
Objective 1.4 – Secure vCenter Server

Identify common vCenter Server privileges and roles

  • vCenter permissions are based on role-based access control (RBAC)
  • Three types of roles
    • No Access – When assigned to an object, the user cannot see that object when logged into vCenter.
    • Read Only – Can see the objects but cannot manage them.
    • Administrator – Has all privileges.
  • Sample
    • Clone the role and give it a new name
    • Virtual machine power user
    • Virtual machine user
    • Resource pool administrator
    • VMware consolidated backup user
    • Datastore consumer
    • Network consumer
  • Custom
    • Created when additional roles are needed in vCenter.

Describe how permissions are applied and inherited in vCenter Server

  • Apply the role to the highest object in the inventory to which permissions will apply and then allow permissions to propagate to child objects.
  • The most specific and most directly applied permission wins.
  • A permission applied directly to an object supersedes a permission that has been inherited.
  • A permission applied to a user supersedes one inherited through membership in a group.
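The precedence rules in these notes, as an added example (not from the original notes and not vCenter's own code): a small Python model that resolves a user's effective role on an inventory object. The inventory, principals and role names are constructed; how vCenter combines two group permissions on the same object is not covered by the notes, so the model takes the first match (an assumption).

```python
class InventoryObject:
    """One node of a constructed vCenter inventory tree (Datacenter -> Cluster -> VM)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perms = []   # (principal, role, propagate) entries assigned directly here

    def assign(self, principal, role, propagate=True):
        self.perms.append((principal, role, propagate))
        return self

    def chain(self):
        """This object, then its parent, and so on to the root (most specific first)."""
        node = self
        while node is not None:
            yield node
            node = node.parent

def effective_role(obj, user, groups=()):
    """Walk from the object upward; the first matching permission wins (most specific object,
    direct before inherited, user entry before group entry on the same object)."""
    for depth, node in enumerate(obj.chain()):
        inherited = depth > 0
        # a permission on an ancestor only reaches us if it was set to propagate
        live = [(p, r) for p, r, prop in node.perms if prop or not inherited]
        for principal, role in live:
            if principal == user:
                return role
        for principal, role in live:
            if principal in groups:
                return role   # assumption: first matching group wins
    return "No Access"

# Constructed inventory: group vm-admins is Administrator at the Datacenter (propagating),
# while alice has a direct, non-propagating Read Only permission on one VM.
dc = InventoryObject("Datacenter").assign("vm-admins", "Administrator")
cluster = InventoryObject("Cluster", dc)
vm = InventoryObject("web01", cluster).assign("alice", "Read Only", propagate=False)

def demo():
    return {
        "alice@Cluster": effective_role(cluster, "alice", {"vm-admins"}),  # inherited via group
        "alice@web01": effective_role(vm, "alice", {"vm-admins"}),         # direct entry wins
        "bob@web01": effective_role(vm, "bob"),                             # nothing applies
    }
```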

Configure and administer the ESXi firewall

  • Allow/block services and ports and/or IP addresses.
  • By default, blocks all incoming and outgoing traffic except for SSH, DNS, DHCP, and SNMP.


VCP5 Notes – Objective 1.3 – Plan and Perform Upgrades of vCenter Server and VMware ESXi

After reading VMware's VCP5 Official Certification Guide I have begun my second phase of studying, which is going through each of the objectives one by one.

I read through the objective and its subtopics and write notes as I go for each section. This allows me to fully understand what the exam will test me on and helps me memorize what I need to know.

Objective 1.1 – Install and Configure vCenter Server
Objective 1.2 – Install and Configure VMware ESXi
Objective 1.3 – Plan and Perform Upgrades of vCenter Server and VMware ESXi

Moving on to upgrading vCenter Server and VMware ESXi. This will contain mostly bullet points and fewer pictures.

Identify upgrade requirements for ESXi hosts

  • Supported Upgrades to ESXi 5.1
    • ESX/ESXi 4.0, 4.0 U1, 4.0 U2, 4.0 U4
    • ESX/ESXi 4.1, 4.1 U1, 4.1 U2, 4.1 U3
    • ESXi 5.0, 5.0 U1
  • Hardware Requirements
    • Use VMware Compatibility Guide for supported platforms.
    • 64-bit x86 CPUs only.
    • Requires at least two cores.
    • Supports LAHF and SAHF CPU instructions.
    • Requires NX/XD bit to be enabled for the CPU in the BIOS.
    • Supports x64 multicore processors.
    • Minimum 2GB of RAM.

Identify steps required to upgrade a vSphere implementation

  • Run vCenter Host Agent Pre-Upgrade Checker.
  • Upgrade vCenter Server.
  • Install vSphere Client.
  • Upgrade vSphere Update Manager.
  • Use Update Manager to upgrade ESX/ESXi hosts.
  • Use Update Manager to upgrade the virtual machines.
  • Upgrade product licenses.
  • Use vSphere Client to upgrade to VMFS5.
