Snort is a powerful intrusion prevention/detection system. This is a three-part series going through the installation of Snort, the automatic updating of rule sets via PulledPork, the configuration of Barnyard2 (which processes Snort's output), and the installation of a web front-end GUI called Snorby to help analyze those alerts.
The configuration I have outlined runs Snort as an IDS, so it only observes and alerts on the traffic it can see; it does not block anything. Snort is open source and is a product of Sourcefire. Sourcefire was acquired by Cisco in 2013 for $2.7 billion.
We will be going over the installation of Snort version 2.9.6.2 on CentOS 6.5 Minimal.
Prior to installing Snort it is important to have accurate time configured. Check the current date with the command:
[root@snort-beta]# date
Tue Jul 15 08:42:28 PDT
[root@snort-beta]# yum install -y ntpdate
[root@snort-beta]# ntpdate 0.us.pool.ntp.org
We're going to install some dependencies which will be needed going forward. Since we are using CentOS Minimal, we also need to install a few basic tools that a full install would already have.
yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man
Now let’s create a temporary directory to store some files we will be downloading.
mkdir tmp && cd tmp
Next we need to install more dependencies.
wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
Use the rpm command to install the dependencies we just downloaded.
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
I'm downloading the DAQ and Snort RPM files from Snort.org.
yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm
I recommend signing up on Snort.org to get the registered rules. You'll receive something called an Oinkcode. The oinkcode acts as an API key for downloading rule packages from URLs provided by Snort.
Download and extract the Community Rules:
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules
Download the registered rules. Be aware of which file you need: it depends on which version of Snort you're running. In this case, I am running 2.9.6.2, so I am looking for the snort rules snapshot whose name contains the numbers 2962. The URL must be quoted and the output file named explicitly with -O; otherwise wget keeps the ?oinkcode=... query string in the saved filename and the tar command will not find the archive:
wget -O snortrules-snapshot-2962.tar.gz "https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz?oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules
Paste your oinkcode after the = sign.
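The rules download above is fragile in two ways: the snapshot number has to match the installed Snort version, and a wrong oinkcode or version returns an HTML error page that tar then chokes on. The following POSIX sh helper is an added example, not code from the original post or from Snort.org; it derives the snapshot id from a version string, reads the oinkcode from an environment variable (SNORT_OINKCODE is a name chosen for this example) so the key does not land in shell history as a literal, and checks that what was downloaded is really a gzip archive before extracting it into /etc/snort/rules.

```shell
#!/bin/sh
# Added example (not part of the original post): build and fetch the
# registered-rules snapshot for a given Snort version.
# Assumptions: POSIX sh, wget, gzip and tar available; the oinkcode is
# supplied in the SNORT_OINKCODE environment variable (example name).

# Snort.org names the snapshot by the version digits with the dots removed:
# 2.9.6.2 -> 2962
snapshot_id() {
    printf '%s' "$1" | tr -d '.'
}

# Local file name wget should write to. Without an explicit -O, wget keeps the
# "?oinkcode=..." query string in the file name and tar cannot find the archive.
rules_file() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(snapshot_id "$1")"
}

# Build the download URL. The second argument overrides the environment
# variable (handy for tests); with neither set we refuse rather than request
# a URL that would only return an error page.
rules_url() {
    ver="$1"
    code="${2:-$SNORT_OINKCODE}"
    if [ -z "$code" ]; then
        echo "rules_url: oinkcode not set (export SNORT_OINKCODE)" >&2
        return 1
    fi
    printf 'https://www.snort.org/downloads/registered/snortrules-snapshot-%s.tar.gz?oinkcode=%s\n' \
        "$(snapshot_id "$ver")" "$code"
}

# Download and extract into the rules directory. gzip -t rejects the HTML
# error page Snort.org returns for a bad oinkcode or a non-existent snapshot,
# so a failed download never half-populates /etc/snort/rules.
fetch_rules() {
    ver="$1"
    dest="${2:-/etc/snort/rules}"
    url="$(rules_url "$ver")" || return 1
    file="$(rules_file "$ver")"
    wget -q -O "$file" "$url" || return 1
    if ! gzip -t "$file" 2>/dev/null; then
        echo "fetch_rules: $file is not a gzip archive; check oinkcode and version" >&2
        return 1
    fi
    tar -xzf "$file" -C "$dest"
}

# Usage on the box from the post, taking the version from the running binary
# so the snapshot number cannot drift from what is installed:
#   export SNORT_OINKCODE=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
#   ver=$(snort -V 2>&1 | sed -n 's/.*Version \([0-9.]*\).*/\1/p')
#   fetch_rules "$ver"
```

Because the oinkcode is a credential that grants rule downloads tied to your account, keeping it in an environment variable or a root-only file (rather than on the command line) is what the helper is designed around; the same pattern carries over to the PulledPork configuration later in this series.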
Modify the ownership of the Snort directories.
cd /etc/snort
chown -R snort:snort *