Snort (Intrusion Detection Utility) Installation in Centos 6


Definition

SNORT is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".

Snort's open source network-based intrusion detection system (NIDS) can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.

Before proceeding with the Snort installation you will need to install the required packages. Follow the steps below before installing Snort.

Pre-Installation

Make sure to have the latest version of  MySQL, HTTP, Development Tools and Development Libraries.

Install the necessary packages needed to run Snort successfully.

#yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++

Install libcap, libpcap and pcre with yum.

#yum install libcap*
#yum install libpcap*
#yum install pcre*

Install libdnet 1.12

#cd /
#mkdir snort_install
#cd snort_install
#wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
#tar -zxvf libdnet-1.12.tgz
#cd libdnet-1.12
#./configure
#make && make install

Install daq version 2.0.0

#cd /snort_install
#wget http://www.snort.org/downloads/2103
#tar -zxvf daq-2.0.0.tar.gz
#cd daq-2.0.0
#./configure
#make && make install

Install snort version 2.9.4

#cd /snort_install
#wget http://www.snort.org/downloads/2112
#tar -zxvf snort-2.9.4.tar.gz
#cd snort-2.9.4
#./configure
#make && make install

Post Installation Instruction

Prepare for rules installation

# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd /snort_install/snort-2.9.4/etc/
# cp * /etc/snort/

Register on the official Snort web site and download the rules snapshot to the /snort_install directory

#cd /snort_install
#tar -zxvf snortrules-snapshot-2940.tar.gz
#cd rules/
#cp * /etc/snort/rules
#cp ../so_rules/precompiled/Centos-5-4/i386/2.9.4.0/* /etc/snort/so_rules
#cp ../preproc_rules/* /etc/snort/preproc_rules/

Edit the /etc/snort/snort.conf file

1. Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules",
change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules",
change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
2. Comment out the whole "Reputation preprocessor" section, because we do not have a whitelist file yet
3. Find the "Configure output plugins" section and add the line "output unified2: filename snort.log, limit 128"
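As an added example that is not part of the original post, the following POSIX shell script applies the three snort.conf edits above with sed and then verifies that all of them are in place. It runs on a constructed miniature snort.conf (the stock file is much longer) so it can be exercised offline; on a real host call configure_snort_conf and verify_snort_conf on /etc/snort/snort.conf instead.

```shell
# Added example (not from the original post): apply the three snort.conf edits
# with sed, then verify them. Exercised below on a constructed miniature snort.conf.

# Constructed sample holding only the stock snort.conf lines the post edits.
write_sample_conf() {
  cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
# Configure output plugins
# output unified2: filename merged.log, limit 128, nostamp
EOF
}

configure_snort_conf() {
  conf="$1"
  [ -f "$conf.bak" ] || cp "$conf" "$conf.bak"   # keep the untouched file once
  # 1. point the three rule paths at /etc/snort
  sed -i -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
         -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
         -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' "$conf"
  # 2. comment out the reputation preprocessor: the directive line and every
  #    backslash-continued line, ending at the first line without a trailing backslash
  sed -i '/^preprocessor reputation:/,/[^\\]$/ s/^\([^#]\)/# \1/' "$conf"
  # 3. add the unified2 line barnyard2 reads, only if it is not already present (idempotent)
  grep -q '^output unified2: filename snort.log, limit 128$' "$conf" ||
    sed -i '/^# Configure output plugins/a output unified2: filename snort.log, limit 128' "$conf"
}

# Returns 0 only when all three edits are in place; run it before "snort -T".
verify_snort_conf() {
  conf="$1"
  grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" &&
  grep -q '^var SO_RULE_PATH /etc/snort/so_rules$' "$conf" &&
  grep -q '^var PREPROC_RULE_PATH /etc/snort/preproc_rules$' "$conf" &&
  ! grep -q '^preprocessor reputation:' "$conf" &&
  ! grep -q '^ *whitelist \$WHITE_LIST_PATH' "$conf" &&
  [ "$(grep -c '^output unified2:' "$conf")" -eq 1 ]
}

demo=$(mktemp); write_sample_conf "$demo"; configure_snort_conf "$demo"
verify_snort_conf "$demo" && echo "all snort.conf edits verified in $demo"
```

After editing the real file, snort -T -c /etc/snort/snort.conf parses the configuration and reports errors without starting the sensor.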

Install Barnyard 2

#cd /snort_install
#wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
#tar -zxvf barnyard2-1.9.tar.gz 
#cd barnyard2-1.9
#./configure 
#./configure --with-mysql-libraries=/usr/lib/mysql/
#make 
#make install
#cp etc/barnyard2.conf /etc/snort/
#mkdir /var/log/barnyard2
#chmod 666 /var/log/barnyard2
#touch /var/log/snort/barnyard2.waldo

Set up the MySQL Database

#echo "SET PASSWORD FOR root@localhost=PASSWORD('yourpassword');"| mysql -u root -p
#echo "create database snort;"| mysql -u root -p
#cd /snort_install/barnyard2-1.9
#mysql -u root -p -D snort < schemas/create_mysql
#echo "grant create, insert on root.* to snort@localhost;" | mysql -u root -p
#echo "SET PASSWORD FOR snort@localhost=PASSWORD('yourpassword');" | mysql -u root -p
#echo "grant create,insert,select,delete,update on snort.* to snort@localhost;" | mysql -u root -p

Edit the file /etc/snort/barnyard2.conf

change "config hostname: thor" to "config hostname: localhost"

change "config interface: eth0" to "config interface: eth1"

add the following line at the end of the file: "output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost"
Note: the device eth1 may vary depending on your system set-up. The example given above is a two-network-device (eth0, eth1) setup where Snort was applied to the second network device (eth1).
 

Test

#/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth1

If it prints "Initialization Complete", the configuration works.

Or execute Snort from the command line

#snort -c /etc/snort/snort.conf -l /var/log/snort/

If the test and the manual run work fine, proceed with the next step

Make Snort and Barnyard2 start automatically at boot

Edit the file /etc/rc.local and add the lines below (the interface must be brought up first, then Snort and Barnyard2 are started as daemons)

/sbin/ifconfig eth1 up
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth1

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

Restart to test the changes.

#init 6



8 thoughts on "Snort (Intrusion Detection Utility) Installation in Centos 6"

  1. bibi says:

    hey, I made a mistake at step [Setup MySQL Database]: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    I can't set a password for it, how can I fix it? Thanks!

  2. Ariel says:

    Hi, I am having the following problem when I am testing snort:

    pcap DAQ configured to passive.
    Acquiring network traffic from "eth1".
    Reload thread starting...
    Reload thread started, thread 0xa6a99b70 (3454)
    ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!
    Fatal Error, Quitting.

    Some help please!

    • Hi,
      Check what ethernet device you are using. I used eth1 since I am using 2 network cards, one was assigned eth0 and the second is eth1, and I applied Snort on the second network card. So in your case it depends what device alias was assigned by the system to your network card. Try running the command "ifconfig" on your CentOS command line to check it. Sorry about that. I will modify the blog post to avoid confusion.

  3. Mehdi says:

    I have this error when I execute the test at the end of the tutorial:

    ERROR: spo_unified2.c(321) Could not open /var/log/snort/snort.log.1382663621: Permission denied
    Fatal Error, Quitting..

    • Try changing the permission of the log file or check if the log directory exists. It should exist since it's part of the instructions in this blog post. If it does exist, check the ownership of the directory: the user "snort" and group "snort" should be the owner. In case you need to change the ownership, use the command below: "chown snort:snort /var/log/snort"

  4. NEENU says:

    Hey!
    Thanks a lot..!
    I was trying to install snort for 2 weeks..!!
    but all my efforts were in vain..:(
    your TUTORIAL is amazing;
    it helped me a lot.!
    and now I'm glad to tell you that JUST BECAUSE OF YOUR TUTORIAL I have finished installing, starting and testing snort :) :)
    THANKS A LOT! :)

  5. No problem! I am glad the post helped you.
