After the system comes back up, log in as root. The first step is to install the prerequisites for Snort. The following packages are required:
mysql-server
mysql-bench
mysql-devel
mysqlclient10
libpcap
libpcap-devel
pcre-devel
To make sure they are all installed execute the following:
# yum install mysql-server mysql-bench mysql-devel mysqlclient10 libpcap libpcap-devel pcre-devel
After the packages are installed, configure the mysql database by following these steps:
Start mysql server by executing:
# /etc/init.d/mysqld start
Set mysql root password by executing:
# mysqladmin -u root password 'password'
Download the latest tarball from snort. At the time of writing this article the latest version is 2.8.3.1 and the tarball is http://www.snort.org/dl/snort-2.8.3.1.tar.gz
You can use wget to download it into "/tmp" directory:
# cd /tmp
# wget http://www.snort.org/dl/snort-2.8.3.1.tar.gz
Next uncompress the tarball:
# tar xvzf snort-2.8.3.1.tar.gz
Change directory into the snort distributable:
# cd snort-2.8.3.1
Create user and group to be used by snort:
# groupadd snort
# useradd -g snort snort
Build snort:
# ./configure --with-mysql --prefix=/usr
# make all
# make install
Next we need to create the database where snort will log the events:
# mysql -p
Enter your mysql root password.
mysql> create database snort;
Configure database user for snort:
mysql> grant create, insert, select, delete, update on snort.* to snort@"localhost";
mysql> set password for snort@"localhost"=password('password');
mysql> exit
Now create mysql tables for snort:
# cd schemas
# mysql -p snort < create_mysql
Enter the mysql root password you set earlier.
Now you need to download the latest rules for snort. First you need to register with Snort and obtain a key. After getting the key you can download the rules from this URL: http://www.snort.org/pub-bin/oinkmaster.cgi/[your_key]/snortrules-snapshot-2.8.tar.gz
You can download the latest rules to /tmp directory using wget:
# cd /tmp
# wget http://www.snort.org/pub-bin/oinkmaster.cgi/[your_key]/snortrules-snapshot-2.8.tar.gz
Now uncompress the latest rules to /etc/snort directory:
# mkdir -p /etc/snort/rules
# cd /etc/snort
# tar xvzf /tmp/snortrules-snapshot-2.8.tar.gz
Move the content of etc to the current (snort) directory:
# mv etc/* .
# rmdir etc
Now configure snort.conf using your favorite editor. I will use "vi".
# vi snort.conf
Change the "HOME_NET" variable to your local area network, the network you wish to protect, such as:
var HOME_NET [192.168.0.0/24]
And change "EXTERNAL_NET" to include everything but the HOME_NET:
var EXTERNAL_NET !$HOME_NET
Change RULE_PATH to:
var RULE_PATH /etc/snort/rules
Remove the comment character from the last line of the file:
#include threshold.conf
This is the file where you will tune your ruleset.
Change all references from "/usr/local" to "/usr". For example:
dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
needs to be changed to:
dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
Finally add this line to the end of the file:
output database: log, mysql, user=snort password=password dbname=snort host=localhost
This line enables logging to mysql; use the password you set for the snort database user above.
Adjust other variables as needed.
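The snort.conf edits above are easy to get subtly wrong by hand (a leftover /usr/local path or a forgotten output line means no alerts in the database). The following script, added here as an example and not part of the original post, applies the same edits with sed to a copy of the file and then checks the result. The make_sample_conf function writes a constructed stand-in for the stock snort.conf containing only the lines the instructions touch; on a real sensor you would point configure_snort_conf at /etc/snort/snort.conf instead.

```shell
#!/bin/sh
# Added example, not part of the original post: applies the snort.conf edits
# described in the instructions with sed and verifies the result, so the
# change can be checked before the file is used by the sensor.
# make_sample_conf writes a constructed stand-in for the stock snort.conf; the
# real file has many more lines, but these are the ones the instructions edit.
set -eu

# Writes a small constructed sample of snort.conf to the path given.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
include $RULE_PATH/local.rules
# include threshold.conf
EOF
}

# configure_snort_conf FILE HOME_NET_CIDR
# Sets HOME_NET, EXTERNAL_NET and RULE_PATH, rewrites /usr/local/lib to
# /usr/lib, uncomments threshold.conf and appends the mysql output line.
# sed writes to a temp file that is renamed over FILE, so a failed sed run
# leaves the original untouched.
configure_snort_conf() {
    file="$1"
    home_net="$2"
    tmp="$file.tmp"
    sed -e "s|^var HOME_NET .*|var HOME_NET [$home_net]|" \
        -e 's|^var EXTERNAL_NET .*|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|/usr/local/lib/|/usr/lib/|g' \
        -e 's|^# *include threshold.conf$|include threshold.conf|' \
        "$file" > "$tmp" && mv "$tmp" "$file"
    # Append the database output line only once, so re-running is safe.
    if ! grep -q '^output database:' "$file"; then
        printf '%s\n' 'output database: log, mysql, user=snort password=password dbname=snort host=localhost' >> "$file"
    fi
}

# check_snort_conf FILE
# Returns 0 when every expected edit is present and no /usr/local path remains.
check_snort_conf() {
    f="$1"
    grep -q '^var HOME_NET \[.*\]$' "$f" || return 1
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$f" || return 1
    grep -q '^var RULE_PATH /etc/snort/rules$' "$f" || return 1
    grep -q '^include threshold.conf$' "$f" || return 1
    grep -q '^output database: log, mysql, ' "$f" || return 1
    if grep -q '/usr/local/' "$f"; then return 1; fi
    return 0
}

# Demo on a constructed copy; on a real sensor use /etc/snort/snort.conf.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/snort.conf"
configure_snort_conf "$demo_dir/snort.conf" 192.168.0.0/24
if check_snort_conf "$demo_dir/snort.conf"; then
    echo "snort.conf edits applied and verified:"
    cat "$demo_dir/snort.conf"
fi
rm -rf "$demo_dir"
```

The check function is the useful half: run it against the real file after editing, and again after any rules update that ships a new snort.conf, since a replaced file silently reverts the /usr/local paths and the output line.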
Snort is all ready to go. Now we need to configure the startup scripts for mysql and snort.
In order to start mysql during bootup run the following:
# chkconfig --level 345 mysqld on
The procedure is more complicated for snort, as we need to adjust the startup scripts by hand. First we will copy the sysconfig and startup scripts from the snort distribution:
# cd /tmp/snort-2.8.3.1
# cd rpm
# cp snortd /etc/init.d/
# cp snort.sysconfig /etc/sysconfig/snort
Make snortd executable:
# chmod 755 /etc/init.d/snortd
Edit snort startup file:
# vi /etc/init.d/snortd
Change all references from "/sbin/snort" to "/bin/snort".
Edit snort sysconfig file:
# vi /etc/sysconfig/snort
Change variable "INTERFACE" to the interfaces that will be used for packet capture.
Save the file.
Now you need to create the directory where Snort will store its log files:
# mkdir -p /var/log/snort
# chown snort:snort /var/log/snort
As the last step you should make snort start automatically at boot:
# chkconfig --add snortd
# chkconfig --level 345 snortd on
Reboot the system. When the system comes back up you should have a working Snort sensor. Alerts will be logged to the "/var/log/snort/alert" file as well as to the mysql database. The mysql database is where BASE will get its alerts from.
Use the /etc/snort/threshold.conf file to tune false positives. Instructions on how to accomplish this task can be found within the file itself.
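Because the post leaves the threshold.conf syntax to the comments in the file, here is an added example (not from the original post) of the two entry types Snort 2.8 reads from it: "suppress", which drops alerts for one signature either everywhere or only for a given host, and "threshold" with type limit, which caps how often a signature may alert per source address. The helper functions, and the gen_id, sig_id and address values in the demo, are constructed for this example and are not taken from any real false positive.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that append tuning
# entries to a threshold.conf in the two forms Snort 2.8 accepts.
# Function names and the gen_id/sig_id/IP values in the demo are constructed.
set -eu

# Internal: fail unless every argument is a non-empty string of digits.
require_numeric() {
    for v in "$@"; do
        case "$v" in
            ''|*[!0-9]*) echo "expected a number, got '$v'" >&2; return 1 ;;
        esac
    done
}

# snort_suppress FILE GEN_ID SIG_ID [by_src|by_dst IP]
# With three arguments the signature is silenced everywhere; with five it is
# silenced only when IP is the source (by_src) or destination (by_dst).
snort_suppress() {
    file="$1"; gen_id="$2"; sig_id="$3"
    require_numeric "$gen_id" "$sig_id" || return 1
    if [ $# -eq 3 ]; then
        printf 'suppress gen_id %s, sig_id %s\n' "$gen_id" "$sig_id" >> "$file"
    elif [ $# -eq 5 ]; then
        case "$4" in
            by_src|by_dst) ;;
            *) echo "track must be by_src or by_dst, got '$4'" >&2; return 1 ;;
        esac
        printf 'suppress gen_id %s, sig_id %s, track %s, ip %s\n' \
            "$gen_id" "$sig_id" "$4" "$5" >> "$file"
    else
        echo "usage: snort_suppress FILE GEN_ID SIG_ID [by_src|by_dst IP]" >&2
        return 1
    fi
}

# snort_limit FILE GEN_ID SIG_ID COUNT SECONDS
# Keeps the first COUNT alerts per source address in each SECONDS window and
# drops the rest: a noisy rule stays visible without flooding the database.
snort_limit() {
    file="$1"; gen_id="$2"; sig_id="$3"; count="$4"; seconds="$5"
    require_numeric "$gen_id" "$sig_id" "$count" "$seconds" || return 1
    printf 'threshold gen_id %s, sig_id %s, type limit, track by_src, count %s, seconds %s\n' \
        "$gen_id" "$sig_id" "$count" "$seconds" >> "$file"
}

# count_entries FILE KEYWORD: number of lines in FILE starting with KEYWORD.
count_entries() {
    grep -c "^$2 " "$1" || true
}

# Demo on a scratch file; on the sensor the target is /etc/snort/threshold.conf.
demo=$(mktemp)
snort_suppress "$demo" 1 2003 by_src 192.168.0.10   # constructed: one host's known-benign traffic
snort_suppress "$demo" 1 1852                       # constructed: signature silenced entirely
snort_limit    "$demo" 1 2925 1 60                  # constructed: one alert per source per minute
cat "$demo"
rm -f "$demo"
```

Prefer the host-scoped suppress and the limit form over a blanket suppress: both keep the signature in play for every other source, so a real event from an unexpected host is still recorded. Snort only reads threshold.conf at startup, so restart snortd after editing it.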