What is Snort
As described on its site:
This is a really powerful
Prerequisites:
- any CentOS 6.x, fully updated
- root access (in this document all commands are executed as root)
- the EPEL repository enabled
1 – install all the packages you need
2 – get the latest sources
go to www.snort.org and check the latest version available for download
in our case:
daq-2.0.6-1
snort-2.9.7.6-1
wget https://www.snort.org/downloads/snort/daq-2.0.6-1.src.rpm
wget https://www.snort.org/downloads/snort/snort-2.9.7.6-1.src.rpm
3 – Compile daq
Rebuild the source RPM with rpmbuild; the binary package lands under ./rpmbuild/RPMS/<arch>/ and is installed with rpm:
rpm -Uvh ./rpmbuild/RPMS/x86_64/daq-2.0.6-1.x86_64.rpm
(NB: on an i686 box, like my home firewall, the path is slightly different: ./rpmbuild/RPMS/i686/daq-2.0.6-1.i686.rpm)
4 – Compile Snort
Before compiling Snort we change the spec file a little, so the build enables more features (zlib-compressed streams, IPv6, the normalizer, the control socket).
Unpack the source RPM into ~/rpmbuild and open the spec file:
vi ./rpmbuild/SPECS/snort.spec
around line 133 add the --enable-* lines to the configure options (in the original post the added lines were shown in red; options the spec already has stay as they are). The closing double quote ends the quoted configure string the spec already has and must stay on the last line:
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/snort \
--with-libpcap-includes=%{_includedir} \
--enable-targetbased \
--enable-zlib \
--enable-ipv6 \
--enable-normalizer \
--enable-sourcefire \
--enable-control-socket"
save, rebuild the package with rpmbuild and install the result:
rpm -Uvh /root/rpmbuild/RPMS/x86_64/snort-2.9.7.6-1.x86_64.rpm
DONE!! Compiled and installed
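Steps 1 to 4 as one script, an added example that is not part of the original post. It rebuilds the DAQ and Snort source RPMs with rpmbuild and inserts the --enable-* options into snort.spec without editing by hand. Assumed, not taken from the post: the build dependency list in install_build_deps, that rpmbuild uses ~/rpmbuild as its top directory (the EL6 default), and the empty checksum variables, which you fill in from the snort.org download page (the post gives no checksums).

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-4 as one script,
# rebuilding the DAQ and Snort source RPMs on CentOS 6 with the extra
# ./configure flags the post adds to snort.spec.
# Assumptions: the src.rpm names and URLs quoted in the post; rpmbuild comes
# from the rpm-build package; the -devel list below is what the two spec files
# need (an assumption; rpmbuild --rebuild reports anything still missing).
set -eu

BASE=https://www.snort.org/downloads/snort
DAQ=daq-2.0.6-1
SNORT=snort-2.9.7.6-1
ARCH=$(uname -m)               # x86_64 or i686: picks the RPMS/<arch>/ directory
TOP=${HOME:-/root}/rpmbuild    # rpmbuild's default %_topdir on EL6
# Not in the post: copy the checksums from the snort.org download page before
# trusting a build. Verification is skipped while they are empty.
DAQ_SHA256=""
SNORT_SHA256=""

# Step 1: build tooling and the development libraries the specs compile against.
install_build_deps() {
    yum -y install rpm-build gcc make flex bison zlib-devel libpcap-devel \
        pcre-devel libdnet-devel
}

# Add the --enable-* options from step 4 to a snort.spec, right after its
# --with-libpcap-includes line, keeping that line's indentation. Options the
# spec already has are skipped, so running this twice does not duplicate them.
add_configure_flags() {
    spec=$1 missing=""
    for flag in --enable-targetbased --enable-zlib --enable-ipv6 \
                --enable-normalizer --enable-sourcefire --enable-control-socket; do
        grep -q -- "$flag" "$spec" || missing="$missing $flag"
    done
    [ -n "$missing" ] || return 0
    awk -v flags="$missing" '
        { print }
        /--with-libpcap-includes=/ {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) print indent f[i] " \\"
        }' "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

verify() {   # verify FILE SHA256: no-op while the expected sum is empty
    [ -z "$2" ] || echo "$2  $1" | sha256sum -c -
}

build_and_install() {
    install_build_deps
    cd "${HOME:-/root}"
    for pkg in $DAQ $SNORT; do            # step 2
        [ -f "$pkg.src.rpm" ] || wget "$BASE/$pkg.src.rpm"
    done
    verify "$DAQ.src.rpm" "$DAQ_SHA256"
    verify "$SNORT.src.rpm" "$SNORT_SHA256"
    # Step 3: DAQ first, Snort links against it.
    rpmbuild --rebuild "$DAQ.src.rpm"
    rpm -Uvh "$TOP/RPMS/$ARCH/$DAQ.$ARCH.rpm"
    # Step 4: unpack the Snort src.rpm into $TOP, patch the spec, build, install.
    rpm -ivh "$SNORT.src.rpm"
    add_configure_flags "$TOP/SPECS/snort.spec"
    rpmbuild -ba "$TOP/SPECS/snort.spec"
    rpm -Uvh "$TOP/RPMS/$ARCH/$SNORT.$ARCH.rpm"
}

# Only the explicit "run" argument touches the system.
if [ "${1:-}" = run ]; then
    build_and_install
fi
```

Save it as, say, build-snort.sh (a name chosen here) and run it as root with ./build-snort.sh run; without the argument it only defines the functions. add_configure_flags is the part worth keeping: it checks for each option before inserting it, so rerunning the script after a failed build does not leave duplicate flags in the spec.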
5 – Configuration
Snort is driven by rules that need regular updates. Let's do the first setup.
Complete rule sets are released to registered users, so go to www.snort.org, register, confirm your email and download the Snort rules.
There is also a paid subscription: subscribers get new rules as soon as they are released, registered users get the same rules 30 days later.
The last rules I downloaded are snortrules-snapshot-2976.tar.gz, which I moved to /root. The snapshot number must match the Snort version you built (2976 = 2.9.7.6), because the shared-object rules in so_rules are compiled per Snort version.
mkdir -p /root/snortrules
cd /root/snortrules
tar -xvf ../snortrules-snapshot-2976.tar.gz
mv -f rules so_rules preproc_rules /etc/snort/
# first install only: skip this when updating the rules
mv -f * /etc/snort/
Now edit /etc/snort/snort.conf
# line 45: ipvar HOME_NET, change to your own local network
# line 48: ipvar EXTERNAL_NET, change (see the note on HOME_NET/EXTERNAL_NET below)
# line 105: the rule paths
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# line 113: change
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# in the dynamic part (check that these paths exist on your box)
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-2.9.7.6_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/lib64/snort-2.9.7.6_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
IMPORTANT: the default HOME_NET any is very wide and generates false positives. For long-term monitoring set HOME_NET to your own network, so Snort watches for attacks OUT -> IN (from EXTERNAL_NET into HOME_NET).
If instead you also want to catch malicious software that is already inside, it is better to leave the default:
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
Then tell Snort which network card to monitor. This is the INTERFACE setting in /etc/sysconfig/snort, the file read by the init script the RPM installs. Possible values are All or the name of the card(s); several names go in quotation marks: "eth0, eth1"
# line 15: change to the interface for monitoring (use your external interface)
ATTENTION: take the interface name exactly as ifconfig prints it
Give the snort user the directory for the dynamic rules, and create the (initially empty) list files the reputation preprocessor reads from WHITE_LIST_PATH and BLACK_LIST_PATH:
chown snort. /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
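The step-5 edits as a script, an added example and not code from the original post. It moves only the rule directories from the snapshot into /etc/snort (so the tarball's etc/ copy of snort.conf never lands next to the edited one), rewrites the ipvar/var lines, checks that every dynamic* path named in the file exists, and runs snort -T, Snort's configuration self-test, before the daemon is started. Assumptions not in the post: the RPM's init script is called snortd, the monitored interface is eth0, and 192.168.1.0/24 is just an example HOME_NET.

```shell
#!/bin/sh
# Added example, not code from the original post: the step-5 configuration
# done from the shell, with a check of the result before the daemon starts.
# Assumptions (not in the post): the init script name snortd, interface eth0,
# and the network 192.168.1.0/24 used as the example HOME_NET.
set -eu

CONF=/etc/snort/snort.conf
SNAPSHOT=/root/snortrules-snapshot-2976.tar.gz

# set_var FILE ipvar|var NAME VALUE: rewrite the line "KIND NAME ..." in a
# snort.conf. Fails if NAME is not defined there, so a typo in the name cannot
# silently leave the default "any" in place.
set_var() {
    conf=$1 kind=$2 name=$3 value=$4
    grep -q "^$kind $name " "$conf" || { echo "no '$kind $name' in $conf" >&2; return 1; }
    awk -v k="$kind" -v n="$name" -v v="$value" '
        $1 == k && $2 == n { print k " " n " " v; next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_dynamic_paths FILE: every dynamicpreprocessor / dynamicengine /
# dynamicdetection path named in the file must exist ("check your path").
check_dynamic_paths() {
    bad=0
    for p in $(awk '$1 ~ /^dynamic(preprocessor|engine|detection)$/ { print $NF }' "$1"); do
        [ -e "$p" ] || { echo "missing: $p" >&2; bad=1; }
    done
    return $bad
}

# Unpack the snapshot in a scratch directory and move only the three rule
# directories into /etc/snort, on first install and on every update alike.
install_rules() {
    stage=$(mktemp -d)
    tar -xzf "$SNAPSHOT" -C "$stage"
    for d in rules so_rules preproc_rules; do
        [ -d "$stage/$d" ] || { echo "$d missing from $SNAPSHOT" >&2; return 1; }
        rm -rf "/etc/snort/$d"
        mv "$stage/$d" /etc/snort/
    done
    rm -rf "$stage"
    # Files the reputation preprocessor reads; they must exist even if empty.
    touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
    chown snort. /usr/local/lib/snort_dynamicrules
}

configure() {   # configure HOME_NET_CIDR
    set_var "$CONF" ipvar HOME_NET "$1"
    set_var "$CONF" ipvar EXTERNAL_NET any
    set_var "$CONF" var RULE_PATH /etc/snort/rules
    set_var "$CONF" var SO_RULE_PATH /etc/snort/so_rules
    set_var "$CONF" var PREPROC_RULE_PATH /etc/snort/preproc_rules
    set_var "$CONF" var WHITE_LIST_PATH /etc/snort/rules
    set_var "$CONF" var BLACK_LIST_PATH /etc/snort/rules
}

# snort -T parses the configuration and every rule file as the snort user,
# reports problems and exits: the cheapest way to catch a wrong path or a
# broken rule before the service is started.
check_config() {   # check_config INTERFACE
    snort -T -c "$CONF" -i "$1" -u snort -g snort
}

if [ "${1:-}" = run ]; then
    install_rules
    configure "${2:-192.168.1.0/24}"
    check_dynamic_paths "$CONF"
    check_config eth0
    service snortd start
    chkconfig snortd on
fi
```

Run as root with ./configure-snort.sh run 192.168.1.0/24 (file name and network are placeholders); without the "run" argument the script only defines the functions. set_var refuses to add a variable that is not already in the file, which is the failure mode you want when a line number in the post no longer matches your snort.conf.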
6 – start Snort
7 – what to see and where
Snort writes its alerts to
/var/log/snort/eth0/alert.log
(one directory per monitored interface). There you will find problems like
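A first way to read that file, added here as an example and not part of the original post: group the fast-format alert lines by signature and source address so the noisiest pairs come first. The three lines in sample_alerts are constructed test input in Snort's fast alert format (what the init script writes with ALERTMODE=fast); the sid/message pairs are those of two well-known GPL/community rules, the addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: summarize a fast-format
# alert log by (sid, source address, message), most frequent first.
# sample_alerts holds constructed input: real rule sids/messages, made-up hosts.
set -eu

sample_alerts() {
    cat <<'EOF'
03/12-14:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234
03/12-14:22:03.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51235
03/12-14:25:40.000001  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.20:1900 -> 239.255.255.250:1900
EOF
}

# summarize_alerts [FILE]: prints "count<TAB>gid:sid:rev<TAB>src<TAB>message",
# most frequent first; reads stdin when no file is given.
# Fields are split on "[" and "]": $4 is gid:sid:rev, $5 the message and
# $NF the "{proto} src:port -> dst:port" tail. An IPv6 source would need a
# split on the last ":" instead of the first (not handled here).
summarize_alerts() {
    awk -F'[][]' '
        {
            sid = $4
            msg = $5; sub(/^ +/, "", msg); sub(/ +$/, "", msg)
            tail = $NF; sub(/^.*} /, "", tail)     # "src:port -> dst:port"
            split(tail, ep, " -> "); split(ep[1], src, ":")
            key = sid "\t" src[1] "\t" msg
            count[key]++
        }
        END { for (k in count) print count[k] "\t" k }' "$@" | sort -rn
}

# On the box from the post:  summarize_alerts /var/log/snort/eth0/alert.log | head
if [ "${1:-}" = demo ]; then
    sample_alerts | summarize_alerts
fi
```

On the sample input the first line is the pair that fired twice: a web server in HOME_NET returning "uid=0(root)" style output to an outside host, which is worth a look before the single UPnP discovery scan.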