CentOS 6
Sponsored Link

Snort - Install
2015/04/05
 
Install network based IDS ( Intrusion Detection System ) "Snort".
[1] Install required packages for builing Snort.
# install from EPEL

[root@dlp ~]#
yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
[2] Install Daq. Make sure the latest one and download it on following site.
⇒ https://www.snort.org/downloads
[root@dlp ~]#
wget https://www.snort.org/downloads/snort/daq-2.0.4.src.rpm
[root@dlp ~]#
rpmbuild --rebuild daq-2.0.4.src.rpm

[root@dlp ~]#
rpm -Uvh ./rpmbuild/RPMS/x86_64/daq-2.0.4-1.x86_64.rpm

Preparing...                ############################## [100%]
   1:daq                    ############################## [100%]
[3] Install Snort. Make sure the latest one and download it on the site above.
[root@dlp ~]#
wget https://www.snort.org/downloads/snort/snort-2.9.7.2-1.src.rpm
[root@dlp ~]#
rpm -Uvh snort-2.9.7.2-1.src.rpm

   1:snort                  ############################## [100%]
[root@dlp ~]#
vi ./rpmbuild/SPECS/snort.spec
SNORT_BASE_CONFIG="--prefix=%{_prefix} \
                   --bindir=%{_sbindir} \
                   --sysconfdir=%{_sysconfdir}/snort \
                   --with-libpcap-includes=%{_includedir} \
                   --enable-targetbased \
                   
# line 133: add

                   --enable-zlib \
                   --enable-ipv6 \
                   --enable-normalizer \
                   --enable-sourcefire \
                   --enable-control-socket"

[root@dlp ~]#
rpmbuild -bb ./rpmbuild/SPECS/snort.spec

[root@dlp ~]#
rpm -Uvh ./rpmbuild/RPMS/x86_64/snort-2.9.7.2-1.x86_64.rpm

Preparing...                ############################## [100%]
   1:snort                  ############################## [100%]
[4]
Register as a user on the site below to get rule file for Snort.
⇒ https://www.snort.org/users/sign_up
After registration, sign in the site below and download rule file [snortrules-snapshot-xxxx.tar.gz] and then, upload it to your server.
⇒ https://www.snort.org/users/sign_in
After uploading rule file, locate it like follows.
[root@dlp ~]#
tar zxvf snortrules-snapshot-2972.tar.gz

[root@dlp ~]#
mv rules so_rules preproc_rules /etc/snort/

mv: overwrite `/etc/snort/rules'? y
[5] Configure and start Snort.
[root@dlp ~]#
vi /etc/snort/snort.conf
# line 45: change to your own local network

ipvar HOME_NET
10.0.0.0/24
# line 48: change

ipvar EXTERNAL_NET
!$HOME_NET
# line 105: change

var SO_RULE_PATH
/etc/snort/so_rules

var PREPROC_RULE_PATH
/etc/snort/preproc_rules
# line 113: change

var WHITE_LIST_PATH
/etc/snort/rules

var BLACK_LIST_PATH
/etc/snort/rules
[root@dlp ~]#
vi /etc/sysconfig/snort
# line 15: change to the interface for monitoring (specify "ALL" if monitored all)

INTERFACE=
eth0
[root@dlp ~]#
mkdir /usr/local/lib/snort_dynamicrules

[root@dlp ~]#
chown snort. /usr/local/lib/snort_dynamicrules

[root@dlp ~]#
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

[root@dlp ~]#
/etc/rc.d/init.d/snortd start

Starting snort: Spawning daemon child...
My daemon child 12623 lives...
Daemon parent exiting (0)
[6] Add a test local rule to verify working.
[root@dlp ~]#
vi /etc/snort/rules/local.rules
# add follows to the end : monitor portscan

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
[root@dlp ~]#
/etc/rc.d/init.d/snortd restart

Starting snort: Spawning daemon child...
My daemon child 12623 lives...
Daemon parent exiting (0)
# logs are recorded if portscan is detected like follows

[root@dlp ~]#
cat /var/log/snort/alert

04/05-15:34:09.052709  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] 
                       [Priority: 2] {PROTO:255} 10.0.0.249 -> 10.0.0.30
 
Tweet