Snort - Install
2015/04/05 |
Install the network-based IDS (Intrusion Detection System) "Snort".
[1] | Install the required packages for building Snort. |
# install from EPEL [root@dlp ~]# yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
|
[2] | Install Daq. Check for the latest version and download it from the following site. ⇒ https://www.snort.org/downloads |
[root@dlp ~]#
[root@dlp ~]# wget https://www.snort.org/downloads/snort/daq-2.0.4.src.rpm rpmbuild --rebuild daq-2.0.4.src.rpm [root@dlp ~]# rpm -Uvh ./rpmbuild/RPMS/x86_64/daq-2.0.4-1.x86_64.rpm Preparing... ############################## [100%] 1:daq ############################## [100%] |
[3] | Install Snort. Check for the latest version and download it from the site above. |
[root@dlp ~]#
[root@dlp ~]# wget https://www.snort.org/downloads/snort/snort-2.9.7.2-1.src.rpm rpm -Uvh snort-2.9.7.2-1.src.rpm 1:snort ############################## [100%]
[root@dlp ~]#
vi ./rpmbuild/SPECS/snort.spec SNORT_BASE_CONFIG="--prefix=%{_prefix} \ --bindir=%{_sbindir} \ --sysconfdir=%{_sysconfdir}/snort \ --with-libpcap-includes=%{_includedir} \ --enable-targetbased \ # line 133: add --enable-zlib \ --enable-ipv6 \ --enable-normalizer \ --enable-sourcefire \ --enable-control-socket"[root@dlp ~]# rpmbuild -bb ./rpmbuild/SPECS/snort.spec [root@dlp ~]# rpm -Uvh ./rpmbuild/RPMS/x86_64/snort-2.9.7.2-1.x86_64.rpm Preparing... ############################## [100%] 1:snort ############################## [100%] |
[4] |
Register as a user on the site below to get the rule file for Snort.
⇒ https://www.snort.org/users/sign_up
After registration, sign in to the site below and download the rule file [snortrules-snapshot-xxxx.tar.gz],
then upload it to your server.
After uploading the rule file, place it as follows.
⇒ https://www.snort.org/users/sign_in |
[root@dlp ~]# tar zxvf snortrules-snapshot-2972.tar.gz [root@dlp ~]# mv rules so_rules preproc_rules /etc/snort/ mv: overwrite `/etc/snort/rules'? y |
[5] | Configure and start Snort. |
[root@dlp ~]#
vi /etc/snort/snort.conf # line 45: change to your own local network ipvar HOME_NET 10.0.0.0/24
# line 48: change ipvar EXTERNAL_NET !$HOME_NET
# line 105: change var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules
# line 113: change var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules
[root@dlp ~]#
vi /etc/sysconfig/snort # line 15: change to the interface to monitor (specify "ALL" to monitor all interfaces) INTERFACE= eth0
mkdir /usr/local/lib/snort_dynamicrules [root@dlp ~]# chown snort. /usr/local/lib/snort_dynamicrules [root@dlp ~]# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules [root@dlp ~]# /etc/rc.d/init.d/snortd start Starting snort: Spawning daemon child... My daemon child 12623 lives... Daemon parent exiting (0) |
[6] | Add a local test rule to verify that Snort is working. |
[root@dlp ~]#
vi /etc/snort/rules/local.rules # add the following at the end : monitor portscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
[root@dlp ~]#
/etc/rc.d/init.d/snortd restart Starting snort: Spawning daemon child... My daemon child 12623 lives... Daemon parent exiting (0) # if a portscan is detected, it is logged as follows [root@dlp ~]# cat /var/log/snort/alert 04/05-15:34:09.052709 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 10.0.0.249 -> 10.0.0.30 |