Posted by: kezhong | April 7, 2012

Install Snort 2.9.2.2 on CentOS 5.8 (X86_64)

Snort is a free lightweight network intrusion detection system(NIDS). The following steps are what I installed Snort 2.9.2.2 on my CentOS 5.8 server.

Install CentOS 5.8 (X86_64)
When I installed the operating system, I installed MySQL, HTTP, Development Tools and Development Libararies, and then update it the latest.

Install the necessary packages
# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++

Download snort and its dependent packages
# mkdir /root/snortinstall
# cd /root/snortinstall
# wget http://www.snort.org/downloads/1538
# wget http://www.snort.org/downloads/1525
# wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
# wget http://www.tcpdump.org/release/tcpdump-4.2.1.tar.gz
# wget http://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz/download
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

Install snort and its dependent packages
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tgz
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-2.9.2.2.tar.gz
# tar xvzf tcpdump-4.2.1.tar.gz

# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so.0
# rm libpcap.so.0.9
# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1
# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so

# cd /root/snortinstall/
# cd daq-0.6.2
# ./configure
# make
# make install

# cd ../pcre-8.30
# ./configure
# make
# make install

# cd ../libdnet-1.12
# ./configure
# make
# make install

# cd ../snort-2.9.2.2
# ./configure –with-mysql-libraries=/usr/lib64/mysql/ –enable-dynamicplugin –enable-zlib –enable-ipv6  –enable-sourcefire
# make
# make install

# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd etc/
# cp * /etc/snort/

Register on Snort official web site and download rules
# cd /root/snortinstall/
# tar xvzf snortrules-snapshot-2921.tar.gz
# cd rules/
# cp * /etc/snort/rules
# cp ../so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules
# cp ../preproc_rules/* /etc/snort/preproc_rules

Edit /etc/snort/snort.conf file
1.change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”, change “var SO_RULE_PATH ../so_rules” to “var SO_RULE_PATH /etc/snort/so_rules”, change “var PREPROC_RULE_PATH ../preproc_rules” to “var PREPROC_RULE_PATH /etc/snort/preproc_rules”
2. comment on the whole “Reputation preprocessor” section, because we haven’t whitelist file
3. find “Configure output plugins” section and add the line “output unified2: filename snort.log, limit 128”

Setup MySQL Database
# echo “SET PASSWORD FOR root@localhost=PASSWORD(‘yourpassword’);”|mysql -u root -p
# echo “create database snort;”|mysql -u root -p
# cd /root/snortinstall/
# cd snort-2.9.2.2
# mysql -u root -p -D snort < schemas/create_mysql
# echo “grant create, insert on root.* to snort@localhost”|mysql -u root -p
# echo “SET PASSWORD FOR snort@localhost=PASSWORD(‘yourpassword’);”|mysql -u root -p
# echo “grant create,insert,select,delete,update on snort.* to snort@localhost”|mysql -u root -p

Download and install ADODB and BASE
# yum -y install php-pear
# pear upgrade –force http://download.pear.php.net/package/PEAR-1.9.1.tgz
# pear install Numbers_Roman
# pear install channel://pear.php.net/Numbers_Words-0.16.2
# pear install Image_Color
# pear install channel://pear.php.net/Image_Canvas-0.3.2
# pear install channel://pear.php.net/Image_Graph-0.7.2
# cd /root/snortinstall/
# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.tgz/download
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
# cd /var/www
# tar xvzf /root/snortinstall/adodb511.tgz
# mv adodb5/ adodb/
# cd html/
# tar xvzf /root/snortinstall/base-1.4.5.tar.gz
# mv base-1.4.5/ base/
# cd base/
# cp base_conf.php.dist base_conf.php

Edit base_conf.php file, change parameters as below
$BASE_urlpath = ‘/base’;
$DBlib_path = ‘/var/www/adodb’;
$DBtype = ‘mysql’;
$alert_dbname   = ‘snort’;
$alert_host     = ‘localhost’;
$alert_port     = ”;
$alert_user     = ‘snort’;
$alert_password = ‘yourpassword’;

Create BASE AV
# service httpd restart
Launch the web browser, https://yourip/base, click on “Setup Page” and then click “Create BASE AV”

Secure the BASE
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords base

Edit the file /etc/httpd/conf/httpd.conf, and add the following lines
<Directory “/var/www/html/base”>
    AuthType Basic
    AuthName “SnortIDS”
    AuthUserFile /var/www/passwords/passwords
    Require user base
</Directory>

# touch /var/www/html/index.html
# service httpd restart

Install Barnyard2
# cd /root/snortinstall/
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
# tar xvzf barnyard2-1.8.tar.gz
# cd barnyard2-1.8
# ./configure –with-mysql-libraries=/usr/lib64/mysql/
# make
# make install
# cp etc/barnyard2.conf /etc/snort/
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo

Edit the file /etc/snort/barnyard2.conf,
change “config hostname:  thor” to “config hostname: localhost”
change “config interface: eth0” to “config interface:  eth2”
add the line at the end of file “output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost”
Note: my eth0 use to launch the BASE web page, my eth2(don’t set IP) is myricom 10ge card and use for snort

Test
# /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth2
If it prompts “Initialization Complete”, it proves to work.

Make Snort and Barnyard2 boot up automatically
Edit the file /etc/rc.local, add the below lines
/sbin/ifconfig eth2 up
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth2
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

Reboot and enjoy my pig to snort
# reboot

Reference
Install Snort 2.8.6 on CentOS 5.5
http://itmanager.blogs.com/notes/2011/04/how-to-install-snort-on-centos-56.html
http://ignoranceisfutile.com/node/18


Responses

  1. Thanks for this post. I’m receiving problems when doing the actual snort source configuration. When I try what you posted – ./configure –with-mysql-libraries=/usr/lib64/mysql/ –enable-dynamicplugin –enable-zlib –enable-ipv6 –enable-sourcefire
    I get this error: configure: error: invalid variable name: `–with-mysql-libraries’

    If I try with 2 dashes on the arguments, and use –with-mysql instead of –with-mysql-libraries, like this: ./configure –with-mysql=/usr/lib64/mysql/ –-enable-ipv6 -–enable-sourcefire

    But I get this error:
    configure: error: unrecognized option: `-–enable-dynamicplugin’

    • what is your os? btw, you can use ./configure -h to check what parameters you have.

  2. when I just use the –with-mysql tag, I also get an error with DAQ, despite running ./configure, make, make install for the DAQ source. I also see DAQ file references on the system.

    ./configure: line 15188: daq-modules-config: command not found
    checking for daq_load_modules in -ldaq_static… no

    ERROR! daq_static library not found, go get it from
    http://www.snort.org/.

    • Make sure you can execute this: daq-modules-config –static –libs if not add /usr/local/bin to your path

  3. Thanks guys. Running Centos 5.7 (Final).
    Running this was all I needed to get Snort configured:

    PATH=$PATH:/usr/local/bin

    I’m receive the errors below when trying to make Snort. Trying to look in to this now, but will take any ideas.

    /usr/bin/ld: skipping incompatible /usr/lib/mysql/libmysqlclient.so when searching for -lmysqlclient
    /usr/bin/ld: skipping incompatible /usr/lib/mysql/libmysqlclient.a when searching for -lmysqlclient
    /usr/bin/ld: cannot find -lmysqlclient

  4. Running this command fixed the above error:

    export LDFLAGS=-L/usr/lib64/mysql

  5. I have Snort running through a span port, monitoring an HTTP/S server. Now the trick is getting the decrypted SSL traffic to Snort to passively monitor. I have the private key I need. Trying to follow guides like this, http://resources.infosecinstitute.com/ssl-decryption/, but I’m encountering errors when trying to compile viewssld. Please let me know if anyone has experience with this.

  6. configure: error: invalid variable name: `–with-mysql-libraries’

    do like this , i havn’t setup for ipv6 but this will help you to configur snort. #–./configure –with-mysql-libraries=/usr/lib/mysql/ -enable-dynamicplugin-enable-zlib -enable-sourcefire

  7. the install failed at the mysql steps; I could not get mysql to start.
    I’ve had to install mysql-server AND edit /etc/my.cnf to change
    datadir=/var/lib/mysql ==> datadir=/var/lib/mysql/mysql
    Note that it is a fresh install of Centos 2.6.18-308.11.1.el5

  8. helllo,,been cracking my head with this for a while.
    i am at the
    Launch the web browser, https://yourip/base, click on “Setup Page” and then click “Create BASE AV”

    firstly, 443 is not working. i try 80 and i get an empty page and cant find any area/button to click setup page? any help, thanks.

  9. anything after 2.9.3 database plugins are deprecated, problems with using -with-mysql-libraries. please see snort.org for more info

  10. I keep getting this error at the bottom of /var/log/messages any help would be greatly appreciated, this is what i used to compile and received no errors during:
    ./configure –with-mysql-libraries=/usr/lib64/mysql/ -enable-dynamicplugin -enable-zlib -enable-sourcefire

    from /var/log/messages when starting with:
    /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
    /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

    Jan 15 08:56:41 dh128 barnyard2[29300]: –== Initializing Barnyard2 ==–
    Jan 15 08:56:41 dh128 barnyard2[29300]: Initializing Input Plugins!
    Jan 15 08:56:41 dh128 barnyard2[29300]: Initializing Output Plugins!
    Jan 15 08:56:41 dh128 barnyard2[29300]: Parsing config file “/etc/snort/barnyard2.conf”
    Jan 15 08:56:50 dh128 barnyard2[29300]: Log directory = /var/log/barnyard2
    Jan 15 08:56:50 dh128 barnyard2[29300]: database: ‘mysql’ support is not compiled into this build of snort
    Jan 15 08:56:50 dh128 barnyard2[29300]: FATAL ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary ‘mysql’ support. If this build of snort was compiled by you, then re-run the the ./configure script using the ‘–with-mysql’ switch. For non-standard installations of a database, the ‘–with-mysql=DIR’ syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.

    Any help would be appreciated thank you.

    • Chris,
      If your using the last current snort that you will get an error when configuring it:
      [root@test01 snort-2.9.4]# ./configure –with-mysql-libraries=/usr/lib64/mysql/ -enable-dynamicplugin -enable-zlib -enable-sourcefire
      configure: WARNING: unrecognized options: –with-mysql-libraries

      So remove the –with-mysql-libraries and go on.
      Barnyard2 is saying that mysql support it missing:
      Jan 15 08:56:50 dh128 barnyard2[29300]: database: ‘mysql’ support is not compiled into this build of snort
      So you have build (configure ***–with-msyql-li..***; make ; make install) barnyard without mysql support…

      Have a check on this and let us know.

  11. Thank a lot , for publishing this beautiful post but have a poblem

    Create BASE AV
    # service httpd restart
    Launch the web browser, https://yourip/base, click on “Setup Page” and then click “Create BASE AV”

    not able to see link of Base av

    but there was a link of setup pages and aome php files thas it

  12. Hi Kezhong,
    Thank you for the guide.

    What is the reason that you apply 666 to a /var/log/barnyard2?
    Thanks.

  13. Many thanks, Kezhong. Adding the path variable was the one thing I needed to get snort compiled. You just saved me many hours of head-banging!

    Cheers

    Steve


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: