Snort is a free, lightweight network intrusion detection system (NIDS). The following steps are how I installed Snort 2.9.2.2 on my CentOS 5.8 server.
Install CentOS 5.8 (X86_64)
When I installed the operating system, I selected the MySQL, HTTP, Development Tools and Development Libraries package groups, and then updated it to the latest packages.
Install the necessary packages
# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++
Download snort and its dependent packages
# mkdir /root/snortinstall
# cd /root/snortinstall
# wget http://www.snort.org/downloads/1538
# wget http://www.snort.org/downloads/1525
# wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
# wget http://www.tcpdump.org/release/tcpdump-4.2.1.tar.gz
# wget http://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz/download
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
Install snort and its dependent packages
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tgz
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-2.9.2.2.tar.gz
# tar xvzf tcpdump-4.2.1.tar.gz
# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so.0
# rm libpcap.so.0.9
# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1
# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so
# cd /root/snortinstall/
# cd daq-0.6.2
# ./configure
# make
# make install
# cd ../pcre-8.30
# ./configure
# make
# make install
# cd ../libdnet-1.12
# ./configure
# make
# make install
# cd ../snort-2.9.2.2
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-sourcefire
# make
# make install
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd etc/
# cp * /etc/snort/
Register on the Snort official web site and download the rules
# cd /root/snortinstall/
# tar xvzf snortrules-snapshot-2921.tar.gz
# cd rules/
# cp * /etc/snort/rules
# cp ../so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules
# cp ../preproc_rules/* /etc/snort/preproc_rules
Edit the /etc/snort/snort.conf file
1. Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules", change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules", and change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
2. Comment out the whole "Reputation preprocessor" section, because we don't have a whitelist file
3. Find the "Configure output plugins" section and add the line "output unified2: filename snort.log, limit 128"
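The three snort.conf edits above can be scripted and verified rather than done by hand. The following is an added example, not from the original post: it takes the path of the config file as an argument (run it on a copy first) and assumes the stock snort.conf layout from the snort-2.9.2.2 tarball, in which the reputation preprocessor's options are spread over several backslash-continued lines, so every continuation line has to be commented out too. The sample config excerpt written by write_sample_conf is constructed for trying the functions out.

```shell
#!/bin/sh
# Added example (not from the original post): apply the three snort.conf edits
# with sed/awk and check the result. Assumes the stock snort-2.9.2.2 layout.

# 1. Rewrite the relative rule paths to the absolute /etc/snort ones.
fix_rule_paths() {
    conf="$1"
    sed \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH \.\./so_rules$|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH \.\./preproc_rules$|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# 2. Comment out the reputation preprocessor. The directive continues across
#    lines ending in a backslash, so keep commenting until a line without one.
disable_reputation() {
    conf="$1"
    awk '
        /^preprocessor reputation:/ { inblock = 1 }
        inblock { print "#" $0; if ($0 !~ /\\[ \t]*$/) inblock = 0; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# 3. Add the unified2 output line once (idempotent) so barnyard2 has spool files to read.
add_unified2_output() {
    conf="$1"
    line='output unified2: filename snort.log, limit 128'
    grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Returns 0 only if all three edits are in place and no active reputation line remains.
verify_snort_conf() {
    conf="$1"
    grep -qx 'var RULE_PATH /etc/snort/rules' "$conf" || return 1
    grep -qx 'var SO_RULE_PATH /etc/snort/so_rules' "$conf" || return 1
    grep -qx 'var PREPROC_RULE_PATH /etc/snort/preproc_rules' "$conf" || return 1
    grep -qx 'output unified2: filename snort.log, limit 128' "$conf" || return 1
    if grep -q '^preprocessor reputation:' "$conf"; then return 1; fi
    if grep -q '^ *whitelist \$WHITE_LIST_PATH' "$conf"; then return 1; fi
    return 0
}

edit_snort_conf() {
    fix_rule_paths "$1" && disable_reputation "$1" && add_unified2_output "$1" && verify_snort_conf "$1"
}

# Constructed excerpt of a stock snort.conf, for trying the functions on a copy.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
EOF
}

# Usage on the real file, after backing it up:
#   cp /etc/snort/snort.conf /etc/snort/snort.conf.orig
#   edit_snort_conf /etc/snort/snort.conf && echo "snort.conf edited"
```

Running edit_snort_conf a second time changes nothing, so it is safe to re-run after a rules update; a non-zero exit means one of the expected lines is missing and the file should be inspected by hand.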
Setup MySQL Database
# echo "SET PASSWORD FOR root@localhost=PASSWORD('yourpassword');"|mysql -u root -p
# echo "create database snort;"|mysql -u root -p
# cd /root/snortinstall/
# cd snort-2.9.2.2
# mysql -u root -p -D snort < schemas/create_mysql
# echo "grant create, insert on root.* to snort@localhost"|mysql -u root -p
# echo "SET PASSWORD FOR snort@localhost=PASSWORD('yourpassword');"|mysql -u root -p
# echo "grant create,insert,select,delete,update on snort.* to snort@localhost"|mysql -u root -p
Download and install ADODB and BASE
# yum -y install php-pear
# pear upgrade --force http://download.pear.php.net/package/PEAR-1.9.1.tgz
# pear install Numbers_Roman
# pear install channel://pear.php.net/Numbers_Words-0.16.2
# pear install Image_Color
# pear install channel://pear.php.net/Image_Canvas-0.3.2
# pear install channel://pear.php.net/Image_Graph-0.7.2
# cd /root/snortinstall/
# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.tgz/download
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
# cd /var/www
# tar xvzf /root/snortinstall/adodb511.tgz
# mv adodb5/ adodb/
# cd html/
# tar xvzf /root/snortinstall/base-1.4.5.tar.gz
# mv base-1.4.5/ base/
# cd base/
# cp base_conf.php.dist base_conf.php
Edit the base_conf.php file and change the parameters as below
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/adodb';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'yourpassword';
Create BASE AV
# service httpd restart
Open https://yourip/base in a web browser, click "Setup Page" and then click "Create BASE AV"
Secure the BASE
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords base
Edit the file /etc/httpd/conf/httpd.conf, and add the following lines
<Directory "/var/www/html/base">
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user base
</Directory>
# touch /var/www/html/index.html
# service httpd restart
Install Barnyard2
# cd /root/snortinstall/
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
# tar xvzf barnyard2-1.8.tar.gz
# cd barnyard2-1.8
# ./configure --with-mysql-libraries=/usr/lib64/mysql/
# make
# make install
# cp etc/barnyard2.conf /etc/snort/
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
Edit the file /etc/snort/barnyard2.conf:
change "config hostname: thor" to "config hostname: localhost"
change "config interface: eth0" to "config interface: eth2"
add the line "output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost" at the end of the file
Note: my eth0 is used to serve the BASE web page; my eth2 (no IP address assigned) is a Myricom 10GbE card used for Snort.
Test
# /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth2
If it prints "Initialization Complete", Snort is working.
Make Snort and Barnyard2 boot up automatically
Edit the file /etc/rc.local and add the lines below
/sbin/ifconfig eth2 up
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth2
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
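The three rc.local lines above start the sensor unconditionally. The following is an added example, not from the original post: a small start script that checks the capture interface exists, runs Snort's configuration test mode (-T) with the same user, group and interface as the real run, and only then daemonizes Snort and Barnyard2, so a broken rules update does not leave the sensor silently down after a reboot. The binary, interface-up command and sysfs paths are variables (an assumption made so the script can be tried with stubs); their defaults match the post.

```shell
#!/bin/sh
# Added example (not from the original post): guarded start-up for snort and
# barnyard2, meant to replace the three unconditional lines in /etc/rc.local.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
BARNYARD_BIN=${BARNYARD_BIN:-/usr/local/bin/barnyard2}
IFUP_CMD=${IFUP_CMD:-/sbin/ifconfig}        # invoked as: $IFUP_CMD <iface> up
SYSFS_NET=${SYSFS_NET:-/sys/class/net}      # one directory per network interface
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
BY2_CONF=${BY2_CONF:-/etc/snort/barnyard2.conf}
LOG_DIR=${LOG_DIR:-/var/log/snort}
WALDO=${WALDO:-/var/log/snort/barnyard2.waldo}

# 0 if the capture interface exists on this host, 1 otherwise.
iface_present() {
    [ -d "$SYSFS_NET/$1" ]
}

# snort -T parses the config and every rule file and exits non-zero on any
# error; run it exactly as production would (same user, group, interface).
test_snort_config() {
    "$SNORT_BIN" -T -u snort -g snort -c "$SNORT_CONF" -i "$1" >/dev/null 2>&1
}

# Returns 0 when both daemons were launched; 1 = no such interface,
# 2 = config test failed, 3 = could not bring the interface up,
# 4 = snort failed to start, 5 = barnyard2 failed to start.
start_sensor() {
    iface="$1"
    iface_present "$iface" || { echo "start_sensor: interface $iface not found" >&2; return 1; }
    test_snort_config "$iface" || { echo "start_sensor: snort -T failed, not starting" >&2; return 2; }
    # The sniffing interface has no IP address, so nothing else brings it up.
    "$IFUP_CMD" "$iface" up || return 3
    # Make sure the barnyard2 bookmark file from the post exists.
    [ -f "$WALDO" ] || touch "$WALDO" || return 5
    "$SNORT_BIN" -D -u snort -g snort -c "$SNORT_CONF" -i "$iface" || return 4
    "$BARNYARD_BIN" -c "$BY2_CONF" -d "$LOG_DIR" -f snort.log -w "$WALDO" -D || return 5
}

# In /etc/rc.local, replace the three lines from the post with (path assumed):
#   . /usr/local/sbin/start_sensor.sh && start_sensor eth2
```

The exit codes are distinct so that whoever reads the boot log can tell a missing interface from a bad config; the -T run costs a few seconds at boot, which is cheap compared with a sensor that is down until someone notices.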
Reboot and enjoy the pig snorting
# reboot
Reference
Install Snort 2.8.6 on CentOS 5.5
http://itmanager.blogs.com/notes/2011/04/how-to-install-snort-on-centos-56.html
http://ignoranceisfutile.com/node/18