Snort is a powerful intrusion prevention/detection system. This is a three part series going through the installation of Snort, the auto updating of rule sets via Pulledpork, configuration of Barnyard2 which will process Snort’s output, and the installation of a web front end gui called Snorby to help analyze those alerts.
The configuration I have outlined will run Snort as an IDS thus only gathering information on traffic it can see. Snort is open source and is a product of Sourcefire. For $2.7 Billion, Sourcefire was acquired by Cisco in 2013.
We will be going over the installation of Snort version 18.104.22.168 on CentOS 6.5 Minimal. Prior to installing Snort it is important to have accurate time configured. Check the current date with the command:
We’re going to install some dependencies which will be needed going forward. Since we are also using CentOS minimal we will need to install a few applications.
Now let’s create a temporary directory to store some files we will be downloading.
Next we need to install more dependencies.
Use the rpm command to install the dependencies we just downloaded.
I’m downloading the rpm files from Snort.org
I recommend signing up on Snort.org to get the registered rules. You’ll receive something called an Oinkcode. The oinkcode acts as an api key for downloading rule packets from URLs provided by snort. Download and extract the Community Rules:
Download the registered rules. Be aware of which file you need. It depends on which version of Snort you’re running. In this case, I am running 22.214.171.124 so I am looking for the snort rules which contain the numbers 2962:
Paste your oincode after the = sign. Or you can download the xxx-2962.tar.gz directly from here. (Snort download)
Modify the ownership of the Snort directories.
Locate and Modify the snort.conf file
There are many changes to make here. You can download an example of my snort.conf file and modify it to your environment. Some of the values are as follows. Just search for them in your configuration file:
Modify the Output string under Step 6 of the snort.conf file:
Use this command to run Snort in test mode. It will tell you if there is anything wrong with running Snort.
Modify /etc/sysconfig/snort which holds variables for the startup file:
Here is an example of my /etc/sysconfig/snort file.
If the self-test runs successfully you can run Snort without the -T switch and replace it with a -D, for daemon. It will run Snort in the background. Once Snort is running and sniffing traffic, it should output to /var/log/snort.
The snort.log file will be in Unified2 format which means you can’t open it in Wireshark. Anything Snort thinks is bad will trigger an alert. All alerts go into a file called alert within /var/log/snort/. For now, you have Snort running and dumping logs into a directory. Next up in this series I will discuss auto updating your Snort rule sets usingPulledpork.
If you get this error:
Type in the following commands:
If you get this error:
* What is an oinkcode?
* Protect your network with Snort
* Wiki of installation guide for CentOS 6.3
* Installing PulledPork and Barnyard2 for Snort