Definition
SNORT is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS)[2] created by Martin Roesch in 1998.Snort is now developed by Sourcefire, of which Roesch is the founder and CTO.In 2009, Snort entered InfoWorld’s Open Source Hall of Fame as one of the “greatest [pieces of] open source software of all time”.
Snort’s open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.
Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.
Before proceeding with Snort installation you will need to install the required packages. Follow the steps to do prior to snort’s installation.
Pre-Installation
Make sure to have the latest version of MySQL, HTTP, Development Tools and Development Libraries.
Install the necessary packages needed to run snort successfully.
#yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++
Yum install libcap, libpcap and pcre
#yum install libcap* #yum install libpcap* #yum install pcre*
Install libdnet 1.12
#cd / #mkdir snort_install #cd snort_install #wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz #tar -zxvf libdnet-1.12.tgz #cd libdnet-1.12 #./configure #make && make install
Install daq version 2.0.0
#cd /snort_install #wget http://www.snort.org/downloads/2103 #tar -zxvf daq-2.0.0.tar.gz #cd daq-2.0.0 #./configure #make && make install
Install snort version 2.9.4
#cd /snort_install #wget http://www.snort.org/downloads/2112 #tar -zxvf snort-2.9.4.tar.gz #cd snort-2.9.4 #./configure #make && make install
Post Installation Instruction
prepare for rules installation
# groupadd snort # useradd -g snort snort -s /sbin/nologin # mkdir /etc/snort # mkdir /etc/snort/rules # mkdir /etc/snort/so_rules # mkdir /etc/snort/preproc_rules # mkdir /var/log/snort # chown snort:snort /var/log/snort # mkdir /usr/local/lib/snort_dynamicrules # cd /snort_install/snort-2.9.4/etc/ # cp * /etc/snort/
Register on Snort official web site and download rules to /snort_install directory
#cd /snort_install #tar -zxvf snortrules-snapshot-2940.tar.gz #cd rules/ #cp * /etc/snort/rules #cp ../so_rules/precompiled/Centos-5-4/i386/2.9.4.0/* /etc/snort/so_rules #cp ../preproc_rules/* /etc/snort/preproc_rules/
Edit /etc/snort/snort.conf file
1.change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”,
change “var SO_RULE_PATH ../so_rules” to “var SO_RULE_PATH /etc/snort/so_rules”,
change “var PREPROC_RULE_PATH ../preproc_rules” to “var PREPROC_RULE_PATH /etc/snort/preproc_rules”
2. comment on the whole “Reputation preprocessor” section, because we haven’t whitelist file
3. find “Configure output plugins” section and add the line “output unified2: filename snort.log, limit 128″
Install Barnyard 2
#cd /snort_install #wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz #tar -zxvf barnyard2-1.9.tar.gz #cd barnyard2-1.9 #./configure #./configure --with-mysql-libraries=/usr/lib/mysql/ #make #make install #cp etc/barnyard2.conf /etc/snort/ #mkdir /var/log/barnyard2 #chmod 666 /var/log/barnyard2 #touch /var/log/snort/barnyard2.waldo
Setup MySQL Database
#echo "SET PASSWORD FOR root@localhost=PASSWORD('yourpassword');"| mysql -u root -p
#echo "create database snort;"| mysql -u root -p
#cd /snort_install/barnyard2-1.9
#mysql -u root -p -D snort < schemas/create_mysql
#echo "grant create, insert on root.* to snort@localhost;" | mysql -u root -p
#echo "SET PASSWORD FOR snort@localhost=PASSWORD('yourpassword');" | mysql -u root -p
#echo "grant create,insert,select,delete,update on snort.* to snort@localhost" | mysql -u root -p
Edit the file /etc/snort/barnyard2.conf
change “config hostname: thor” to “config hostname: localhost”
change “config interface: eth0″ to “config interface: eth1″
add the line at the end of file “output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost”
Test
#/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth1
If it prompts “Initialization Complete”, it proves to work.
or Execute snort from command line
#snort -c /etc/snort/snort.conf -l /var/log/snort/
If testing and manual run working perfectly fine proceed with the next step
Make Snort and Barnyard2 boot up automatically
Edit the file /etc/rc.local, add the below lines
/sbin/ifconfig eth1 up /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth1
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort /barnyard2.waldo -D
Restart to test changes.
#init 6
References:
http://en.wikipedia.org/wiki/Snort_%28software%29
