Installing snort on CentOS
From Notes_Wiki
These steps install snort on CentOS 5.5 or later.
They were verified on CentOS-5.5 with snort-2.9.0.5, libpcap-1.1.1 and daq-0.5.
- chkconfig mysqld on
- chkconfig httpd on
- service mysqld start
- service httpd start
- Configure yum
- Use 'yum -y install libnet libpcap libpcap-devel mysql-devel postgresql-devel unixODBC unixODBC-devel iptables-devel libdnet libdnet-devel'
- Download latest libpcap source code from official website (http://www.tcpdump.org/#latest-release)
- configure it using './configure --libdir=/usr/lib64'
- make and make install
- Download latest snort and daq source code from official snort website. ( http://www.snort.org/snort-downloads/ )
- configure daq using './configure --libdir=/usr/lib64'
- make and make install daq.
- export LDFLAGS='-L/usr/lib64/mysql -L/usr/lib64'
- Configure snort using
- ./configure --with-mysql --with-postgresql --with-odbc --enable-dynamicplugin --enable-inline-init-failopen --enable-64bit-gcc --enable-ipv6 --enable-zlib --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-linux-smp-stats --enable-pthread --enable-active-response --enable-normalizer --enable-reload --enable-react
- If you change the configure options after having already run make, run 'make clean' first to remove the old binaries and libraries, so that the new configure options take effect on the next make.
- make
- make install
- groupadd snort
- useradd -gsnort -s/sbin/nologin snort
- mkdir -p /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
- cd etc/ (note: this is not /etc; it is the etc directory under the snort source tree)
- cp * /etc/snort
- touch /etc/snort/rules/{white,black}_list.rules
- chown -R snort:snort /etc/snort/ /var/log/snort /usr/local/lib/snort_dynamicrules
- Edit /etc/snort/snort.conf and change these lines to something like the following:
- var HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
- var EXTERNAL_NET any
- var RULE_PATH rules
- var SO_RULE_PATH so_rules
- var PREPROC_RULE_PATH preproc_rules
- var WHITE_LIST_PATH rules
- var BLACK_LIST_PATH rules
- Use 'cp snort_init.sh /etc/init.d/snort'. You can use the init script from 2011-05-10-snort_init.txt after removing its first two lines.
- (A sample snort_init.sh script is available at http://internetsecurityguru.com/snortinit/snort. After saving the page as snort_init.sh you will have to remove the HTML tags from the first and last few lines. Also replace every &amp; with & using '%s/&amp;/\&/gc' in vim.)
- Edit '/etc/init.d/snort' and set the correct interface for snort to listen on
- chmod +x /etc/init.d/snort
- chkconfig --add snort
- chkconfig snort on
- Try 'service snort start'. Use 'tail -50 /var/log/messages' to see what went wrong and comment out the offending lines. For example, the following lines may need commenting out:
- All lines of the form 'include $RULE_PATH/(.*)\.rules'. You can use a vim substitution such as '396,448s/^/\#/gc' to comment out a contiguous range of rule lines (the line numbers are from this snort.conf; adjust them to match your file).
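The snort.conf edits from the steps above (the var lines and commenting out every rule include) done with sed instead of by hand, as an added example that is not part of the original page. It assumes GNU sed -i as shipped on CentOS and works on a constructed snort.conf fragment, not the real distributed file.

```shell
#!/bin/sh

# Write a constructed snort.conf fragment (not the real distributed file)
# to the path in $1, with the stock-style values the steps above replace.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# $1 = snort.conf path, $2 = HOME_NET value. Rewrites the var lines and
# prefixes every rule include with '#' (pattern-based equivalent of the
# vim range substitution in the troubleshooting step).
configure_snort_conf() {
    sed -i \
        -e "s|^var HOME_NET .*|var HOME_NET $2|" \
        -e 's|^var EXTERNAL_NET .*|var EXTERNAL_NET any|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH rules|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH rules|' \
        -e 's|^include \$RULE_PATH/.*\.rules|#&|' \
        "$1"
}

# Print the value of 'var $2' from snort.conf $1.
conf_var() {
    sed -n "s|^var $2 ||p" "$1"
}

# Print how many 'include $RULE_PATH/...' lines are still uncommented;
# grep exits 1 on a zero count, so mask that for callers using set -e.
active_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

demo=$(mktemp)
make_sample_conf "$demo"
configure_snort_conf "$demo" '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]'
echo "HOME_NET=$(conf_var "$demo" HOME_NET) active_includes=$(active_rule_includes "$demo")"
rm -f "$demo"
```

Run it against a copy of /etc/snort/snort.conf first and diff the result before touching the live file.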
Troubleshooting
Testing libpcap version
If daq reports an error about the libpcap version, the libpcap version installed on the current system can be checked with the following program:
    #include <pcap/pcap.h>
    #include <stdio.h>

    int main(void)
    {
        /* pcap_lib_version() returns the version string of the libpcap the binary was linked against */
        printf("%s\n", pcap_lib_version());
        return 0;
    }
To check the default libpcap version, compile it using 'gcc -lpcap <source_file.c>' and run the resulting binary.