Installing snort on CentOS

From Notes_Wiki
Revision as of 13:06, 9 November 2012 by Saurabh (page created)

One can use these steps to install snort on CentOS 5.5 or later

The following steps work on CentOS-5.5 with snort-2.9.0.5, libpcap-1.1.1 and daq-0.5 perfectly.

  1. chkconfig mysqld on
  2. chkconfig httpd on
  3. service mysqld start
  4. service httpd start
  5. Configure yum
  6. Use 'yum -y install libnet libpcap libpcap-devel mysql-devel postgresql-devel unixODBC unixODBC-devel iptables-devel libdnet libdnet-devel'
  7. Download latest libpcap source code from official website (http://www.tcpdump.org/#latest-release)
  8. configure it using './configure --libdir=/usr/lib64'
  9. make and make install
  10. Download latest snort and daq source code from official snort website. ( http://www.snort.org/snort-downloads/ )
  11. configure daq using './configure --libdir=/usr/lib64'
  12. make and make install daq.
  13. export LDFLAGS='-L/usr/lib64/mysql -L/usr/lib64'
  14. Configure using
    ./configure --with-mysql --with-postgresql --with-odbc --enable-dynamicplugin --enable-inline-init-failopen --enable-64bit-gcc --enable-ipv6 --enable-zlib --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-linux-smp-stats --enable-pthread --enable-active-response --enable-normalizer --enable-reload --enable-react
  15. If you have made changes to configure options after running make earlier then use 'make clean' to remove old binaries and libraries so that new configure options take effect during next call to make.
  16. make
  17. make install
  18. groupadd snort
  19. useradd -gsnort -s/sbin/nologin snort
  20. mkdir -p /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
  21. cd etc/ (note: this is not /etc; it is the etc directory under the snort source tree)
  22. cp * /etc/snort
  23. touch /etc/snort/rules/{white,black}_list.rules
  24. chown -R snort:snort /etc/snort/ /var/log/snort /usr/local/lib/snort_dynamicrules
  25. Edit file /etc/snort/snort.conf. Change lines to something like this
    var HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
    var EXTERNAL_NET any
    var RULE_PATH rules
    var SO_RULE_PATH so_rules
    var PREPROC_RULE_PATH preproc_rules
    var WHITE_LIST_PATH rules
    var BLACK_LIST_PATH rules
  26. Use 'cp snort_init.sh /etc/init.d/snort'. You can use the init script from 2011-05-10-snort_init.txt after removing its first two lines.
    (A sample snort_init.sh script is available at http://internetsecurityguru.com/snortinit/snort. After saving that page as snort_init.sh you will have to remove the HTML tags from the first and last few lines, and replace every &amp; with & using '%s/&amp;/\&/gc' in vim.)
  27. Edit '/etc/init.d/snort' and configure correct interface to be used by snort
  28. chmod +x /etc/init.d/snort
  29. chkconfig --add snort
  30. chkconfig snort on
  31. Try 'service snort start'. If it fails, use 'tail -50 /var/log/messages' to see what went wrong and comment out the offending lines in /etc/snort/snort.conf. For example, the following lines may need to be commented out:
    1. All 'include $RULE_PATH/(.*)\.rules' lines whose rule files are not present in /etc/snort/rules. You can use a vim range substitution such as '396,448s/^/\#/gc' to comment out a contiguous block of include lines.
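Step 31 comments out the include lines by hand. As an added example that is not part of the original page, the POSIX shell script below reads RULE_PATH from snort.conf, reports only the '$RULE_PATH' includes whose rule file is missing, and writes a copy of the conf with just those lines commented out. It assumes the layout of steps 20 to 25 (rule files under the directory that holds snort.conf, and a relative RULE_PATH resolved against that directory); the function names are mine.

```shell
#!/bin/sh
# Find 'include $RULE_PATH/...' lines in a snort.conf whose rule file is
# absent (the usual cause of the start failure in step 31), and produce a
# copy of the conf with only those lines commented out.

# Print the resolved path of each missing rules file, one per line.
snort_missing_includes() {
    conf="$1"
    confdir=$(dirname "$conf")
    # RULE_PATH as set in snort.conf; the page uses the relative value 'rules'
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    case "$rule_path" in
        /*) base="$rule_path" ;;
        *)  base="$confdir/$rule_path" ;;    # assumed: relative to the conf's directory
    esac
    # Active (uncommented) includes that go through $RULE_PATH; other
    # variables such as $PREPROC_RULE_PATH are deliberately left alone.
    awk '$1 == "include" && $2 ~ /^\$RULE_PATH\// {
             sub(/^\$RULE_PATH\//, "", $2); print $2 }' "$conf" |
    while read -r f; do
        [ -f "$base/$f" ] || echo "$base/$f"
    done
}

# Write $2 as a copy of $1 in which each include of a missing file is
# prefixed with '# ', like the manual vim edit in step 31 but targeted.
snort_comment_missing_includes() {
    conf="$1"; out="$2"
    list="$out.missing"
    snort_missing_includes "$conf" | awk -F/ '{ print $NF }' > "$list"
    awk -v listfile="$list" '
        BEGIN { while ((getline l < listfile) > 0) miss[l] = 1 }
        $1 == "include" && $2 ~ /^\$RULE_PATH\// {
            n = split($2, p, "/")
            if (p[n] in miss) { print "# " $0; next }
        }
        { print }
    ' "$conf" > "$out"
    rm -f "$list"
}
```

Run 'snort_missing_includes /etc/snort/snort.conf' first to review the list, then 'snort_comment_missing_includes /etc/snort/snort.conf /tmp/snort.conf.new' and diff the result before replacing the live file.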


Troubleshooting

Testing libpcap version

If the daq configure step complains about the libpcap version, the version actually installed on the system can be checked with the following program:

#include <pcap/pcap.h>   /* pcap_lib_version() */
#include <stdio.h>

int main(void)
{
    /* Prints the version string of the libpcap the binary was linked
       against, e.g. "libpcap version 1.1.1"; if this is the old distro
       library rather than the one built in steps 7 to 9, the new
       library is not the one found first in the linker/loader path. */
    printf("%s\n", pcap_lib_version());
    return 0;
}

To check the default libpcap version, compile with 'gcc -lpcap <source_file.c>' and run the resulting a.out. (On newer toolchains that link with --as-needed by default, the library must come after the source file: 'gcc <source_file.c> -lpcap'.)