Howto Install SNORT IDS

Spec files

I rebuilt my snort package; you can search for and download the snort rpm package snort-
I made a few small changes in my spec file:
extract the src.rpm package using rpm2cpio snort- | cpio -idv
then edit the spec file and change this line into

SNORT_BASE_CONFIG="--prefix=%{_prefix} \
                   --bindir=%{_sbindir} \
                   --sysconfdir=%{_sysconfdir}/snort \
                   --with-libpcap-includes=%{_includedir} \
                   --enable-decoder-preprocessor-rules --enable-targetbased \
                   --enable-dynamicplugin  --enable-zlib --enable-ipv6 --enable-normalizer
and start to rebuild the package. Read my manual on how to build a package from source.


yum localinstall libdnet-1.12-7.x86_64.rpm libdnet-progs-1.12-7.x86_64.rpm libdnet-devel-1.12-7.x86_64.rpm
yum localinstall libpcap1-devel-1.1.1-9.x86_64.rpm libpcap1-1.1.1-9.x86_64.rpm
yum localinstall daq-0.5-1.x86_64.rpm
yum localinstall snort-
yum localinstall barnyard2-1.9-1.x86_64.rpm
Download the snort rules from the official website: snortrules-snapshot-2904.tar.gz

You can also install snort and barnyard2 from the source packages; in that case configure the snort build with
--enable-dynamicplugin  --enable-zlib --enable-ipv6 --enable-normalizer 

Then follow these configuration steps.



make the snort log file directory
mkdir /var/log/snort/
chown snort:snort /var/log/snort/
edit the snort config file at /etc/snort/snort.conf
change ipvar into var
set HOME_NET to your IP subnet
set up the paths to your rules
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
comment out the dynamic rules and the normalizer preprocessors because we don't need them
# path to dynamic rules libraries
### dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
### preprocessor normalize_ip4
### preprocessor normalize_tcp: ips ecn stream
### preprocessor normalize_icmp4
### preprocessor normalize_ip6
### preprocessor normalize_icmp6
set the output to
output unified2: filename snort.log, limit 128
extract snortrules-snapshot-2904.tar.gz and put the folders it contains into /etc/snort
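Before starting the daemon it is worth checking that the snort.conf edits above actually took. The following preflight check is an added example, not part of the original post; it assumes only sh and grep, and takes the path of the conf file as its argument:

```shell
#!/bin/sh
# Constructed example: verify the snort.conf edits described above.
# Usage: check_snort_conf /etc/snort/snort.conf

# Print only the active (uncommented) lines of a conf file.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# Return 0 when the file reflects the edits above, 1 otherwise,
# reporting each problem found on stderr.
check_snort_conf() {
    conf="$1"
    rc=0
    # ipvar lines must have been changed to var
    if active_lines "$conf" | grep -q '^[[:space:]]*ipvar'; then
        echo "FAIL: ipvar still present; change it to var" >&2; rc=1
    fi
    # HOME_NET must be set with var and must not be left as "any"
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]+[^[:space:]]' \
       || active_lines "$conf" | grep -Eq '^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]+any'; then
        echo "FAIL: HOME_NET is not set to your IP subnet" >&2; rc=1
    fi
    # the three rule path variables must be defined
    for v in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH; do
        active_lines "$conf" | grep -Eq "^[[:space:]]*var[[:space:]]+$v[[:space:]]" \
            || { echo "FAIL: var $v is missing" >&2; rc=1; }
    done
    # dynamic rules and the normalizer preprocessors must be commented out
    if active_lines "$conf" | grep -Eq '^[[:space:]]*(dynamicdetection|preprocessor[[:space:]]+normalize_)'; then
        echo "FAIL: dynamicdetection or normalize_* is still active" >&2; rc=1
    fi
    # unified2 output is what barnyard2 will read from /var/log/snort
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*output[[:space:]]+unified2:'; then
        echo "FAIL: no 'output unified2' line" >&2; rc=1
    fi
    return $rc
}
```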


make the directory for the barnyard2 log
mkdir -p /var/log/barnyard2/
create the waldo file for barnyard2
touch /var/log/snort/barnyard2.waldo

edit the barnyard2 config at /etc/snort/barnyard2.conf
set the paths for barnyard2 to the files your snort config uses
# set the appropriate paths to the file(s) your Snort process is using.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/
config sid_file:            /etc/snort/

# set the directory for any output logging
config logdir: /var/log/barnyard2
# set the hostname and interface
config hostname:
config interface:       eth0
# enable the year being shown in timestamps
config show_year
# define the full waldo filepath.
config waldo_file: /var/log/snort/barnyard2.waldo
# Step 2: setup the input plugins
# this is not hard, only unified2 is supported ;)
input unified2
# set output alert mode
output alert_full


Download oinkmaster from here
Install the package
[root@ketoprak tmp]# yum localinstall -y --nogpgcheck
run locate to make sure the files were installed correctly and have been placed in /usr/bin/
[root@ketoprak tmp]# locate oink

Check the snort version using
snort -v
and the result is
[root@ketoprak ~]# snort -v
Running in packet dump mode
       --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet
       --== Initialization Complete ==--
,,_     -*> Snort! <*-
 o"  )~   Version (Build 135) 
  '    By Martin Roesch & The Snort Team:
          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 6.6 06-Feb-2006
          Using ZLIB version: 1.2.3

Edit oinkmaster.conf, located at /etc/oinkmaster.conf
url =<oinkcode here>/<filename> 
edit it like this
url =
you will get the oinkcode from the snort official website after you register.

Run Snort and Barnyard and Oinkmaster

First run the snort service
snort -c /etc/snort/snort.conf -i eth0
then run Barnyard2
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
then run Oinkmaster -o <snort rules located> -o /etc/snort/rules
set up the crontab schedule
# crontab -e 
 0 3 * * * /usr/local/bin/ -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1

