How to Install Snort IDS


Spec files

I rebuilt my Snort package from the source RPM. Search for or download snort-2.9.0.5.src.rpm, then make the small changes to the spec file described here.
Extract the src.rpm:
rpm2cpio snort-2.9.0.5.src.rpm | cpio -idv
Edit the spec file and change the SNORT_BASE_CONFIG line to:

SNORT_BASE_CONFIG="--prefix=%{_prefix} \
                   --bindir=%{_sbindir} \
                   --sysconfdir=%{_sysconfdir}/snort \
                   --with-libpcap-includes=%{_includedir} \
                   --enable-decoder-preprocessor-rules --enable-targetbased \
                   --enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-normalizer"
Then rebuild the package. Read my manual on how to build a package from source.


Installation

yum localinstall libdnet-1.12-7.x86_64.rpm libdnet-progs-1.12-7.x86_64.rpm libdnet-devel-1.12-7.x86_64.rpm
yum localinstall libpcap1-devel-1.1.1-9.x86_64.rpm libpcap1-1.1.1-9.x86_64.rpm
yum localinstall daq-0.5-1.x86_64.rpm
yum localinstall snort-2.9.0.5-1.x86_64.rpm
yum localinstall barnyard2-1.9-1.x86_64.rpm
Download the rules from the official Snort website: snortrules-snapshot-2904.tar.gz (the snapshot must match the Snort 2.9.0.x series installed above).

You can also install Snort and barnyard2 from the source tarballs; in that case configure Snort with
--enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-normalizer

and then follow the configuration below.

Configuration

snort

Create the Snort log directory and hand it to the snort user:
mkdir /var/log/snort/
chown snort:snort /var/log/snort/
Edit the Snort config file at /etc/snort/snort.conf.
Change ipvar to var. ipvar is only accepted by builds with --enable-ipv6; with the configure flags used above it works and may stay, but a plain var is accepted by every build.
Set HOME_NET to your own subnet:
var HOME_NET 192.168.1.0/24
Set the rule paths, relative to /etc/snort:
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
Comment out the dynamic rules directory and the inline normalizers. The shared-object rules in so_rules are then not loaded, and the normalize_* preprocessors do nothing in IDS mode anyway:
# path to dynamic rules libraries
### dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
### preprocessor normalize_ip4
### preprocessor normalize_tcp: ips ecn stream
### preprocessor normalize_icmp4
### preprocessor normalize_ip6
### preprocessor normalize_icmp6
Set the output plugin to unified2; this is the spool format barnyard2 reads:
output unified2: filename snort.log, limit 128
Extract snortrules-snapshot-2904.tar.gz and copy these directories into /etc/snort:
rules
so_rules
preproc_rules
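The snort.conf edits above, as an added example that is not from the original how-to: a POSIX sh script that applies them with sed, checks that every setting is present and, when Snort is installed, has it parse the file with snort -T. The sample config excerpt, the temporary paths and the function names are constructed for this demonstration, not taken from the real /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example, not part of the original how-to: apply the snort.conf edits
# listed above with sed and check the result. The sample config below is a
# constructed excerpt, not the real /etc/snort/snort.conf.

# Rewrite one snort.conf in place. Expressions run top to bottom per line, so
# "ipvar HOME_NET any" first becomes "var HOME_NET any" and is then given the subnet.
configure_snort_conf() {
    conf="$1"
    subnet="$2"
    sed \
        -e 's/^ipvar /var /' \
        -e "s|^var HOME_NET .*|var HOME_NET $subnet|" \
        -e 's|^var RULE_PATH .*|var RULE_PATH rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH preproc_rules|' \
        -e 's|^dynamicdetection directory|### dynamicdetection directory|' \
        -e 's|^preprocessor normalize_|### preprocessor normalize_|' \
        -e 's|^output unified2: .*|output unified2: filename snort.log, limit 128|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # stock configs ship the unified2 line commented out; add an active one if none exists
    grep -q '^output unified2:' "$conf" ||
        printf 'output unified2: filename snort.log, limit 128\n' >> "$conf"
}

# Succeeds only when every setting this how-to asks for is present.
check_snort_conf() {
    conf="$1"
    ! grep -q '^ipvar ' "$conf" &&
    grep -q '^var HOME_NET ' "$conf" &&
    grep -q '^var RULE_PATH rules$' "$conf" &&
    ! grep -q '^dynamicdetection ' "$conf" &&
    ! grep -q '^preprocessor normalize_' "$conf" &&
    grep -q '^output unified2: filename snort.log, limit 128$' "$conf"
}

# Ask Snort to parse the config without sniffing (-T exits non-zero on any error).
# Skipped when snort is not installed on the machine running this script.
snort_test_config() {
    command -v snort >/dev/null 2>&1 || { echo "snort not installed, skipping snort -T"; return 0; }
    snort -T -c "$1"
}

demo() {
    tmp=$(mktemp -d)
    # constructed excerpt of a stock 2.9.0.x snort.conf (sample data)
    cat > "$tmp/snort.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
EOF
    configure_snort_conf "$tmp/snort.conf" 192.168.1.0/24
    if check_snort_conf "$tmp/snort.conf"; then echo "all edits present"; else echo "edits missing"; fi
    cat "$tmp/snort.conf"
    rm -rf "$tmp"
}
demo
```

On the sensor itself, run configure_snort_conf against a copy of /etc/snort/snort.conf and then snort_test_config on it; snort -T exits non-zero on a bad include or unknown keyword, which is far cheaper to learn before the interface is opened than after.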

barnyard2

Create the barnyard2 log directory:
mkdir -p /var/log/barnyard2/
Create the waldo file, barnyard2's bookmark of how far it has read the unified2 spool:
touch /var/log/snort/barnyard2.waldo

Edit the barnyard2 config at /etc/snort/barnyard2.conf.
Point barnyard2 at the map files your Snort installation uses:
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# set the directory for any output logging
#
config logdir: /var/log/barnyard2
# set the hostname and interface
config hostname:        ketoprak.humor.com
config interface:       eth0
# enable the year being shown in timestamps
#
config show_year
# define the full waldo filepath.
#
config waldo_file: /var/log/snort/barnyard2.waldo
# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2
# set the output alert mode (alert_full writes full-text alerts under logdir)
output alert_full

oinkmaster

Download oinkmaster from
http://pkgs.org/download/centos-5-rhel-5/atomic-i386/oinkmaster-2.0-0.el5.art.noarch.rpm.html
Install the package. --nogpgcheck skips RPM signature verification, so only use it for a package you trust; if the repository publishes a GPG key, import it and drop the flag.
[root@ketoprak tmp]# yum localinstall oinkmaster-2.0-0.el5.art.noarch.rpm -y --nogpgcheck
Use locate to confirm the files were installed and that oinkmaster.pl landed in /usr/bin/:
[root@ketoprak tmp]# locate oink
/etc/oinkmaster.conf
/usr/bin/oinkmaster.pl
/usr/share/doc/oinkmaster-2.0
/usr/share/doc/oinkmaster-2.0/ChangeLog
/usr/share/doc/oinkmaster-2.0/LICENSE
/usr/share/doc/oinkmaster-2.0/README
/usr/share/doc/oinkmaster-2.0/README.gui
/usr/share/doc/oinkmaster-2.0/README.templates
/usr/share/doc/oinkmaster-2.0/README.win32
/usr/share/doc/oinkmaster-2.0/UPGRADING
/usr/share/doc/oinkmaster-2.0/template-examples.conf
/usr/share/man/man1/oinkmaster.1.gz

Check the Snort version. snort -V prints the version and exits; snort -v, as used here, starts packet dump mode and prints the same banner (stop it with Ctrl-C):
snort -v
The result is
[root@ketoprak ~]# snort -v
Running in packet dump mode
       --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet
       --== Initialization Complete ==--
,,_     -*> Snort! <*-
 o"  )~   Version 2.9.0.5 (Build 135) 
  '    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 6.6 06-Feb-2006
          Using ZLIB version: 1.2.3

Edit /etc/oinkmaster.conf. The url line has the form
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>
Fill in your oinkcode and the rules snapshot for your Snort version. The line below fetches the 2861 snapshot (Snort 2.8.6.1 rules); for the 2.9.0.x build installed above use the matching snapshot, e.g. snortrules-snapshot-2904.tar.gz:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/ee4075a398290459/snortrules-snapshot-2861.tar.gz
Note:
You get the oinkcode from the Snort website after registering. Treat it as a credential; it identifies your account to the rules server.

Run Snort and Barnyard and Oinkmaster

First start Snort:
snort -c /etc/snort/snort.conf -i eth0
Run this way Snort stays in the foreground as root; add -D to daemonize, and -u snort -g snort to drop to the snort user once the interface is open.
Then start barnyard2:
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
Then run oinkmaster, pointing -o at your rules directory:
oinkmaster.pl -o <snort rules located>
oinkmaster.pl -o /etc/snort/rules
Schedule it in cron. The package installed oinkmaster.pl under /usr/bin (see the locate output above), so use that path, and redirect the output to a file; a bare 2>&1 only merges stderr into whatever cron does with stdout:
# crontab -e
0 3 * * * /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules >> /var/log/oinkmaster.log 2>&1
Snort does not pick up updated rule files until it is restarted or sent SIGHUP, so pair the cron job with a reload.
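The start and update steps above, as an added example that is not from the original how-to and goes one step beyond it: a POSIX sh wrapper that starts Snort and barnyard2 as daemons under the snort user, then updates the rules from cron and only signals Snort once the new ruleset passes snort -T. The pid-file name /var/run/snort_eth0.pid, the log file path and the function names are assumptions; the rules file used by the offline demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the original how-to: daemon start-up for Snort and
# barnyard2, plus a cron wrapper that runs oinkmaster and reloads Snort only
# when the rules changed and still parse. Paths below are assumptions; confirm
# the pid-file name with "ls /var/run/snort_*.pid" after Snort has started.

IFACE="${IFACE:-eth0}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
PIDFILE="${PIDFILE:-/var/run/snort_$IFACE.pid}"   # assumed: Snort 2.x names it after the interface
LOG="${LOG:-/var/log/oinkmaster.log}"

start_snort() {
    # -D daemonise; -u/-g drop root after the interface is opened;
    # -l is where the unified2 spool lands (barnyard2 reads it from there)
    snort -D -u snort -g snort -c "$SNORT_CONF" -i "$IFACE" -l /var/log/snort
}

start_barnyard2() {
    # -d/-f name the spool directory and unified2 base name, -w the waldo bookmark
    barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log \
              -w /var/log/snort/barnyard2.waldo
}

# One checksum over the names and contents of every *.rules file, so the
# wrapper can tell whether oinkmaster actually changed anything.
rules_fingerprint() {
    find "$1" -type f -name '*.rules' | LC_ALL=C sort |
        while read -r f; do cksum "$f"; done | cksum | cut -d' ' -f1
}

update_rules() {
    before=$(rules_fingerprint "$RULES_DIR")
    oinkmaster.pl -C /etc/oinkmaster.conf -o "$RULES_DIR" >>"$LOG" 2>&1 || {
        echo "oinkmaster failed, see $LOG"; return 1; }
    after=$(rules_fingerprint "$RULES_DIR")
    [ "$before" = "$after" ] && { echo "rules unchanged, nothing to reload"; return 0; }
    # never signal Snort with a ruleset it cannot parse: a bad rule would take the sensor down
    snort -T -c "$SNORT_CONF" >>"$LOG" 2>&1 || {
        echo "new rules fail snort -T, not reloading; fix them before Snort is next restarted"; return 1; }
    kill -HUP "$(cat "$PIDFILE")"   # SIGHUP makes Snort 2.x restart and re-read its config and rules
}

# Offline demonstration of the change detection on a constructed rules directory.
demo_fingerprint() {
    tmp=$(mktemp -d)
    printf 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)\n' > "$tmp/local.rules"
    a=$(rules_fingerprint "$tmp")
    b=$(rules_fingerprint "$tmp")          # same content, same fingerprint
    printf 'alert tcp any any -> $HOME_NET 23 (msg:"telnet"; sid:1000002; rev:1;)\n' >> "$tmp/local.rules"
    c=$(rules_fingerprint "$tmp")          # content changed, fingerprint changes
    rm -rf "$tmp"
    [ "$a" = "$b" ] && [ "$a" != "$c" ]
}
demo_fingerprint && echo "fingerprint detects rule changes"
```

Save the script under a name of your choosing (the assumed name here is /usr/local/sbin/snort-rules-update.sh) and have cron call update_rules from it instead of oinkmaster.pl directly, so a broken rules snapshot is logged rather than loaded.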
