Snort is a open source network Intrusion Detection System and Intrusion Prevention System (IDS/IPS). more information
click this link
Here i am going to install Snort Intrusion Detection System ( IDS).
Installation:
Install the below packages using
yum command
[root@snort ~]# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++
[root@snort ~]# yum install libcap*
[root@snort ~]# yum install libpcap*
[root@snort ~]# yum install pcre*
Download the below packages using "wget" command
1.libdnet
2.daq
3.snort
Create a directory snort_install for store downloads
[root@snort ~]# mkdir /snort_install
change directory
[root@snort ~]# cd /snort_install/
[root@snort snort_install]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
[root@snort snort_install]# wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq-2.0.0.tar.gz
[root@snort snort_install]# wget http://www.snort.org/dl/snort-current/snort-2.9.5.tar.gz -O snort-2.9.5.tar.gz
Extract,compile and install the "libdnet"
[root@snort snort_install]# tar -zxvf libdnet-1.12.tgz
[root@snort snort_install]# cd libdnet-1.12
[root@snort libdnet-1.12]# ./configure
[root@snort libdnet-1.12]# make && make install
Extract,compile and install the "DAQ"
[root@snort snort_install]# tar -zxvf daq-2.0.0.tar.gz
[root@snort snort_install]# cd daq-2.0.0
[root@snort daq-2.0.0]# ./configure
[root@snort daq-2.0.0]# make && make install
Extract,compile and install the "Snort"
[root@snort snort_install]# tar -zxvf snort-2.9.5.tar.gz
[root@snort snort_install]# cd snort-2.9.5
[root@snort snort-2.9.5]# ./configure
[root@snort snort-2.9.5]# make && make install
Snort Rule
We need to download the Snort rule from
this link
# wget http://www.snort.org/reg-rules/snortrules-snapshot-2945.tar.gz/38f33a5eb5f006c2ea77d1655001c0a5a9a5122c -O snortrules-snapshot-2945.tar.gz
[root@snort snort_install]# mkdir snort-rule
[root@snort snort_install]# mv snortrules-snapshot-2946.tar.gz snort-rule/
[root@snort snort_install]# tar -zxvf snortrules-snapshot-2946.tar.gz
Create a new group "snort"
[root@snort ~]# groupadd snort
Create a new user "snort" and change the shell "/sbin/nologin"
[root@snort ~]# useradd -g snort snort -s /sbin/nologin
Create some folder following path
[root@snort ~]# mkdir /etc/snort
[root@snort ~ ]# mkdir /etc/snort/rules
[root@snort ~]# mkdir /etc/snort/so_rules
[root@snort ~]# mkdir /etc/snort/preproc_rules
[root@snort ~]# mkdir /var/log/snort
[root@snort ~]# mkdir /usr/local/lib/snort_dynamicrules
Change the owner and group
[root@snort ~]# chown snort:snort /var/log/snort
We need to copy some files from "/snort_install" to appropriate location
[root@snort snort_install]# cd snort-2.9.5/etc/
[root@snort etc]# cp * /etc/snort/
We need to copy all the rules from "snort-rule" directory to appropriate location
[root@snort snort_install]# cd snort-rule
[root@snort snort-rule]# cp rules/* /etc/snort/rules/
[root@snort snort_install]# cp snort-rule/so_rules/precompiled/Centos-5-4/i386/2.9.4.6/* /etc/snort/so_rules/
[root@snort snort-rule]# cp preproc_rules/* /etc/snort/preproc_rules/
[root@snort snort-rule]# touch /etc/snort/rules/black_list.rules
[root@snort snort-rule]# touch /etc/snort/rules/white_list.rules
Snort Configuration:
Open and Edit the Snort configuration file
[root@snort ]# vim /etc/snort/snort.conf
ipvar HOME_NET 10.21.1.19 <------ IP Address of your server
var RULE_PATH /etc/snort/rules <---- Give correct path
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
#preprocessor normalize_ip4 <------ comment this 5 lines
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
output unified2: filename snort.u2, limit 128 ## line no :521
:wq
Snort Testing
[root@snort ~]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.5 GRE (Build 103)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.0 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Commencing packet processing (pid=4884)
Now snort is working.