How to Install / Configure SNORT IDS on CentOS 6.x / 7.x

Security is a big issue for all networks in today’s enterprise environments. Many methods have developed to secure the network infrastructures and communication over the internet. Among them Snort is a leading open source network intrusion detection and prevention system and a valuable security framework. Its a packet sniffer that monitors network traffic in real time and scrutinize each packet in depth to find any dangerous payload or suspicious anomalies. Using Snort intrusion detection mechanism, we can collect and use information from known types of attacks and find out if some trying to attack our network or particular host. So the information gathered in this way can be well used to harden our networks to prevent from hackers and intruders that can also be useful for legal purposes.

This article describes the configuration, compilation and installation of SNORT 2.9.7.x and DAQ-2.0.x using the CentOS 7.0 Operating systems and other components.

Prepare the OS

We are going to setup SNORT IDS under the following Operating Systems and its components

  • Virtualization Environment: VMware Workstation
  • HOST Operating System: Microsoft Windows 7
  • GUEST Operating System: CentOS 7.0 (64-bit version)
  • System Resources: CPU 2.0 GHz RAM 4 GB

In CentOS 7 Virtual Machine, we configured its network settings with Static IP, Gateway and DNS entry to make sure that its connected with the internet through its Ethernet interface that will be used as a port to monitor traffic.

Installing Prerequisites

Following packages are mandatory to setup SNORT, so make sure to install these before start compiling SNORT or DAQ. Almost all these libraries can be installed by using yum command.

[[email protected] ~]# rpm -qa | grep gcc
libgcc-4.8.2-16.2.el7_0.x86_64
gcc-4.8.2-16.2.el7_0.x86_64

[[email protected] ~]# rpm -qa | grep flex
flex-2.5.37-3.el7.x86_64

[[email protected] ~]# rpm -qa | grep bison
bison-2.7-4.el7.x86_64

[[email protected] ~]# rpm -qa | grep zlib
zlib-1.2.7-13.el7.x86_64
zlib-devel-1.2.7-13.el7.x86_64

[[email protected] ~]# rpm -qa | grep libpcap
libpcap-1.5.3-4.el7_1.2.x86_64
libpcap-devel-1.5.3-4.el7_1.2.x86_64

[[email protected] ~]# rpm -qa | grep tcpdump
tcpdump-4.5.1-2.el7.x86_64

[[email protected] ~]# rpm -qa | grep libdnet-devel
libdnet-devel-1.12-13.1.el7.x86_64

Installing Data Acquisition (DAQ 2.0.5)

We can obtain SNORT and DAQ latest installation packages from its official website and copy its RPM package download link available for CentOS.

[[email protected] ~]# yum install https://snort.org/downloads/snort/daq-2.0.5-1.centos7.x86_64.rpm

Data Acquisition

Installing SNORT 2.9.7

Similarly we will install Snort by using below command with yum repository.

[[email protected] ~]# yum install https://snort.org/downloads/snort/snort-2.9.7.3-1.centos7.x86_64.rpm

Installing snort

Installing SNORT Rules:

In order to install Snort rules we must be the registered user to download the set of rule or have paid subscription. Installing some update snort rules is a necessary to make sure that snort is able to detect the latest threats.

Signup with Snort

Let’s sign in with the World most powerful detection software and to download its rules that are most important to be aware from the latest threats.

Snort Signin

Downloading Snort Rules

After sign in to Snort, now we will be able to download its rules that we need to install and work for Snort.

Snort Rules

Updating Snort Rule using Pulled Pork

Pulled Pork for Snort rule management is designed to make Snort rules fly! With the intent of handling all rules. Its code pulls the rules that we need to handle our Snort rules.

Downloading PulledPork

Pulled Pork apackage is available on the Git hub, by using the following command we will get its package on the snort server with git clone command.

[[email protected] ~]# git clone https://github.com/shirkdog/pulledpork.git

PulledPork Clone

Setup Pulled Pork

[[email protected] pulledpork]# cp pulledpork.pl /usr/local/bin
[[email protected] pulledpork]# chmod +x /usr/local/bin/pulledpork.pl
[[email protected] pulledpork]# cp etc/*.conf /etc/snort

Now we will configure PulledPork and place the Oinkcode in its configuration file, we will place it in its configuration file after getting it from our registered user.

Oincode

Creating files that PulledPork requires as.

[[email protected] ~]# mkdir /etc/snort/rules/iplists
[[email protected] ~]# touch /etc/snort/rules/iplists/default.blacklist

Testing PullPork

Let’s start a test to confirm that pulledpork is functional.

[[email protected] ~]# /usr/local/bin/pulledpork.pl -V
PulledPork v0.7.0 – Swine Flu !

Once the PulledPork works with its successful test results, we now moves forward to configure it with Snort by updating few configurations parameters.

Configure Snort

We want to enable the dynamic rules, so for this purpose we make sure the second line in /etc/snort/snort.conf is not commented.

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/lib64/snort-2.9.7.3_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

Now execute the following 3 commands to add the include rules as follow.

echo “include \$RULE_PATH/snort.rules” >> /etc/snort/snort.conf
echo “include \$RULE_PATH/local.rules” >> /etc/snort/snort.conf
echo “include \$RULE_PATH/so_rules.rules” >> /etc/snort/snort.conf

Starting Pulled Pork

Now running the following command we will run pulledpork and update your rules as belwo.

[[email protected] ~]# pulledpork.pl -c /etc/snort/pulledpork/pulledpork.conf


Rule Stats…
New:——-686
Deleted:—4
Enabled Rules:—-365
Dropped Rules:—-0
Disabled Rules:—45
Total Rules:——410
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

We always have to restart snort service after updating your rules. So make sure that you didn’t get any errors during the restart. If you received errors, check the /var/log/syslog file and try to fix the issue.

[[email protected] ~]# service snort restart
Updating Snort Rules using Pulled Pork

Conclusion

Congratulations, if you have outputs similar to the above after restating PulledPork and restarting snort service then you have successfully Configured PulledPork with Snort.

One Response

  1. Tusune

Leave a Reply