Installing Snort+Barnyard+Pulledpork+Snorby on CentOS 6.6

2019-02-15 13:45

Installing Snort, Barnyard, Pulledpork and Snorby on CentOS 6.6

Snort is an open source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort writes its output in a binary format (unified2), so we need a tool to parse it. For this task we use Barnyard2, an open source interpreter for Snort unified2 binary output files. Its purpose is to let Snort write to disk efficiently and leave the parsing of the binary data into various formats to a separate process, so that Snort itself does not miss network traffic. Snort needs rules, and those rules have to be updated periodically. This is where PulledPork comes in: a Perl script that keeps Snort's rules up to date. Finally we need a nice front-end to make analyzing the alerts that Snort produces easier. For this purpose we will install Snorby, a Ruby on Rails web application for network security monitoring that interfaces with the currently popular intrusion detection systems (Snort, Suricata and Sagan). The basic concepts behind Snorby are simplicity, organization and power (you can find a demo here; username: demo@snorby.org, password: snorby). We will install Snort version 2.9.7.2, the latest version at the time of writing. Configuring Snort and everything else it requires is a boring job, so @petkoutroumpis and I wrote a simple bash script that automates the whole process. You can find the bash script at github. Nevertheless, the full installation is given step by step below.

Before beginning the installation, disable SELinux. Edit the configuration file with

vi /etc/selinux/config

and change the line

SELINUX=enforcing

to

SELINUX=disabled

and reboot. Be aware that this removes a containment layer from the sensor host; SELINUX=permissive keeps SELinux logging denials without enforcing them, which is enough to see which policy adjustments Snort, Barnyard2 and Snorby would need if you want to re-enable enforcing mode later.

Install some prerequisite packages:

yum -y install vim wget man make gcc flex bison \
    zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump gcc-c++ mysql-server \
    mysql mysql-devel libtool perl-libwww-perl perl-Archive-Tar perl-Crypt-SSLeay git gcc \
    libxml2 libxml2-devel libxslt libxslt-devel httpd \
    curl-devel httpd-devel apr-devel apr-util-devel libXrender fontconfig libXext ruby-devel unzip xz

Now we will install libdnet and DAQ from source:

cd /usr/local/src
wget http://sourceforge.net/projects/libdnet/files/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -zxvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure --with-pic
make
sudo make install

cd /usr/local/src
wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
tar -zxvf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make
sudo make install

It's time to install Snort:

cd /usr/local/src
wget https://snort.org/downloads/snort/snort-2.9.7.2.tar.gz
tar -zxvf snort-2.9.7.2.tar.gz
cd snort-2.9.7.2
./configure --enable-sourcefire
make
sudo make install

Issue the commands below to create the directories, empty rule files and the dedicated snort user that Snort will run as:

sudo mkdir -p /etc/snort/rules
sudo mkdir -p /var/log/snort/eth0
sudo mkdir /var/log/barnyard2
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /var/log/snort/eth0/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map
cd /usr/local/src/snort-2.9.7.2
sudo cp etc/* /etc/snort
sudo groupadd -g 40000 snort
sudo useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
sudo chown -R snort:snort *
sudo chown -R snort:snort /var/log/snort

We have to modify the following variables in /etc/snort/snort.conf. This assumes that the network we are going to monitor is 192.168.0.0/24; HOME_NET must not be left at its default of "any", otherwise every rule that keys on the direction of traffic loses its meaning:

var RULE_PATH /etc/snort/rules
ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Or you can run the following two sed commands on /etc/snort/snort.conf. Besides setting the variables above, they comment out the stock $RULE_PATH includes and the dynamicdetection directive, add the unified2 output line that Barnyard2 will read, and re-enable the local.rules include (SO_RULE_PATH and PREPROC_RULE_PATH end up as paths relative to the directory of snort.conf):

sudo sed -i -e '/^include \$RULE_PATH/s/^/#/' -e '/^var RULE_PATH/s/\.\.\/rules/\/etc\/snort\/rules/' -e '/^var SO_RULE/s/\.\.\/so_rules/so_rules/' \
    -e '/^var PREPROC/s/\.\.\/.*/preproc_rules/' -e '/^var WHITE/s/\.\..*/\/etc\/snort\/rules/' -e '/^var BLACK/s/\.\..*/\/etc\/snort\/rules/' \
    -e '/# unified2/a output unified2: filename snort.log, limit 128' -e '/^dynamicdetection/s/^/#/' -e '/^ipvar HOME_NET/s/any/192.168.0.0\/24/' \
    -e '/^ipvar EXTERNAL_NET/s/any/!\$HOME_NET/' /etc/snort/snort.conf

sudo sed -i -e '/#include.*local\.rules/s/#//' /etc/snort/snort.conf

Continue with some more configuration for Snort: restrict the source trees and the installed libraries to the snort user, install the init script and its sysconfig file from the tarball, and comment out the sysconfig options that would override what snort.conf already defines:

cd /usr/local/src
sudo chown -R snort:snort daq-2.0.4
sudo chown -R snort:snort snort-2.9.7.2
sudo chown -R snort:snort snort_dynamicsrc
sudo chmod -R 700 daq-2.0.4
sudo chmod -R 700 snort-2.9.7.2
sudo chmod -R 700 snort_dynamicsrc
cd snort-2.9.7.2
sudo cp rpm/snortd /etc/init.d/snort
sudo cp rpm/snort.sysconfig /etc/sysconfig/snort
sudo chmod 700 /etc/init.d/snort
sudo chmod 700 /etc/sysconfig/snort
cd /usr/sbin
sudo ln -s /usr/local/bin/snort snort
sudo cp /etc/sysconfig/snort /etc/sysconfig/snort_default
sudo sed -i -e '/PASS_FIRST/s/^/#/' -e '/^ALERTMODE/s/^/#/' -e '/^DUMP_APP/s/^/#/' -e '/^BINARY_LOG/s/^/#/' \
    -e '/^NO_PACKET_LOG/s/^/#/' -e '/^PRINT_INTERFACE/s/^/#/' /etc/sysconfig/snort
cd /var/log
sudo chmod 700 snort
sudo chown -R snort:snort snort
cd /usr/local/lib
sudo chown -R snort:snort snort*
sudo chown -R snort:snort snort_dynamic*
sudo chown -R snort:snort pkgconfig
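The snort.conf edits above are the step most easily got wrong (a stray HOME_NET any, a missing unified2 line, or a rule include that was never re-enabled), so here is an added example, not part of the original post or of the Snort project, that applies those same sed expressions to a constructed stand-in for the stock snort.conf and then checks the result the way a practitioner would before starting the daemon. It assumes GNU sed as shipped with CentOS, the 192.168.0.0/24 network used throughout the post, and the /etc/snort layout created earlier; the sample file only contains the lines the sed expressions touch.

```shell
#!/bin/sh
# Added example: reproduce the post's snort.conf edits on a throwaway copy and
# verify them. Assumes GNU sed (CentOS); HOME_NET 192.168.0.0/24 as in the post.

WORK="$(mktemp -d)"
STOCK="$WORK/snort.conf.stock"
EDITED="$WORK/snort.conf"

# Constructed stand-in for the stock snort.conf: only the lines the post's sed
# expressions act on. The real file is far longer.
cat > "$STOCK" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF

# The same two sed passes as the post, writing to a new file instead of -i.
apply_snort_conf_edits() {
    sed -e '/^include \$RULE_PATH/s/^/#/' \
        -e '/^var RULE_PATH/s/\.\.\/rules/\/etc\/snort\/rules/' \
        -e '/^var SO_RULE/s/\.\.\/so_rules/so_rules/' \
        -e '/^var PREPROC/s/\.\.\/.*/preproc_rules/' \
        -e '/^var WHITE/s/\.\..*/\/etc\/snort\/rules/' \
        -e '/^var BLACK/s/\.\..*/\/etc\/snort\/rules/' \
        -e '/# unified2/a output unified2: filename snort.log, limit 128' \
        -e '/^dynamicdetection/s/^/#/' \
        -e '/^ipvar HOME_NET/s/any/192.168.0.0\/24/' \
        -e '/^ipvar EXTERNAL_NET/s/any/!\$HOME_NET/' \
        "$1" | sed -e '/#include.*local\.rules/s/#//' > "$2"
}

# Checks worth running before the first start: HOME_NET is no longer "any",
# EXTERNAL_NET excludes it, a unified2 output exists for Barnyard2, local.rules
# is the only active $RULE_PATH include, RULE_PATH is absolute and the
# dynamicdetection directive is disabled. Prints the first failure, returns 1.
verify_snort_conf() {
    conf="$1"
    grep -q '^ipvar HOME_NET 192\.168\.0\.0/24$' "$conf" \
        || { echo "HOME_NET is not 192.168.0.0/24"; return 1; }
    grep -q '^ipvar EXTERNAL_NET !\$HOME_NET$' "$conf" \
        || { echo "EXTERNAL_NET is not !\$HOME_NET"; return 1; }
    grep -q '^output unified2: filename snort.log, limit 128$' "$conf" \
        || { echo "no unified2 output line for Barnyard2"; return 1; }
    [ "$(grep -c '^include \$RULE_PATH/' "$conf")" -eq 1 ] \
        || { echo "expected exactly one active \$RULE_PATH include"; return 1; }
    grep -q '^include \$RULE_PATH/local\.rules$' "$conf" \
        || { echo "local.rules include is not active"; return 1; }
    grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" \
        || { echo "RULE_PATH does not point at /etc/snort/rules"; return 1; }
    if grep -q '^dynamicdetection' "$conf"; then
        echo "dynamicdetection directive is still active"; return 1
    fi
    return 0
}

apply_snort_conf_edits "$STOCK" "$EDITED"
verify_snort_conf "$EDITED" && echo "snort.conf edits verified: $EDITED"
```

Running verify_snort_conf against the untouched stock copy fails on the first check, which is the point: the stock HOME_NET any makes the whole EXTERNAL_NET/HOME_NET distinction meaningless. Once the real /etc/snort/snort.conf passes these checks, let Snort itself validate the full file with snort -T -c /etc/snort/snort.conf -i eth0 before enabling the init script.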

