Installation

At the time of writing the latest release is 2.9.11.1, so that version is used throughout this page. The current release and installation instructions are published at https://snort.org

Option 1: Install from package

yum install https://snort.org/downloads/snort/daq-2.0.6-1.f21.x86_64.rpm
yum install https://snort.org/downloads/snort/snort-2.9.11.1-1.f25.x86_64.rpm

Note that these are Fedora builds (the f21 and f25 tags in the file names). Compare each downloaded file against the checksum listed on the Snort download page before installing it.
Option 2: Install from source

Dependencies (libdnet-devel is in the EPEL repository on CentOS; gcc, flex and bison are needed to build DAQ and Snort):

sudo yum install -y gcc flex bison zlib-devel libpcap-devel pcre-devel libdnet-devel

Install DAQ first, then Snort. Each build is done inside its own extracted directory, so step back out before unpacking the next tarball.

wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://snort.org/downloads/snort/snort-2.9.11.1.tar.gz

tar xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
cd ..

tar xvzf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire && make && sudo make install
cd ..

Run as a service:

To run Snort on CentOS as a background service, install the startup (init) script from the Snort documentation:

wget https://www.snort.org/documents/snort-startup-script-for-centos -O ~/snortd
sudo chmod 755 ~/snortd && sudo mv ~/snortd /etc/init.d/
Configuring Snort to run in NIDS mode

Start by refreshing the shared-library cache so the freshly installed DAQ and Snort libraries are found:

sudo ldconfig

A source build installs the binary as /usr/local/bin/snort. Create a symbolic link at /usr/sbin/snort so the binary is found at the same path as a package install (skip this if you installed with yum):

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Setting up the user and folder structure

To run Snort without root privileges, create a dedicated unprivileged system user and group for the daemon to run under:

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Then create the directories that hold the configuration, logs and dynamic rules. If you installed with yum these should already exist, but check to make sure.

sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules

Set ownership and permissions on the new directories:

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Mode 5775 makes all three trees writable by the snort group. The daemon itself only needs to write under /var/log/snort; for a tighter setup, leave /etc/snort and the dynamic-rules directory owned by root with read access for the snort group.

Create empty files for the white and black lists and for your local rules:

sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules

If you built Snort from source, copy the sample configuration files out of the extracted source tree (the tar command above unpacked it into snort-2.9.11.1 in the directory where you ran it, assumed here to be your home directory). Skip this if you installed with yum.

sudo cp ~/snort-2.9.11.1/etc/*.conf* /etc/snort
sudo cp ~/snort-2.9.11.1/etc/*.map /etc/snort

A separate walk-through, "How to Install Snort on CentOS 7", is available at the links below. Note that it covers Snort 3, not the 2.9 series used on this page. The first link is a pre-signed S3 URL that expires two days after it was generated (X-Amz-Expires=172800), so the mirror is the reliable copy.

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/136/original/Snort_3_on_CentOS_7.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20180829%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180829T033449Z&X-Amz-Expires=172800&X-Amz-SignedHeaders=host&X-Amz-Signature=7e73a8dadb08b4226051a37f5413c94695f4e93f4170b82b19ebed6a243feed0

or

http://frankfu.click/files/snort/Snort_3_on_CentOS_7.pdf

Rules

Snort provides three tiers of rule sets: community, registered and subscriber.

  • Community rules are freely available but more limited.
  • Registering for free on the Snort website gives you an oinkcode, which lets you download the registered-user rule sets.
  • Subscriber rules are available to users with an active paid subscription, who receive rule updates before registered users.

Option 1. Using community rules

If you just want to test Snort quickly, fetch the community rules:

wget https://www.snort.org/rules/community -O ~/community.tar.gz

Extract them and copy them into the rules directory:

tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules

The stock snort.conf includes a long list of rule files that the community set does not contain, and Snort refuses to start when an included file is missing. Comment out every rule include with the command below; local.rules and community.rules are re-enabled in the configuration section further down.

sudo sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

Option 2. Obtaining registered-user rules

Alternatively, register on the Snort website. Registration gives you an oinkcode, shown in your account details, which authorizes downloads of the registered-user rule sets.

Replace <oinkcode> in the command below with your own code. The snapshot number must match your Snort version with the dots removed (the 2990 below is for 2.9.9.0; for 2.9.11.1 use 29111). Treat the oinkcode as a credential: it ends up in your shell history and in any script you paste it into, so prefer reading it from a root-only file rather than typing it on the command line.

wget "https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<oinkcode>" -O ~/registered.tar.gz

Once downloaded, extract the archive directly into the configuration directory (it contains the rules, so_rules and preproc_rules directories):

sudo tar -xvf ~/registered.tar.gz -C /etc/snort

The registered rule set contains an extensive collection of preconfigured detection rules. If you tried the community rules first and commented out the includes, re-enable the rule files you want by uncommenting their include lines towards the end of snort.conf.

Configuring the network and rule sets

With the configuration and rule files in place, edit snort.conf to set a few parameters:

sudo vi /etc/snort/snort.conf

Find the sections shown below and change the values to match your deployment.

# Setup the network addresses you are protecting
ipvar HOME_NET <server public IP>/32
# External network: the stock file uses "any"; !$HOME_NET restricts it to everything outside HOME_NET
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

With EXTERNAL_NET set to !$HOME_NET, rules written as $EXTERNAL_NET -> $HOME_NET will not match traffic between two hosts that are both inside HOME_NET; keep "any" if you want that traffic inspected as well.

In the same snort.conf, scroll down to Step #6 (output plugins) and add a pcap output that logs to a file named tcpdump.log:

# pcap
output log_tcpdump: tcpdump.log

Snort writes the file into its log directory with the start time appended to the name, so read it with either of:

sudo snort -r /var/log/snort/tcpdump.log.[timestamp]
sudo tcpdump -r /var/log/snort/tcpdump.log.[timestamp]

Lastly, scroll down to the list of included rule sets near the bottom of the file and make sure the local.rules include is uncommented, so Snort loads your custom rules:

include $RULE_PATH/local.rules

If you are using the community rules, add the line below as well, for example directly under local.rules:

include $RULE_PATH/community.rules

To load more rule files, add further include lines below these.
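The three hand edits described on this page (commenting out the rule includes in Option 1 of the rules section, setting HOME_NET, and enabling local.rules plus community.rules) are easy to get wrong after a rules update. The script below is an example added here, not code from the original page or from the Snort project: it performs all three edits in one idempotent awk pass, so it can be re-run safely. It operates on a constructed cut-down snort.conf written to a temporary directory; the host address 203.0.113.10 is a placeholder, and for the real file you would call configure_rules on /etc/snort/snort.conf with sudo.

```shell
# Added example: edit snort.conf for a single-host NIDS in one idempotent pass.
# Not from the original page. Assumes a POSIX shell plus awk and sed; the
# sample config below is a constructed fragment of the stock snort.conf.

# write_sample_conf FILE: constructed stand-in for /etc/snort/snort.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/dos.rules
EOF
}

# configure_rules CONF HOME_NET:
#   1. set ipvar HOME_NET to the given address or CIDR list
#   2. comment out every active "include $RULE_PATH/..." line
#   3. keep local.rules enabled and place community.rules right after it,
#      dropping any earlier copy so re-running never duplicates the line.
configure_rules() {
    conf="$1"; home_net="$2"; tmp="$conf.tmp"
    awk -v hn="$home_net" '
        /^#?include [$]RULE_PATH\/community\.rules[ \t]*$/ { next }
        /^#?include [$]RULE_PATH\/local\.rules[ \t]*$/ {
            print "include $RULE_PATH/local.rules"
            print "include $RULE_PATH/community.rules"
            next
        }
        /^include [$]RULE_PATH\// { print "#" $0; next }
        /^ipvar HOME_NET /        { print "ipvar HOME_NET " hn; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# active_includes CONF: the rule files Snort would actually load, space separated.
active_includes() {
    sed -n 's#^include [$]RULE_PATH/##p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# home_net_of CONF: the configured HOME_NET value.
home_net_of() {
    sed -n 's/^ipvar HOME_NET //p' "$1"
}

# Demo on a temporary copy; for the real file run configure_rules with sudo.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/snort.conf"
configure_rules "$demo_dir/snort.conf" "203.0.113.10/32"
echo "HOME_NET: $(home_net_of "$demo_dir/snort.conf")"
echo "active rule files: $(active_includes "$demo_dir/snort.conf")"
rm -rf "$demo_dir"
```

Because commented includes stay commented and the community.rules line is regenerated rather than appended, running configure_rules twice leaves the file unchanged; after extracting a registered snapshot you would uncomment the extra rule files you want by hand, and the script will not touch them.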

 

Using a different NIC for the snort service (snortd)

https://www.linuxquestions.org/questions/linux-software-2/change-interface-listen-on-snort-877108/

The snortd init script listens on the interface named eth0 by default, but your machine may name it differently (ens33 in my case).

If so, starting the service fails with output like the following in the system log:

Aug 27 19:44:31 localhost snort[5634]: pcap DAQ configured to passive.
Aug 27 19:44:31 localhost snort[5634]: Acquiring network traffic from "eth0".
Aug 27 19:44:31 localhost snort[5634]: Initializing daemon mode
Aug 27 19:44:31 localhost snort[5635]: Daemon initialized, signaled parent pid: 5634
Aug 27 19:44:31 localhost snort[5635]: Reload thread starting...
Aug 27 19:44:31 localhost snort[5635]: Reload thread started, thread 0x7f4ffe319700 (5636)
Aug 27 19:44:31 localhost systemd: PID file /var/run/snort_eth0.pid not readable (yet?) after start.
Aug 27 19:44:31 localhost snortd: [  OK  ]#015[  OK  ]
Aug 27 19:44:31 localhost snort[5635]: FATAL ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!

The immediate error is "Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!", but the lines before it show the root cause: Snort is trying to acquire traffic from eth0, which does not exist on this system. (SIOCGIFHWADDR is the ioctl that fetches an interface's hardware address; it fails when the name does not resolve to a device.)

The problem does not occur when you run snort directly and name the interface yourself:

sudo snort -A console -i ens33 -u snort -g snort -c /etc/snort/snort.conf

but it does occur with sudo systemctl start snortd, because the init script hard-codes eth0.

The fix is to replace every eth0 in the init script with your interface name (ens33 in my case):

sudo vi /etc/init.d/snortd

In vi, enter command mode with : and run

:%s/eth0/ens33/g

which replaces all occurrences of eth0 with ens33 (1,$ is equivalent to %). Then restart the service with sudo systemctl restart snortd and check the log again; a reboot is not needed.
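The vi substitution above is fine once, but it silently accepts a typo in the new interface name and leaves you with the same "No such device" failure. The script below is an example added here, not code from the original page or from the Snort project: it performs the same eth0 replacement but first checks that the target interface exists under /sys/class/net and that both names contain only characters Linux allows in device names. It runs against a constructed fragment of an init script in a temporary directory and uses lo as the target so it works on any Linux box; on the real system you would pass /etc/init.d/snortd and your NIC name (ens33 in the text above).

```shell
# Added example: switch the snortd init script to an interface that exists.
# Not from the original page. Assumes Linux (/sys/class/net lists the
# interfaces) and a POSIX shell with sed; the init-script fragment below is
# constructed for the demo and is not the real /etc/init.d/snortd.

# write_sample_snortd FILE: constructed stand-in with the interface name
# hard-coded as eth0, mirroring the failure described in the text.
write_sample_snortd() {
    cat > "$1" <<'EOF'
#!/bin/sh
# snortd - start/stop the Snort IDS daemon (constructed fragment)
INTERFACE=eth0
PID_FILE=/var/run/snort_eth0.pid
daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
EOF
}

# iface_exists NAME: true when the kernel knows an interface by that name.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# valid_iface_name NAME: only characters Linux allows in a device name, so
# the name is safe to splice into a sed expression (no '/', no ';', no spaces).
valid_iface_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# set_snortd_interface SCRIPT OLD NEW: replace every OLD with NEW in SCRIPT,
# refusing to touch the file unless NEW exists. Keeps the script's mode bits
# (the init script must stay executable) and prints the number of lines changed.
set_snortd_interface() {
    script="$1"; old="$2"; new="$3"
    valid_iface_name "$old" && valid_iface_name "$new" ||
        { echo "bad interface name" >&2; return 1; }
    iface_exists "$new" || { echo "no such interface: $new" >&2; return 1; }
    changed=$(grep -c "$old" "$script" || true)
    cp -p "$script" "$script.tmp" &&
        sed "s/$old/$new/g" "$script" > "$script.tmp" &&
        mv "$script.tmp" "$script"
    echo "$changed"
}

# Demo: lo exists on every Linux system, so the check passes here; on the
# real host use your NIC, e.g. set_snortd_interface /etc/init.d/snortd eth0 ens33
demo_dir=$(mktemp -d)
write_sample_snortd "$demo_dir/snortd"
n=$(set_snortd_interface "$demo_dir/snortd" eth0 lo)
echo "changed $n line(s):"
grep -n '=' "$demo_dir/snortd"
rm -rf "$demo_dir"
```

After editing the real script, sudo systemctl restart snortd is enough for the change to take effect; systemd runs the init script afresh on every start, so no reboot is required.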

 

Logging

When Snort logs packets in text mode, it creates a directory per host under /var/log/snort for the log files.

To change the default log location, for example to /snortlog, add this line to snort.conf:

config logdir: /snortlog

The -l command-line option does the same when starting Snort.

Snort can log in several formats, including text, binary (pcap) and database output.

Text

The following command logs all packets Snort sees to /var/log/snort in ASCII form in addition to printing them on the console (-d dumps the application layer, -e the link-layer headers, -v enables verbose console output):

snort -dev -l /var/log/snort

On high-speed networks, writing ASCII logs into many separate files causes high overhead, so prefer binary logging there.

Binary

In binary mode Snort writes every packet to a single file in raw pcap (tcpdump) format. A typical command:

snort -l /tmp -b

Reading the binary data:

The -r switch tells Snort to read packets from a file instead of an interface. The file name carries the capture start time (epoch seconds) as a suffix; the following command displays the captured data from snort.log.1037840339:

snort -dev -r /tmp/snort.log.1037840339 | more

A BPF filter at the end of the command line limits what is shown, for example only TCP traffic:

snort -dev -r /tmp/snort.log.1037840339 tcp

Because the file is a standard pcap capture, tcpdump can read it with its own -r switch:

tcpdump -r /tmp/snort.log.1037840514
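Both the tcpdump.log file from the output plugin above and the snort.log files from -b are plain libpcap captures, while text-mode logs and rule files are ASCII, and snort -r or tcpdump -r on the wrong kind of file just produces an error. The script below is an example added here, not code from the original page or from the Snort project: it classifies a log file by its first four bytes (the pcap magic number) and recovers the epoch timestamp from the file-name suffix that Snort appends. The sample files it inspects are constructed in a temporary directory (a bare 24-byte pcap header and a one-line rule file), not real captures; the timestamp 1037840339 is the one used in the text above.

```shell
# Added example: check what kind of file a Snort log is before reading it,
# and recover the capture start time from the file name. Not from the
# original page. Assumes a POSIX shell with od and printf; the sample
# files are constructed here, not real captures.

# snort_log_kind FILE: classify by the first four bytes. Binary logs from
# "snort -b" and "output log_tcpdump" are libpcap files, so they start with
# the pcap magic number; anything else is treated as a text log.
snort_log_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap-le ;;             # little-endian, microsecond timestamps
        a1b2c3d4) echo pcap-be ;;             # big-endian
        4d3cb2a1|a1b23c4d) echo pcap-ns ;;    # nanosecond-timestamp variant
        0a0d0d0a) echo pcapng ;;              # pcapng, not what Snort 2.9 writes
        *) echo text ;;
    esac
}

# snort_log_time PATH: Snort appends the epoch second at which the file was
# opened, as in snort.log.1037840339; print it, or fail when there is none.
# Convert it with "date -u -d @<epoch>" on GNU systems.
snort_log_time() {
    name=${1##*/}
    ts=${name##*.}
    case "$ts" in
        ''|*[!0-9]*) echo "no epoch suffix in $1" >&2; return 1 ;;
    esac
    echo "$ts"
}

# write_sample_pcap FILE: constructed 24-byte pcap global header (little-endian
# magic, version 2.4, snaplen 65535, link type 1 = Ethernet) with no packets.
write_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Demo over one binary log and one text file.
demo_dir=$(mktemp -d)
write_sample_pcap "$demo_dir/snort.log.1037840339"
printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001;)\n' > "$demo_dir/local.rules"
for f in "$demo_dir/snort.log.1037840339" "$demo_dir/local.rules"; do
    echo "$(snort_log_kind "$f")  ${f##*/}  $(snort_log_time "$f" 2>/dev/null || echo -)"
done
rm -rf "$demo_dir"
```

Checking the magic number first is also a cheap sanity test when a log directory has been tampered with or a rotation script has mixed text and binary files: anything under /var/log/snort that claims to be snort.log.<epoch> but does not start with the pcap magic deserves a closer look before it is fed to a parser.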

Reference

https://snort.org/documents