Installation
As of this writing, the latest version is 2.9.11.1, so I will use that version as the example. You can find the current instructions on the following page: https://snort.org
Option 1. Install from package
yum install https://snort.org/downloads/snort/daq-2.0.6-1.f21.x86_64.rpm
yum install https://snort.org/downloads/snort/snort-2.9.11.1-1.f25.x86_64.rpm
Option 2. Install from source
Dependencies:
sudo yum install -y zlib-devel libpcap-devel pcre-devel libdnet-devel
Install DAQ first, then install snort.
wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://snort.org/downloads/snort/snort-2.9.11.1.tar.gz
tar xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
cd ..
tar xvzf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire && make && sudo make install
Run as a service:
If you wish to run Snort on CentOS as a service in the background, you should download a startup script from the Snort documentation. Use the following commands to get and install a startup script for your system.
wget https://www.snort.org/documents/snort-startup-script-for-centos -O ~/snortd
sudo chmod 755 ~/snortd && sudo mv ~/snortd /etc/init.d/
Configuring Snort to run in NIDS mode
Start by updating the shared library cache with the command below.
sudo ldconfig
Snort on CentOS is installed as /usr/local/bin/snort; it is good practice to create a symbolic link at /usr/sbin/snort.
If you installed Snort with yum you can skip this command.
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Setting up username and folder structure
To run Snort on CentOS safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Then create the folder structure to house the Snort configuration, just copy over the commands below. If you installed Snort using yum these directories should have already been added at install, but check to make sure.
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
Set the permissions for the new directories accordingly.
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create empty files for the whitelist, the blacklist and the local rules.
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
Then if you installed Snort from the source code, copy over the configuration files from the download folder. Skip this if you installed Snort with yum.
sudo cp ~/snort_src/snort-2.9.11.1/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.11.1/etc/*.map /etc/snort
How to install Snort on CentOS:
https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/136/original/Snort_3_on_CentOS_7.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20180829%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180829T033449Z&X-Amz-Expires=172800&X-Amz-SignedHeaders=host&X-Amz-Signature=7e73a8dadb08b4226051a37f5413c94695f4e93f4170b82b19ebed6a243feed0
or
http://frankfu.click/files/snort/Snort_3_on_CentOS_7.pdf
Rules
Snort provides three tiers of rule sets, community, registered and subscriber rules.
- Community rules are freely available though slightly limited.
- By registering for free on their website you get access to your Oink code, which lets you download the registered user rule sets.
- Lastly, subscriber rules are just that, available to users with an active subscription to Snort services.
Option 1. Using community rules
If you just want to quickly test out Snort, grab the community rules using wget with the command below.
wget https://www.snort.org/rules/community -O ~/community.tar.gz
Extract the rules and copy them to your configuration folder.
sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules
By default, Snort on CentOS expects to find a number of different rule files which are not included in the community rules. Comment out the unnecessary lines using the next command.
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
Option 2. Obtaining registered user rules
You can also take a moment and register on the Snort website. Registering gives you an Oink code, which you use to download the registered user rules. You can find the code in your Snort user account details.
Replace <oinkcode> in the following command with your personal code. The URL is quoted so that the shell does not treat the angle brackets or the ? as special characters.
wget "https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<oinkcode>" -O ~/registered.tar.gz
Once downloaded, extract the rules and copy them over to your configuration directory.
sudo tar -xvf ~/registered.tar.gz -C /etc/snort
The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf file.
Configuring the network and rule sets
With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file for editing with the following command.
sudo vi /etc/snort/snort.conf
Find these sections shown below in the configuration file and change the parameters to reflect the examples here.
# Setup the network addresses you are protecting
ipvar HOME_NET <server public IP>/32
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
In the same snort.conf file, scroll down to section 6 and set the pcap output to log under the filename tcpdump.log, as below.
# pcap output
log_tcpdump: tcpdump.log
Read that log with one of the commands below:
sudo snort -r /var/log/snort/tcpdump.log.[timestamp]
sudo tcpdump -r /var/log/snort/tcpdump.log.[timestamp]
Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules to allow Snort to load any custom rules.
include $RULE_PATH/local.rules
If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules line.
include $RULE_PATH/community.rules
To add more rules, simply add more include lines below it.
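The snort.conf edits above (HOME_NET, commenting out the bundled include lines, then re-enabling local.rules and community.rules) applied by script, as an added example that is not from the original page or the Snort project. It works on a constructed stand-in for the relevant snort.conf lines and then checks that every rule file still included actually exists under the rules directory, which is the usual reason Snort refuses to start after switching rule sets; it assumes GNU sed.

```shell
#!/bin/sh
# Added example: apply the snort.conf edits from this section with sed, then verify
# that every rule file Snort will still include is present. Assumes GNU sed.

# write_sample_conf FILE: constructed stand-in for the relevant snort.conf lines.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/exploit-kit.rules
EOF
}

# configure_snort_conf CONF HOME_NET RULE_DIR: set the network variables, comment
# out every bundled include, then re-enable local.rules and community.rules only.
# Safe to run more than once.
configure_snort_conf() {
    conf=$1; home=$2; rules=$3
    sed -i \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home|" \
        -e "s|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !\$HOME_NET|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rules|" \
        -e 's/^include \$RULE_PATH/#include $RULE_PATH/' \
        -e 's/^#include \$RULE_PATH\/\(local\|community\)\.rules/include $RULE_PATH\/\1.rules/' \
        "$conf"
    # Community rules ship as community.rules; add its include after local.rules if absent.
    grep -q '^include $RULE_PATH/community.rules' "$conf" ||
        sed -i '/^include \$RULE_PATH\/local.rules/a include $RULE_PATH/community.rules' "$conf"
}

# check_rule_includes CONF RULE_DIR: report each active include whose file is
# missing from RULE_DIR; returns 1 if any is missing (run before "snort -T").
check_rule_includes() {
    conf=$1; dir=$2; missing=0
    for f in $(sed -n 's/^include \$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$conf"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing rule file: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Point configure_snort_conf at a copy of /etc/snort/snort.conf first and diff the result before replacing the real file.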
Using a different NIC for the snort service (snortd)
https://www.linuxquestions.org/questions/linux-software-2/change-interface-listen-on-snort-877108/
The snortd script listens on the interface named eth0 by default; however, your Linux machine may use another name, such as ens33 in my case.
If so, starting the service fails with an error like the one below:
Aug 27 19:44:31 localhost snort[5634]: pcap DAQ configured to passive.
Aug 27 19:44:31 localhost snort[5634]: Acquiring network traffic from "eth0".
Aug 27 19:44:31 localhost snort[5634]: Initializing daemon mode
Aug 27 19:44:31 localhost snort[5635]: Daemon initialized, signaled parent pid: 5634
Aug 27 19:44:31 localhost snort[5635]: Reload thread starting…
Aug 27 19:44:31 localhost snort[5635]: Reload thread started, thread 0x7f4ffe319700 (5636)
Aug 27 19:44:31 localhost systemd: PID file /var/run/snort_eth0.pid not readable (yet?) after start.
Aug 27 19:44:31 localhost snortd: [ OK ]#015[ OK ]
Aug 27 19:44:31 localhost snort[5635]: FATAL ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!
The immediate error is "Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!"
But if you read the messages above it, the root cause is that Snort is trying to listen on the network interface eth0, which does not exist on my system.
This issue does not happen if you run the snort command directly, such as:
sudo snort -A console -i ens33 -u snort -g snort -c /etc/snort/snort.conf
But it does happen if you start the service with sudo systemctl start snortd.
The solution is to replace every eth0 with ens33 (in my case):
sudo vi /etc/init.d/snortd
In vi, enter command mode by typing :, then type
1,$ s/eth0/ens33/g
and press Enter, which replaces every eth0 with ens33 for me.
Then restart Linux and try again.
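A pre-flight check for this failure, as an added example that is not from the original page or the Snort project: it reads the interface name the init script will pass to snort, confirms that the device exists, and only then applies the same eth0 to ens33 substitution. It assumes the script names the interface literally, either as INTERFACE=<name> or as a -i <name> argument, and that Linux lists interfaces under /sys/class/net (SYSFS_NET overrides that path).

```shell
#!/bin/sh
# Added example: check the interface named in /etc/init.d/snortd before starting
# the service, so the "SIOCGIFHWADDR: No such device" failure is caught up front.
# Assumptions: the script names the device literally (INTERFACE=<name> or -i <name>),
# and Linux exposes interfaces under /sys/class/net (override with SYSFS_NET).

# iface_exists NAME: true if a network interface called NAME is present.
iface_exists() {
    [ -n "$1" ] && [ -e "${SYSFS_NET:-/sys/class/net}/$1" ]
}

# snortd_iface FILE: print the interface FILE will hand to snort (first match).
snortd_iface() {
    sed -n -e 's/^[[:space:]]*INTERFACE=\([^[:space:]]*\).*/\1/p' \
           -e 's/.*-i[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# check_snortd FILE: pre-flight check for "systemctl start snortd". Fails with a
# message naming the missing device and the devices that do exist.
check_snortd() {
    want=$(snortd_iface "$1")
    if iface_exists "$want"; then
        echo "snortd will listen on $want"
        return 0
    fi
    echo "snortd is set to '$want' but this host has:" \
         $(ls "${SYSFS_NET:-/sys/class/net}") >&2
    return 1
}

# fix_snortd_iface FILE OLD NEW: the page's ":1,$ s/eth0/ens33/g" done with sed,
# but refused unless NEW really exists. Prints the number of lines changed.
fix_snortd_iface() {
    file=$1; old=$2; new=$3
    if ! iface_exists "$new"; then
        echo "interface '$new' not found, leaving $file untouched" >&2
        return 1
    fi
    changed=$(grep -c "$old" "$file" || true)
    sed -i "s/$old/$new/g" "$file"
    echo "$changed"
}
```

Run check_snortd /etc/init.d/snortd before each service start; fix_snortd_iface needs root to edit the init script and only touches it when the target device exists.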
Logging
When Snort is logging data from different hosts, it can create a directory for each host under /var/log/snort for the log files.
For example, to modify the default location of log files to /snortlog, use the following line in snort.conf file:
config logdir: /snortlog
You can also change the location of log files using the -l command line option when starting Snort.
There are several ways to log the data, including text, binary, and database.
Text
The following command logs all Snort data in /var/log/snort directory in addition to displaying it on the console.
snort -dev -l /var/log/snort
On high-speed networks, logging data in ASCII format in many different files may cause high overhead.
Binary
In binary mode, Snort logs all data to a single file in raw binary form. A typical command for this type of log is:
snort -l /tmp -b
View the binary data:
The -r command line switch is used to specify a file name to read with Snort. The following command will display the captured data from the file snort.log.1037840339.
snort -dev -r /tmp/snort.log.1037840339 | more
You can display a particular type of data from the log file. The following command displays all TCP type data from the log file:
snort -dev -r /tmp/snort.log.1037840339 tcp
You can also use the tcpdump program to read these files with its -r switch.
tcpdump -r /tmp/snort.log.1037840514
Reference
https://snort.org/documents