Friday, February 11, 2011

Install snort on CentOS 5

Download snort

Install the required libraries: libpcap, pcre and libdnet

#yum install libpcap pcre libdnet 

Install snort from source code: 

Extract snort:

#tar xzvf snort-2.8.6.tar.gz 

Move to snort directory:

#cd snort-2.8.6 

Choose the configure options you need; for example, to enable active response (flexresp2), which the test rule at the end of this post uses:

#./configure --enable-flexresp2 
#make 
#make install


Test the snort installation by running it in sniffer mode (-v verbose, -d dump packet payload, -e show link-layer headers): 

#snort -vde 

Configuring snort: 

Copy the snort configuration file (snort.conf) and the other files from the etc directory to /etc/snort (create the directory first with #mkdir /etc/snort if it does not exist)

#cp snort-2.8.6/etc/* /etc/snort 

Edit snort.conf 

#vi /etc/snort/snort.conf 

var HOME_NET 192.168.1.0/24                       # Your network
var RULE_PATH /etc/snort/rules                    # Rules directory
var SO_RULE_PATH /etc/snort/so_rules              # so_rules directory
var PREPROC_RULE_PATH /etc/snort/preproc_rules    # preproc_rules directory
output alert_syslog: LOG_AUTH LOG_ALERT           # log snort with syslog format
include $RULE_PATH/local.rules                    # local rules

Run snort as an IDS with:

#snort -i eth0 -c /etc/snort/snort.conf

More options to make snort work more effectively:

#snort -i eth0 -c /etc/snort/snort.conf -D -A fast -l /var/log/snort 

-D: run snort as a daemon 
-A fast: fast alert mode (one line per alert with timestamp, message, source/destination IP and port) 
-l /var/log/snort: log directory (create it if it does not exist)

Run snort at start-up

Create snort init script:

#vi /etc/init.d/snort 

#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
# See how we were called.
case "$1" in
  start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON -A fast -l /var/log/snort
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
  stop)
        echo -n "Shutting down snort service: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status $BASE
        RETVAL=$?
        ;;
  *)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL

Enable snort at start-up:

#chmod +x /etc/init.d/snort 
#chkconfig --add snort 
#chkconfig --level 345 snort on

Run snort with:

#/etc/init.d/snort start 

Check if snort is running:

#ps -ef | grep snort

If snort fails to start, check /var/log/messages:

#tail -f /var/log/messages 

Create a rule to test snort

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GET"; flow:to_server; content:"|47 45 54|"; resp:reset_both; sid:999001;)

This rule requires snort to be built with the flexresp2 option. It alerts on a TCP packet from outside ($EXTERNAL_NET) to a web server in $HTTP_SERVERS on a port in $HTTP_PORTS whose payload contains the bytes |47 45 54| ("GET"); snort then sends a TCP RST to both peers to tear down the connection and logs an alert with the message "GET". Put the rule in /etc/snort/rules/local.rules, which snort.conf includes above.
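With -A fast, snort writes one line per alert to the alert file in the log directory. The following parser and summary is an added example (not part of the original post or of snort itself); the alert lines are constructed to look like what the GET rule above and a second, hypothetical local rule (sid 1000002) would produce, and the exact spacing of a real alert file may vary between snort versions.

```python
import re
from collections import Counter

# One snort "-A fast" alert line (snort 2.8 style), e.g.
# 02/11-10:15:32.123456  [**] [1:999001:0] GET [**] [Priority: 0] {TCP} 203.0.113.5:51234 -> 192.168.1.10:80
# The "[Classification: ...]" field is only present when the rule has a classtype;
# ports are absent for protocols such as ICMP.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: two hits of the GET rule (sid 999001, no classtype,
# so no Classification field) and one hit of a hypothetical ICMP rule (sid 1000002).
SAMPLE_ALERTS = """\
02/11-10:15:32.123456  [**] [1:999001:0] GET [**] [Priority: 0] {TCP} 203.0.113.5:51234 -> 192.168.1.10:80
02/11-10:15:33.000001  [**] [1:999001:0] GET [**] [Priority: 0] {TCP} 203.0.113.5:51235 -> 192.168.1.10:80
02/11-10:16:01.654321  [**] [1:1000002:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.10
this line is not an alert and must be counted as unparsed
"""

def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields

def summarize(lines):
    """Count alerts per (sid, msg) and per source IP; track lines that did not parse."""
    by_sid, by_src, unparsed = Counter(), Counter(), 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed += 1
            continue
        by_sid[(alert["sid"], alert["msg"])] += 1
        by_src[alert["src"]] += 1
    return {"by_sid": by_sid, "by_src": by_src, "unparsed": unparsed}

if __name__ == "__main__":
    # On a real sensor: summarize(open("/var/log/snort/alert"))
    for (sid, msg), n in summarize(SAMPLE_ALERTS.splitlines())["by_sid"].most_common():
        print(f"sid {sid} ({msg}): {n} alert(s)")
```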
