Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire.
Prerequisite Software
mysql
mysql-bench
mysql-server
mysql-devel
mysqlclient10
php-mysql
httpd
gcc
pcre-devel
php-gd
gd
mod_ssl
glib2-devel
gcc-c++
libpcap-devel
php
php-pear
yum-utils
Assuming you have already installed the latest 64-bit CentOS and configured the important services (Apache, PHP and your MySQL server), make sure your packages are up to date as well by issuing
yum update
Installation of Snort
Download the latest Snort source tarball from Snort's official site at snort.org. As of this writing, the latest version is 2.8.6. You can find it at http://www.snort.org/downloads
wget http://dl.snort.org/snort-current/snort-2.8.6.tar.gz
Go to your favorite root install directory (mine is /usr/local/src) and extract the file
tar zxvf snort-2.8.6.tar.gz
Compile. On a 32-bit OS you will rarely hit errors. On 64-bit it is more painful: you get errors like "libmysqlclient cannot be found", because configure looks for the MySQL libraries in /lib/mysql instead of lib64/mysql. To get around this, pass extra parameters to configure.
cd snort-2.8.6
./configure --with-mysql --enable-dynamicplugin --with-mysql-libraries=/usr/lib64/mysql
make
make install
Create snort user and group
groupadd snort
useradd -g snort snort -s /sbin/nologin
Create the snort directories
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
mkdir /var/log/snort
Copy the files from the etc/ folder of the snort source tree to /etc/snort
cd etc/
cp * /etc/snort
Modify your snort.conf and make these changes, assuming your network is 192.168.1.0/24
var RULE_PATH /etc/snort/rules
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
Uncomment these lines (create them if they are not there):
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Download the snort init script for easy management of the snort service
cd /etc/init.d
wget http://www.freelinuxtutorials.com/freefiles/snort
chmod 755 snort
chkconfig snort on
Installation and Configuration of OinkMaster
Downloading the snort rules from the snort.org website is a little tricky. Even after signing up for an account, you cannot download the rules directly; you get a 403 Forbidden error. There are two ways to get them: pay for a subscription, or use the registered-user release.
Download the OinkMaster source tarball from SourceForge at oinkmaster.sourceforge.net
cd /usr/local/src
wget http://nchc.dl.sourceforge.net/project/oinkmaster/oinkmaster/2.0/oinkmaster-2.0.tar.gz
Extract the file and read the INSTALL file for details
tar zxvf oinkmaster-2.0.tar.gz
cd oinkmaster-2.0
less INSTALL
Copy oinkmaster.pl, oinkmaster.conf and oinkmaster.1 to suitable directories
cp oinkmaster.pl /usr/local/bin
cp oinkmaster.conf /etc
cp oinkmaster.1 /usr/local/man/man1
Edit the oinkmaster configuration and change the setting on the "url = " line. Download the snort rule set that matches your snort version; use snort -V to check it.
[root@localhost oinkmaster-2.0]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006
You will see a line similar to:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
e.g.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/f8ff7c46785aac436c9f596059863b145d285abc/snortrules-snapshot-CURRENT.tar.gz
Save and exit
Assuming your rules directory is /etc/snort/rules, update the rules by executing:
oinkmaster.pl -o /etc/snort/rules
Create a non-root user for the scheduled daily run of oinkmaster
groupadd oink
useradd -g oink oink -s /sbin/nologin
Create the crontab
su - oink
crontab -e
01 4 * * * /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules 2>&1 | mail -s "oinkmaster" darwin@freelinuxtutorials.com
This runs oinkmaster daily at 4:01 AM and emails the result.
You will see an email like this:
Loading /etc/oinkmaster.conf
Loading /etc/autodisable.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-CURRENT.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=8464
Setting up rules structures... done.
Comparing new files to the old ones... done.

[***] Results from Oinkmaster started 20100518 05:33:38 [***]

[*] Rules modifications: [*]
    None.

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.
Set-up database in MySQL
This database stores the Snort events so they are easy to look up, and it is required by the BASE monitoring tool.
mysql -u root -p
mysql> create database snort;
mysql> GRANT CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost IDENTIFIED by 'snortpass';
mysql> exit
Execute the command below to create the tables
mysql -u root -p snort < /usr/local/src/snort-2.8.6/schemas/create_mysql
Install Barnyard
Download and extract barnyard
cd /usr/local/src
wget http://snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
tar zxvf barnyard-0.2.0.tar.gz
Patch and configure for 64-bit. This is another pain, because if you do not patch barnyard you will get an error like "ERROR: Invalid packet length:"
cd barnyard-0.2.0
wget http://www.snort.org/users/jbrvenik/Site/Code_files/barnyard.64bit.diff
patch -p1 < barnyard.64bit.diff
You will see something like this:
[root@localhost barnyard-0.2.0]# patch -p1 < barnyard.64bit.diff
patching file src/barnyard.h
patching file src/event.h
patching file src/input-plugins/dp_alert.h
patching file src/util.c
patching file src/util.h
Edit op_acid_db.c and add the line "mysql->reconnect = 1;" as shown below
cd /usr/local/src/barnyard-0.2.0/src/output-plugins
vi op_acid_db.c
From:
    LogMessage("Lost connection to MySQL server. Reconnecting\n");
    while(mysql_ping(mysql) != 0)
To:
    LogMessage("Lost connection to MySQL server. Reconnecting\n");
    mysql->reconnect = 1;
    while(mysql_ping(mysql) != 0)
Compile
./configure --enable-mysql --with-mysql-libraries=/usr/lib64/mysql
make
make install
Copy barnyard.conf to /etc/snort
cp etc/barnyard.conf /etc/snort
Configure barnyard.conf. Change the following:
from: config interface: fxp0
to:   config interface: eth0
Add these lines if they are not present; the database details must match the ones you configured in MySQL.
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snortpass
output log_acid_db: mysql, database snort, server localhost, user snort, password snortpass, detail full
Create a waldo file for barnyard. Run Snort on the command line and let it go until you see the message "Not Using PCAP_FRAMES"; let it run a few seconds more, then stop it with Ctrl-C.
snort -c /etc/snort/snort.conf
Open another terminal and check /var/log/snort; you will see files like:
-rw-r--r-- 1 root root  400 May 20 15:04 snort.alert.1274330319
-rw-r--r-- 1 root root 7484 May 20 15:04 snort.log.1274330319
Create a file barnyard.waldo and put this line in it:
/var/log/snort snort.log 1274330319 0
Save and exit
We used 1274330319, the 10-digit suffix of snort.log, as the timestamp.
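As an added example (not part of the original tutorial), a small shell function that picks the newest snort.log.<timestamp> in the log directory and writes the waldo line in the format above; the function name make_waldo and the waldo path are my own, and the file layout assumed is the one shown in the listing.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Builds the barnyard waldo file from the newest unified log that Snort wrote.
# Assumes the layout shown above: <logdir>/snort.log.<10-digit timestamp>.
make_waldo() {
    logdir="$1"   # e.g. /var/log/snort
    waldo="$2"    # e.g. /etc/snort/barnyard.waldo (path is an assumption)

    # Newest timestamp suffix among snort.log.<ts> files (numeric sort, so
    # a later timestamp always wins regardless of file mtime).
    latest=$(ls "$logdir"/snort.log.[0-9]* 2>/dev/null \
             | sed 's/.*snort\.log\.//' | sort -n | tail -n 1)

    if [ -z "$latest" ]; then
        echo "no snort.log.<timestamp> found in $logdir; run snort -c first" >&2
        return 1
    fi

    # Waldo format read by barnyard: <spool dir> <file base name> <timestamp> <record offset>
    printf '%s snort.log %s 0\n' "$logdir" "$latest" > "$waldo"
    echo "$latest"
}

# Usage (as root): make_waldo /var/log/snort /etc/snort/barnyard.waldo
```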
Copy the barnyard init script the same way we did for snort.
cd /etc/init.d
wget http://www.freelinuxtutorials.com/freefiles/barnyard
chmod 755 barnyard
chkconfig barnyard on
Start barnyard service
[root@localhost snort]# service barnyard start
Starting Barnyard: Barnyard Version 0.2.0 (Build 32)
31165                                                      [  OK  ]
Install BASE
First install the following PEAR packages, which BASE uses for graphing
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
Download and install ADODB
cd /usr/local/src
wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
cd /var/www/
tar zxvf /usr/local/src/adodb480.tgz
Download and configure BASE
cd /usr/local/src
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.5.tar.gz
cd /var/www/html
tar zxvf /usr/local/src/base-1.3.5.tar.gz
mv base-1.3.5/ base/
Copy base_conf.php.dist to base_conf.php
cd base/
cp base_conf.php.dist base_conf.php
Edit base_conf.php and insert/edit the parameters below:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "password on your snort DB";
Access the sensor on your browser
http://192.168.1.x/base
You should now see the BASE startup banner, click the “setup page” link and follow the instructions.
You can create an .htaccess file to restrict access to the base directory if you want.
Testing Snort
Create a simple rule file under /etc/snort/rules and name it local.rules. Make sure the line below is uncommented in snort.conf so that it is loaded:
include $RULE_PATH/local.rules
Create local.rules and insert this line:
alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001;)
Save and exit. Now restart Snort, open a web browser, and visit any website.
You should see a number of events with SID 1000001, indicating that your Snort is working. Check the alert links and categories to verify your test.
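An added check, not from the tutorial: a shell function (check_local_rules, my own name) that lints a local.rules file before you restart Snort, flagging rules with no sid, sids below the 1,000,000 range reserved for local rules, and duplicate sids. It assumes one rule per line, as in the test rule above.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Lints a local.rules file before Snort is restarted. Assumes one rule per line.
# Reports: rules without a sid, sids below 1000000 (reserved for official
# rules), and sids used twice. Returns non-zero if anything was flagged.
check_local_rules() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }     # skip blanks and comments
        {
            if (match($0, /sid:[[:space:]]*[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4)   # drop the "sid:" prefix
                sub(/^[[:space:]]+/, "", sid)
                if (sid + 0 < 1000000) {
                    print "line " NR ": sid " sid " is below the local range (use >= 1000000)"
                    bad = 1
                }
                if (sid in seen) {
                    print "line " NR ": duplicate sid " sid " (first used on line " seen[sid] ")"
                    bad = 1
                }
                seen[sid] = NR
            } else {
                print "line " NR ": rule has no sid option"
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Usage: check_local_rules /etc/snort/rules/local.rules && service snort restart
```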
WHY I CANNOT CREATE THE GROUPADD SNORT??
try it as a root user
root user???
how? need more explanation
Login as a root or you can also type su then enter, it will ask for root password.
I already did..
[pmint@snort ~]$ su
Password:
[root@snort pmint]# groupadd snort
bash: groupadd: command not found