Today we’re going to go through the steps necessary to get Snort up and running on a 64-bit CentOS 6 box, dumping its alerts to MySQL.
Begin by installing CentOS 6. Installing no more than you need to is a good security practice, and also helps performance. With that in mind, try to keep the number of packages you include down to a minimum. This can be done simply by choosing the ‘Minimal’ install from the choices CentOS gives you. However, this will leave you without a desktop environment, meaning command-line only. If you feel more comfortable in a graphical environment, make sure you include the appropriate packages during installation.
After this is completed, the system will reboot and you’ll be presented with a login. Enter your credentials and we can begin working on Snort’s dependencies. Personally, I had to run the following commands to begin networking upon logging in:
(replace eth0 with your adapter)
ifconfig eth0 up
dhclient eth0
Part I: Package installation
Let’s get our main packages installed. This will grab them from the CentOS 6 Base repository, along with their respective dependencies.
yum install gcc gcc-c++ make libpcap libpcap-devel pcre-devel bison flex zlib zlib-devel mysql-server mysql-devel
Next we need libdnet, which isn’t available through the default CentOS repos. Let’s download it and compile from source.
Download the source code from: http://libdnet.sourceforge.net/
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
make install
…and we’re done!
Finally, we need DAQ, which you can get from the Snort website. Download and compile it the same way as libdnet.
This should complete without any errors. In this version of CentOS the MySQL libraries are placed in an unusual location, so when configuring Snort itself we need to tell it where they are. After it’s done configuring, run:
make
make install
Part II: Setting up users/directories
Next let’s move these Snort files into the proper directories and create a user for Snort. The following commands make a directory to hold the Snort config and rulesets, and another directory to hold Snort logs.
adduser snort
passwd -l snort
mkdir -p /etc/snort/rules /var/log/snort
chown -R root.snort /var/log/snort
chmod -R 770 /var/log/snort
After these commands, copy everything from the etc folder of the Snort source directory you compiled in into /etc/snort. The file snort.conf will be in this directory.
Part III: MySQL Setup
Great! Now let’s handle the MySQL side of things. Nothing is configured yet, so we need to set MySQL up a bit.
First, start MySQL with the command:
Then, set a password for the root MySQL account:
mysqladmin -u root password NEWPASSWORD
Log into MySQL with the following command (it will prompt you for the password you just set):
mysql -u root -p
This will bring you into the MySQL console. Next let’s do our Snort-related changes.
mysql> create database snort;
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
mysql> exit;
Back at the standard command-line, let’s import our Snort database structure…
mysql -D snort -u snort -p < /snort/download/location/schemas/create_mysql
Part IV: Snort Configuration
MySQL should be all done at this point. Next we need to change our snort config file at /etc/snort/snort.conf. Change the following values:
- “ipvar HOME_NET any” to “ipvar HOME_NET 192.168.1.0/24”, reflecting your organization’s subnet and mask.
- “ipvar EXTERNAL_NET any” to “ipvar EXTERNAL_NET !$HOME_NET”, so that the external network is anything other than our internal subnet.
- Optional: Explicitly define your rules location by modifying the line “var RULE_PATH”
- Uncomment the appropriate output line and modify it to read: output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
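Before starting Snort it’s worth confirming those four edits actually landed, since a HOME_NET left at “any” or an output line still commented out fails silently. The script below is an added check that is not part of the original write-up; it only assumes the directive spellings shown above (ipvar HOME_NET, ipvar EXTERNAL_NET, “output database: log, mysql, …”) and the two sample snort.conf fragments it writes are constructed for the example. One caveat: the built-in database output plugin was removed in Snort 2.9.3, so this line only exists on the older 2.9 releases this walkthrough assumes; later versions log to MySQL via barnyard2 instead.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the snort.conf edits
# from Part IV before starting Snort. Assumes only the directive spellings shown
# above (ipvar HOME_NET, ipvar EXTERNAL_NET, "output database: log, mysql, ...").

# check_snort_conf FILE: return 0 if FILE carries the Part IV edits, 1 otherwise.
# Every finding is printed so you can fix them in one pass.
check_snort_conf() {
    conf="$1"
    rc=0

    # HOME_NET must not be the shipped default "any", and must exist at all.
    if grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "FAIL: HOME_NET is still 'any'; set it to your subnet"
        rc=1
    elif ! grep -Eq '^ipvar[[:space:]]+HOME_NET[[:space:]]+' "$conf"; then
        echo "FAIL: no ipvar HOME_NET line found"
        rc=1
    fi

    # EXTERNAL_NET should be everything that is not HOME_NET.
    if ! grep -Eq '^ipvar[[:space:]]+EXTERNAL_NET[[:space:]]+!\$HOME_NET[[:space:]]*$' "$conf"; then
        echo "FAIL: EXTERNAL_NET is not '!\$HOME_NET'"
        rc=1
    fi

    # The MySQL output line must be present and uncommented (a leading '#'
    # fails the anchored match).
    if ! grep -Eq '^output[[:space:]]+database:[[:space:]]*log,[[:space:]]*mysql,' "$conf"; then
        echo "FAIL: 'output database: log, mysql, ...' line is missing or still commented out"
        rc=1
    fi

    # Not a hard failure, but flag the walkthrough's example password if it was left in.
    if grep -Eq '^output[[:space:]]+database:.*password=snort_password([[:space:]]|$)' "$conf"; then
        echo "WARN: database password is still the example value 'snort_password'"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf has the Part IV edits"
    fi
    return "$rc"
}

# write_sample_confs DIR: write two constructed snort.conf fragments (made up for
# this example) into DIR: one as shipped, one with the Part IV edits applied.
write_sample_confs() {
    cat > "$1/snort.conf.default" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
EOF
    cat > "$1/snort.conf.edited" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
EOF
}

# Stand-alone run: the default fragment fails, the edited one passes (with a
# password warning). On a real box: check_snort_conf /etc/snort/snort.conf
tmp=$(mktemp -d)
write_sample_confs "$tmp"
check_snort_conf "$tmp/snort.conf.default"
check_snort_conf "$tmp/snort.conf.edited"
rm -rf "$tmp"
```

Run it against /etc/snort/snort.conf once you have made the edits; the patterns are anchored at the start of the line, so a commented-out directive is treated as absent rather than as configured.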
Part V: Installing Rules
Snort needs rules to identify potentially malicious traffic. These are patterns which, if Snort detects them on the network, will generate an alert. Rules can be found from a variety of sources on the internet, or you can write your own. A good starting point is the official Snort rulesets, available on their website at http://snort.org. You need to make an account in order to download them.
Installing rules is very easy. Simply download them from your preferred location, then copy everything with a .rules extension into your /etc/snort/rules directory. You then need to configure /etc/snort/snort.conf to include these rules. Scroll to the bottom of the config file to find this section.
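A rules file that is copied into /etc/snort/rules but never included from snort.conf is loaded by nothing and generates no alerts, and that is easy to miss when you drop in a large ruleset. The script below is an added helper that is not part of the original post: it lists every .rules file in a directory that snort.conf does not actively include (a commented-out include does not count) and prints the include lines you would need to append. It assumes the “include $RULE_PATH/<file>” form used at the bottom of snort.conf; the sample rules files and config tail it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: after copying *.rules into your
# rules directory, report every rules file that snort.conf does not include.
# Assumes the "include $RULE_PATH/<file>" form that snort.conf uses at the
# bottom (the only assumption beyond what the post shows).

# missing_rule_includes CONF DIR: print an "include $RULE_PATH/<file>" line for
# each DIR/*.rules that CONF does not already include (commented-out includes
# do not count); return 0 when nothing is missing, 1 otherwise.
missing_rule_includes() {
    conf="$1"
    dir="$2"
    missing=0
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue                         # no .rules files at all
        name=$(basename "$f")
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')   # make the dots literal for grep -E
        # An active include: optional leading space, "include", any path prefix, the file name.
        if ! grep -Eq "^[[:space:]]*include[[:space:]]+([^[:space:]]*/)?$esc[[:space:]]*$" "$conf"; then
            echo "include \$RULE_PATH/$name"
            missing=1
        fi
    done
    return "$missing"
}

# write_rule_samples DIR: constructed sample data for this example: three rules
# files and a snort.conf tail that includes only one of them (the dns include
# is commented out, so it must be reported too).
write_rule_samples() {
    mkdir -p "$1/rules"
    for r in local web-attacks dns; do
        echo "# placeholder $r rules (constructed for this example)" > "$1/rules/$r.rules"
    done
    cat > "$1/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
# include $RULE_PATH/dns.rules
EOF
}

# Stand-alone run. On a real box:
#   missing_rule_includes /etc/snort/snort.conf /etc/snort/rules
# and, once you have reviewed the output, append it to snort.conf.
tmp=$(mktemp -d)
write_rule_samples "$tmp"
missing_rule_includes "$tmp/snort.conf" "$tmp/rules"
rm -rf "$tmp"
```

Review the printed lines before appending them: not every downloaded ruleset is appropriate for every sensor, and deliberately excluded files will show up here too.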