Snort on 64-bit CentOS 6

Today we’re going to go through the steps necessary to get Snort up and running on a 64-bit CentOS 6 box, dumping its alerts to MySQL.

Begin by installing CentOS 6. Installing no more than you need to is a good security practice, and also helps performance. With that in mind, try to keep the number of packages you include down to a minimum. This can be done simply by choosing the ‘Minimal’ install from the choices CentOS gives you. However, this will leave you without a desktop environment, meaning command-line only. If you feel more comfortable in a graphical environment, make sure you include the appropriate packages during installation.

After this is completed, the system will reboot and you’ll be presented with a login. Enter your credentials and we can begin working on Snort’s dependencies. Personally, I had to run the following commands to begin networking upon logging in:

(replace eth0 with your adapter)

ifconfig eth0 up

dhclient eth0

Part I: Package installation

Let’s get our main packages installed. This will grab them from the CentOS6 Base repository, along with their respective dependencies.

yum install gcc gcc-c++ make libpcap libpcap-devel pcre-devel bison flex zlib zlib-devel mysql-server mysql-devel

Next we need libdnet, which isn’t available through the default CentOS repos. Let’s download it and compile from source.

Download the sourcecode from: http://libdnet.sourceforge.net/

tar zxvf libdnet-1.12.tgz

cd libdnet-1.12

./configure

make

make install

and we’re done!

Finally, we need DAQ, which you can get from the snort website. Download and compile it the same way as libdnet.

./configure --with-mysql-libraries=/usr/lib64/mysql

This should complete without any errors. In this version of CentOS the MySQL libraries are placed in an unusual location, so we need to tell configure where they are. After it’s done configuring,

make

make install
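As an added preflight check (my example, not from the original post): before running ./configure, confirm that the MySQL client library and headers really are where the flag will point, because a wrong library path is the usual reason the configure step fails on this CentOS release. The candidate directories given in the usage line are assumptions for a 64-bit CentOS 6 box; adjust them for your own system.

```shell
#!/bin/sh
# Added example, not from the original post: locate the MySQL client library
# and headers before ./configure so --with-mysql-libraries points somewhere real.

# mysql_libdir DIR... : prints the first DIR holding libmysqlclient.so*, else returns 1.
mysql_libdir() {
    for dir in "$@"; do
        for lib in "$dir"/libmysqlclient.so*; do
            if [ -e "$lib" ]; then
                echo "$dir"
                return 0
            fi
        done
    done
    return 1
}

# mysql_incdir DIR... : prints the first DIR holding mysql.h (from mysql-devel), else returns 1.
mysql_incdir() {
    for dir in "$@"; do
        if [ -f "$dir/mysql.h" ]; then
            echo "$dir"
            return 0
        fi
    done
    return 1
}

# mysql_configure_flags "LIBDIR LIBDIR..." "INCDIR INCDIR..."
# Prints the configure flag to use, or fails naming what is missing.
# Directory lists are space-separated, so paths must not contain spaces.
mysql_configure_flags() {
    libdir=$(mysql_libdir $1) || {
        echo "libmysqlclient.so not found in: $1 (is mysql-devel installed?)" >&2
        return 1
    }
    mysql_incdir $2 >/dev/null || {
        echo "mysql.h not found in: $2 (is mysql-devel installed?)" >&2
        return 1
    }
    echo "--with-mysql-libraries=$libdir"
}

# Usage from the unpacked source tree (assumed CentOS 6 locations):
#   ./configure $(mysql_configure_flags "/usr/lib64/mysql /usr/lib/mysql" "/usr/include/mysql") || exit 1
```

If the function fails, install or check mysql-devel before retrying configure; the flag alone does not help when the library or headers are absent.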

Part II: Setting up users/directories

Next let’s move these snort files into the proper directory and make a user associated with Snort. The following commands will make a directory to hold the snort config and rulesets, and another directory to hold Snort logs.

adduser snort

passwd -l snort

mkdir -p /etc/snort/rules /var/log/snort

chown -R root:snort /var/log/snort

chmod -R 770 /var/log/snort

After these commands, copy everything from the etc folder of the Snort source tree you compiled from into /etc/snort. The file snort.conf will be in this directory.

Part III: MySQL Setup

Great! Now let’s handle the MySQL side of things. Nothing will be configured at this point so we need to set up MySQL a bit.

First, start MySQL with the command:

/etc/init.d/mysqld start

Then, set a password for the MySQL root account.

mysqladmin -u root password NEWPASSWORD

Log into MySQL with the following (it will now ask you for your password):

mysql -u root -p

This will bring you into the MySQL console. Next let’s do our Snort-related changes.

mysql> create database snort;

mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';

mysql> exit;

Back at the standard command-line, let’s import our Snort database structure…

mysql -D snort -u snort -p < /snort/download/location/schemas/create_mysql

Part IV: Snort Configuration

MySQL should be all done at this point. Next we need to change our snort config file at /etc/snort/snort.conf. Change the following values:

      1. Change “ipvar HOME_NET any” to “ipvar HOME_NET 192.168.1.0/24”, reflecting your organization’s subnet and mask.
      2. Change “ipvar EXTERNAL_NET any” to “ipvar EXTERNAL_NET !$HOME_NET”, to say that the external network is anything other than our internal subnet.
      3. Optional: Explicitly define your rules location by modifying the line “var RULE_PATH”.
      4. Uncomment the appropriate line and modify it to say the following: “output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost”

Part V: Installing Rules

Snort needs rules to identify potentially malicious traffic. These are patterns which, if Snort detects them on the network, will create an alert. Rules can be found from a variety of sources on the internet, or you can write your own. A good starting point is the official Snort rulesets, available on their website at http://snort.org. You need to make an account in order to download them.

Installing rules is very easy. Simply download them from your preferred location, then copy everything with a .rules extension into your /etc/snort/rules directory. You then need to configure /etc/snort/snort.conf to include these rules. Scroll to the bottom of the config file to find this section.
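The Part IV edits and the Part V rule installation, done as an added shell example rather than by hand (my example, not from the original post): it rewrites the three snort.conf values, copies every .rules file into the rules directory, and appends an include line for each one only when it is not already present, so re-running it does not duplicate includes. The snort.conf excerpt and the sample rule are constructed for the example; every path is a parameter, so nothing here touches /etc/snort until you point it there.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits from
# Part IV and install rules as in Part V, against paths passed as arguments.

# configure_snort CONF HOME_NET DB_PASSWORD
# Sets HOME_NET, EXTERNAL_NET and enables the MySQL output line in CONF.
# DB_PASSWORD must not contain '|', '&' or '\' (they are special to sed).
configure_snort() {
    conf=$1; home_net=$2; db_pass=$3
    tmp="$conf.tmp"
    sed \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
        -e "s|^#* *output database: log, mysql.*|output database: log, mysql, user=snort password=$db_pass dbname=snort host=localhost|" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# install_rules SRC_DIR RULES_DIR CONF
# Copies SRC_DIR/*.rules into RULES_DIR and appends one include line per file
# to CONF unless that exact line is already there. Prints the number of files.
install_rules() {
    src=$1; dest=$2; conf=$3
    mkdir -p "$dest"
    count=0
    for f in "$src"/*.rules; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp "$f" "$dest/$name"
        line="include \$RULE_PATH/$name"
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
        count=$((count + 1))
    done
    echo "$count"
}

# check_snort_conf CONF : returns 1 if HOME_NET is still 'any' or the
# database output line is not enabled, which are the two edits most often missed.
check_snort_conf() {
    conf=$1
    grep -q '^ipvar HOME_NET any$' "$conf" && { echo "HOME_NET still 'any'" >&2; return 1; }
    grep -q '^output database: log, mysql' "$conf" || { echo "database output not enabled" >&2; return 1; }
    return 0
}

# make_sample : builds a constructed snort.conf excerpt and one constructed
# rule file under a temp directory, and prints that directory.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/snort.conf" <<'EOF'
# constructed excerpt of snort.conf for this example, not the real file
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
    mkdir -p "$dir/download/rules"
    echo 'alert tcp any any -> $HOME_NET 22 (msg:"constructed sample rule"; sid:1000001; rev:1;)' \
        > "$dir/download/rules/local.rules"
    echo 'not a rules file' > "$dir/download/rules/README"
    echo "$dir"
}

# Run with the argument "demo" to see the result on the constructed sample.
if [ "${1:-}" = demo ]; then
    d=$(make_sample)
    configure_snort "$d/snort.conf" 192.168.1.0/24 snort_password
    install_rules "$d/download/rules" "$d/rules" "$d/snort.conf" >/dev/null
    check_snort_conf "$d/snort.conf" && cat "$d/snort.conf"
fi
```

On the real box you would call configure_snort with /etc/snort/snort.conf and your subnet, then install_rules with the unpacked download directory, /etc/snort/rules and the same config; check_snort_conf is worth running before the first start, since a HOME_NET of any silently weakens every rule that keys on it.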

4 thoughts on “Snort on 64-bit CentOS 6”

  1. You can also build from the source RPMs on the snort website for both libdaq and snort itself. In order to get past the MySQL lib issue though, you need to export the right environment variable (or patch the ‘configure’ script). I did:

    export MYSQL_LIB_DIR=/usr/lib64/mysql
    rpmbuild -bb SPECS/snort.spec --with mysql

    Still need to install libdnet from source, but this keeps at least two packages in the RPM database for easy cleaning later. 😉

  2. With the release of Snort 2.9, Snort has also become commercial. I remember the days when Snort was so easy to configure. By removing the database feature, Snort has now taken steps into the world just like Nessus did, and there will be another program which will do the same thing as Snort does.
