10/29/2011

Installing Snort 2.9.1.2 on CentOS 5.7

CentOS 5.7 ships an older libpcap (0.9.4), but Snort's Data Acquisition library (DAQ) needs libpcap 1.0.0 or newer. This is not an issue on CentOS 6.0. Vishesh Kumar [1] provides excellent instructions for getting Snort 2.9 to run on RHEL 5 (http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html). The purpose of this post is not to duplicate his efforts but to extend them slightly into instructions for a complete Snort set-up, built from the following components:
  1. libpcap: http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz [3]
  2. daq: http://www.snort.org/downloads/1221 [2]
  3. snort: http://www.snort.org/downloads/1207 [2]
Download and install the libraries and software as per the instructions below:
  1. Enable the Extra Packages for Enterprise Linux (EPEL) repository, which provides packages that are not available in the standard repositories
    1. rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
    2. yum -y update
    3. yum -y upgrade
  2. Install the development tools needed to compile the libraries and source code, plus the additional libraries and header files that are required later on
    1. yum -y groupinstall 'Development Tools'
    2. yum -y install pcre-devel
    3. yum -y install libdnet-devel
    4. yum -y install zlib-devel
    5. yum -y install mysql mysql-server mysql-devel mysql-bench
  3. Download, unpack, compile and install libpcap. Installing with --prefix=/usr puts the 1.1.1 headers and libraries where the DAQ configure script will find them, but it does so on top of the files owned by the stock libpcap RPM, so a later "yum update" of that RPM can put the 0.9.4 headers back; re-run this step if the DAQ or Snort build suddenly complains about libpcap again
    1. wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
    2. tar zxvf libpcap-1.1.1.tar.gz
    3. cd libpcap-1.1.1
    4. ./configure --prefix=/usr
    5. make && make install
  4. Download, unpack, compile and install daq
    1. wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
    2. tar zxvf daq-0.6.2.tar.gz
    3. cd daq-0.6.2
    4. ./configure
    5. make && make install
  5. Download, unpack, compile and install snort
    1. wget http://www.snort.org/downloads/1207 -O snort-2.9.1.2.tar.gz
    2. tar zxvf snort-2.9.1.2.tar.gz
    3. cd snort-2.9.1.2
    4. ./configure --with-mysql
    5. make && make install
  6. Download, compile and install Barnyard2. The tarball is a snapshot of whatever master is at download time, so the directory it unpacks into (firnsy-barnyard2-<commit>) will differ from the one shown; adjust the cd accordingly. --no-check-certificate is presumably there because the old CentOS 5 wget/CA bundle could not validate github's certificate chain, but it also switches off the one check that would stop a tampered tarball from being compiled and run as root: drop the option if your CA bundle is current, and in any case compare the commit in the directory name against the repository before building
    1. wget --no-check-certificate https://github.com/firnsy/barnyard2/tarball/master -O firnsy-barnyard2-405761e.tar.gz
    2. tar zxvf firnsy-barnyard2-405761e.tar.gz
    3. cd firnsy-barnyard2-405761e
    4. ./autogen.sh
    5. ./configure --with-mysql
    6. make && make install
  7. Create the snort database on the MySQL engine. A freshly installed mysql-server is neither running nor protected by a root password, so start it and set one first; the schema file lives in the Barnyard2 source directory, so run these commands from there
    1. /etc/rc.d/init.d/mysqld start
    2. chkconfig mysqld on
    3. mysqladmin -u root password 'ROOTPASSWORD'
    4. mysqladmin -u root -p create snort
    5. mysql -u root -p -D snort < schemas/create_mysql
    6. mysql -u root -p
      1. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
    The "GRANT CREATE,INSERT ON root.* ..." line that older guides include grants rights on a database called root that does not exist; it does nothing useful and is omitted here. The snort account is confined to the snort schema and to localhost, which is all Barnyard2 needs.
  8. To get the current registered-user rules you need a snort.org account and its Oinkcode. The Oinkcode is used to download the rules snapshot (and by PulledPork, should you later automate rule updates). It is a credential: use https for the download URL so that it is not sent in the clear, and keep it out of shared scripts and shell history. The commands below are run inside the etc/ directory of the snort-2.9.1.2 source tree; replace OINKCODE with your own code
    1. Sign in or request an account from https://www.snort.org/login
    2. Get your Oinkcode after signing in from https://www.snort.org/account/oinkcode
    3. cd etc
    4. wget http://www.snort.org/reg-rules/snortrules-snapshot-.tar.gz/OINKCODE -O snortrules-snapshot-LATEST.tar.gz
    5. tar zxvf snortrules-snapshot-LATEST.tar.gz
  9. Set up the configuration and rules files for snort. These commands are still run inside snort-2.9.1.2/etc, where the rules snapshot was unpacked; the snapshot contains etc/, rules/, so_rules/ and preproc_rules/, and its etc/ files (snort.conf, classification.config, reference.config and friends) replace the copies shipped in the source tree
    1. mkdir -p /etc/snort
    2. mv -f etc/* .
    3. rmdir etc/
    4. mv snortrules-snapshot-LATEST.tar.gz ../../
    5. rm -f Makefile Makefile.am Makefile.in
    6. cp -rf * /etc/snort/
  10. Edit the snort configuration. Set HOME_NET to the network(s) you monitor rather than the default 'any', otherwise every rule keyed on $HOME_NET loses its meaning. The three *_PATH variables are relative to the directory holding snort.conf, i.e. /etc/snort, which is why the flat copy in step 9 works. The unified2 line is what Barnyard2 (step 13) consumes: it replaces the direct "output database: log, mysql, ..." plugin of older guides, which makes snort block on every MySQL insert and, if left in alongside Barnyard2, stores every event twice
    1. vi /etc/snort/snort.conf
      1. ipvar HOME_NET
      2. var RULE_PATH rules
      3. var SO_RULE_PATH so_rules
      4. var PREPROC_RULE_PATH preproc_rules
      5. output unified2: filename snort.log, limit 128
      6. output alert_syslog: LOG_LOCAL6 LOG_ALERT
  11. Edit syslog.conf so that alerts go to a separate file, then restart the syslog daemon
    1. Add the line "local6.*        /var/log/snort/alerts.log" to /etc/syslog.conf
    2. /etc/rc.d/init.d/syslog restart
  12. Create the unprivileged user and the log directory snort will run as and write to, then test the configuration. The group has to exist before useradd can refer to it, and "make install" does not create /var/log/snort
    1. groupadd snort
    2. useradd -g snort -s /bin/false snort
    3. mkdir -p /var/log/snort
    4. chown -R root:snort /var/log/snort
    5. chmod -R g+w /var/log/snort
    6. snort -c /etc/snort/snort.conf -T
  13. Configure barnyard2 [4]. Older guides give "chmod 666" for the log directory; that clears the execute bit (so the directory cannot be traversed) and makes it world-writable, so use an owner/group and 770 instead. barnyard2.conf holds the database password, so it should not be world-readable either. The cp is run from the Barnyard2 source directory
    1. mkdir -p /var/log/barnyard2
    2. chown root:snort /var/log/barnyard2
    3. chmod 770 /var/log/barnyard2
    4. touch /var/log/snort/barnyard2.waldo
    5. cp etc/barnyard2.conf /etc/snort/
    6. chown root:snort /etc/snort/barnyard2.conf
    7. chmod 640 /etc/snort/barnyard2.conf
    8. Edit /etc/snort/barnyard2.conf
      1. output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
      2. config hostname:   localhost
      3. config interface:  eth0
  14. You can get snort to start automatically by writing a custom init script to start/stop/restart the daemons, or simply by kicking them off when the machine boots. For the latter, edit /etc/rc.d/rc.local and put in the following (snort drops to the snort user from step 12; barnyard2 is started as root here, which is why the waldo file and log directory created above work as shown)
    1. /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
    2. /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
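Before rebooting, it is worth checking the things that silently break this set-up: the libpcap that actually got installed, the snort.conf lines Barnyard2 depends on, and the permissions on the spool directories. The script below is an added example, not part of the original post or of the Snort project. It assumes the paths used above (/etc/snort/snort.conf, /var/log/snort, /var/log/barnyard2) and that libpcap 1.1.1's "make install" put pcap-config on the PATH; the version comparison is done in awk because the coreutils on CentOS 5 has no "sort -V".

```shell
#!/bin/sh
# Sanity checks for the Snort 2.9.1.2 / Barnyard2 build described in this post.
# Added example (not from the original post or from Snort). Assumed paths:
# /etc/snort/snort.conf, /var/log/snort and /var/log/barnyard2, as used above.

# version_ge A B: succeed when dotted version A >= B (e.g. 1.1.1 >= 1.0.0).
# CentOS 5's coreutils has no 'sort -V', so compare field by field in awk.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_libpcap: the DAQ library needs libpcap >= 1.0.0; CentOS 5.7 ships 0.9.4.
# Assumption: pcap-config (installed by libpcap 1.1.x's make install) is on PATH.
check_libpcap() {
    v=$(pcap-config --version 2>/dev/null)
    if [ -z "$v" ]; then
        echo "FAIL: pcap-config not found; libpcap 1.1.1 is not installed under /usr"
        return 1
    fi
    if version_ge "$v" 1.0.0; then
        echo "OK: libpcap $v"
    else
        echo "FAIL: libpcap $v is older than 1.0.0 (still the stock CentOS 5.7 library?)"
        return 1
    fi
}

# conf_has FILE REGEX: succeed when an uncommented line of FILE matches REGEX.
conf_has() {
    grep -v '^[[:space:]]*#' "$1" | grep -q -- "$2"
}

# check_conf [FILE]: the snort.conf settings this post's Barnyard2 pipeline depends on.
check_conf() {
    conf=${1:-/etc/snort/snort.conf}
    rc=0
    if ! conf_has "$conf" '^ipvar HOME_NET ' || conf_has "$conf" '^ipvar HOME_NET any'; then
        echo "WARN: HOME_NET is unset or 'any'; rules keyed on \$HOME_NET lose their meaning"
        rc=1
    fi
    if ! conf_has "$conf" '^output unified2:'; then
        echo "FAIL: no 'output unified2:' line; barnyard2 reads unified2 spool files, so snort must write them"
        rc=1
    fi
    if conf_has "$conf" '^output database:'; then
        echo "WARN: 'output database:' makes snort block on every MySQL insert; leave the inserts to barnyard2"
        rc=1
    fi
    if ! conf_has "$conf" '^output alert_syslog:'; then
        echo "WARN: no 'output alert_syslog:' line, so nothing will reach /var/log/snort/alerts.log"
        rc=1
    fi
    return $rc
}

# check_logdir [DIR]: the directory must exist ('make install' does not create it)
# and must not be world-writable, or anyone local can plant or truncate spool files.
check_logdir() {
    d=${1:-/var/log/snort}
    if [ ! -d "$d" ]; then
        echo "FAIL: $d does not exist"
        return 1
    fi
    if [ -n "$(find "$d" -maxdepth 0 -perm -002)" ]; then
        echo "FAIL: $d is world-writable"
        return 1
    fi
    echo "OK: $d"
}

# main: run every check; exit status is non-zero if anything needs attention.
main() {
    status=0
    check_libpcap || status=1
    check_conf || status=1
    check_logdir || status=1
    check_logdir /var/log/barnyard2 || status=1
    return $status
}

# Invoke as "sh snort-check.sh run" (hypothetical file name) to run all checks.
if [ "${1:-}" = "run" ]; then main; fi
```

Each check prints a single OK/WARN/FAIL line and the script's exit status tells an init script or cron job whether the sensor is worth starting; check_conf deliberately treats the old "output database:" plugin as a warning because on 2.9.1.2 it still works, it just should not be combined with Barnyard2.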
Common Errors:
  1. ERROR: parser.c(5261) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
    Fatal Error, Quitting..
    1. mkdir -p /usr/local/lib/snort_dynamicrules
    2. cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/
  2. ERROR: /etc/snort/rules/web-misc.rules(555) Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content.
    Fatal Error, Quitting..
    1. The fast_pattern modifier cannot be applied to a content match that is confined to the http_method buffer (or the other buffers named in the error). Edit the web-misc.rules file, search for "2010-0388" and remove the fast_pattern option from that rule.
  3. ERROR: /etc/snort/snort.conf(244) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompress'
    Fatal Error, Quitting..
    1. Edit the /etc/snort/snort.conf file and set the http_inspect compress_depth and decompress_depth to 65535 from 20480.
  4. ERROR: ByteExtract variable 'bugtraq' in rule [3:13897] is used before it is defined
    1. Ensure that the shared-object rules copied above with "cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/" are the ones built for your distribution and architecture.
    2. Ensure that the rules snapshot being used matches the version of snort being used; precompiled .so rules from a different Snort release will not load correctly.
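Once the sensor is up and alerts are landing in /var/log/snort/alerts.log (step 11), the first question is what is firing and from where. The helpers below are an added example, not part of the original post or of Snort. The sample records are constructed to match the shape of Snort's alert_syslog output ("[gid:sid:rev] message [Classification: ...] [Priority: N]: {PROTO} src -> dst"); real lines carry your hostname and pid, and the HOME_NET regex passed to external_sources is an assumption you replace with your own.

```shell
#!/bin/sh
# Triage helpers for the syslog alert file from step 11 (/var/log/snort/alerts.log).
# Added example, not from the original post. The sample records are constructed,
# shaped like Snort's alert_syslog output. IPv4 only: ports are stripped by
# removing a trailing ":digits", which is wrong for bare IPv6 addresses.

# sample_alerts: emit constructed alert lines so the helpers can be tried offline.
sample_alerts() {
    cat <<'EOF'
Oct 29 21:14:02 sensor snort[2451]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.7:1434 -> 192.168.1.20:1434
Oct 29 21:14:03 sensor snort[2451]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 198.51.100.9:1434 -> 192.168.1.21:1434
Oct 29 21:15:10 sensor snort[2451]: [1:1000001:1] ICMP test alert [Classification: Misc activity] [Priority: 3]: {ICMP} 192.168.1.50 -> 192.168.1.1
Oct 29 21:16:44 sensor snort[2451]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 198.51.100.9:1434 -> 192.168.1.20:1434
Oct 29 21:17:01 sensor snort[2451]: [1:1000002:1] Local rule SSH brute force attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 198.51.100.9:51022 -> 192.168.1.20:22
EOF
}

# parse_alerts FILE: one '|'-separated record per alert line:
#   gid:sid:rev|priority|proto|src|dst|message
# Lines that do not match the alert shape (daemon start-up chatter etc.) are dropped.
parse_alerts() {
    sed -n 's/^.*snort\[[0-9]*\]: \[\([0-9:]*\)\] \(.*\) \[Classification: [^]]*\] \[Priority: \([0-9]*\)\]:\{0,1\} {\([A-Za-z0-9]*\)} \([^ ]*\) -> \([^ ]*\)$/\1|\3|\4|\5|\6|\2/p' "$1"
}

# alerts_by_sid FILE: "count|gid:sid:rev|priority|message", busiest signature first.
alerts_by_sid() {
    parse_alerts "$1" |
    awk -F'|' '{ n[$1 "|" $2 "|" $6]++ } END { for (k in n) print n[k] "|" k }' |
    sort -t'|' -k1,1nr
}

# alert_count FILE SID: number of alerts whose signature id (middle of gid:sid:rev) is SID.
alert_count() {
    parse_alerts "$1" | awk -F'|' -v sid="$2" '
        { split($1, id, ":"); if (id[2] == sid) c++ }
        END { print c + 0 }'
}

# external_sources FILE HOME_REGEX: "count|source", for sources not matching HOME_REGEX.
# HOME_REGEX is an awk regex for your HOME_NET, e.g. '^192[.]168[.]1[.]' (assumed here).
external_sources() {
    parse_alerts "$1" |
    awk -F'|' -v home="$2" '
        { s = $4; sub(/:[0-9]+$/, "", s); if (s !~ home) n[s]++ }
        END { for (ip in n) print n[ip] "|" ip }' |
    sort -t'|' -k1,1nr
}

# triage FILE: the two summaries a first look at the alert file needs.
triage() {
    echo "== alerts by signature =="
    alerts_by_sid "$1"
    echo "== external sources (HOME_NET assumed to be 192.168.1.0/24) =="
    external_sources "$1" '^192[.]168[.]1[.]'
}
```

Run "triage /var/log/snort/alerts.log" on the sensor; the counts by signature tell you which rules are noise to tune out, and the external-source list is the starting point for checking against the events Barnyard2 wrote to MySQL.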
Please note:
  1. These instructions are for 32-bit hardware; for 64-bit machines you will need the x86_64 EPEL release package, the 64-bit precompiled so_rules directory, and possibly different compiler switches. These are considered beyond the scope of this post.
  2. All instructions are executed with root privileges.
References:
  1. http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html
  2. http://www.snort.org/snort-downloads
  3. http://www.tcpdump.org/#latest-release
  4. http://www.snort.org/assets/145/Install_Snort_2.8.6_on_CentOS_5.5.pdf
