Installing the SNORT IDS

Snort is an IDS (Intrusion Detection System). It has commercial, registered user and community (free) distributions. The main difference is that the community release gets updates to rules much later than the other options, and the community rules are a subset of the entire rulebase.

The installation files, links to dependencies that must also be installed, snort sample rulesets and documentation are all available at http://snort.org.

This web page is a fast start, almost cut/paste method of installing the community edition of snort onto a Fedora server.

It is not entirely cut/paste as I am not providing wget commands for the downloads referenced from snort.org, because by the time you read this there may be later releases available there that you should be using instead. Also some of the cut/paste commands expect files to be under /home/mark/installs and you will need to customise those.

Assumptions

  1. install files are placed in /home/mark/installs (all the cut/paste commands assume that; the lines you need to change if you use another location are highlighted)
  2. the extra yum installed packages were all I needed across multiple servers. You may need others
  3. you are very comfortable on the unix command line and understand what these steps are doing

SNORT IDS community edition fast install guide

(A) Get the prerequisites

The barnyard2 and daq dependencies are covered in the next section; they are not available in package repos.

yum -y install \
  libpcap libpcap-devel \
  pcre pcre-devel \
  libdnet libdnet-devel \
  zlib zlib-devel \
  bison flex

(B) Get the required source files

These files are either directly available from snort.org or the snort.org site has links to them. It is preferable that you use the links provided from the snort.org site rather than me providing any here; that ensures you get the latest releases.

Download                         Download location
 snort-2.9.6.1.tar.gz            snort.org
 community-rules.tar.gz          snort.org
 barnyard2-1.9.tar.gz            link to it on snort.org
 daq-2.0.2.tar.gz                link to it on snort.org
 snort_manual.pdf                snort.org (optional but recommended; you will need it)

(C) Build and install them

Copy the tarballs to a work directory; I used /home/mark/installs. From within that work directory use the cut/paste commands below.

tar -zxf snort-2.9.6.1.tar.gz
tar -zxf daq-2.0.2.tar.gz
tar -zxf barnyard2-1.9.tar.gz
cd barn*9
./configure
make
make install
cd ../daq*2
./configure
make
make install
cd ../sno*1
./configure      # snort must be configured too; it picks up the daq installed above
make
make install

(D) Create the snort user

groupadd snort -g 1001
useradd -u 1001 -g snort -s /sbin/nologin -d /home/snort -c "snort user" snort

(E) Create and populate required directories and files

Pay special attention to the two highlighted lines; you may need to edit those rather than blindly cut/paste if you put the downloaded files anywhere other than /home/mark/installs.

mkdir /etc/snort
cd /etc/snort
cp -rp /home/mark/installs/snort-2.9.6.1/etc/* .      # <--!! 
tar -zxvf /home/mark/installs/community-rules.tar.gz  # <--!! 
chown -R snort:snort /etc/snort
mkdir /var/log/snort
chown snort:snort /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
chown snort:snort /usr/local/lib/snort_dynamicrules
touch /etc/snort/community-rules/white_list.rules
chown snort:snort /etc/snort/community-rules/white_list.rules
touch /etc/snort/community-rules/black_list.rules
chown snort:snort /etc/snort/community-rules/black_list.rules

(F) Customise the /etc/snort/snort.conf file

There is a fair bit of customisation needed against the supplied /etc/snort/snort.conf file. I would suggest just moving the supplied one aside and downloading the snort.conf file I use; it will just work if you cut/paste the sections above correctly. So download this snort.conf.txt file, move it to /etc/snort/snort.conf and chown it to snort:snort.

By moving the original aside you can do a diff between the supplied one and the one I provide if you are curious about the changes I have made.
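Before moving on to the startup script it is worth confirming that sections (E) and (F) actually produced what the rest of the guide expects. The following is an added example, not part of the original page or of snort: it checks the directories and files those sections create (owner included), and runs snort's own configuration self-test (snort -T) against the config. The ROOT argument is an assumption added here so the check can be run against a staging tree; on a live server leave it empty.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks to run after
# sections (E) and (F), before wiring up the startup script.
# Assumes the paths used on the page. ROOT (assumed argument) is prepended
# to every path so the check can run on a staging tree; OWNER defaults to
# the snort user created in section (D).

# verify_snort_layout [ROOT] [OWNER]
# Prints one line per problem and returns the number of problems found
# (0 means the layout matches what sections (E) and (F) create).
verify_snort_layout() {
    root="${1:-}"
    owner="${2:-snort}"
    problems=0

    # Directories from section (E): must exist and be owned by $owner
    for d in /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules; do
        if [ ! -d "$root$d" ]; then
            echo "MISSING DIR:  $root$d"
            problems=$((problems + 1))
        elif [ "$(stat -c '%U' "$root$d")" != "$owner" ]; then
            echo "WRONG OWNER:  $root$d (expected $owner)"
            problems=$((problems + 1))
        fi
    done

    # Files: the two list files touched in (E) and the snort.conf from (F)
    for f in /etc/snort/snort.conf \
             /etc/snort/community-rules/white_list.rules \
             /etc/snort/community-rules/black_list.rules; do
        if [ ! -f "$root$f" ]; then
            echo "MISSING FILE: $root$f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# test_snort_config [CONF] [IFACE]
# Runs snort's built-in configuration self-test (-T) as the snort user,
# parsing the config and rules without starting a daemon. Returns snort's
# exit status, or 3 if the snort binary is not installed.
test_snort_config() {
    conf="${1:-/etc/snort/snort.conf}"
    iface="${2:-eth0}"
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort is not on PATH (did 'make install' in section (C) succeed?)"
        return 3
    fi
    snort -T -c "$conf" -i "$iface" -u snort -g snort
}
```

On the server run `verify_snort_layout` with no arguments and then `test_snort_config /etc/snort/snort.conf eth0` (substituting your internet-facing interface); fix every MISSING or WRONG OWNER line before continuing, since the startup script in section (G) will fail on exactly those problems.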

(G) Create a startup script

For simplicity I just use the old sysV /etc/init.d method rather than the Fedora systemd method... simply because not all my machines run Fedora and if yours do not then you don't want instructions on setting it up to run under systemd anyway.

Download this marks_snort_initd.txt file and copy it to /etc/init.d/somename (in the example below I used snort_service as somename, i.e. /etc/init.d/snort_service). Edit it to change the interface="eth0" value to whatever interface you have facing the internet.

For Fedora just use chkconfig to create the start/stop sysV links for your 'somename' as below. My example of 'somename' is snort_service; use whatever you named the init.d file. For other *nix distributions you may need to create the links manually.

chkconfig snort_service --add
chkconfig snort_service on
chkconfig snort_service --list

(H) Start it running

And start it. With the chkconfig commands above it will start automatically on reboot, but you should test it now. On Fedora use 'service snort_service start'; on other *nixes '/etc/init.d/snort_service start' should work. Any errors will be logged to /var/log/messages.

If you have issues, my provided init.d script can be run with '/etc/init.d/snort_service test' to get errors on your screen, or with '/etc/init.d/snort_service foreground'. Neither option runs it in daemon mode, so you can ctrl-c out, play, and try again if you wish.

(***) ongoing monitoring

An IDS is no use unless you check the logs. If you followed all the steps above and used my snort.conf and startup script then alerts will be logged with descriptions in the text file /var/log/snort/alert. The traffic that caused the alert is stored in a format that can be read by 'tcpdump -r filename' in files in /var/log/snort named snort.log.nnnnnn.

You may want to modify the config and startup scripts I supplied to record more information. But for general use where you do not want gigabytes of tcpip traffic stored in log files this is a good starting point.

I personally use nagios/nrpe to raise an alert if the filesize of the /var/log/snort/alert is greater than zero bytes on any of my servers so I can look at it. And I'm not sure if the community edition of snort blocks traffic or just reports on it. But you need to put something in place to watch the alert file.
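The "alert file larger than zero bytes" rule described above, written out as an added example (not the page's own nagios/nrpe setup): a Nagios-plugin-style check with the standard exit codes, plus a per-signature summary of the alert file so you know which snort.log.nnnnnn captures are worth opening with tcpdump. It assumes snort is writing alerts in its "full" text format, which puts a "[**] [gid:sid:rev] message [**]" header line before each alert; the sample alert file the block creates is constructed for an offline dry run and uses documentation addresses and local SIDs.

```shell
#!/bin/sh
# Added example, not from the original page: a Nagios/NRPE-style check for
# /var/log/snort/alert plus a per-signature summary of what is in it.
# Assumes snort writes "full" alerts (header line "[**] [gid:sid:rev] msg [**]"
# followed by classification, timestamp and addresses); the sample alert
# text further down is constructed for a dry run.

# check_snort_alerts [ALERT_FILE]
# Nagios plugin convention: exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Implements the "alert file larger than zero bytes" rule from the page.
check_snort_alerts() {
    f="${1:-/var/log/snort/alert}"
    if [ ! -f "$f" ]; then
        echo "UNKNOWN: $f does not exist (is snort running and logging?)"
        return 3
    fi
    size=$(wc -c < "$f")
    if [ "$size" -gt 0 ]; then
        echo "CRITICAL: $f is $size bytes; snort has raised alerts"
        return 2
    fi
    echo "OK: $f is empty, no snort alerts"
    return 0
}

# summarise_alerts [ALERT_FILE]
# Prints "count [gid:sid:rev] message" per signature, most frequent first,
# by keeping only the header lines and counting identical ones.
summarise_alerts() {
    f="${1:-/var/log/snort/alert}"
    grep '^\[\*\*\] \[' "$f" \
        | sed 's/^\[\*\*\] //; s/ \[\*\*\]$//' \
        | sort | uniq -c | sort -rn \
        | sed 's/^ *//'
}

# make_sample_alert_file FILE
# Writes a constructed alert file (RFC 5737 documentation addresses, local
# SIDs >= 1000000) so the functions above can be exercised offline.
make_sample_alert_file() {
    cat > "$1" <<'EOF'
[**] [1:1000001:1] EXAMPLE inbound web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/11-12:34:56.789012 192.0.2.10:54321 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] EXAMPLE inbound web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/11-12:35:01.000001 192.0.2.10:54322 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] EXAMPLE ssh version banner [**]
[Classification: Misc activity] [Priority: 3]
05/11-12:36:10.000001 198.51.100.7:40000 -> 203.0.113.5:22
TCP TTL:52 TOS:0x0 ID:777 IpLen:20 DgmLen:52
EOF
}
```

Save the file, point an nrpe.cfg command entry (the usual `command[check_snort]=/path/to/script` form) at a one-line wrapper that calls `check_snort_alerts`, and have nagios poll it; when it goes CRITICAL, run `summarise_alerts` on the box to see which signatures fired before you reach for tcpdump. On the question of blocking: nothing in this guide puts snort inline, it sniffs the interface named in the init script, so this setup detects and logs but does not drop traffic, which is why the watcher matters.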