How to install snort on centos 5.5

How to install snort on centos 5.5

This guide is a step by step on how to install from source snort-2.9.0.5 on CentOS 5.5 64bits it should work the same way for RedHat.
Also with the mysql option enabled.

The pre-requisites are:

  • libtool.x86_64
  • mysql-server
  • gcc
  • gcc-c++
  • mysql-devel

The requisites are:

  • libpcap >= 1.0
  • daq-0.5
  • libdnet-1.12
  • pcre-8.12

I recomend using the DAG repository:
# rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Then on  /etc/yum.repos.d/CentOS-Base.repo You should then have
[dag]
name=CentOS-$releasever – Contrib
mirrorlist=http://apt.sw.be/redhat/el4/en/$ARCH/dag
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=0
enabled=0

Then update:
# yum update

First off, you should take notice that the version of libpcap required by Snort,
The one in CentOS repositories is outdated they are only up to version 0.9.4.

Remove the current libpcap:
# yum remove libpcap libpcap-devel

Install some basic requisites:
# yum install gcc mysql-devel mysql-server libtool.x86_64
# yum -y install gcc-c++
# yum -y install libdnet.x86_64 libdnet-devel.x86_64

Create a directory and put all needed packages here:
# mkdir snort-install && cd snort-install

Download the files:
snort-2.9.1.tar.gz
# wget http://www.snort.org/downloads/1107
daq-0.5.tar.gz
# wget http://www.snort.org/downloads/860
libpcap-1.1.1
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
pcre-8.12
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.13.tar.gz

LIBPCAP:
# tar -zxvf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure –prefix=/usr
# make all &&  make install
# ldconfig
# ldconfig -p | grep libpcap

DAQ:
# tar -zxvf daq-0.5.tar.gz
# cd daq-0.5
# ./configure –with-libpcap-libraries=/usr/lib/

PCRE:
# tar -zxvf pcre-8.12.tar.gz
# cd pcre-8.12
# ./configure –enable-utf8
# make all && make install

SNORT:
# tar -zxvf snort-2.9.0.5.tar.gz
# cd snort-2.9.0.5
# ./configure –with-mysql-libraries=/usr/lib64/mysql/ –enable-dynamicplugin –with-libpcap-libraries=/usr/lib –with-daq-libraries=/usr/local/lib/daq –enable-zlib –enable-gre –enable-mpls –enable-targetbased –enable-decoder-preprocessor-rules –enable-ppm –enable-perfprofiling
#  make &&  make install

Consider Other Snort build options:
OPTIONS : –enable-ipv6 –enable-gre –enable-mpls –enable-targetbased –enable-decoder-preprocessor-rules –enable-ppm –enable-perfprofiling –enable-zlib

To make it work, you still need to download the rules package from the snort website, and copy to each correct folder
then setup the snort.conf file.

Hope this howto is usefull to someone.

Snort HowTo Confiure/Start: (this is not a step by step, these is just the main idea of it)

First we must have a network card that sees all these traffic.
I do this via a special VMWare Network Port, created with the security Promiscius Enabled
and assign that to the Snort Server. This way all traffic on that ESX server will be seen by that interface.
ESX setup:

Home>Inventory>Hosts and Clusters> Go into the ESX server, Configuration, Networking
Go into the propreties of vSwitch you want to sniff the traffic and create a new Port and set:
Genreal>Vlan ID: all (4095)
Security: Promiscous Mode [X] Accept
OK

Now assign that Port into the virtual snort server and configure the network card:

Then we must configure the interface, (on Debian, Ubuntu):
Setup the interface to promiscuos mode
/etc/sysconfig/network-scripts/ifcfg-eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Now you must setup the /etc/snort/snort.conf accorind to your setup
Then download the rules to right folders, and tune the sniffing using threashold.conf

I recomend running manual first to see any erros
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort

Then to finaly startup I use this bash:
#!/bin/bash -e
#Start Promiscuos Interface
ifup eth1
# Start snort
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort -D
# Start barnyard
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf
-G /etc/snort/gen-msg.map
-S /etc/sid-msg.map
-d /var/log/snort
-f snort.u2
-w /var/log/snort/barnyard2.waldo
-D

References:
http://secnut.blogspot.com/2011/03/compiling-snort.html

10 Thoughts

  1. Helped a lot, thank you!
    Seems, that I didn’t need to compile pcre separately on Centos 5.6 , just installed with yum.

  2. Thanks Felipe, it’s a great tutorial. I’ve managed to install this snort version with your help after several fail attempts.

    Ricardo C.

  3. hi,
    i am getting this error plz help
    root@bt:~/matrix/neo/wireshark/snort/snort-2.9.0.5# /usr/local/bin/snort -g snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
    /usr/local/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

  4. Hey ,

    Nice post ! ! !

    Thanx after a lot of googliing i am able to install snort.
    Keep posting .

    suresh prajapati

Leave a Reply

Your email address will not be published. Required fields are marked *

VAMOVE *

*