How to install snort on centos 5.5

How to install snort on centos 5.5

This guide is a step by step on how to install from source snort- on CentOS 5.5 64bits it should work the same way for RedHat.
Also with the mysql option enabled.

The pre-requisites are:

  • libtool.x86_64
  • mysql-server
  • gcc
  • gcc-c++
  • mysql-devel

The requisites are:

  • libpcap >= 1.0
  • daq-0.5
  • libdnet-1.12
  • pcre-8.12

I recomend using the DAG repository:
# rpm -Uhv

Then on  /etc/yum.repos.d/CentOS-Base.repo You should then have
name=CentOS-$releasever – Contrib

Then update:
# yum update

First off, you should take notice that the version of libpcap required by Snort,
The one in CentOS repositories is outdated they are only up to version 0.9.4.

Remove the current libpcap:
# yum remove libpcap libpcap-devel

Install some basic requisites:
# yum install gcc mysql-devel mysql-server libtool.x86_64
# yum -y install gcc-c++
# yum -y install libdnet.x86_64 libdnet-devel.x86_64

Create a directory and put all needed packages here:
# mkdir snort-install && cd snort-install

Download the files:
# wget
# wget
# wget
# wget

# tar -zxvf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure –prefix=/usr
# make all &&  make install
# ldconfig
# ldconfig -p | grep libpcap

# tar -zxvf daq-0.5.tar.gz
# cd daq-0.5
# ./configure –with-libpcap-libraries=/usr/lib/

# tar -zxvf pcre-8.12.tar.gz
# cd pcre-8.12
# ./configure –enable-utf8
# make all && make install

# tar -zxvf snort-
# cd snort-
# ./configure –with-mysql-libraries=/usr/lib64/mysql/ –enable-dynamicplugin –with-libpcap-libraries=/usr/lib –with-daq-libraries=/usr/local/lib/daq –enable-zlib –enable-gre –enable-mpls –enable-targetbased –enable-decoder-preprocessor-rules –enable-ppm –enable-perfprofiling
#  make &&  make install

Consider Other Snort build options:
OPTIONS : –enable-ipv6 –enable-gre –enable-mpls –enable-targetbased –enable-decoder-preprocessor-rules –enable-ppm –enable-perfprofiling –enable-zlib

To make it work, you still need to download the rules package from the snort website, and copy to each correct folder
then setup the snort.conf file.

Hope this howto is usefull to someone.

Snort HowTo Confiure/Start: (this is not a step by step, these is just the main idea of it)

First we must have a network card that sees all these traffic.
I do this via a special VMWare Network Port, created with the security Promiscius Enabled
and assign that to the Snort Server. This way all traffic on that ESX server will be seen by that interface.
ESX setup:

Home>Inventory>Hosts and Clusters> Go into the ESX server, Configuration, Networking
Go into the propreties of vSwitch you want to sniff the traffic and create a new Port and set:
Genreal>Vlan ID: all (4095)
Security: Promiscous Mode [X] Accept

Now assign that Port into the virtual snort server and configure the network card:

Then we must configure the interface, (on Debian, Ubuntu):
Setup the interface to promiscuos mode
iface eth1 inet manual
up ifconfig $IFACE up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Now you must setup the /etc/snort/snort.conf accorind to your setup
Then download the rules to right folders, and tune the sniffing using threashold.conf

I recomend running manual first to see any erros
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort

Then to finaly startup I use this bash:
#!/bin/bash -e
#Start Promiscuos Interface
ifup eth1
# Start snort
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort -D
# Start barnyard
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf
-G /etc/snort/
-S /etc/
-d /var/log/snort
-f snort.u2
-w /var/log/snort/barnyard2.waldo


10 Thoughts

  1. Helped a lot, thank you!
    Seems, that I didn’t need to compile pcre separately on Centos 5.6 , just installed with yum.

  2. Thanks Felipe, it’s a great tutorial. I’ve managed to install this snort version with your help after several fail attempts.

    Ricardo C.

  3. hi,
    i am getting this error plz help
    root@bt:~/matrix/neo/wireshark/snort/snort- /usr/local/bin/snort -g snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
    /usr/local/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

  4. Hey ,

    Nice post ! ! !

    Thanx after a lot of googliing i am able to install snort.
    Keep posting .

    suresh prajapati

Leave a Reply

Your email address will not be published. Required fields are marked *