
How to install snort on centos 5.5

This guide is a step-by-step on how to build and install snort-2.9.0.5 from source on CentOS 5.5 64-bit, with the MySQL output option enabled. It should work the same way on RedHat.

The pre-requisites are:

  • libtool.x86_64
  • mysql-server
  • gcc
  • gcc-c++
  • mysql-devel

The required libraries are:

  • libpcap >= 1.0
  • daq-0.5
  • libdnet-1.12
  • pcre-8.12

I recommend using the DAG repository:
# rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Then in /etc/yum.repos.d/CentOS-Base.repo you should have:
[dag]
name=CentOS-$releasever - Contrib
mirrorlist=http://apt.sw.be/redhat/el4/en/$ARCH/dag
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=0
enabled=0

Then update:
# yum update

First off, take note of the version of libpcap required by Snort (1.0 or newer):
the one in the CentOS repositories is outdated, as they only go up to version 0.9.4.

Remove the current libpcap:
# yum remove libpcap libpcap-devel

Install the basic prerequisites:
# yum install gcc mysql-devel mysql-server libtool.x86_64
# yum -y install gcc-c++
# yum -y install libdnet.x86_64 libdnet-devel.x86_64

Create a directory and put all needed packages here:
# mkdir snort-install && cd snort-install

Download the files:
snort-2.9.1.tar.gz
# wget http://www.snort.org/downloads/1107
daq-0.5.tar.gz
# wget http://www.snort.org/downloads/860
libpcap-1.1.1
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
pcre-8.12
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.13.tar.gz

LIBPCAP:
# tar -zxvf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure --prefix=/usr
# make all && make install
# ldconfig
# ldconfig -p | grep libpcap

DAQ:
# tar -zxvf daq-0.5.tar.gz
# cd daq-0.5
# ./configure --with-libpcap-libraries=/usr/lib/
# make all && make install

PCRE:
# tar -zxvf pcre-8.12.tar.gz
# cd pcre-8.12
# ./configure --enable-utf8
# make all && make install

SNORT:
# tar -zxvf snort-2.9.0.5.tar.gz
# cd snort-2.9.0.5
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --with-libpcap-libraries=/usr/lib --with-daq-libraries=/usr/local/lib/daq --enable-zlib --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling
# make && make install

Consider the other Snort build options:
OPTIONS: --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib

To make it work, you still need to download the rules package from the snort website, copy the files to the correct folders,
and then set up the snort.conf file.

Hope this howto is useful to someone.

Snort HowTo Configure/Start: (this is not a step by step, this is just the main idea of it)

First we must have a network card that sees all the traffic.
I do this via a special VMWare network port, created with Promiscuous Mode enabled under Security,
and assign it to the Snort server. This way all traffic on that ESX server will be seen by that interface.
ESX setup:

Home > Inventory > Hosts and Clusters > go into the ESX server, then Configuration, Networking.
Go into the properties of the vSwitch whose traffic you want to sniff, create a new port and set:
General > VLAN ID: All (4095)
Security: Promiscuous Mode [X] Accept
OK

Now assign that port to the virtual Snort server and configure its network card:

Then we must configure the interface (on Debian, Ubuntu):
Set up the interface in promiscuous mode. Note that the stanza below is in the Debian/Ubuntu /etc/network/interfaces format; on CentOS the interface file would instead be /etc/sysconfig/network-scripts/ifcfg-eth1.
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Now you must set up /etc/snort/snort.conf according to your setup.
Then download the rules to the right folders, and tune the sniffing using threshold.conf.

I recommend running it manually first to see any errors:
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort

Then to finally start it up I use this bash script:
#!/bin/bash -e
# Start the promiscuous interface
ifup eth1
# Start snort as a daemon
/usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort -D
# Start barnyard2 as a daemon, reading the unified2 files snort writes
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
  -G /etc/snort/gen-msg.map \
  -S /etc/sid-msg.map \
  -d /var/log/snort \
  -f snort.u2 \
  -w /var/log/snort/barnyard2.waldo \
  -D
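As an added example (not part of the original post), a small POSIX shell pre-flight script that checks the three things this howto depends on before Snort is daemonized: that the loader sees a libpcap 1.x rather than the stock CentOS 0.9.4, that the capture interface is in promiscuous mode, and that snort.conf passes Snort's own -T self-test. The ldconfig and ip link sample lines are constructed; run it as `sh preflight.sh live eth1` on the sensor to check the real host.

```shell
#!/bin/sh
# Pre-flight checks for a source-built Snort on CentOS 5: the loader must see
# the libpcap 1.x built into /usr (not the stock 0.9.4 package), the sniffing
# interface must be in promiscuous mode, and snort.conf must pass Snort's own
# self-test (-T) before the daemon is started with -D.
set -u

# Print the highest libpcap major version in `ldconfig -p` text read from
# stdin; prints nothing when no libpcap is registered with the loader.
pcap_major_version() {
    sed -n 's/^[[:space:]]*libpcap\.so\.\([0-9][0-9]*\).*/\1/p' | sort -n | tail -n 1
}

# Succeed only when a libpcap >= 1.0 is registered (Snort 2.9 requires it).
pcap_is_new_enough() {
    major=$(pcap_major_version)
    [ -n "$major" ] && [ "$major" -ge 1 ]
}

# Succeed when `ip link show <iface>` text on stdin carries the PROMISC flag.
iface_is_promisc() {
    grep -q '<[^>]*PROMISC[^>]*>'
}

# Constructed sample outputs (not captured from a real host): a loader table
# with only the stock 0.9.4 library, one with the 1.x build added, and the
# interface line with and without promiscuous mode.
OLD_LDCONFIG='    libpcap.so.0.9.4 (libc6,x86-64) => /usr/lib64/libpcap.so.0.9.4'
NEW_LDCONFIG="$OLD_LDCONFIG
    libpcap.so.1 (libc6,x86-64) => /usr/lib/libpcap.so.1
    libdnet.1 (libc6,x86-64) => /usr/lib64/libdnet.1"
PROMISC_LINK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
PLAIN_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'

# Live mode ("sh preflight.sh live eth1"): run the checks against this host,
# then the snort.conf self-test with the exact options the daemon will use.
if [ "${1:-}" = "live" ]; then
    IFACE=${2:-eth1}
    ldconfig -p | pcap_is_new_enough || { echo "libpcap older than 1.0 (stock CentOS 0.9.4?)"; exit 1; }
    ip link show "$IFACE" | iface_is_promisc || { echo "$IFACE is not in promiscuous mode"; exit 1; }
    /usr/local/bin/snort -T -g snort -u snort -c /etc/snort/snort.conf -i "$IFACE" -l /var/log/snort \
        || { echo "snort.conf failed the -T self-test"; exit 1; }
    echo "pre-flight OK: start snort with -D"
fi
```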


  1. di
    June 25th, 2011 at 12:02 | #1

    Helped a lot, thank you!
    Seems that I didn't need to compile pcre separately on CentOS 5.6, I just installed it with yum.

  2. Ricardo
    July 7th, 2011 at 09:58 | #2

    Thanks Felipe, it's a great tutorial. I've managed to install this snort version with your help after several failed attempts.

    Ricardo C.

  3. Brent
    July 19th, 2011 at 13:41 | #3

    Forgot your make, make install under daq piece. Nice howto thanks for this information.

  4. subh
    July 21st, 2011 at 19:23 | #4

    Hi,
    I am getting this error, please help:
    root@bt:~/matrix/neo/wireshark/snort/snort-2.9.0.5# /usr/local/bin/snort -g snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
    /usr/local/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

    • August 1st, 2011 at 15:55 | #5

      Subh, it means you do not have libnet 1.0 installed or accessible. Check the installation of it.

  5. Suresh Prajapati
    November 12th, 2011 at 03:50 | #6

    Hey ,

    Nice post ! ! !

    Thanks, after a lot of googling I am able to install snort.
    Keep posting .

    suresh prajapati

  6. December 29th, 2011 at 02:42 | #7

    libdnet only goes to v 1.11

  7. December 29th, 2011 at 03:10 | #8

    @Mixologic
    Never mind. It moved to Google Code. Silly.

  8. h02
    April 9th, 2012 at 18:22 | #9

    you forgot make all && make install in DAQ

  9. July 23rd, 2014 at 06:52 | #10

    Please help me, I want to implement snort in our company.

