Security is a big issue for all networks in today's enterprise environments. Many methods have been developed to secure network infrastructures and communication over the internet. Among them, Snort is a leading open source network intrusion detection and prevention system and a valuable security framework. It's a packet sniffer that monitors network traffic in real time and scrutinizes each packet in depth to find any dangerous payload or suspicious anomalies.
Using Snort's intrusion detection mechanism, we can collect and use information from known types of attacks and find out if someone is trying to attack our network or a particular host. The information gathered in this way can be used to harden our networks against hackers and intruders, and it can also be useful for legal purposes. This article describes the configuration, compilation and installation of SNORT 2.9.7.x and DAQ using the CentOS 7.0 operating system and other components.
Prepare the OS

We are going to set up SNORT IDS under the following operating systems and components:

- Virtualization Environment: VMware Workstation
- HOST Operating System: Microsoft Windows 7
- GUEST Operating System: CentOS 7.0 (64-bit version)
- System Resources: CPU 2.0 GHz, RAM 4 GB

In the CentOS 7 virtual machine, we configured the network settings with a static IP, gateway and DNS entry to make sure that it is connected to the internet through its Ethernet interface, which will be used as the port to monitor traffic.
Installing Prerequisites

The following packages are mandatory to set up SNORT, so make sure to install these before you start compiling SNORT or DAQ. Almost all these libraries can be installed by using the yum command.

[root@centos-007 ~]# rpm -qa | grep gcc
libgcc-4.8.2-16.2.el7_0.x86_64
gcc-4.8.2-16.2.el7_0.x86_64
[root@centos-007 ~]# rpm -qa | grep flex
flex-2.5.37-3.el7.x86_64
[root@centos-007 ~]# rpm -qa | grep bison
bison-2.7-4.el7.x86_64
[root@centos-007 ~]# rpm -qa | grep zlib
zlib-1.2.7-13.el7.x86_64
zlib-devel-1.2.7-13.el7.x86_64
[root@centos-007 ~]# rpm -qa | grep libpcap
libpcap-1.5.3-4.el7_1.2.x86_64
libpcap-devel-1.5.3-4.el7_1.2.x86_64
[root@centos-007 ~]# rpm -qa | grep tcpdump
tcpdump-4.5.1-2.el7.x86_64
[root@centos-007 ~]# rpm -qa | grep libdnet-devel
libdnet-devel-1.12-13.1.el7.x86_64

Installing Data Acquisition (DAQ 2.0.5)

We can obtain the latest SNORT and DAQ installation packages from the official website and copy the RPM package download link available for CentOS.

[root@centos-007 ~]# yum install https://snort.org/downloads/snort/daq-2.0.5-1.centos7.x86_64.rpm

Installing SNORT 2.9.7

Similarly, we will install Snort by using the command below with the yum repository.

[root@centos-007 ~]# yum install https://snort.org/downloads/snort/snort-2.9.7.3-1.centos7.x86_64.rpm

Installing SNORT Rules:

In order to install Snort rules we must be a registered user to download the set of rules, or have a paid subscription.
Installing updated Snort rules is necessary to make sure that Snort is able to detect the latest threats.

Signup with Snort

Let's sign in with the world's most powerful detection software to download its rules, which are the most important part of staying aware of the latest threats.

Downloading Snort Rules

After signing in to Snort, we will be able to download the rules that we need to install for Snort to work.

Updating Snort Rule using Pulled Pork

Pulled Pork for Snort rule management is designed to make Snort rules fly!
It is intended to handle all rules: its code pulls the rules that we need for Snort.

Downloading PulledPork

The Pulled Pork package is available on GitHub. By using the following git clone command we will get the package on the Snort server.

[root@centos-007 ~]# git clone https://github.com/shirkdog/pulledpork.git

Setup Pulled Pork

[root@centos-007 pulledpork]# cp pulledpork.pl /usr/local/bin
[root@centos-007 pulledpork]# chmod +x /usr/local/bin/pulledpork.pl
[root@centos-007 pulledpork]# cp etc/*.conf /etc/snort

Now we will configure PulledPork and place the Oinkcode, obtained from our registered user account, in its configuration file.

Create the files that PulledPork requires:

[root@centos-007 ~]# mkdir /etc/snort/rules/iplists
[root@centos-007 ~]# touch /etc/snort/rules/iplists/default.blacklist

Testing PulledPork

Let's start the test to confirm that pulledpork is functional.

[root@centos-007 ~]# /usr/local/bin/pulledpork.pl -V
PulledPork v0.7.0 - Swine Flu!

Once PulledPork passes its test, we move forward to configure it with Snort by updating a few configuration parameters.
Configure Snort

We want to enable the dynamic rules, so for this purpose we make sure the second line in /etc/snort/snort.conf is not commented.

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/lib64/snort-2.9.7.3_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dy

Some time ago I wrote a post about installing Snort 2.9.1 on CentOS.
In the meantime I decided it's time to upgrade, so the idea of this post is to document what changed with respect to that older post. In short, binary packages for CentOS 6 are now provided on Snort's download page. So, you only need to download them and install (or install using URL). However, there is a problem with a libdnet dependency (I don't know which one was used during compilation, but it certainly wasn't the one in EPEL).

Compiling and installing

In case you want to rebuild them, the process is now almost without any problems.
In the following text I'll assume that you started with a minimal CentOS installation with the following packages installed (and their dependencies, of course): gcc, make, bison, flex, autoconf, automake, rpmbuild.

First, download the daq source rpm file.
Before rebuilding it, you should install pcap-devel. This is actually something rpmbuild tool will warn you that you have to install.
When you have installed it, rebuild daq:

rpmbuild --rebuild daq-<version>.src.rpm

Then, install it using:

yum localinstall ~/rpmbuild/RPMS/x86_64/daq-2.0.2-1.x86_64.rpm

Next, for snort you'll need the libdnet library which is in EPEL. So, first install EPEL:

yum install https://mirrors.neterra.net/epel/6/i386/epel-release-6-8.noarch.rpm

Then, install the necessary packages:

yum install libdnet-devel zlib-devel

Those two aren't listed as dependencies in Snort's SRPM file, so you'll get some cryptic error message.
Now, download Snort's srpm file and rebuild it using:

rpmbuild --rebuild snort-2.9.6.0-1.src.rpm

Now, install it using:

yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.x86_64.rpm

That's all there is for installation.

Configuring and running

I'll assume that you are installing a fresh instance, i.e. no previous configuration. In case there is a previous installation, be careful not to overwrite the existing configuration. To configure snort you'll have to download the snortrules archive. Then, unpack it:

mkdir ~/snort
tar xzf snortrules-snapshot-2960.tar.gz -C ~/snort
chown root.root ~/snort

Next you have to move the files into their place. First, move the basic configuration files:

mv -f snort/etc/* /etc/snort/

Note that I'm using the force option of the move command to overwrite existing files. Next, move the rules to their place:

mv -i snort/rules snort/preproc_rules snort/so_rules /etc/snort/

Now, if you are using SELinux you should change the context of the files you moved to the /etc/snort directory.
Do it using the following commands:

chcon -R system_u:object_r:snort_etc_t:s0 /etc/snort
chcon -R system_u:object_r:lib_t:s0 /etc/snort/so_rules/precompiled/RHEL-6-0/

You should now modify the configuration file. Here is a diff of the changes I made:

- snort.conf.orig 2014-03-13 11:25:53.889609831 +0100+++ snort.conf 2014-03-13 11:37:32.419292894 +0100@@ -42,16 +42,16 @@#################################################### Setup the network addresses you are protecting-ipvar HOME_NET any+ipvar HOME_NET 192.168.1.0/24# Set up the external network addresses.
Leave as "any" in most situationsipvar EXTERNAL_NET any# List of DNS snlrt on your network-ipvar DNS_SERVERS $HOME_NET+ipvar DNS_SERVERS 192.168.1.8,192.168.1.9# List of SMTP servers on your network-ipvar SMTP_SERVERS $HOME_NET+ipvar SMTP_SERVERS 192.168.1.20# List of web servers on your networkipvar Install snort centos 6.5 $HOME_NET@@ -101,13 +101,13 @@# Path to your rules files (this can be a relative path)# Note for Windows users: You are advised to make this an absolute cwntos such as: c:snort ules-var RULE_PATH ./rules-var SO_RULE_PATH ./so_rules-var PREPROC_RULE_PATH ./preproc_rules+var RULE_PATH rules+var SO_RULE_PATH so_rules+var PREPROC_RULE_PATH preproc_rules# If you are using reputation preprocessor set these-var WHITE_LIST_PATH ./rules-var BLACK_LIST_PATH ./rules+var WHITE_LIST_PATH rules+var BLACK_LIST_PATH rules#################################################### Step #2: Configure the decoder.
For more information, see README.decode@@ -240,13 +240,13 @@#################################################### path to snodt preprocessor libraries-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/+dynamicpreprocessor directory /usr/lib64/snort-2.9.6.0_dynamicpreprocessor/# path to base preprocessor engine-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so+dynamicengine /usr/lib64/snort-2.9.6.0_dynamicengine/libsf_engine.so.0# path to dynamic rules libraries-dynamicdetection directory /usr/local/lib/snort_dynamicrules+dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0/#################################################### Step #5: Configure cenntos you can download the complete snort.conf file that worked for me.
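Review bot: In the first hunk (@@ -42,16), HOME_NET is narrowed to 192.168.1.0/24 while EXTERNAL_NET stays `any`, so rules written as EXTERNAL_NET -> HOME_NET still match traffic between two hosts inside 192.168.1.0/24. If alerts should fire only for traffic arriving from outside, set `ipvar EXTERNAL_NET !$HOME_NET`; if internal traffic is meant to be inspected as well, a comment next to the line saying so would help the next reader.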
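Review bot: In the last hunk (@@ -240,13), the dynamicpreprocessor, dynamicengine and dynamicdetection paths hard-code the package version (`snort-2.9.6.0_dynamicpreprocessor`, `.../RHEL-6-0/x86-64/2.9.6.0/`), so the configuration stops loading after the next Snort package update until each path is edited again. A comment above these lines naming the version they were written for, plus a `snort -T` run after every upgrade, would catch that early.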
Be careful, you need to change IP addresses in the configuration file to match your environment.

Finally, create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules.

Now, you should be able to start Snort, i.e.

# /etc/init.d/snortd start
Startin

Network IDS or NIDS performs as its name suggests: it monitors the packet data sent and received through the specific network interface it was configured for.
It aims to catch threats targeting your system vulnerabilities using signature-based detection and protocol analysis technologies.
NIDS software, when installed and configured properly, can identify the latest attacks, malware infections, compromised systems, and network policy violations.

Snort is one of the most commonly used network-based IDS.
It's an open source system available for a multitude of platforms, lightweight, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand on.

Preparing your server

Setting up a basic Snort configuration is fairly simple but takes a few steps to complete.
You'll first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command:

sudo yum install gcc flex bison zlib libpcap pcre libdnet libdnet-devel tcpdump

With the prerequisites fulfilled, next up is to install Snort.
On CentOS 7 you can use the package manager yum to install the latest version directly, which simplifies the setup process considerably; just check the section below for installing Snort with yum. Alternatively, download and install the program manually from the source.

Installing with yum

Snort provides convenient rpm packages for CentOS 7, which can be installed simply with the commands below. Snort itself uses something called the Data Acquisition library (DAQ) to make abstract calls to packet capture libraries.
Check the latest version number on the Snort website; if a newer version of DAQ or Snort is available, simply replace the version number in the following commands with the latest one.

sudo yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
sudo yum install https://www.snort.org/downloads/snort/snort-2.9.8.0-1.centos7.x86_64.rpm

And you are done with the installation; skip to the configuration to continue.
Installing from the source

Setting up Snort from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code and lastly installing it.
First, make a temporary download folder in your home directory and then move into it with these commands:

mkdir ~/snort_src
cd ~/snort_src

Download the latest DAQ source package from the Snort website with the wget command below; replace the version number if there's a newer source available.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands:

tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6

Run the configuration script with defaults, then use make to compile the program and finally install DAQ.
./configure
make
sudo make install

With DAQ installed you can get started with Snort. Change back to the download folder:

cd ~/snort_src

Then download the Snort source code with wget; check the latest version number on the Snort website and replace it in the following command if necessary.
wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz

Once the download is complete, extract the source and change into the new directory with these commands:

tar -xvzf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0

Then configure the installation with sourcefire mode enabled, run make and make install.
./configure --enable-sourcefire
make
sudo make install

With that done, continue below on how to set up the configuration files.

Configuring Snort to run as NIDS

Next you'll need to configure Snort for your system. This includes editing some configuration files, downloading rules that Snort will follow and taking Snort for a test run.

Start with updating the shared libraries using the command underneath.

sudo ldconfig

Snort gets installed to the /usr/local/bin/snort directory; it's good practice to create a symbolic link to /usr/sbin/snort.
If you installed Snort with yum you can skip this command.

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

To run Snort safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Then create the folder structure to house the Snort configuration; just copy over the commands below. If you installed Snort using yum you can skip creating the directories, as they were already added upon install.
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /var

Setup Snort inline on Centos 6.5 demo attack 2015

In the clip I have one rule that blocks ping, but when using Wireshark you still see the ICMP packets in green and red; the test on VMware has that error, while on the CentOS machine it blocks completely.

File Setup Snort.txt: https://adf.ly/1QugzZ

Anyone who wants to use a web interface should also install the Base package; otherwise you have to watch on the console terminal.

Part 1 - Installing Snort on CentOS
Part 2 - Installing PulledPork and Barnyard2
Part 3 - Installing Snorby

Snort is a powerful intrusion prevention/detection system.
This is a three-part series going through the installation of Snort, the auto-updating of rule sets via PulledPork, the configuration of Barnyard2, which will process Snort's output, and the installation of a web front-end GUI called Snorby to help analyze those alerts.

The configuration I have outlined will run Snort as an IDS, thus only gathering information on traffic it can see.
Snort is open source and is a product of Sourcefire. For $2.7 Billion, Sourcefire was acquired by Cisco in 2013.

We will be going over the installation of Snort version 2.9.6.2 on CentOS 6.5 Minimal.

Prior to installing Snort it is important to have accurate time configured. Check the current date with the command:

[root@snort-beta]# date
Tue Jul 15 08:42:28 PDT

Install ntpdate

[root@snort-beta]# yum install -y ntpdate
[root@snort-beta]# ntpdate 0.us.pool.ntp.org

Install Dependencies

We're going to install some dependencies which will be needed going forward.
Since we are also using CentOS minimal we will need to install a few applications.

yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man

Now let's create a temporary directory to store some files we will be downloading.
mkdir tmp && cd tmp

Next we need to install more dependencies.

wget https://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget https://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Use the rpm command to install the dependencies we just downloaded.
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Install Snort

I'm downloading the rpm files from Snort.org

yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm

I recommend signing up on Snort.org to get the registered rules.
You'll receive something called an Oinkcode. The Oinkcode acts as an API key for downloading rule packages from URLs provided by Snort.

Download and extract the Community Rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need. It depends on which version of Snort you're running. In this case, I am running 2.9.6.2 so I am looking for the snort rules which contain the numbers 2962:

# -O keeps the query string (and the Oinkcode) out of the saved file name
wget "https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz?oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxx" -O snortrules-snapshot-2962.tar.gz
tar -xvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules

Paste your Oinkcode after the = sign.

Modify the ownership of the Snort directories.
cd /etc
chown -R snort:snort snort

Locate and Modify the snort.conf file

cd /etc/snort
vi snort.conf

There are many changes to make here. You can download an example of my snort.conf file and modify it to your environment. Some of the values are as follows. Just search for them in your configuration file:

var RULE_PATH /etc/snort/rules
ipvar HOME_NET any #or set to a network such as 172.21.0.0/16
# Snort rejects "!any": !$HOME_NET below only loads once HOME_NET is set to a real network
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Modify the Output string under Step 6 of the snort.conf file:

output unified2: filename snort.log, limit 128

Test Snort

Use this command to run Snort in test mode.
It will tell you if there is anything wrong with running Snort. snort -T -i
Modify /etc/sysconfig/snort

Modify the Snort sysconfig file, which holds variables for the startup file:

- Change the interface which Snort is using to the interface you will use on your server to sniff traffic.
- Comment out ALERTMODE and BINARY_LOG. If you don't do this, your alerts will not write to the MySQL database in a later setup.

Viewing Logs

If the self-test runs successfully you can run Snort without the -T switch and replace it with a -D, for daemon.
It will run Snort in the background. Once Snort is running and sniffing traffic, it should output to /var/log/snort.

The snort.log file will be in Unified2 format, which means you can't open it in Wireshark. Anything Snort thinks is bad will trigger an alert. All alerts go into a file called alert within /var/log/snort/.

For now, you hav
In part 1 of this Snort series we discussed installing Snort on CentOS 6.5 minimal.
In part 2 we now move on to installing PulledPork and Barnyard2. PulledPork is not a meal you eat while you install Snort. PulledPork is designed to manage your rules.
I know it's a weird name to use but this is what I found on the reasoning behind it:

The name pulledpork was chosen because this code pulls the rules that you need! Yes, it is and can be that simple.

Barnyard2 is a spooler for Snort's unified2 output format.
With Barnyard2, the parsing of data can be handled by another process. Oink oink. Let's get started.

Installing PulledPork

Before you begin configuring PulledPork, I recommend you register on Snort.org because you will need the Oinkcode.
The Oinkcode will be placed in some of the URLs we will be configuring in PulledPork's configuration file.

Install the Prerequisites

cd ~/tmp
yum -y install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar

Download PulledPork from Google Code

wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-(version)
cp pulledpork.pl /usr/sbin ; chmod 755 /usr/sbin/pulledpork.pl
cp etc/* /etc/snort/

In the above commands, you have downloaded PulledPork, extracted it and copied files to their proper directories.
Modify the PulledPork Configuration

vi /etc/snort/pulledpork.conf

My guidance is to read through the configuration files and uncomment the rules you want Snort to use. If you see a line which says
To find the location of these files you can utilize mlocate. First update the internal database:

updatedb

Here's an example of how to find the path to snort.conf:

locate snort.conf

Within the pulledpork.conf file, make the following changes:

Modify the path to the snort binary:
snort_path=/usr/sbin/snort

Path for the .rules file containing all of the Snort rules:
rule_path=/etc/snort/rules/snort.rules

Path .rules will be written to:
out_path=/etc/snort/rules/

Path to local.rules:
local_rules=/etc/snort/rules/local.rules

Update the path to sid-msg.map:
sid_msg=/etc/snort/rules/community-rules/sid-msg.map

Update the path to your snort.conf file:
config_path=/etc/snort/snort.conf

Update the Distro line:
distro=Centos-5-4

Update the path to your blacklist rules:
black_list=/etc/snort/rules/blacklist.rules

Comment out IPRVersion:
#IPRVersion=/usr/local/etc/snort/rules/iplists

Update the path to snort_control:
snort_control=/usr/bin/snort_control

Update the paths for rule modification files:
enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

Verify PulledPork

pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l

-vv = EXTRA Verbose mode, you know. for in-depth troubleshooting and other such nonsense.
-c = Where the pulledpork config file lives.
-T = Process text based rules files only, i.e. DO NOT process so_rules
-l = Log information to logger rather than stdout messages.
Add PulledPork to Crontab

vi /etc/crontab

0 0 * * * root /usr/sbin/pulledpork.pl -c /etc/snort/pulledpork.conf

Install Barnyard2

cd ~/tmp
mkdir /var/log/barnyard2
mkdir /usr/local/src/firnsy-barnyard2 && cd /usr/local/src/firnsy-barnyard2
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
tar -zxvf v2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make
make install

Modify the barnyard2.conf file

vi /usr/local/etc/barnyard2.conf

Set the output logging directory:
config logdir: /var/log/snort

Set the interface to be used:
config interface: eth0

Configure daemon mode:
config daemon

Define the full waldo filepath:
config waldo_file: /etc/snort/barnyard2-log.waldo

Verify the input:
input unified2

Modify the output line:
output alert_full

Because the output of Snort is in unified2 format it won't be easily readable.
You could output to a tcpdump log file to view in Wireshark:

output log_tcpdump: tcpdump.log

Set the output database:

# snort/snort are sample credentials; use a strong, unique database password
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Save the file and quit.

cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf

Create the Barnyard2 Startup Script

cd /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
chkconfig barnyard2 on

Here's an example of my Barnyard2 startup script, which I needed to modify for it to work properly.
Modify the /etc/sysconfig/barnyard2 file

# Config file for /etc/init.d/barnyard2
LOG_FILE="snort.log"
# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"
# Probably not this either
CONF=/etc/snort/barnyard2.conf
EXTRA_ARGS=""

Set Up MySQL Server