How to Install / Configure SNORT IDS on CentOS 6.x / 7.x

Security is a big issue for all networks in today’s enterprise environments. Many methods have developed to secure the network infrastructures and communication over the internet. Among them Snort is a leading open source network intrusion detection and prevention system and a valuable security framework. Its a packet sniffer that monitors network traffic in real time and scrutinize each packet in depth to find any dangerous payload or suspicious anomalies. Using Snort intrusion detection mechanism, we can collect and use information from known types of attacks and find out if some trying to attack our network or particular host. So the information gathered in this way can be well used to harden our networks to prevent from hackers and intruders that can also be useful for legal purposes.

This article describes the configuration, compilation and installation of SNORT 2.9.7.x and DAQ-2.0.x using the CentOS 7.0 Operating systems and other components.

Prepare the OS

We are going to setup SNORT IDS under the following Operating Systems and its components

  • Virtualization Environment: VMware Workstation
  • HOST Operating System: Microsoft Windows 7
  • GUEST Operating System: CentOS 7.0 (64-bit version)
  • System Resources: CPU 2.0 GHz RAM 4 GB

In CentOS 7 Virtual Machine, we configured its network settings with Static IP, Gateway and DNS entry to make sure that its connected with the internet through its Ethernet interface that will be used as a port to monitor traffic.

Installing Prerequisites

Following packages are mandatory to setup SNORT, so make sure to install these before start compiling SNORT or DAQ. Almost all these libraries can be installed by using yum command.

[root@centos-007 ~]# rpm -qa | grep gcc

[root@centos-007 ~]# rpm -qa | grep flex

[root@centos-007 ~]# rpm -qa | grep bison

[root@centos-007 ~]# rpm -qa | grep zlib

[root@centos-007 ~]# rpm -qa | grep libpcap

[root@centos-007 ~]# rpm -qa | grep tcpdump

[root@centos-007 ~]# rpm -qa | grep libdnet-devel

Installing Data Acquisition (DAQ 2.0.5)

We can obtain SNORT and DAQ latest installation packages from its official website and copy its RPM package download link available for CentOS.

[root@centos-007 ~]# yum install

Data Acquisition

Installing SNORT 2.9.7

Similarly we will install Snort by using below command with yum repository.

[root@centos-007 ~]# yum install

Installing snort

Installing SNORT Rules:

In order to install Snort rules we must be the registered user to download the set of rule or have paid subscription. Installing some update snort rules is a necessary to make sure that snort is able to detect the latest threats.

Signup with Snort

Let's sign in with the World most powerful detection software and to download its rules that are most important to be aware from the latest threats.

Snort Signin

Downloading Snort Rules

After sign in to Snort, now we will be able to download its rules that we need to install and work for Snort.

Snort Rules

Updating Snort Rule using Pulled Pork

Pulled Pork for Snort rule management is designed to make Snort rules fly! With the intent of handling all rules. Its code pulls the rules that we need to handle our Snort rules.

Downloading PulledPork

Pulled Pork apackage is available on the Git hub, by using the following command we will get its package on the snort server with git clone command.

[root@centos-007 ~]# git clone

PulledPork Clone

Setup Pulled Pork

[root@centos-007 pulledpork]# cp /usr/local/bin
[root@centos-007 pulledpork]# chmod +x /usr/local/bin/
[root@centos-007 pulledpork]# cp etc/*.conf /etc/snort

Now we will configure PulledPork and place the Oinkcode in its configuration file, we will place it in its configuration file after getting it from our registered user.


Creating files that PulledPork requires as.

[root@centos-007 ~]# mkdir /etc/snort/rules/iplists
[root@centos-007 ~]# touch /etc/snort/rules/iplists/default.blacklist

Testing PullPork

Let's start a test to confirm that pulledpork is functional.

[root@centos-007 ~]# /usr/local/bin/ -V
PulledPork v0.7.0 - Swine Flu !

Once the PulledPork works with its successful test results, we now moves forward to configure it with Snort by updating few configurations parameters.

Configure Snort

We want to enable the dynamic rules, so for this purpose we make sure the second line in /etc/snort/snort.conf is not commented.

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-

# path to base preprocessor engine
dynamicengine /usr/lib64/snort-

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

Now execute the following 3 commands to add the include rules as follow.

echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf

Starting Pulled Pork

Now running the following command we will run pulledpork and update your rules as belwo.

[root@centos-007 ~]# -c /etc/snort/pulledpork/pulledpork.conf

Rule Stats...
Enabled Rules:----365
Dropped Rules:----0
Disabled Rules:---45
Total Rules:------410
No IP Blacklist Changes

Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

We always have to restart snort service after updating your rules. So make sure that you didn't get any errors during the restart. If you received errors, check the /var/log/syslog file and try to fix the issue.

[root@centos-007 ~]# service snort restart
Updating Snort Rules using Pulled Pork


Congratulations, if you have outputs similar to the above after restating PulledPork and restarting snort service then you have successfully Configured PulledPork with Snort.


Share This :

Free Linux Ebook to Download

Comments (6)

Trackback URL | Comments RSS Feed

  1. Juju19 says:

    Hi, I have problem with unified2 output,

    I have set on snort.conf
    output unified2: filename merged.log, limit 128
    and uncomment ALERTMODE & BINARY_LOG on /etc/sysconfig/snort
    but the unified output is still not in unified format and the filename still snort.logxxxxxx on /var/log.snort

    Please help me

    Kind Regards

  2. md says:

    Hi Kashif,

    I'm having issues verifying PulledPork. I installed on CentOS 7.1.1503 Minimal (guessing this might be where I went wrong :).)

    [root@localhost ~]# /usr/local/bin/ -V
    Can't locate LWP/ in @INC (@INC contains: /usr/local/lib64/perl5 /usr /local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr /lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/ line 25.
    BEGIN failed--compilation aborted at /usr/local/bin/ line 25.

    Here's what I have installed for Perl (most are from installing vim).

    [root@localhost ~]# rpm -qa | grep perl

    Any ideas? Thanks!

    • md says:

      So I figured this out.... it's lengthy.

      You'll need to install cpan. (yum install cpan)
      You'll also need to install openssl-devel for Crypt::SSLeay (yum install cpan).

      From there... use cpan to install each of the Perl modules you'll need. I suggest hopping in to see the dependencies. As of v0.7.2:

      use File::Copy;
      use LWP::UserAgent;
      use HTTP::Request::Common;
      use HTTP::Status qw (is_success);
      use Crypt::SSLeay;
      use Sys::Syslog;
      use Digest::MD5;
      use File::Path;
      use File::Find;
      use Getopt::Long qw(:config no_ignore_case bundling);
      use Archive::Tar;
      use POSIX qw(:errno_h);
      use Cwd;
      use Carp;
      use Data::Dumper;

      to install go into the cpan shell by just typing "cpan". Then use the command:

      install LWP::Simple
      install Crypt::SSLeay
      install Sys::Syslog

      These are just examples. It's likely you'll need to install several of those in the list.

      After all of that.... Success!

      [root@localhost pulledpork]# /usr/local/bin/ -V
      PulledPork v0.7.2 - E.Coli in your water bottle!

      Good luck! Hope this helps someone.

  3. Kashif Siddique says:

    Hi MD,

    Great to know you have solved your issue and thank you for sharing your experience with Snort.

  4. J78920 says:

    Hey Chaps

    I saw line 28 giving me grief on my run through I went through the cpan install of the modules and still got the error

    Can't locate Crypt/ in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/ line 28.
    BEGIN failed--compilation aborted at /usr/local/bin/ line 28.

    I ran the following on top of the cpan install for Crypt::SSLeay

    yum install perl-Crypt-SSLeay

    Pulled pork fired up without issue :)

    Hope that helps anybody that gets the same error

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.