Security is a big issue for all networks in today’s enterprise environments. Many methods have developed to secure the network infrastructures and communication over the internet. Among them Snort is a leading open source network intrusion detection and prevention system and a valuable security framework. Its a packet sniffer that monitors network traffic in real time and scrutinize each packet in depth to find any dangerous payload or suspicious anomalies. Using Snort intrusion detection mechanism, we can collect and use information from known types of attacks and find out if some trying to attack our network or particular host. So the information gathered in this way can be well used to harden our networks to prevent from hackers and intruders that can also be useful for legal purposes.
This article describes the configuration, compilation and installation of SNORT 2.9.7.x and DAQ-2.0.x using the CentOS 7.0 Operating systems and other components.
Prepare the OS
We are going to setup SNORT IDS under the following Operating Systems and its components
- Virtualization Environment: VMware Workstation
- HOST Operating System: Microsoft Windows 7
- GUEST Operating System: CentOS 7.0 (64-bit version)
- System Resources: CPU 2.0 GHz RAM 4 GB
In CentOS 7 Virtual Machine, we configured its network settings with Static IP, Gateway and DNS entry to make sure that its connected with the internet through its Ethernet interface that will be used as a port to monitor traffic.
Following packages are mandatory to setup SNORT, so make sure to install these before start compiling SNORT or DAQ. Almost all these libraries can be installed by using yum command.
[[email protected] ~]# rpm -qa | grep gcc
gcc-4.8.2-16.2.el7_0.x86_64 [[email protected] ~]# rpm -qa | grep flex
flex-2.5.37-3.el7.x86_64 [[email protected] ~]# rpm -qa | grep bison
bison-2.7-4.el7.x86_64 [[email protected] ~]# rpm -qa | grep zlib
zlib-devel-1.2.7-13.el7.x86_64 [[email protected] ~]# rpm -qa | grep libpcap
libpcap-devel-1.5.3-4.el7_1.2.x86_64 [[email protected] ~]# rpm -qa | grep tcpdump
tcpdump-4.5.1-2.el7.x86_64 [[email protected] ~]# rpm -qa | grep libdnet-devel
Installing Data Acquisition (DAQ 2.0.5)
We can obtain SNORT and DAQ latest installation packages from its official website and copy its RPM package download link available for CentOS.
[[email protected] ~]# yum install https://snort.org/downloads/snort/daq-2.0.5-1.centos7.x86_64.rpm
Installing SNORT 2.9.7
Similarly we will install Snort by using below command with yum repository.
[[email protected] ~]# yum install https://snort.org/downloads/snort/snort-126.96.36.199-1.centos7.x86_64.rpm
Installing SNORT Rules:
In order to install Snort rules we must be the registered user to download the set of rule or have paid subscription. Installing some update snort rules is a necessary to make sure that snort is able to detect the latest threats.
Signup with Snort
Let's sign in with the World most powerful detection software and to download its rules that are most important to be aware from the latest threats.
Downloading Snort Rules
After sign in to Snort, now we will be able to download its rules that we need to install and work for Snort.
Updating Snort Rule using Pulled Pork
Pulled Pork for Snort rule management is designed to make Snort rules fly! With the intent of handling all rules. Its code pulls the rules that we need to handle our Snort rules.
Pulled Pork apackage is available on the Git hub, by using the following command we will get its package on the snort server with git clone command.
[[email protected] ~]# git clone https://github.com/shirkdog/pulledpork.git
Setup Pulled Pork
[[email protected] pulledpork]# cp pulledpork.pl /usr/local/bin
[[email protected] pulledpork]# chmod +x /usr/local/bin/pulledpork.pl
[[email protected] pulledpork]# cp etc/*.conf /etc/snort
Now we will configure PulledPork and place the Oinkcode in its configuration file, we will place it in its configuration file after getting it from our registered user.
Creating files that PulledPork requires as.
[[email protected] ~]# mkdir /etc/snort/rules/iplists
[[email protected] ~]# touch /etc/snort/rules/iplists/default.blacklist
Let's start a test to confirm that pulledpork is functional.
[[email protected] ~]# /usr/local/bin/pulledpork.pl -V
PulledPork v0.7.0 - Swine Flu !
Once the PulledPork works with its successful test results, we now moves forward to configure it with Snort by updating few configurations parameters.
We want to enable the dynamic rules, so for this purpose we make sure the second line in /etc/snort/snort.conf is not commented.
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-188.8.131.52_dynamicpreprocessor/
# path to base preprocessor engine
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
Now execute the following 3 commands to add the include rules as follow.
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf
Starting Pulled Pork
Now running the following command we will run pulledpork and update your rules as belwo.
[[email protected] ~]# pulledpork.pl -c /etc/snort/pulledpork/pulledpork.conf
No IP Blacklist Changes
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
We always have to restart snort service after updating your rules. So make sure that you didn't get any errors during the restart. If you received errors, check the /var/log/syslog file and try to fix the issue.
[[email protected] ~]# service snort restart
Updating Snort Rules using Pulled Pork
Congratulations, if you have outputs similar to the above after restating PulledPork and restarting snort service then you have successfully Configured PulledPork with Snort.