How to Install / Configure SNORT IDS on CentOS 6.x / 7.x

Security is a major concern for every network in today's enterprise environments, and many methods have been developed to secure network infrastructure and communication over the internet. Among them, Snort is a leading open source network intrusion detection and prevention system and a valuable security framework. It is a packet sniffer that monitors network traffic in real time and inspects each packet in depth for malicious payloads or suspicious anomalies. Using Snort's signature-based detection we can match traffic against known attack patterns and find out whether someone is trying to attack our network or a particular host. The information gathered this way can be used to harden the network against intruders, and it can also be useful as evidence for legal purposes.

This article describes the installation and configuration of SNORT 2.9.7.x and DAQ 2.0.x on CentOS 7.0 from the pre-built RPM packages, together with the components needed to keep its rules up to date.

Prepare the OS

We are going to set up the SNORT IDS on the following platform:

  • Virtualization Environment: VMware Workstation
  • HOST Operating System: Microsoft Windows 7
  • GUEST Operating System: CentOS 7.0 (64-bit version)
  • System Resources: CPU 2.0 GHz RAM 4 GB

In the CentOS 7 virtual machine we configured the network with a static IP address, gateway and DNS entry, so that the VM reaches the internet through its Ethernet interface; in this lab the same interface is the port on which Snort monitors traffic. In a production deployment the monitoring interface should be a dedicated SPAN/mirror port or TAP, separate from the management interface.

Installing Prerequisites

The following packages are required before SNORT or DAQ can be installed, so make sure they are present first. Almost all of them can be installed with yum. The commands below only check whether each package is already installed; note that rpm -qa | grep name matches every package whose name contains the string (grep gcc also lists libgcc, for example), so confirm the exact package name in the output.

[[email protected] ~]# rpm -qa | grep gcc

[[email protected] ~]# rpm -qa | grep flex

[[email protected] ~]# rpm -qa | grep bison

[[email protected] ~]# rpm -qa | grep zlib

[[email protected] ~]# rpm -qa | grep libpcap

[[email protected] ~]# rpm -qa | grep tcpdump

[[email protected] ~]# rpm -qa | grep libdnet-devel
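As an added example (not from the original article), the following shell script turns the manual rpm -qa | grep checks above into a single report of which prerequisites are missing, using exact package-name matching so that libgcc does not count as gcc. The package list is my assumption: the packages the article checks plus the -devel headers a source build of DAQ and Snort needs.

```shell
#!/bin/sh
# Added example, not from the original article: report which Snort/DAQ
# prerequisites are missing so that only those need a `yum install`.
# REQUIRED_PKGS is an assumption (article's packages plus -devel headers);
# adjust it to your build.
REQUIRED_PKGS="gcc flex bison zlib zlib-devel libpcap libpcap-devel tcpdump libdnet libdnet-devel"

# installed_package_names [FILE]
# Print one installed package NAME per line. With no argument it queries the
# rpm database; with a file argument it reads that file instead, which lets
# the function be exercised on a host without rpm.
installed_package_names() {
    if [ -n "${1:-}" ]; then
        cat "$1"
    else
        rpm -qa --queryformat '%{NAME}\n'
    fi
}

# missing_packages [FILE]
# Print the required packages that are not installed. grep -x matches the
# whole line, so `gcc` is not satisfied by `libgcc` or `gcc-c++`, which a
# plain `rpm -qa | grep gcc` would accept.
missing_packages() {
    installed="$(installed_package_names "${1:-}")"
    for pkg in $REQUIRED_PKGS; do
        printf '%s\n' "$installed" | grep -qx "$pkg" || printf '%s\n' "$pkg"
    done
}

# Live usage: `sh prereq-check.sh --run` queries the local rpm database.
if [ "${1:-}" = "--run" ]; then
    missing="$(missing_packages | tr '\n' ' ')"
    if [ -n "$missing" ]; then
        echo "Missing packages: $missing"
        echo "Install them with: yum install $missing"
    else
        echo "All prerequisites are present"
    fi
fi
```

The file-argument form exists only so the logic can be checked on a box without rpm; on the CentOS host simply run the script with --run and feed the printed list to yum.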

Installing Data Acquisition (DAQ 2.0.5)

The latest SNORT and DAQ packages can be obtained from the official Snort website: copy the download link of the RPM package built for CentOS and pass it to yum, which installs the package together with its dependencies. Verify the package's checksum or signature before installing it, since it will run as a privileged daemon on the sensor.

[[email protected] ~]# yum install

Data Acquisition

Installing SNORT 2.9.7

Snort itself is installed the same way, by pointing yum at the RPM download link:

[[email protected] ~]# yum install

Installing snort

Installing SNORT Rules:

To download the rule set we need a registered account on snort.org or a paid subscription. Installing up-to-date rules is necessary so that Snort can detect the latest threats.

Signup with Snort

Sign in to snort.org (a registered account is enough for the registered rule set) so that we can download the rules, which are the essential part of keeping up with the latest threats.

Snort Signin

Downloading Snort Rules

After signing in to snort.org we can download the rule set that Snort needs in order to work.

Snort Rules

Updating Snort Rule using Pulled Pork

PulledPork is the rule-management tool for Snort, designed to "make Snort rules fly": it downloads the rule tarballs, merges them into a single rules file, applies our enable/disable/modify policies and records SID changes, so the rule set can be kept current from a script instead of by hand.

Downloading PulledPork

The PulledPork package is available on GitHub; fetch it onto the Snort server with git clone:

[[email protected] ~]# git clone

PulledPork Clone

Setup Pulled Pork

[[email protected] pulledpork]# cp /usr/local/bin
[[email protected] pulledpork]# chmod +x /usr/local/bin/
[[email protected] pulledpork]# cp etc/*.conf /etc/snort

Now we configure PulledPork. The oinkcode, obtained from our registered snort.org account, goes into its configuration file (pulledpork.conf), both in the oinkcode setting and in the rule_url entry that downloads the registered rule tarball. The oinkcode is an account credential, so keep the configuration file readable by root only (chmod 600).


Create the directory and the IP blacklist file that PulledPork expects:

[[email protected] ~]# mkdir /etc/snort/rules/iplists
[[email protected] ~]# touch /etc/snort/rules/iplists/default.blacklist

Testing PulledPork

Run a quick test to confirm that PulledPork is functional:

[[email protected] ~]# /usr/local/bin/ -V
PulledPork v0.7.0 - Swine Flu !

Once PulledPork passes this test, we configure Snort to use it by updating a few configuration parameters.

Configure Snort

We want to enable dynamic rules, so make sure the following lines in /etc/snort/snort.conf are not commented out:

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-

# path to base preprocessor engine
dynamicengine /usr/lib64/snort-

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

Then run the following three commands to append the include lines for the rule files that PulledPork maintains (snort.rules and so_rules.rules) and for our own local.rules. Each run appends another copy to the end of snort.conf, so run them only once:

echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf

Starting Pulled Pork

Now run PulledPork with its configuration file to download and process the rules, as below:

[[email protected] ~]# -c /etc/snort/pulledpork/pulledpork.conf

Rule Stats...
Enabled Rules:----365
Dropped Rules:----0
Disabled Rules:---45
Total Rules:------410
No IP Blacklist Changes

Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Snort must be restarted after every rule update so that it loads the new rules, so make sure the restart produces no errors. If it does, check the system log (on CentOS that is /var/log/messages, not /var/log/syslog) and fix the reported problem before relying on the sensor.

[[email protected] ~]# service snort restart
Updating Snort Rules using Pulled Pork
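As an added example (not code from the article or from the Snort and PulledPork projects), the following script makes the update procedure above repeatable: it adds the three include lines only when they are missing, so re-running it does not stack duplicates the way echo >> snort.conf does; it parses PulledPork's Rule Stats block and refuses to restart Snort when zero rules were enabled; and it validates the configuration with snort -T before restarting. It assumes the PulledPork script is installed as /usr/local/bin/pulledpork.pl and its config lives at /etc/snort/pulledpork/pulledpork.conf (both overridable through environment variables), and that Snort is restarted with the service wrapper the article uses.

```shell
#!/bin/sh
# Added example, not from the article or from Snort/PulledPork: an
# idempotent version of the "include lines, run PulledPork, restart" steps.
# Paths below are assumptions; override them in the environment if needed.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
PP_CONF=${PP_CONF:-/etc/snort/pulledpork/pulledpork.conf}

# ensure_include CONF RULES_FILE
# Append `include $RULE_PATH/RULES_FILE` to CONF only if that exact line is
# not already there. grep -F treats the literal $RULE_PATH as text and -x
# requires a whole-line match, so a commented copy does not count.
ensure_include() {
    conf=$1
    rules=$2
    line="include \$RULE_PATH/$rules"
    grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# enabled_rules_from_stats
# Read PulledPork's output on stdin and print the number after
# "Enabled Rules:" (the dashes are PulledPork's padding), or 0 if absent.
enabled_rules_from_stats() {
    n=$(sed -n 's/^Enabled Rules:-*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# update_rules
# Make the include lines present, run PulledPork, sanity-check its result,
# test the config in snort's -T (test) mode and only then restart the daemon.
update_rules() {
    for f in snort.rules local.rules so_rules.rules; do
        ensure_include "$SNORT_CONF" "$f"
    done
    out=$("$PULLEDPORK" -c "$PP_CONF") || { echo "pulledpork failed" >&2; return 1; }
    enabled=$(printf '%s\n' "$out" | enabled_rules_from_stats)
    if [ "$enabled" -eq 0 ]; then
        echo "PulledPork enabled 0 rules; leaving the running snort untouched" >&2
        return 1
    fi
    snort -T -c "$SNORT_CONF" || {
        echo "snort config test failed; check /var/log/messages" >&2
        return 1
    }
    service snort restart
}

# Run the whole update only when invoked with --run, so the functions can be
# sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
    update_rules
fi
```

Because snort -T parses the full configuration and every included rules file, a syntax error introduced by a bad rule download is caught before the old Snort process is stopped, so a failed update never leaves the sensor down.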


Congratulations: if PulledPork printed output similar to the above and the snort service restarted without errors, PulledPork is successfully configured with Snort.

Kashif Siddique 3:00 am

About Kashif Siddique

Linux Systems and Security Engineer in Information and Communication Technology. Results-driven ICT Professional and Open Source Geek with technical specialties in the area of Open Source Operating systems and Applications.





  1. Hi, I have a problem with unified2 output.

    I have set on snort.conf
    output unified2: filename merged.log, limit 128
    and uncommented ALERTMODE & BINARY_LOG in /etc/sysconfig/snort,
    but the output is still not in unified format and the filename is still snort.logxxxxxx in /var/log.snort.

    Please help me

    Kind Regards

    1. Hello Juju19,

      You can process your unified output files by downloading the Barnyard output plugin from its source and installing it to create human-readable log files.

      It is better if you choose the syslog output type, which allows you to manage logging on the host instead of in the application.

      For detailed help on output plug-ins, follow the link below, which is worth reading.,_Alerts,_and_Output_Plug-ins

  2. Hi Kashif,

    I'm having issues verifying PulledPork. I installed on CentOS 7.1.1503 Minimal (guessing this might be where I went wrong :).)

    [[email protected] ~]# /usr/local/bin/ -V
    Can't locate LWP/ in @INC (@INC contains: /usr/local/lib64/perl5 /usr /local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr /lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/ line 25.
    BEGIN failed--compilation aborted at /usr/local/bin/ line 25.

    Here's what I have installed for Perl (most are from installing vim).

    [[email protected] ~]# rpm -qa | grep perl

    Any ideas? Thanks!

    1. So I figured this out.... it's lengthy.

      You'll need to install cpan. (yum install cpan)
      You'll also need to install openssl-devel for Crypt::SSLeay (yum install cpan).

      From there... use cpan to install each of the Perl modules you'll need. I suggest hopping in to see the dependencies. As of v0.7.2:

      use File::Copy;
      use LWP::UserAgent;
      use HTTP::Request::Common;
      use HTTP::Status qw (is_success);
      use Crypt::SSLeay;
      use Sys::Syslog;
      use Digest::MD5;
      use File::Path;
      use File::Find;
      use Getopt::Long qw(:config no_ignore_case bundling);
      use Archive::Tar;
      use POSIX qw(:errno_h);
      use Cwd;
      use Carp;
      use Data::Dumper;

      To install, go into the cpan shell by just typing "cpan". Then use the command:

      install LWP::Simple
      install Crypt::SSLeay
      install Sys::Syslog

      These are just examples. It's likely you'll need to install several of those in the list.

      After all of that.... Success!

      [[email protected] pulledpork]# /usr/local/bin/ -V
      PulledPork v0.7.2 - E.Coli in your water bottle!

      Good luck! Hope this helps someone.
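As an added example (not from the commenter, the article or PulledPork), the following script checks which of the Perl modules listed in the reply above actually load, so the "Can't locate ... in @INC" errors can be fixed in one pass instead of one module per run. The module list is copied from the comment; the hint about yum package names (perl-Name-With-Dashes) is my assumption and should be checked against the repository.

```shell
#!/bin/sh
# Added example, not from the commenter or from PulledPork: list the Perl
# modules PulledPork needs that perl cannot load on this host.
# PP_MODULES is the `use` list from the comment above (PulledPork v0.7.2).
PP_MODULES="File::Copy LWP::UserAgent HTTP::Request::Common HTTP::Status Crypt::SSLeay Sys::Syslog Digest::MD5 File::Path File::Find Getopt::Long Archive::Tar POSIX Cwd Carp Data::Dumper"

# perl_module_present MODULE
# Succeed if `perl -MMODULE -e 1` can load the module from @INC.
perl_module_present() {
    perl -M"$1" -e 1 2>/dev/null
}

# missing_perl_modules [MODULE...]
# Print every module that fails to load; defaults to the PulledPork list.
missing_perl_modules() {
    [ $# -gt 0 ] || set -- $PP_MODULES
    for m in "$@"; do
        perl_module_present "$m" || printf '%s\n' "$m"
    done
}

if [ "${1:-}" = "--run" ]; then
    missing=$(missing_perl_modules)
    if [ -z "$missing" ]; then
        echo "All PulledPork Perl modules are present"
    else
        echo "Missing Perl modules:"
        printf '  %s\n' $missing
        # Assumption: distro packages are usually named perl-<Name-With-Dashes>,
        # e.g. perl-Crypt-SSLeay as in the comment below; otherwise use
        # `cpan -i <Module>`.
        echo "Install them from yum (perl-<Name-With-Dashes>) or with: cpan -i <Module>"
    fi
fi
```

Running this before the first pulledpork.pl -V saves the edit-run-fail loop described above: it reports all missing modules at once, whereas perl stops at the first failing use line (line 25, then line 28, and so on).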

  3. Hey Chaps

    I saw line 28 giving me grief on my run-through. I went through the cpan install of the modules and still got the error:

    Can't locate Crypt/ in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/ line 28.
    BEGIN failed--compilation aborted at /usr/local/bin/ line 28.

    I ran the following on top of the cpan install for Crypt::SSLeay

    yum install perl-Crypt-SSLeay

    Pulled pork fired up without issue :)

    Hope that helps anybody that gets the same error

  4. [[email protected] ~]# yum install
    Loaded plugins: fastestmirror
    Cannot open: Skipping.
    Error: Nothing to do
    [[email protected] ~]# yum install
    Loaded plugins: fastestmirror
    Cannot open: Skipping.
    Error: Nothing to do

    Why am I seeing this message while installing snort on my CentOS 7?