Introduction
This document is a short installation guide for getting Snort Report up and running with the Snort intrusion detection and prevention system on a Fedora 20 Linux system.
1. Setup Network Address and then restart Network
# nano /etc/sysconfig/network-scripts/ifcfg-ens33 (default /etc/sysconfig/network-scripts/ifcfg-p2p1)
# nano /etc/sysconfig/network
# nano /etc/resolv.conf
# /etc/rc.d/init.d/network restart (or # systemctl restart network.service)
Check network configuration
# ifconfig (or # ip addr show; ifconfig needs the net-tools package)
2. Install Webmin
# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.690-1.noarch.rpm
# rpm -U webmin-1.690-1.noarch.rpm
# /etc/rc.d/init.d/webmin start / restart / stop / status
Access Webmin through Firefox: http://localhost.localdomain:10000/
3. Install Apache and PHP by yum
# yum install httpd php php-common
# yum install php-pecl-apcu php-cli php-pear php-pdo php-mysqlnd php-pgsql php-pecl-mongo php-sqlite php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml
# service httpd start (or # systemctl start httpd.service)
# systemctl enable httpd.service
3.1 Open the firewall for Apache and test
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --reload (or # systemctl restart firewalld.service)
# ps -ef | grep httpd
Put a test page in the web root /var/www/html, for example info.php:
<?php
phpinfo();
?>
Delete info.php once the test succeeds: phpinfo() reveals the PHP version, loaded modules and filesystem paths to anyone who can reach the server.
4. Install mysql
Either enable the Oracle MySQL yum repository from http://dev.mysql.com/downloads/repo/yum/ or use the MariaDB packages Fedora 20 ships (the mysql* package names resolve to them):
# yum install mysql mysql-server mysql-devel
# chgrp -R mysql /var/lib/mysql
# chmod -R 770 /var/lib/mysql
# systemctl start mariadb.service (or # service mysqld start with the Oracle MySQL packages)
# systemctl enable mariadb.service # auto-start
Set the MySQL root password through Webmin, or run # mysql_secure_installation, which also removes the anonymous accounts and the test database.
5. Install snort
5.1) Install Prerequisite package
# yum install gcc
# yum install flex
# yum install bison
# yum install zlib zlib-devel
# yum install libpcap libpcap-devel
# yum install pcre pcre-devel
# yum install libdnet libdnet-devel
# yum install tcpdump
# yum install wireshark
5.2) Download snort rules
Download the community rules from https://www.snort.org/rules/community and unpack them into the rules directory:
# mkdir -p /etc/snort/rules
# tar -xvzf community.tar.gz -C /etc/snort/rules
Optional scanners for testing the sensor later:
# yum install nmap
# yum install nbtscan
# vi srconf.php (Snort Report's configuration file, under the snortreport directory installed in section 7)
5.3) Download snort program and Install
Download DAQ and Snort from https://www.snort.org/downloads/snort/: either the prebuilt packages daq-2.0.2-1.f19.x86_64.rpm and snort-2.9.6.1-1.f19.x86_64.rpm (install with rpm -Uvh), or the source tarballs daq-2.0.2.tar.gz and snort-2.9.6.1.tar.gz, which the remaining steps build and install:
# mv daq-2.0.2.tar.gz /usr/local/src
# mv snort-2.9.6.1.tar.gz /usr/local/src
# cd /usr/local/src
# tar -zxvf daq-2.0.2.tar.gz
# tar -zxvf snort-2.9.6.1.tar.gz
# cd daq-2.0.2
# ./configure
# make
# make install
# cd snort-2.9.6.1
# ./configure --enable-sourcefire
# make
# make install
# cd /etc
# mkdir -p snort
# cd snort
# ls /usr/local/src/
# cp /usr/local/src/snort-2.9.6.1/etc/* .
# tar -zvxf <path to>snortrules-snapshot-<nnnn>.tar.gz
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# cd /usr/local/lib
# mkdir snort_dynamicrules
# groupadd -g 40000 snort
# useradd snort -u 40000 -g snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS
# cd /etc/snort
# chown -R snort:snort *
# nano /etc/snort/snort.conf
# cp snort-fedora17-18.sh /etc/init.d/snort
# chmod +x /etc/init.d/snort
# chown root:root /etc/init.d/snort
# chmod 755 /etc/init.d/snort
# cd /usr/sbin
# ln -s /usr/local/bin/snort snort
# chmod 700 snort
# nano /etc/sysconfig/snort
# cd /etc/sysconfig
# chown snort:snort snort
# chmod 700 snort
# cd /var/log
# mkdir snort
# chmod 700 snort
# chown snort:snort snort
# cd /usr/local/lib
# chown -R snort:snort snort*
# chown -R snort:snort snort_dynamic*
# chown -R snort:snort pkgconfig
# chmod -R 700 snort*
# chmod -R 700 pkgconfig
# cd /usr/local/bin
# chown -R snort:snort daq-modules-config
# chown -R snort:snort u2*
# chmod -R 700 daq-modules-config
# chmod 700 u2*
# cd /etc
# chown -R snort:snort snort
# chmod -R 700 snort
# cd /usr/local/bin
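The chown/chmod sequence above is easy to get partly wrong, and a later rules update or re-install silently undoes parts of it. The following is an added check, not part of the original guide or of Snort: it lists every path under a directory that is not owned by the expected user or that grants any group/other permission. The function name audit_private_tree and the throwaway sample tree are my own; the sample is built under the current user because a test box may not have the snort account.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a directory tree for
# the "owner only" layout the chown/chmod steps above aim for.
# audit_private_tree DIR OWNER
#   prints every path under DIR that is not owned by OWNER or that has any
#   group/other permission bit set; returns 0 when the tree is clean, 1 if
#   anything was listed, 2 if DIR does not exist.
audit_private_tree() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # POSIX find: symbolic -perm tests are portable, -perm /077 is GNU-only.
    offenders=$(find "$dir" \( ! -user "$owner" \
        -o -perm -g+r -o -perm -g+w -o -perm -g+x \
        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print 2>/dev/null || true)
    [ -n "$offenders" ] || return 0
    printf '%s\n' "$offenders"
    return 1
}

# Constructed sample tree (stands in for /etc/snort): one compliant file and
# one that is group/world readable, both owned by the current user.
SAMPLE_TREE=$(mktemp -d)        # mktemp -d creates the directory with mode 0700
touch "$SAMPLE_TREE/snort.conf" "$SAMPLE_TREE/sid-msg.map"
chmod 600 "$SAMPLE_TREE/snort.conf"
chmod 644 "$SAMPLE_TREE/sid-msg.map"

# Usage; on the real sensor this would be:  audit_private_tree /etc/snort snort
audit_private_tree "$SAMPLE_TREE" "$(id -un)" \
    || echo "fix the listed paths with chown/chmod before starting snort"
```

Run it against /etc/snort, /usr/local/lib/snort_dynamicrules and /var/log/snort after every rules update; an empty listing means the tree still matches what this section set up.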
5.4) Manual startup and Auto startup
Validate the configuration first (-T parses snort.conf, reports any errors and exits):
# ./snort -T -i ens33 -u snort -g snort -c /etc/snort/snort.conf
Then run the sensor in the foreground, writing fast-format alerts and tcpdump-format packet logs to /var/log/snort:
# ./snort -A fast -b -d -i ens33 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Or start it through the init script installed in 5.3, which is what the auto start uses:
# /etc/init.d/snort start
5.5) Check Result
# cd /var/log/snort/
# tail -f alert
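Tailing the alert file shows individual hits; what a practitioner usually wants next is which signatures and which sources dominate. Here is an added example, not part of the original guide or of Snort, that summarises the fast-format alert file written by "snort -A fast". It assumes the standard fast-alert line layout ("timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port"); the three alert lines are constructed sample input, not real captures, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise the fast-format
# alert file that "snort -A fast" writes to /var/log/snort/alert.
# Each function takes a file argument, or reads stdin when none is given.

# alert_top_sigs [FILE]: "count [gid:sid:rev] message", most frequent first.
alert_top_sigs() {
    awk '{
        n = split($0, part, /\[\*\*\]/)   # part[2] = " [gid:sid:rev] message "
        if (n < 3) next                    # not a fast-alert line
        sig = part[2]
        gsub(/^ +| +$/, "", sig)
        count[sig]++
    }
    END { for (s in count) printf "%d %s\n", count[s], s }' ${1:+"$1"} \
    | sort -k1,1nr -k2
}

# alert_top_sources [FILE]: "count source-ip", most frequent first; the port
# suffix is dropped so a scanner using many source ports is counted as one host.
alert_top_sources() {
    awk '{
        if (!match($0, /[}] [^ ]+ -> /)) next   # "{PROTO} src[:port] -> dst[:port]"
        ep = substr($0, RSTART + 2, RLENGTH - 6)
        sub(/:[0-9]+$/, "", ep)
        count[ep]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }' ${1:+"$1"} \
    | sort -k1,1nr -k2
}

# Constructed sample alerts in snort's fast format (not real captures).
SAMPLE_ALERTS='07/10-14:23:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234
07/10-14:23:02.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.21:51240
07/10-14:24:10.000001  [**] [1:469:4] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.99 -> 192.168.1.20'

# Usage; on the sensor, pass the real file instead:  alert_top_sigs /var/log/snort/alert
printf '%s\n' "$SAMPLE_ALERTS" | alert_top_sigs
printf '%s\n' "$SAMPLE_ALERTS" | alert_top_sources
```

Because both functions aggregate in awk's END block they need a finite input; run them on the alert file (or on a copy rotated out by logrotate) rather than on "tail -f".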
6. Install Barnyard2
6.1) Prerequisite
# yum install libtool
6.2) Download and Install barnyard2
Download https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
# mv v2-1.13.tar.gz barnyard2-2-1.13.tar.gz
# tar zxvf barnyard2-2-1.13.tar.gz
# cd barnyard2-2-1.13
# ./autogen.sh
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make
# make install
The tarball ships a sample configuration (etc/barnyard2.conf). Copy it into place, then create the log directory and the waldo (bookmark) file, owned by the snort user that will run barnyard2 (not mode 666 as sometimes suggested: a directory needs its execute bit, and a world-writable log directory invites tampering):
# mkdir -p /usr/local/snort/etc
# cp etc/barnyard2.conf /usr/local/snort/etc
# mkdir /var/log/barnyard2
# chown snort:snort /var/log/barnyard2
# chmod 700 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# chown snort:snort /var/log/snort/barnyard2.waldo
6.3) Create the MySQL database and the database schema
# echo "create database snort;" | mysql -u root -p
# mysql -u root -p -D snort < ./schemas/create_mysql
# echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOURPASSWORD'" | mysql -u root -p
# vi /usr/local/snort/etc/barnyard2.conf
Because barnyard2.conf will hold this password, make it readable by its owner only once edited: # chmod 600 /usr/local/snort/etc/barnyard2.conf
Change the following lines so they point at the files copied into /etc/snort in 5.3 (sid-msg.map is not part of the Snort source; it comes from the rules tarball, so use the path it was extracted to):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config hostname: localhost
config interface: ens33
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost
6.4) Run barnyard2 as a daemon
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -u snort -g snort -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
The -f prefix must match the filename in snort.conf's unified2 output line, for example "output unified2: filename snort.u2, limit 128". The -A fast / -b command line in 5.4 on its own does not write unified2 files, so add that line to snort.conf and restart snort before starting barnyard2.
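Most barnyard2 start-up failures on this setup come from two mismatches: a config path that does not exist (the files are in /etc/snort, not /usr/local/snort/etc, after step 5.3) and a -f prefix that does not match what snort actually writes. The following is an added pre-flight check, not part of the original guide or of barnyard2. It assumes the "config *_file: PATH" key layout of barnyard2.conf; the function names, the temporary directory and the sample config and spool file are my own constructed stand-ins for the real /usr/local/snort/etc/barnyard2.conf and /var/log/snort.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check a barnyard2.conf
# and the unified2 spool directory before starting the daemon.

# barnyard2_check_conf CONF
#   reads every "config *_file: PATH" line, prints each PATH that is missing or
#   unreadable, and returns 1 if any were printed (0 otherwise).
barnyard2_check_conf() {
    conf=$1
    missing=0
    for f in $(awk '$1 == "config" && $2 ~ /_file:$/ { print $3 }' "$conf"); do
        if [ ! -r "$f" ]; then
            printf '%s\n' "$f"
            missing=1
        fi
    done
    return "$missing"
}

# barnyard2_check_spool DIR PREFIX
#   returns 0 when DIR holds at least one unified2 file named PREFIX.<timestamp>,
#   i.e. when the -f value matches what snort.conf's "output unified2:" writes.
barnyard2_check_spool() {
    for f in "$1"/"$2".*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Constructed sample: three of the four map/config files exist, sid-msg.map is
# deliberately absent (it ships in the rules tarball, not the Snort source).
SAMPLE_DIR=$(mktemp -d)
for f in reference.config classification.config gen-msg.map; do : > "$SAMPLE_DIR/$f"; done
cat > "$SAMPLE_DIR/barnyard2.conf" <<EOF
config reference_file: $SAMPLE_DIR/reference.config
config classification_file: $SAMPLE_DIR/classification.config
config gen_file: $SAMPLE_DIR/gen-msg.map
config sid_file: $SAMPLE_DIR/sid-msg.map
config hostname: localhost
config interface: ens33
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost
EOF
: > "$SAMPLE_DIR/snort.u2.1404000000"   # what "output unified2: filename snort.u2" produces

# Usage; on the sensor:
#   barnyard2_check_conf /usr/local/snort/etc/barnyard2.conf
#   barnyard2_check_spool /var/log/snort snort.u2
barnyard2_check_conf "$SAMPLE_DIR/barnyard2.conf" \
    || echo "missing files listed above; fix the config paths first"
barnyard2_check_spool "$SAMPLE_DIR" snort.u2 \
    || echo "no snort.u2.* files: check the unified2 filename in snort.conf"
barnyard2_check_spool "$SAMPLE_DIR" merged.log \
    || echo "merged.log.* not found: -f must match the prefix snort really writes"
```

The third call is expected to fail on the sample: merged.log is the prefix in the stock snort.conf comment, and passing it to -f while snort writes snort.u2.* is exactly the silent "barnyard2 runs but nothing reaches the database" case.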
7. Install Snort Report and ACID (web consoles for the snort database)
Download Snort Report from http://www.symmetrixtech.com/download.html
# tar zxvf snortreport-1.3.4.tar.gz -C /var/www/html
Edit snortreport-1.3.4/
Extract the remaining packages into /var/www/html so the paths in acid_conf.php below resolve.
Download jpGraph from http://jpgraph.net/download/download.php?p=5
# tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html
Download ADOdb from http://kaz.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz
# tar xzf adodb518a.tgz -C /var/www/html
Download ACID from http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
# tar xvzf /root/Downloads/acid-0.9.6b23.tar.gz -C /var/www/html
# vi /var/www/html/acid/acid_conf.php
$DBlib_path = "/var/www/html/adodb518a";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "PASSWORD";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "PASSWORD";
$ChartLib_path = "/var/www/html/jpgraph-3.5.0b1/src";
PASSWORD is the password granted to the snort database user in 6.3; like barnyard2.conf, this file now holds a database credential, so keep it readable only by the web server user.
Test the consoles at http://localhost/acid/ or http://localhost/snortreport-1.3.4/. Neither application authenticates users itself, and both expose every alert in the database, so before anything other than localhost can reach Apache put them behind web-server authentication or an IP allow-list (Apache Require directives or .htaccess) and serve them over HTTPS.