CRC-Blogs

Snort Installation – CentOS 7

Snort Overview

Snort is a Network-based Intrusion Detection System (NIDS) used to detect and prevent intrusions over the network. Through protocol analysis, content matching and various preprocessors, Snort detects thousands of worms and exploit attempts. Snort comes with an excellent feature set, including detection of various types of attacks such as buffer overflows, stealth port scans and CGI attacks.

Snort works from a set of pre-defined signatures/rules. It allows or blocks traffic crossing the network interface card based on that rule set. In Snort's signature-based scheme, packet headers and payloads are matched against rules/strings to see if they contain malicious content.

Snort is lightweight, open source and cross-platform, and can be comfortably installed even on the smallest server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand as needed.

Preparing your server:

Setting up a basic Snort configuration on CentOS 7 is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your server for installing Snort itself. Install the required CentOS packages with the following command.

# Build tools plus the libraries Snort links against; the -devel packages supply the
# headers that ./configure needs when building DAQ and Snort from source (see below).
# libdnet comes from EPEL: if yum reports it unavailable, enable EPEL (next step) and re-run.
# sudo yum install -y gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump

The latest Snort version at this time also requires libnghttp2, which is available from the Extra Packages for Enterprise Linux (EPEL) repository and can be installed using the commands underneath.

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y libnghttp2

With the prerequisites fulfilled, next up is how to install Snort on CentOS 7.

Installing SNORT on CentOS 7:

Installation of Snort on CentOS 7 consists of the following tasks, which must each complete successfully.

  • Installation of Data Acquisition (DAQ)
  • Installation of SNORT

CentOS offers two mechanisms for installing Snort:

  1. Installation with Yum
  2. Installation with Source Code.

Installing with yum:

Snort provides convenient RPM packages for CentOS 7, which can be installed directly from the command line. To work with network traffic on the NIC, Snort uses the data acquisition (DAQ) module to read packets from the interface, so DAQ must be installed first.


The RPM packages for DAQ and Snort can be installed with the commands below. Refer to the official Snort website https://www.snort.org for the latest versions of the DAQ and Snort packages.

# sudo yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
# sudo yum install https://www.snort.org/downloads/snort/snort-2.9.14.1-1.centos7.x86_64.rpm

After the above commands complete successfully, the installation of the Snort IDS is finished and you can proceed with configuring Snort according to your requirements.

Installing from the source:

Installing Snort from source means building and installing the DAQ module and the Snort application itself as two separate steps.

Installation of DAQ:

Snort uses the DAQ module to process the network traffic received at the NIC. DAQ collects the traffic from the NIC and forwards it to Snort for processing. Installation of DAQ includes the following steps:

Create an installation directory named “snort” in your home directory and change into it; all downloads and builds below go there.

# mkdir -p ~/snort
# cd ~/snort

Get the required installation media from the official Snort website https://www.snort.org:

# wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Extract the downloaded media using the following command:

# tar -xvzf daq-2.0.6.tar.gz

Navigate to the DAQ directory:

# cd daq-2.0.6

Execute the following commands; the final install step requires root privileges.

# sudo ./configure

# make

# sudo make install


Installation of SNORT:

Once the installation of the data acquisition module is complete, you can proceed with the installation of Snort on the CentOS server.

Navigate back to the snort working directory where the packages are downloaded:

# cd ~/snort

Get the Snort installation media from the official Snort website https://www.snort.org. Make sure to download the most recent package available there.

# sudo wget https://www.snort.org/downloads/snort/snort-2.9.14.1.tar.gz

Extract the Snort package using the following command:

# tar -xvzf snort-2.9.14.1.tar.gz

Navigate into the extracted Snort source directory (its name matches the downloaded version):

# cd snort-2.9.14.1

Execute the following commands to complete the installation of Snort:

# sudo ./configure --enable-sourcefire

# make

# sudo make install

Snort is now installed on your CentOS server. You can configure Snort according to your environment and needs. The configuration file resides inside the extracted source directory; in our case the path is ~/snort/snort-2.9.14.1/etc/snort.conf.

You can verify the installation by printing the Snort version:

# snort -V
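The source-build procedure above, collected into one script as an added example (this is not the blog's own script nor anything shipped by the Snort project). It uses the versions, download URL and ~/snort working directory from the page; the `src_dir_for` helper, the `build` subcommand and the `sudo ldconfig` call are my own additions. Deriving the source directory name from the tarball name avoids the mismatch that creeps in when a guide is updated to a new version but the `cd` step is not.

```shell
#!/usr/bin/env bash
# Added example: build DAQ and Snort from source on CentOS 7 in one run.
# Assumes the prerequisite packages (gcc, flex, bison, *-devel, libnghttp2) are installed.
set -eu

SNORT_VER="2.9.14.1"   # versions from the guide; check https://www.snort.org for newer ones
DAQ_VER="2.0.6"
BASE_URL="https://www.snort.org/downloads/snort"
WORKDIR="${HOME}/snort"

# Derive the directory a release tarball unpacks into by stripping .tar.gz,
# so the "cd" step can never drift from the version actually downloaded.
src_dir_for() {
    tarball="$1"
    printf '%s\n' "${tarball%.tar.gz}"
}

# Download (if not already present), unpack, configure, build and install one component.
# Any extra arguments are passed through to ./configure.
build_component() {
    tarball="$1"
    shift
    dir="$(src_dir_for "$tarball")"
    cd "$WORKDIR"
    [ -f "$tarball" ] || wget "${BASE_URL}/${tarball}"
    tar -xzf "$tarball"
    cd "$dir"
    ./configure "$@"
    make
    sudo make install
}

build_all() {
    mkdir -p "$WORKDIR"
    build_component "daq-${DAQ_VER}.tar.gz"
    build_component "snort-${SNORT_VER}.tar.gz" --enable-sourcefire
    # Refresh the dynamic linker cache so the freshly installed libdaq is found.
    sudo ldconfig
    snort -V
}

# Only perform the build when explicitly asked, so the file can also be
# sourced for its helper functions without touching the system.
case "${1:-}" in
    build) build_all ;;
esac
```

Save it as snort-build.sh and run `bash snort-build.sh build`; it stops at the first failing step because of `set -e`, which is what you want when a `./configure` check for a missing header fails.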