SNORT IDS TUTORIAL.pdf (uploaded by alberto-acevedo-aliaga, 08-Nov-2014)
Snort 2.9.1 CentOS 5.6

Installation Guide

Contents

Overview: What's Snort?
Scope and Limitations
Why CentOS instead of Fedora?
Assumptions
Why Snort in VM?
VMWare Settings
Set up CentOS Build
Get libnet, libdnet, daq, Snort, BASE, adodb and Barnyard2
Finish System Set-up and Compile Snort
Set up Snort Environment
Edit snort.conf
Set up MySQL
Gettin' GUI with it
Barnyard Output (not as bad as it sounds)
A Few More Steps in the Barnyard
Starting Snort and Finishing Barnyard Config
Test Snort
Starting Snort Automatically
Starting Barnyard2 Automatically
Updating Rules Automatically
Future Topics


Overview: What’s Snort?

Snort is an open source intrusion detection and prevention system (IDS/IPS), first released in 1998 by Marty Roesch. It is the world's most widely used IPS and has been downloaded over 4 million times. The 250,000+ active Snort users worldwide contribute new rules, plugins and complementary applications that work with Snort.

Scope and Limitations

This paper covers Snort, not Linux system, web or database administration and is offered with no explicit or implied warranty. All code referenced in this paper is open source.

This paper is focused on the initial installation of Snort with some supporting applications. Tuning, rule writing, policy definition and other operational issues are outside this scope.

Why CentOS instead of Fedora?

Mostly due to the author's lack of Linux skills and general laziness: Fedora 15 threw up some roadblocks that earlier installs had not. CentOS is a reasonable substitute for most of the Red Hat Linux flavors. If someone out there is really upset by this substitution, I would encourage that person to write a setup guide for Fedora.

Assumptions

This paper will cover the installation of Snort 2.9.1 on CentOS 5.6 with:

• MySQL 5.0.77
• Libdnet
• Libpcap 1.0.0-5
• SnortReport 1.3.1
• Barnyard2-1.9
• Apache 2.2.11
• Using VMWare

Why Snort in VM?

As a laptop user, I am mobile and often have to use public guest networks, such as those in hotels, coffee shops and others. One never knows when such an environment can be hostile (just because I'm paranoid doesn't mean that people aren't trying to get me).

Also, using a web based GUI means that a web port has to be open, as well as MySQL. So I find that it's helpful to have these on a virtual machine so that I don't have these ports open on my laptop OS. Nothing in this guide needs MySQL reachable from the network, so it should only listen on localhost; the web interface is the one port that has to be exposed, and only on the host-only interface.

Last, snapshots are your friend. VMWare allows users to capture the virtual machine’s state at a point in time, which can be later restored. This is a huge advantage in the case that mistakes were made or the virtual machine has become unstable. If only real life was like that....

All of this being said, the instructions in this paper should also work for native Fedora and Red Hat systems. It just won’t cover any of the machine specific details.

VMWare Settings

Within VMWare, the following settings are recommended:

• 1024 MB RAM
• 20 GB Disk
• Eth0 host only network
• Eth1 bridged to host interface
• No sound device, printer or accessories

Set up CentOS Build

First, download CentOS from http://centos.org; I used the DVD .iso, not the LiveCD. Once the operating system is installed from defaults, several packages will have to be installed to support the Snort installation and its supporting applications.

I created bubba as my non-root user but part of the administrator group. Bubba’s home directory is referred to throughout this paper, but if another user account is used, simply replace bubba with the appropriate user name.

A couple of differences I noticed with CentOS:


• eth1 did not come up on its own. I had to go into system > administration > network and configure it to connect at startup. I also changed eth0 to a static IP address at this time.

• sshd is up and running when the system boots for the first time; no need to install it and start the service.

Once these steps are complete, the supporting applications need to be installed. At this point, I like to ssh into the system so I can cut and paste. Please enter the following command:

yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison mysql mysql-devel mysql-bench mysql-server php-pear.noarch php-pear-DB.noarch php-pear-File.noarch kernel-devel libxml2-devel vim-enhanced.i386

Please note that if you are installing on a 64 bit system, change package names ending in .i386 to .x86_64, e.g. vim-enhanced.i386 becomes vim-enhanced.x86_64.

After this step is complete, update the system by running the following:

yum -y update

Since you’ve updated your kernel, you will need to reboot the system.

Now it’s time to install VMWare tools. While not completely necessary, the enhanced display resolution alone is worth the effort. Make sure you reboot your machine after the update and before you start the VMWare Tools install in order to have all the paths set properly.

Install VMWare Tools from the perl script in the menu bar under Virtual Machine > Install VMWare Tools. Once the disk is mounted on your desktop, un-tar it and run the *.pl script from a CLI as root user. For more information on this process, please see http://www.vmware.com/support/ws55/doc/ws_newguest_tools_linux.html

If you would like to download libnet, Snort, BASE and adodb from a command line rather than manually from a browser, use wget.

Once these are done, run ntsysv from the CLI. Select httpd and mysqld to autostart. At this point, it would be a good idea to start these services. You can do this by issuing the following commands:

• service httpd start
• service mysqld start

Get libnet, libdnet, daq, Snort, BASE, adodb and Barnyard2

Download libnet-1.0.2a.tar.gz from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz.140191.0.0.html.

Be careful with this: there are other sources for libnet, even some with the same version, but saved as a .tgz file rather than a .tar.gz. The .tgz file will NOT work and neither will versions of libnet beyond 1.0.2a. Because this is an old release fetched from a third-party mirror and built and installed as root, compare the archive's checksum against a second source (or the project site, http://libnet.sourceforge.net/) before unpacking it; a sensor is a poor place to run code you cannot vouch for.

Download libdnet from http://code.google.com/p/libdnet/downloads/detail?name=libdnet-1.12.tgz&can=2&q=.

Download libpcap from http://tcpdump.org. I used the 1.1.1 version.

Go to http://snort.org and download snort-2.9.1.tar.gz. If you have a subscriber account with snort.org, you can get the most up to date rules. While this is very important for production systems, registered user rules are 30 days old and are good enough for most testing and home users.

Get nbtscan from http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz.

Get JpGraph from this location: http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz

Download Snort Report from http://www.symmetrixtech.com/ids/snortreport-1.3.1.tar.gz

Barnyard2 is a separate process that allows snort to write to one or more output mechanisms. In our case, we will be using MySQL as a database to power SnortReport, but syslog, SGUIL and several others are also supported. You can get Barnyard2 at http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz


Finish System Set-up and Compile Snort

Now we will finish the system set up by installing libnet, libdnet, libpcap and daq. For more information on libnet, please see http://libnet.sourceforge.net/. Take the following steps:

• cd /usr/local
• tar zxvf /home/bubba/Downloads/libnet-1.0.2a.tar.gz
• cd Libnet-1.0.2a
• ./configure && make && make install

The && in the last step is a shell operator (not "shellcode"): the command on its right runs only if the command on its left exits successfully, so a failed configure or make stops the chain instead of installing a broken build. In short, it's a shortcut for the usual configure, compile and install sequence. If you'd like more information on configure, make and make install, please refer to http://www.codecoffee.com/tipsforlinux/articles/27.html.

Before compiling Snort, libdnet is also needed. While it can be installed from yum, there are a fair number of blog entries about users having problems compiling Snort when it was not installed manually. Take the following steps:

• cd /usr/local
• tar zxvf /home/bubba/libdnet-1.12.tgz
• cd libdnet-1.12
• ./configure && make && make install

The CentOS libpcap version is out of date and will not work with Snort 2.9.x or later.

• cd /usr/local
• tar zxvf /home/bubba/libpcap-1.0.0.tar.gz
• cd libpcap-1.0.0
• ./configure && make && make install

I would also recommend copying the libpcap.a file from /usr/local/lib to /usr/lib. The daq installation process looks for it there, but the standard compile doesn’t put it there. You can use the following command:

cp /usr/local/lib/libpcap.a /usr/lib/


SnortReport requires nbtscan and nmap. nmap is already set up, but nbtscan needs to be installed. It is somewhat different from other source code in that make is required, but configure and make install are not, and the archive unpacks into the current directory rather than a subdirectory, which is why an nbtscan directory is created first. The archive is the one downloaded earlier:

• cd /usr/local
• mkdir nbtscan
• cd nbtscan
• tar zxvf /home/bubba/nbtscan-source-1.0.35.tgz
• make

New in Snort 2.9 are the Data Acquisition libraries, referred to as daq. Download from http://www.snort.org/snort-downloads and install these:

• cd /usr/local
• tar zxvf /home/bubba/daq-0.6.1.tar.gz
• cd daq-0.6.1
• ./configure && make && make install

To install Snort, execute the following commands:

• cd /usr/local
• tar zxvf /home/bubba/snort-2.9.1.tar.gz
• cd snort-2.9.1
• ./configure && make && make install

The build options that used to need explicit --enable flags are now on by default, so building Snort just got a little easier. You can see these options in the snort.conf shipped in the rules tarball. If you need more information, please see /usr/local/snort-2.9.1/doc/INSTALL.

Set up Snort Environment

There are a few steps that need to take place in order to have snort run properly, mostly setting up some directories, getting the snort rules, moving some files around and creating the snort user. Nothing in this guide logs in as that user, so adding -s /sbin/nologin to the useradd command below is a sensible hardening step. Execute the following:

• mkdir /etc/snort
• mkdir /var/log/snort
• cd /etc/snort
• tar zxvf /home/bubba/snortrules-snapshot-2910.tar.gz -C /etc/snort
• cp etc/* /etc/snort
• groupadd snort
• useradd -g snort snort
• chown snort:snort /var/log/snort
• touch /var/log/snort/alert
• chown snort:snort /var/log/snort/alert
• chmod 600 /var/log/snort/alert
• mkdir /usr/local/lib/snort_dynamicrules
• cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.1.0/*.so /usr/local/lib/snort_dynamicrules
• cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules

Edit snort.conf

The snort.conf file defines how snort will run once the application is started. It is long and complex, but for this paper, we will only be working on a few of the features.

• vim /etc/snort/snort.conf
• Find the variable RULE_PATH and change it to /etc/snort/rules
• Find the variable PREPROC_RULE_PATH and change it to /etc/snort/preproc_rules
• Find the variable SO_RULE_PATH and change it to /etc/snort/so_rules
• Find reputation and comment out all the lines of this preprocessor. If you want to use it, you will need to create whitelist and blacklist rules. Details for this are laid out in the readme file.
• Find "unified2". Uncomment the line, change merged.log to snort.log and make sure to delete the nostamp option. Failing to remove nostamp will cause problems with Barnyard2 parsing the log files. Also, unless you are planning on using mpls and vlan event types, remove those statements as well. When done, it should read:

output unified2: filename snort.log, limit 128

A brief note on the the mpls_event_types and vlan_event_types parameters: If you know you want to include these, you may want to use a patch to Barnyard2 provided by Niels Horn on http://blog.nielshorn.net/2010/10/barnyard2-solving-the-unknown-record-type-errors/.
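The following shell functions are an added example, not part of the original guide, for checking the unified2 line and the Barnyard2 settings that have to agree with it before either process is started. They treat the output line as text, so they can be pointed at a real snort.conf with grep; the sample lines, the spool file names and the temporary directory used in the demo are constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: check the unified2 output line
# and the Barnyard2 settings that have to agree with it.  Sample lines, file
# names and the temp spool directory used in the demo are constructed here.

# Print the value of option $2 (filename, limit, ...) from an
# "output unified2:" line passed as $1; prints nothing if absent.
unified2_opt() {
    printf '%s\n' "$1" | sed -n 's/^output unified2:[[:space:]]*//p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | awk -v k="$2" '$1 == k { print $2 }'
}

# Return 0 if the line produces spool files Barnyard2 can follow the way the
# guide runs it: a filename is set, nostamp is absent (so Snort appends the
# epoch suffix that "barnyard2 -f <prefix>" looks for) and the mpls/vlan
# event types the guide says to remove are not present.
unified2_line_ok() {
    line=$1
    case $line in
        "output unified2:"*) ;;
        *) return 1 ;;
    esac
    [ -n "$(unified2_opt "$line" filename)" ] || return 1
    case $line in
        *nostamp*|*vlan_event_types*|*mpls_event_types*) return 1 ;;
    esac
    return 0
}

# Print the newest spool file <prefix>.<epoch> in directory $1 for prefix $2,
# i.e. the file Barnyard2 will be reading once it has caught up; prints
# nothing if there is none (for instance because nostamp was left in).
newest_spool() {
    dir=$1; prefix=$2
    esc=$(printf '%s' "$prefix" | sed 's/[.]/\\./g')
    n=$(ls "$dir" 2>/dev/null \
        | sed -n "s/^${esc}\.\([0-9][0-9]*\)\$/\1/p" | sort -n | tail -n 1)
    if [ -n "$n" ]; then printf '%s.%s\n' "$prefix" "$n"; fi
}

# Return 0 if barnyard2.conf ($1) has exactly one active "output database:"
# line and it names the mysql driver, a user, a dbname and a host.
barnyard2_db_ok() {
    n=$(grep -c '^output database:' "$1" || true)
    [ "$n" -eq 1 ] || return 1
    case $(grep '^output database:' "$1") in
        *mysql*user=*dbname=*host=*) return 0 ;;
    esac
    return 1
}

# Demo: the line the guide asks for, then the two mistakes it warns about.
for l in 'output unified2: filename snort.log, limit 128' \
         'output unified2: filename merged.log, limit 128, nostamp' \
         'output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types'
do
    if unified2_line_ok "$l"; then echo "OK   $l"; else echo "FAIL $l"; fi
done

# Demo: a constructed spool directory with two timestamped files and the
# plain alert file; "barnyard2 -f snort.log" will end up on the later one.
spool=$(mktemp -d)
touch "$spool/snort.log.1316000000" "$spool/snort.log.1316003600" "$spool/alert"
echo "newest spool file: $(newest_spool "$spool" snort.log)"
rm -rf "$spool"
```

To use it on the real files, feed `grep '^output unified2' /etc/snort/snort.conf` to unified2_line_ok and run barnyard2_db_ok against /etc/snort/barnyard2.conf once that file has been edited; newest_spool /var/log/snort snort.log shows whether Snort is actually producing timestamped spool files for Barnyard2 to follow.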


Set up MySQL

MySQL will serve as the database for the snort application. While not required to run Snort on its own, a database makes it easier to track down events and is required by the Snort Report monitoring tool.

One short note: this paper does not assume any expertise in database administration, nor does the author claim any significant skill in this area. The commands in this section are sufficient to install and run snort. The Snort Report tool provides some database maintenance tools; nothing additional is required to administer snort. The 'password' below is a placeholder: choose real passwords, and remember that the snort user's password has to match what goes into srconf.php and barnyard2.conf later. Neither Barnyard2 nor Snort Report needs the snort user to hand out privileges, so the GRANT option can be left off.

• mysql
• SET PASSWORD FOR root@localhost=PASSWORD('password');
• create database snort;
• grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
• SET PASSWORD FOR snort@localhost=PASSWORD('password');
• exit
• cd /usr/local/snort-2.9.1/schemas
• mysql -p < create_mysql snort

Now we will check to see that the Snort database has been correctly installed:

• mysql -p
• SHOW DATABASES; (there should be 4 rows)
• use snort;
• SHOW TABLES; (there should be 16 rows)
• exit;

Gettin’ GUI with it

In this step, we will set up the web environment. The steps involve un-tarring Snortreport into the web directory, followed by configuring the srconf.php file.

From the CLI as root:

• cd /var/www/html
• tar zxvf /home/bubba/snortreport-1.3.1.tar.gz
• cd snortreport-1.3.1
• vim srconf.php
• Find $pass and change the password from YOURPASS to the password given to the snort MySQL user (password in this guide)
• Find JPGRAPH_PATH and change the line to read define("JPGRAPH_PATH", "../jpgraph/src/"); this assumes the JpGraph download has been unpacked so that its src directory sits at /var/www/html/jpgraph/src
• Find NMAP_PATH and change the line to read define("NMAP_PATH", "/usr/bin/nmap -v");
• Change the line immediately below to read define("NBTSCAN_PATH", "/usr/local/nbtscan/nbtscan");
• Save the file and exit.

Barnyard Output (not as bad as it sounds)

Barnyard was written to take over the various output processing tasks so that Snort could spend more resources on processing packets.

From /usr/local:

• tar zxvf /home/bubba/barnyard2-1.9.tar.gz
• cd barnyard2-1.9
• ./configure --with-mysql && make && make install
• cp etc/barnyard2.conf /etc/snort

A Few More Steps in the Barnyard

• vim /etc/snort/barnyard2.conf
• Look for config hostname and replace "thor" with "localhost"
• Look for config interface and make sure it names the interface Snort sniffs on; this guide starts Snort on eth1. The value only labels the sensor in the database, it does not select a capture interface.
• Look for output and comment out all output methods until you get to database.
• Edit the mysql line to read: output database: log, mysql, user=snort password=password dbname=snort host=localhost

Starting Snort and Finishing Barnyard Config

In this section, we will start Snort and Barnyard.

• In the CLI, type snort -c /etc/snort/snort.conf -i eth1
• Open a second CLI.
• cp /dev/null /var/log/snort/barnyard.waldo
• mkdir /var/log/barnyard2
• Start barnyard: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Started like this, Snort runs as root for the whole session. Adding -u snort -g snort to the command makes it drop to the snort user created earlier once the interface is open, which is what /var/log/snort was chowned for.

Test Snort

In this step, we will test Snort with a simple rule in the local.rules file. Local rules are rules that the Snort administrator writes, and by convention they use SIDs (Snort IDs) in the range 1,000,000-1,999,999 so they never collide with the distributed rule sets.

• Open a third CLI
• vim /etc/snort/rules/local.rules
• Insert alert tcp any any <> any 80 (msg: "Test web activity"; sid: 1000001;) then save and exit.
• Restart Snort
• Open a web browser
• In the browser, go to any web page.
• In the CLI, type [ctrl] + c
• Go to http://localhost/snortreport-1.3.1/alerts.php and look at your events
• If you see a number of events with SID 1000001, Snort works!
• vim /etc/snort/rules/local.rules and disable the "Test web activity" rule.
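An added example, not from the guide, that lints local.rules the way the test above relies on it: every active rule must carry a SID, every SID must fall in the local range and none may be reused, and the last step (disabling the test rule) is done by SID rather than by hand. The sample rules written to a temporary file in the demo are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: lint local.rules before Snort
# is restarted, then disable a test rule by SID.  The sample rules written to
# a temp file at the bottom are constructed for the demo.

# Print the sid of every active (uncommented) rule in file $1, one per line.
active_sids() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# Return 0 if every active rule in $1 has a sid, every sid is in the local
# range 1000000-1999999 (the convention the guide describes) and no sid is
# used twice; otherwise report each problem on stderr and return 1.
check_local_rules() {
    f=$1; rc=0
    n_rules=$(grep -v '^[[:space:]]*#' "$f" \
        | grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' || true)
    n_sids=$(active_sids "$f" | wc -l | tr -d ' ')
    if [ "$n_rules" -ne "$n_sids" ]; then
        echo "$f: $n_rules active rules but $n_sids sid options" >&2; rc=1
    fi
    for s in $(active_sids "$f"); do
        if [ "$s" -lt 1000000 ] || [ "$s" -gt 1999999 ]; then
            echo "$f: sid $s is outside the local range 1000000-1999999" >&2; rc=1
        fi
    done
    dups=$(active_sids "$f" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$f: duplicate sids: $(echo $dups)" >&2; rc=1
    fi
    return $rc
}

# Comment out every active rule in $1 whose sid is $2, rewriting the file in
# place via a temp copy (so it works with either GNU or BSD sed).
disable_rule() {
    f=$1; sid=$2
    sed "/sid:[[:space:]]*${sid}[[:space:]]*;/s/^\([^#]\)/# \1/" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Demo on a constructed local.rules: the guide's test rule, a duplicate of
# its sid, and a rule that strays out of the local range.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# local.rules -- constructed sample for this example
alert tcp any any <> any 80 (msg: "Test web activity"; sid: 1000001;)
alert tcp any any -> any 22 (msg:"SSH to sensor"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"Ping"; sid:2000001; rev:1;)
EOF
if check_local_rules "$demo"; then echo "local.rules OK"; else echo "local.rules needs attention"; fi
disable_rule "$demo" 1000001
echo "active sids after disabling 1000001: $(active_sids "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

Run check_local_rules /etc/snort/rules/local.rules before every Snort restart; a failing check is cheaper to find here than as a Snort startup error or, worse, a local rule silently shadowing a distributed one with the same SID. disable_rule comments out every active rule carrying the given SID, so a duplicate is disabled along with the original.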

Starting Snort Automatically

If you are creating a sensor that you would always like to be snorting, it’s best to make sure it starts upon reboot. In order to do so, please take the following steps:

• ln -s /usr/local/bin/snort /usr/sbin/snort
• cp /usr/local/snort-2.9.1/rpm/snortd /etc/init.d
• cp /usr/local/snort-2.9.1/rpm/snort.sysconfig /etc/sysconfig/snort
• cd /etc/rc3.d
• ln -s ../init.d/snortd S99snortd
• cd ../rc0.d
• ln -s ../init.d/snortd K99snortd
• cd /etc/rc5.d
• ln -s ../init.d/snortd S99snortd
• cd ../rc6.d
• ln -s ../init.d/snortd K99snortd
• chmod 755 /etc/init.d/snortd

The snortd script carries a chkconfig header, so chkconfig --add snortd creates the same rc links if you would rather not make them by hand.

Now we have to edit the /etc/sysconfig/snort file to start snort with the proper options, in our case using the eth1 interface and the /etc/snort/snort.conf file.

• vim /etc/sysconfig/snort
• Find eth0 and change to eth1
• Find and comment out ALERTMODE=FAST, DUMP_APP=1, BINARY_LOG=1
• Save and close the file.

To test this, type the following:

/etc/init.d/snortd start

If snort starts OK, then you’ve done everything right.

Starting Barnyard2 Automatically

Just like starting Snort as a service on startup, here we will make sure Barnyard2 starts upon reboot. In order to do so, please take the following steps:

• vim /etc/snort/barnyard2.conf
• Uncomment config daemon
• Uncomment and set the path to your waldo file, /var/log/snort/barnyard2.waldo. This is a different file from the barnyard.waldo used when Barnyard2 was started by hand above; whichever name you pick, the WALDO_FILE variable in /etc/sysconfig/barnyard2 (edited next) must name the same file, otherwise Barnyard2 loses its place in the spool.
• vim /usr/local/barnyard2-1.9/rpm/barnyard2.config
• Change the LOG_FILE to snort.log and change the CONF variable to /etc/snort/barnyard2.conf. Save the file and exit.
• ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
• cp /usr/local/barnyard2-1.9/rpm/barnyard2 /etc/init.d
• vim /etc/init.d/barnyard2
• Change the BARNYARD_OPTS line to read BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS". Save and close the file.
• cp /usr/local/barnyard2-1.9/rpm/barnyard2.config /etc/sysconfig/barnyard2
• chmod 755 /usr/local/bin/barnyard2
• cd /etc/rc3.d
• ln -s ../init.d/barnyard2 S99barnyard2
• cd ../rc0.d
• ln -s ../init.d/barnyard2 K99barnyard2
• cd /etc/rc5.d
• ln -s ../init.d/barnyard2 S99barnyard2
• cd ../rc6.d
• ln -s ../init.d/barnyard2 K99barnyard2
• chmod 755 /etc/init.d/barnyard2

The init script was copied to /etc/init.d/barnyard2, so the rc links must point at that name; links to a barnyard2d script would dangle and Barnyard2 would never start at boot.

To test, type /etc/init.d/barnyard2 start.

Updating Rules Automatically

The threat landscape in network security is always changing: new vulnerabilities and exploits are constantly being announced. Snort deals with this by updating the rules available, but doing this manually is a task that few administrators can keep up with. For this reason, methods of automatically updating rules have been scripted.

In a brief aside and a shameless commercial, we should discuss the difference between VRT subscription and registered user rules. VRT Subscription provides registered users of Snort.org with immediate access to the most up to date Sourcefire VRT Certified Rules available at subscription cost. These have been tested and verified by the Sourcefire VRT as effective in stopping the threats involved while also running efficiently on a Snort system. Registered user rules are also fully VRT certified and tested, but become available after 30 days for no cost. For home users and some organizations, this 30 day delay in protection against the latest threats is an acceptable security risk.

In addition to the certified rules available at Snort.org, a number of additional individuals and groups write rules for Snort. One of the most noteworthy is Emerging Threats, an open source project supported by some of the contributors to the snort mailing list. There are other sources of rules on the web; some are freely available, others are at a cost.

In the past, Snort.org and Sourcefire have recommended using Oinkmaster, but now Pulled_Pork is recommended. Pulled_Pork has a number of advantages over Oinkmaster, mostly surrounding its capability for handling shared object rules.


Shared object (SO) rules were introduced in Snort 2.6.0 in early 2006 to provide a means to obscure the exact detection mechanism used in the rule and allow for more flexible detection criteria. For the most part, these rules are obfuscated because of contracts between Sourcefire and various software vendors providing advanced notice of vulnerabilities. In addition, the Sourcefire VRT provides SO rules for unannounced vulnerabilities it has discovered through research.

In order to update your rules automatically, you will need an oinkcode. You can get one on the snort.org website. Look on the bottom of the home page under Snort Links for the link “Get an Oinkcode”.

Just one note on oinkcodes: you will only be permitted to download snort rules once every 15 minutes. This means that if your download fails for any reason, you will have to wait 15 minutes before trying again. This is to prevent denial of service attacks or thoughtless users from making the downloads section of snort.org unavailable to other users.

In order to get Pulled_Pork running on the CentOS system we’ve built here, follow these steps:

• Download Pulled_Pork: wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
• cd /usr/local
• tar zxvf /home/bubba/pulledpork-0.6.1.tar.gz
• cd pulledpork-0.6.1/etc
• vim pulledpork.conf
• Find oinkcode. Replace with your own oinkcode.
• Find and uncomment the line that reads ips_policy=security.
• Find and change the rule_path to /etc/snort/rules/snort.rules
• Find and change local_rules path to /etc/snort/rules/local.rules
• Find and change sid_msg path to /etc/snort/sid-msg.map.
• Find and change config_path to /etc/snort/snort.conf
• Find and change sostub_path to /etc/snort/rules/so_rules.rules
• Find and change the distro to Centos-5-4
• Find pid_path. Change the statement to read pid_path=/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
• Save and exit
• cp pulledpork.conf /etc/snort/

Two things to check once the file is in place. The oinkcode is a credential tied to your snort.org account, so make /etc/snort/pulledpork.conf readable by root only (chmod 600) and keep it out of any backups or version control you share. And Pulled_Pork writes everything it fetches into the single file named by rule_path, so snort.conf must include $RULE_PATH/snort.rules (and the so_rules.rules stub) for Snort to load the updated rules at all.

Now we'll have to install CPAN, the Comprehensive Perl Archive Network. It can be done from the CLI, but it's much easier from the GUI by going to System > Administration > Add/Remove Software. Search for CPAN and select the following:

• perl-CPAN
• perl-App-cpanminus
• perl-parse-CPAN-meta
• perl-pip
• perl-CPANPLUS

Once installed, we will need some additional modules. To get these, issue the following commands:

• cpan. This will cause an install script to run with several questions and default answers suggested. Accept the defaults and don't be concerned with what appears to be several error messages.
• install Test::More
• install Crypt::SSLeay
• install LWP::Simple
• exit

Now test the application by running (the path matches the 0.6.1 tarball unpacked above):

• /usr/local/pulledpork-0.6.1/pulledpork.pl -c /etc/snort/pulledpork.conf

If you get a message saying “Fly Piggy Fly!”, Pulled_Pork works.

Your Pig is ready to Snort!


Future Topics

Some topics for the next revision are:

• More on using Pulled_Pork to maintain disabled rules.
• Rulebase Tuning - I presented this topic on the Snort Webcast series. For more info, please see http://www.snort.org/community/snort-webcast-series/
• 64 Bit Systems
• Inline configuration

I’m open to suggestions for improving this document and will be revisiting it on at least an annual basis. I cannot answer support questions; these are best addressed by the Snort Users mailing list. If you don’t already have a subscription to snort users, please go to https://lists.sourceforge.net/lists/listinfo/snort-users.

Also, if you do email the snort users list, make sure to include your snort.conf and barnyard2.conf files as well as the command string you use to start Snort with your inquiry. In many cases, people WAY smarter than me that monitor the list can answer questions right away with this information.

Nick Moore, September 2011

