Before I start I must thank my TA Josh, who took the time to put together the bash script that this installation is based on.
There are two main ways to download and install Snort: you can download and compile from source, or you can download and install from an rpm. In my case I am using a VM running Fedora 14 with SELinux enabled, and I chose to download and install from the rpm since it takes out some of the configuration you would otherwise need to do. As a result I will not talk about configuring and compiling from source. To start off, there are some packages you need to make sure you have:
file-devel file-libs php-pecl-Fileinfo python-magic libpcap libpcap-devel libtermcap-devel wget make cmake gcc gcc-c++ bison bison-devel openssl openssl-devel zlib zlib-devel flex flex-devel python-devel swig GeoIP-devel sendmail
You may not need absolutely all of these packages, but this set will certainly get you everything you need.
Next, we need to obtain the .rpm file for installation. You can do this through wget or go to snort.org and download from there. Either way should work fine; just make sure you choose the correct version. You will also need to download the daq .rpm as well.
wget http://www.snort.org/downloads/1410 -O snort-2.9.2.1-1.F15.i386.rpm
wget http://www.snort.org/downloads/1404 -O daq-0.6.2-1.i386.rpm
These are the only two rpms you need. Install them using the following commands on Fedora. I am sure the process is similar for apt-get or any other package manager you use:
yum -y --nogpgcheck install daq-0.6.2-1.i386.rpm
# the daq install is repeated because the first attempt errored out (see below)
yum -y --nogpgcheck install daq-0.6.2-1.i386.rpm
yum-complete-transaction -y
yum -y --nogpgcheck install snort-2.9.2.1-1.F15.i386.rpm
When I did this, the first time I tried to install daq I actually got an error. I don't know why that is; if anyone would like to elaborate, feel free. However, I just went ahead and tried the installation again and it worked; the error appears to be well known and accepted. Installing Snort only took one iteration. At this point you have a working Snort installation. All you have left to do is install the rules/signatures. Your Snort installation is located at /etc/snort and the alert file is located at /var/log/alert. You must download the rules separately from the snort.org website: you must register as a user, and there is a paid version and a free version. Once downloaded, you can untar the file.
After untarring the file you need to copy the contents of the new folders to /etc/snort/. The commands for this are:
sudo cp -R rules /etc/snort
sudo cp -R etc /etc/snort
sudo cp -R preproc_rules /etc/snort
# create the dynamic module directories in case the rpm did not
sudo mkdir -p /usr/local/lib/snort_dynamicengine /usr/local/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicrules
sudo cp -R /usr/lib/snort-2.9.2.1_dynamicengine/* /usr/local/lib/snort_dynamicengine/
sudo cp -R /usr/lib/snort-2.9.2.1_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
sudo cp so_rules/precompiled/FC-12/i386/2.9.1.2/*.so /usr/local/lib/snort_dynamicrules/
At this point you have installed the current Snort rules/signatures and have a working version of Snort. It is recommended that you create a new snort user and change the owner of /var/log/snort/ to this new user, and change the owner of /var/log/snort/alert to this new user as well. Also, chmod 600 is a good setting for the read, write and execute permissions on the alert file. Snort can now be started by running the command snort. It must be run with sudo, and you can look at the documentation or man page to see how to specify your own .conf file or load your own signatures. Out.
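The user, ownership and permission step above, as an added shell example that is not part of the original post or of Snort itself; it assumes a Linux host (Fedora's useradd flags and /sbin/nologin) and must run as root when it has to create the account, with the log directory and user name taken as the two command-line arguments:

```shell
#!/bin/sh
# Added example: give the Snort log directory and alert file to a dedicated,
# unprivileged account and lock the alert file down to mode 600, then verify
# the result so a misconfiguration is caught rather than assumed.

# harden_snort_logs LOGDIR USER: create USER if it does not exist, hand it
# LOGDIR and LOGDIR/alert, and restrict the alert file to owner read/write.
harden_snort_logs() {
    logdir=$1
    user=$2
    if ! id "$user" >/dev/null 2>&1; then
        # system account, no home directory, no interactive shell (needs root)
        useradd -r -M -s /sbin/nologin "$user" || return 1
    fi
    mkdir -p "$logdir" || return 1
    [ -f "$logdir/alert" ] || : > "$logdir/alert" || return 1
    chown "$user" "$logdir" "$logdir/alert" || return 1
    chmod 600 "$logdir/alert" || return 1
}

# check_alert_perms LOGDIR USER: exit 0 only if LOGDIR/alert is owned by USER
# and has mode 600. Only the first 10 characters of the mode string are used so
# that the "." SELinux appends on Fedora (e.g. "-rw-------.") is ignored.
check_alert_perms() {
    f=$1/alert
    user=$2
    mode=$(ls -ld "$f" | awk '{print substr($1, 1, 10)}')
    owner=$(ls -ld "$f" | awk '{print $3}')
    printf '%s: mode=%s owner=%s\n' "$f" "$mode" "$owner"
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$user" ]
}

# Stand-alone usage (as root): sh harden_snort_logs.sh /var/log/snort snort
if [ "$#" -eq 2 ]; then
    harden_snort_logs "$1" "$2" && check_alert_perms "$1" "$2"
fi
```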