Post by ZF on Jan 17, 2015 0:22:41 GMT -5
Installed on Centos 7
yum install wget net-tools mysql-devel php php-devel php-gd php-ldap php-mysql php-pear gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.8.2.tar.gz
Fetch over HTTPS and compare each tarball against the checksum published on the snort.org download page before using it. Note that these are source tarballs (2.9.8.2) while the steps below install and reference the packaged 2.9.7.0 build (the /usr/lib64/snort-2.9.7.0_* paths); use one or the other consistently.
yum install daq...
yum install httpd
systemctl enable httpd
systemctl restart httpd
(CentOS 7 is systemd-based; the SysV forms `chkconfig --levels 235 httpd on` and `service httpd restart` still work through the compatibility layer, but the systemctl form matches the mariadb steps below.)
yum -y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb.service
mysql_secure_installation
When prompted, set a strong, unique MariaDB root password and answer yes to removing anonymous users, disallowing remote root login and dropping the test database. (The original note recorded the chosen password here in clear text; never write credentials into a shared guide.)
yum install snort
Download the registered rule snapshot (snortrules-snapshot-*.tar.gz) from snort.org using your Oinkcode, then copy it to /usr/local/src on the sensor (the original author transferred it from a Windows box with smbclient). Treat the Oinkcode as a credential: it authenticates to your snort.org account and should not be pasted into notes or scripts.
mkdir -p /usr/local/lib/snort_dynamicrules
(typo fixed: the original read /usr/loca/lib, so the cp into /usr/local/lib/snort_dynamicrules below would have failed)
tar -xvzf /usr/local/src/snortrules-snapshot-*.tar.gz -C /etc/snort
mv /etc/snort/etc/* /etc/snort
cp /etc/snort/so_rules/precompiled/Centos-5-4/x86-64/2.9.7.0/* /usr/local/lib/snort_dynamicrules
The precompiled shared-object rules are binaries and must match the exact Snort version and platform directory of the installed package (2.9.7.0 here, matching the /usr/lib64/snort-2.9.7.0_* paths below); a mismatched version will fail to load when you run snort -T.
ln -s /usr/lib64/snort-2.9.7.0_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/lib64/snort-2.9.7.0_dynamicengine /usr/local/lib/snort_dynamicengine
edit /etc/snort/snort.conf and make the following changes:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
(one word: the original "PRE PROC_RULE_PATH" contained a stray space and would not match the $PREPROC_RULE_PATH reference uncommented below)
Comment out all settings for the Reputation Preprocessor. This disables IP blacklist/whitelist matching, presumably because the list files it references are not present in this install; re-enable it with valid list files once the sensor is working.
Uncomment $PREPROC_RULE_PATH
Test snort with the following:
snort -T -c /etc/snort/snort.conf
snort -i <ethernetcard> -c /etc/snort/snort.conf -A console
Add `-u snort -g snort` to drop root privileges after the capture interface is opened (assuming the package created that user); the sensor parses untrusted packets and should not keep running as root.
From another machine, run a port scan against the sensor host (snort-ids); the console should show alerts.
Alternatively add a local test rule to /etc/snort/rules/local.rules that fires on ping, e.g. alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;) (local SIDs must be 1000000 or higher), then ping the sensor.
Ensure that yum has copied snort startup script "snortd" to /etc/init.d and its configuration file snort.sysconfig to /etc/sysconfig/snort
Edit /etc/init.d/snortd and change the line
chkconfig: 2345 40 60
chkconfig: 2345 99 99
Start/stop priority 99 orders snortd after network and MariaDB in the SysV ordering (on CentOS 7 systemd runs these init.d scripts through its SysV compatibility generator).
chkconfig --add snortd
To change the interface snort is listening to, change
/etc/sysconfig/snort
INTERFACE=<NIC>
To forward alerts to a remote collector you can either install syslog-ng or use the stock syslog. Note that plain UDP/514 syslog (used below) is cleartext and best-effort: alerts can be read, spoofed or silently dropped in transit, so on any untrusted network prefer a tcp() destination (or tls() if the collector supports it) and firewall the collector's port 514 to this sensor's address.
To use syslog, edit snort.conf to use syslog
To use syslog-ng, install it following the separate syslog-ng guide, then add the following lines to syslog-ng.conf:
source s_file {file("/var/log/snort/alert");};
destination d_network {udp("192.168.229.128" port(514)); };
log { source(s_file); destination(d_network); };
check if log is going out by typing:
watch -n1 syslog-ng-ctl stat
yum install wget net-tools mysql-devel php php-devel php-gd php-ldap php-mysql php-pear gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel tcpdump
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.8.2.tar.gz
Fetch over HTTPS and compare each tarball against the checksum published on the snort.org download page before using it. Note that these are source tarballs (2.9.8.2) while the steps below install and reference the packaged 2.9.7.0 build (the /usr/lib64/snort-2.9.7.0_* paths); use one or the other consistently.
yum install daq...
yum install httpd
systemctl enable httpd
systemctl restart httpd
(CentOS 7 is systemd-based; the SysV forms `chkconfig --levels 235 httpd on` and `service httpd restart` still work through the compatibility layer, but the systemctl form matches the mariadb steps below.)
yum -y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb.service
mysql_secure_installation
When prompted, set a strong, unique MariaDB root password and answer yes to removing anonymous users, disallowing remote root login and dropping the test database. (The original note recorded the chosen password here in clear text; never write credentials into a shared guide.)
yum install snort
Download the registered rule snapshot (snortrules-snapshot-*.tar.gz) from snort.org using your Oinkcode, then copy it to /usr/local/src on the sensor (the original author transferred it from a Windows box with smbclient). Treat the Oinkcode as a credential: it authenticates to your snort.org account and should not be pasted into notes or scripts.
mkdir -p /usr/local/lib/snort_dynamicrules
(typo fixed: the original read /usr/loca/lib, so the cp into /usr/local/lib/snort_dynamicrules below would have failed)
tar -xvzf /usr/local/src/snortrules-snapshot-*.tar.gz -C /etc/snort
mv /etc/snort/etc/* /etc/snort
cp /etc/snort/so_rules/precompiled/Centos-5-4/x86-64/2.9.7.0/* /usr/local/lib/snort_dynamicrules
The precompiled shared-object rules are binaries and must match the exact Snort version and platform directory of the installed package (2.9.7.0 here, matching the /usr/lib64/snort-2.9.7.0_* paths below); a mismatched version will fail to load when you run snort -T.
ln -s /usr/lib64/snort-2.9.7.0_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/lib64/snort-2.9.7.0_dynamicengine /usr/local/lib/snort_dynamicengine
edit /etc/snort/snort.conf and make the following changes:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
(one word: the original "PRE PROC_RULE_PATH" contained a stray space and would not match the $PREPROC_RULE_PATH reference uncommented below)
Comment out all settings for the Reputation Preprocessor. This disables IP blacklist/whitelist matching, presumably because the list files it references are not present in this install; re-enable it with valid list files once the sensor is working.
Uncomment $PREPROC_RULE_PATH
Test snort with the following:
snort -T -c /etc/snort/snort.conf
snort -i <ethernetcard> -c /etc/snort/snort.conf -A console
Add `-u snort -g snort` to drop root privileges after the capture interface is opened (assuming the package created that user); the sensor parses untrusted packets and should not keep running as root.
From another machine, run a port scan against the sensor host (snort-ids); the console should show alerts.
Alternatively add a local test rule to /etc/snort/rules/local.rules that fires on ping, e.g. alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;) (local SIDs must be 1000000 or higher), then ping the sensor.
Ensure that yum has copied snort startup script "snortd" to /etc/init.d and its configuration file snort.sysconfig to /etc/sysconfig/snort
Edit /etc/init.d/snortd and change the line
chkconfig: 2345 40 60
chkconfig: 2345 99 99
Start/stop priority 99 orders snortd after network and MariaDB in the SysV ordering (on CentOS 7 systemd runs these init.d scripts through its SysV compatibility generator).
chkconfig --add snortd
To change the interface snort is listening to, change
/etc/sysconfig/snort
INTERFACE=<NIC>
To forward alerts to a remote collector you can either install syslog-ng or use the stock syslog. Note that plain UDP/514 syslog (used below) is cleartext and best-effort: alerts can be read, spoofed or silently dropped in transit, so on any untrusted network prefer a tcp() destination (or tls() if the collector supports it) and firewall the collector's port 514 to this sensor's address.
To use syslog, edit snort.conf to use syslog
To use syslog-ng, install it following the separate syslog-ng guide, then add the following lines to syslog-ng.conf:
source s_file {file("/var/log/snort/alert");};
destination d_network {udp("192.168.229.128" port(514)); };
log { source(s_file); destination(d_network); };
check if log is going out by typing:
watch -n1 syslog-ng-ctl stat