http://it4training.com
MODULE 3
Snort Installation
About This Module
This module covers the entire installation process, including some of the additional components used to better manage, store and receive alert feedback. To make this work properly, several additional supporting packages will be installed as well. This installation will be performed on a Linux platform since all of the tools required to do an installation are freely available.
Module Objectives:
o Build a secure OS foundation
o Understand the basic installation process
  o Installing from a combination of RPM packages and source code
  o Discuss RPM package update tools
o Perform installation and initial configuration
o Test the installation
Building a Secure OS Foundation
Slide 34
The platform on which your Snort installation resides is as critical as any component of the installation. It is good practice to have the operating system on which you will install Snort and its components prepared and in a secure state. While a precise step-by-step how-to tutorial on building a secure OS is beyond the scope of this class, we will present the fundamentals of building a secure OS. There are many techniques that can be employed and an equally large number of opinions on how to deploy a secure OS, so it is critical that you do some research to come up with a secure configuration that makes sense for the environment in which you will deploy your Snort sensors.
Major Issues to Consider
The list below contains some of the most prominent issues that should be addressed when constructing a secure OS platform:
o Unnecessary services
o Default accounts and settings
o Review installation, including OS and installed packages, for security issues
o Obtain and install latest security patches
o If applicable, a local firewall is a good idea to block access to ports other than those you intend to use
o Continuously monitor newsgroups and mailing lists for security information that might affect your installation
o Check your organization's security policy for guidelines on password usage and account privilege administration
Class OS Installation
Slide 35
The OS platform that has been provided is based on CentOS. It was installed with a minimal set of applications. Basically, there is enough to boot the system and compile and install the software packages we will need to complete our Snort deployment. The local firewall has been enabled. It has been configured to only allow incoming connections on ports 22 (ssh), 80 (http) and 443 (ssl). From a security perspective, it makes sense to disable access to port 80 once your installation is up and running. This leaves remote access to your sensor available only via secure, encrypted protocols.
Pre-installation Items
Slide 36
The Base OS
The base operating system was prepared to facilitate the installation of Snort and the tools you will install alongside Snort for alert analysis and storage. If you are building an installation from scratch, use the following guidelines:
Since the CentOS Linux distribution is largely RPM based, you can take advantage of tools such as 'yum' to install and update packages as needed.
yum is a straightforward, command line application for managing RPMs. Without any configuration of the tool, it is preconfigured to point to some default RPM repositories, so it can be used right away. You can configure yum to point to specific repositories, but that discussion goes beyond the scope of this class.
yum also has the ability to resolve and fetch package dependencies. This feature will save a lot of time and effort over manual package management. To use yum, see the following examples:
o yum install <package name> - This syntax fetches the package and its dependencies, if any exist, from the package repository. Note that only the base package name is necessary; yum will pull down the most up-to-date version.
o yum update <package name> - This syntax can be used to update a previously installed package.
o yum list installed <package name> - This command lets you see what packages are already installed on your system. It also accepts wildcard characters whereas the previous two examples do not.
o yum list available <package name> - This queries the yum repositories for packages available for download. It too accepts wildcards to facilitate your searches.
The base OS was initially configured with the following pre-installed:
o The Apache web server
o MySQL Server - MySQL Database Server
o Development Tools - Compilers and other packages needed for building Snort
Applications added after initial OS configuration:
o The MySQL database development libraries - The package listed below was installed with the following command: yum install <mysql package>
  . mysql-devel
o The PHP scripting language - The packages listed below were installed with the following command: yum install <php package>
  . php
  . php-devel
  . php-ldap
  . php-mysql
  . php-pear
  . php-gd
Note that these package installations, in some cases, may contain dependencies. The yum tool will attempt to resolve any dependencies and include them with the package installation or update.
Snort Pre-installation
Slide 37
The Snort installation will include components above and beyond the Snort core. For the purposes of this class, these components will be installed from source code rather than RPM. This gives you the greatest amount of control over the binary that is produced in terms of the features and functionality you want to compile into it.
Snort:
o The Snort core. Currently, the lab is configured with version 2.9.1
o snortrules-snapshot-2900.tar.gz
o daq-0.6.1 - The data acquisition module.
o libpcap 1.1.1 - The packet capture libraries.
o pcre 7.9 - Libraries to provide the Perl Compatible Regular Expression functionality in Snort.
o libdnet-1.11 - Libraries to provide the flex response capability in Snort.
o Barnyard2-1.9 - This package will be installed and discussed in detail in a subsequent module. It is a Snort output processing package designed to off-load computationally expensive output processing from the Snort process.
Graphical Interface and Alert Analysis Tools
Slide 38
There are several open source interface options for managing alerts you can choose from. For class purposes, BASE is the interface that will be used. The items below represent the packages needed to run BASE in addition to other graphical tools presented in this module.
o base-1.4.5
o adodb - Database abstraction libraries for PHP
Packages to support the charting capabilities of BASE:
o Image_Canvas
o Image_Color
o Image_Graph
Pre-installation
Slide 39
Prior to performing the Snort installation for this module you should familiarize yourself with the network environment.
o Network settings and virtual network topology
o The login credentials for all the devices
o Verify that all the devices and services you expect are up and running
Review the diagram on the following page for details of the virtual network topology and the devices in your environment.
[Diagram: virtual network topology]
About The Virtual Network
Slide 40
The virtual network for the class consists of five separate zones. The zones are described below in addition to the hosts located in each:
General Network Environment - This environment consists of the devices connected to VMNet1 (192.168.133.0/24)
o Student Desktop - The student host OS running a variety of tools
o Rugila - Linux server running SMTP & IMAP server
o Attila - Linux host with scanners and attack tools
DMZ - This environment consists of the devices connected to VMNet2 (192.168.10.0/24)
o Bleda - Linux server running HTTP & FTP services
o Lamp - Linux server with MySQL & HTTP services
Management Network - This environment consists of the devices connected to VMNet4 (192.168.111.0/24). This network segment is used for the management interfaces of your Snort sensor and DMZ hosts.
o snortbox - Your Snort sensor. This host also has a second interface facing the General Network zone. This interface has no IP address and will be used as the sensing interface for your sensor.
Gateway Zone - This environment consists of the devices connected to VMNet5 (192.168.222.0/24)
o router - This device is running the DNS server for the sfsnort.com domain. It has 4 interfaces and serves as the central point of ingress and egress between the virtual network and the classroom network.
Classroom Network - This environment consists of everything external to VMNet5
The entire infrastructure has been given the domain name sfsnort.com. Since there is a DNS server servicing the network, all of the hosts are reachable by name.
The host student desktop can be used as your primary desktop. It contains tools to allow you to remotely shell into snortbox for the installation labs. Alternatively, you can work directly in the snortbox virtual machine, which has a graphical environment installed so you can use the GUI tools that are available.
Initializing The Virtual Network Infrastructure
Slide 41
The virtual machines in the training infrastructure are configured as members of a VMWare team. This will allow you to initialize the devices in tandem rather than as individual virtual machines. Use the following instructions to start the virtual infrastructure:
1. Double click the VMWare application icon on your desktop.
2. From the File menu, select Open.
3. In the Open dialog box, navigate to the desktop and open the folder called "3D_xxxx_Infrastructure". In that folder, double click the icon called "3D_xxxx_Infrastructure.vmtm".
4. Right click on the 3D2500 virtual machine and select "Remove from Team". Close the tab containing the 3D2500 VM.
5. Right click on the DC1000 virtual machine and select "Remove from Team". Close the tab containing the DC1000 VM.
6. From the File menu, select Open. From the "3D_xxxx_infrastructure" folder open the sub-folder "Snortbox_4.0". Double click on "Snortbox_3.0.vmx".
7. Click the green triangular icon to start the virtual machines (be sure to start the team and Snortbox). Allow at least three minutes for them to initialize. You will note that a tile bar displays in the VMWare application window where each tile represents one of the virtual machines in the infrastructure. One way to tell that the virtual hosts have initialized is to watch for the login prompt in the last tile.
Exploring The Virtual Infrastructure
The initialization process for the hosts in your virtual infrastructure should now be complete. You should take some time to log in to the various hosts and familiarize yourself with the environment. Also, use the diagram at the beginning of this module as a reference to get a feel for the zones in which the hosts reside. You should be able to ping the various hosts to test the connectivity between them, with the exception of the DMZ hosts, which will not be available until you get the IPS installed and operating properly. The login credentials for the virtual hosts are as follows:
o User: root
o Password: password
The virtual infrastructure consists of a variety of hosts running the following operating systems:
o CentOS 5.5
  . attila
  . snortbox
o Ubuntu Server 10.04 LTS - Note that the initial login screens of the Ubuntu-based hosts may not render properly. You can press the [Enter] key to obtain a login prompt when needed.
  . rugila
  . router
  . lamp
  . bleda
Other Items to Consider in The Virtual Environment
You must click in the virtual machine's window to control it. If at any time you need to release the mouse or release control of the virtual machine so you can use your host OS desktop, you can press [Ctrl] + [Alt] on your keyboard. When you want to control the OS in the virtual machine again, just click in the VMWare window as you did before or press [Ctrl] + [g].
At this point your virtual network environment is ready. In the remainder of this section, you will perform the installation of Snort and its supporting applications.
Remember that you can use the snortbox console, or do everything from the student desktop system, which has a browser and remote access tools such as PuTTY so you can SSH into snortbox to perform the installation.
Just open the classfiles folder on the student desktop system and double click the PuTTY icon. Enter snortbox's name or IP address in the Host Name field and click the Open button. When the terminal window opens, enter snortbox's login credentials and begin the installation process from there.
Snort Installation
Slide 42
The local firewall is configured on snortbox to allow remote access to the following services:
o Port 22 - SSH
o Port 80 - HTTP
o Port 443 - SSL
It is highly recommended that you disable external access to port 80 once the installation is up and running. This allows only secure access to the Snort host from remote locations.
Perform a Service Check
Before beginning the installation process, you should check to see that the services you expect are up and running. Use the following command to perform this check:
[root@snortbox ~]# netstat -ltn
The screen should return results similar to the following:
[root@snortbox ~]# netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2841                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
You are looking for the presence of the following ports:
o 22 - SSH
o 80 - HTTP
o 3306 - MySQL
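The service check above can be scripted so it is repeatable after reboots and configuration changes. The script below is an added example, not part of the course material: it reads saved netstat -ltn output and reports which of the expected listeners (22 SSH, 80 HTTP, 3306 MySQL) are missing. The function names, the /tmp paths and the embedded sample output are all constructed for this example.

```shell
#!/bin/sh
# Added example (not course material): repeatable version of the service check.
# It reads saved `netstat -ltn` output and reports which of the TCP listeners the
# lab expects (22 SSH, 80 HTTP, 3306 MySQL) are absent.
set -eu

EXPECTED_PORTS="22 80 3306"

# write_sample_netstat <path>: constructed `netstat -ltn` output mirroring the
# lab's, with all three expected listeners present.
write_sample_netstat() {
    cat >"$1" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
EOF
}

# listening_ports <netstat output file>: prints each listening TCP port once.
# The port is whatever follows the last ':' of the local address, which also
# covers IPv6 wildcard listeners such as ':::22'.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" \
        | sort -un
}

# missing_ports <netstat output file> [port ...]: prints each expected port
# (default: EXPECTED_PORTS) that is not listening; returns 1 if any is missing.
missing_ports() {
    f=$1; shift
    [ $# -gt 0 ] || set -- $EXPECTED_PORTS
    listening=$(listening_ports "$f")
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$listening" | grep -qx "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh service_check.sh [saved-netstat-output]
# On the sensor run `netstat -ltn > /tmp/netstat.txt` and pass that file; with
# no argument the constructed sample above is used.
main() {
    if [ $# -gt 0 ]; then f=$1; else f=/tmp/netstat.sample.txt; write_sample_netstat "$f"; fi
    if missing=$(missing_ports "$f"); then
        echo "all expected services are listening ($EXPECTED_PORTS)"
    else
        echo "missing listeners: $(echo $missing)"
        return 1
    fi
}

main "$@"
```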
Install Snort and Its Components
In this portion of the lab, you will install several components required to run Snort, the Snort core and Snort rules. Then you will configure the MySQL database to receive Snort alerts.
1. Install the PCRE libraries. This package is required so that Snort's Perl Compatible Regular Expression capability is enabled. With these libraries, you can use PCRE in the rules that you create, and the rules that ship with the Snort distribution that rely on PCRE will work properly. From the /usr/local directory enter the following commands:
[root@snortbox local]# tar zxvf src/pcre-7.9.tar.gz
[root@snortbox local]# cd pcre-7.9
[root@snortbox pcre-7.9]# ./configure
[root@snortbox pcre-7.9]# make
[root@snortbox pcre-7.9]# make install
[root@snortbox pcre-7.9]# cd ..
[root@snortbox local]#
2. Install libpcap. This is the package that allows the DAQ to read packets off the network. From the /usr/local directory enter the following commands:
[root@snortbox local]# tar zxvf src/libpcap-1.1.1.tar.gz
[root@snortbox local]# cd libpcap-1.1.1
[root@snortbox libpcap-1.1.1]# ./configure
[root@snortbox libpcap-1.1.1]# make
[root@snortbox libpcap-1.1.1]# make install
[root@snortbox libpcap-1.1.1]# cd ..
[root@snortbox local]#
3. Install libdnet. This package allows the DAQ to be used in the NFQ and IPQ modes as well as for active responses. From the /usr/local directory enter the following commands:
[root@snortbox local]# tar zxvf src/libdnet-1.11.tar.gz
[root@snortbox local]# cd libdnet-1.11
[root@snortbox libdnet-1.11]# ./configure
[root@snortbox libdnet-1.11]# make
[root@snortbox libdnet-1.11]# make install
[root@snortbox libdnet-1.11]# cd ../lib
[root@snortbox lib]# ln -s libdnet.1 libdnet.so.1
[root@snortbox lib]# ldconfig
[root@snortbox lib]# cd ..
[root@snortbox local]#
4. Install DAQ. The Data Acquisition library is the component that allows Snort to read packet data off the wire.
[root@snortbox local]# tar zxvf src/daq-0.6.1.tar.gz
[root@snortbox local]# cd daq-0.6.1
[root@snortbox daq-0.6.1]# ./configure
[root@snortbox daq-0.6.1]# make
[root@snortbox daq-0.6.1]# make install
[root@snortbox daq-0.6.1]# ldconfig
[root@snortbox daq-0.6.1]# cd ..
[root@snortbox local]#
5. Install Snort. From the /usr/local directory enter the following commands:
[root@snortbox local]# tar zxvf src/snort-2.9.1.tar.gz
[root@snortbox local]# cd snort-2.9.1
[root@snortbox snort-2.9.1]# ./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
[root@snortbox snort-2.9.1]# make
[root@snortbox snort-2.9.1]# make install
[root@snortbox snort-2.9.1]#
Note that the configuration options used to build your Snort binary determine which features of Snort you will enable. The options used in class are the Sourcefire recommended compile options. In the example above, the compile-time options do the following:
o IPv6 - gives Snort the ability to decode IPv6 traffic
o GRE - allows Snort to read GRE data
o MPLS - allows Snort to read MPLS information
o Targetbased - target-based support in the stream and frag preprocessors and rules
o Decoder-preprocessor-rules - allows you to apply rule action types to decoder and preprocessor alerts
o PPM - enables the packet and rule performance monitoring capability
o Perfprofiling - turns on Snort's performance profiling capability, which lets you see statistics related to rule and preprocessor usage
o Zlib - allows the HTTP_inspect preprocessor to uncompress compressed data (gzip/deflate)
o Active-response - allows configuration and customization of responses in Snort
o Normalizer - when in inline mode, allows Snort to normalize traffic to minimize chances of evasion
o Reload - allows configurations to be reloaded without stopping Snort
o React - allows the use of the react rule option
o Flexresp3 - enables flex-response, or the ability to use Snort to reset connections
6. Create an /etc directory entry for Snort and for Snort rules. Then, copy the configuration files and unpack the rules distribution into it. From the Snort installation directory /usr/local/snort-2.9.1, do the following:
[root@snortbox snort-2.9.1]# mkdir /etc/snort
[root@snortbox snort-2.9.1]# mkdir /var/log/snort
[root@snortbox snort-2.9.1]# mkdir /usr/local/lib/snort_dynamicrules
[root@snortbox snort-2.9.1]# tar zxvf /usr/local/etc/snortrules-snapshot-2910.tar.gz -C /etc/snort
[root@snortbox snort-2.9.1]# tar zxvf /usr/local/src/opensource.gz -C /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/etc/*.conf* /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/etc/*.map /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.1.0/* /usr/local/lib/snort_dynamicrules
[root@snortbox snort-2.9.1]# ln -s /usr/local/bin/snort /usr/sbin/snort
7. Create a Snort user and user group. From the directory you are currently in, issue the following commands:
[root@snortbox snort-2.9.1]# groupadd snort
[root@snortbox snort-2.9.1]# useradd -g snort snort
[root@snortbox snort-2.9.1]# chown snort:snort /var/log/snort
8. Make some initial configuration settings to the snort.conf file.
In order to get the Snort system running in a state where it can be tested to ensure it's working properly, you must make some initial configuration settings in the snort.conf file. This file will be covered in much greater detail in the modules that follow.
The steps that follow will assume that you are using the VI editor. However, you can use any editor you are comfortable with.
Open the file /etc/snort/snort.conf in the editor of your choice, and make the changes outlined below. To open the file in VI, use the following command:
[root@snortbox snort-2.9.1]# vim /etc/snort/snort.conf
Search for the following string in the file: var RULE_PATH
If you are using the VI editor, you can type the slash character followed by the search string as shown below:
/RULE_PATH
Note that in VI, when you type the slash character as instructed, the information is displayed at the bottom of the terminal window. You may also jump to a line number in VI by typing in a number and pressing <Shift> G.
Press Enter to execute the search. The cursor will land at the first occurrence of the string. The RULE_PATH variable can be found at approximately line 98. The value for this variable may already be set to the ../rules relative directory.
To move to the next occurrence of a search term, press the letter 'n', and to move to the previous occurrence, you can press 'N'.
Change this to read as follows:
var RULE_PATH /etc/snort/rules
In the VI editor, you can move the cursor to the line you wish to edit and press the letter 'i' to enter insert mode. Edit the line that follows as in the example below:
var SO_RULE_PATH /etc/snort/so_rules
Edit the line that follows as in the example below:
var PREPROC_RULE_PATH /etc/snort/preproc_rules
o Press ESC to exit insert mode after you make your edits.
o Comment out the lines that follow (approximately lines 479 thru 484) as in the example below:
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
These lines control the reputation preprocessor, which we will cover later.
If you are using the VI editor, use the search procedure described on the previous page with the slash character. Next, look for the three lines that include the following files (approximately line 587):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Uncomment these lines by removing the # symbol at the beginning of each line. You can move the cursor to the beginning of the line and press the [Del] key. Write these changes to the file. In VI use the command :wq to write the changes and quit the editor. Since VI is not the most friendly application to use, one handy trick in case you mess things up is to exit without saving.
o First, make sure you are in command mode by pressing the Esc key (if you hear a beep, you were already in command mode).
o Then, type the following command: :q!
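The step 8 edits can also be applied and verified non-interactively, which is useful when rebuilding a sensor. The script below is an added example, not part of the course material: it runs sed over a constructed fragment of snort.conf containing only the lines step 8 touches, then checks that every edit landed. The function names and /tmp paths are assumptions for this example; pass the real /etc/snort/snort.conf path as its argument to use it on the sensor.

```shell
#!/bin/sh
# Added example (not course material): apply the step 8 snort.conf edits with sed
# instead of vi, then verify them. Paths and variable names are those the course uses.
set -eu

# write_sample_conf <path>: constructed snort.conf fragment at its shipped defaults,
# i.e. only the lines step 8 changes.
write_sample_conf() {
    cat >"$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
EOF
}

# apply_snort_conf_edits <in> <out>: point the three rule-path variables at
# /etc/snort, comment out the reputation preprocessor block (from its first line
# through the blacklist line) and uncomment the three rule includes. A file that
# was already edited passes through unchanged, so the script is safe to re-run.
apply_snort_conf_edits() {
    sed -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e '/^preprocessor reputation:/,/^[^#].*black_list\.rules/ s|^|#|' \
        -e 's|^# *\(include \$PREPROC_RULE_PATH/preprocessor\.rules\)|\1|' \
        -e 's|^# *\(include \$PREPROC_RULE_PATH/decoder\.rules\)|\1|' \
        -e 's|^# *\(include \$PREPROC_RULE_PATH/sensitive-data\.rules\)|\1|' \
        "$1" >"$2"
}

# verify_snort_conf_edits <file>: returns 0 only when every step 8 edit is present.
verify_snort_conf_edits() {
    f=$1
    grep -q '^var RULE_PATH /etc/snort/rules$' "$f" &&
    grep -q '^var SO_RULE_PATH /etc/snort/so_rules$' "$f" &&
    grep -q '^var PREPROC_RULE_PATH /etc/snort/preproc_rules$' "$f" &&
    ! grep -q '^preprocessor reputation:' "$f" &&
    grep -q '^#preprocessor reputation:' "$f" &&
    [ "$(grep -c '^include \$PREPROC_RULE_PATH/' "$f")" -eq 3 ]
}

# Usage: sh snortconf_edit.sh [/etc/snort/snort.conf]
# The edited copy is written next to the input with an .edited suffix; without an
# argument the constructed fragment in /tmp is used.
main() {
    if [ $# -gt 0 ]; then in=$1; else in=/tmp/snort.conf.sample; write_sample_conf "$in"; fi
    out="$in.edited"
    apply_snort_conf_edits "$in" "$out"
    if verify_snort_conf_edits "$out"; then
        echo "edits applied and verified: $out"
        cat "$out"
    else
        echo "verification failed for $out" >&2
        return 1
    fi
}

main "$@"
```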
Start Snort
1. Test Snort. Run a test of your Snort installation to make sure it starts with no errors as follows:
[root@snortbox ~]# snort -i eth1 -c /etc/snort/snort.conf -A console
Upon entering this command, you will see a series of messages scroll off the screen. Eventually it will stop with a screen similar to that which is depicted below.
Rules Object: pop3 Version 1.0 <Build 1>
Rules Object: web-misc Version 1.0 <Build 1>
Rules Object: chat Version 1.0 <Build 1>
Rules Object: icmp Version 1.0 <Build 1>
Rules Object: misc Version 1.0 <Build 1>
Rules Object: web-activex Version 1.0 <Build 1>
Rules Object: exploit Version 1.0 <Build 1>
Rules Object: multimedia Version 1.0 <Build 1>
Rules Object: p2p Version 1.0 <Build 1>
Rules Object: netbios Version 1.0 <Build 1>
Rules Object: imap Version 1.0 <Build 1>
Rules Object: dos Version 1.0 <Build 1>
Rules Object: web-client Version 1.0 <Build 1>
Rules Object: sql Version 1.0 <Build 1>
Rules Object: web-iis Version 1.0 <Build 1>
Rules Object: specific-threats Version 1.0 <Build 1>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Commencing packet processing (pid=31187)
2. To generate some alerts, log on to attila. You can access attila's console by SSH using PuTTY on the student desktop. Once you have signed in, you can do the following to generate alerts.
Run an NMap scan. From attila's command line, issue the following command:
[root@attila ~]# nmap -sS -O 192.168.133.1,50,253
Allow a minute for this scan to process.
After performing these actions, alerts should be generated in the snortbox console window, indicating that your installation is functioning. The display will show alerts similar to the following example.
08/24-10:01:37.615798 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.1
08/24-10:01:37.615987 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.1 -> 192.168.133.50
08/24-10:01:37.615988 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.253
On snortbox, press [Ctrl] + c to regain control of the command line.
Right now we have a functional install of Snort. In a future module we will have Snort log its information into a database via Barnyard2.
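Once alerts are scrolling by, it helps to summarize them rather than read them one at a time. The script below is an added example, not part of the course material: it parses the console alert format shown above with awk, counting alerts per signature and per source address. The first three sample lines are the alerts above; the fourth is constructed to show a priority-2 alert for the priority filter, and the function names and /tmp paths are assumptions for this example.

```shell
#!/bin/sh
# Added example (not course material): summarize `snort -A console` alerts by
# signature and by source address instead of reading them one at a time.
set -eu

# write_sample_alerts <path>: constructed alert lines in the console format. The
# first three mirror the lab output; the fourth is made up to show a priority-2
# alert (lower priority numbers are more severe).
write_sample_alerts() {
    cat >"$1" <<'EOF'
08/24-10:01:37.615798 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.1
08/24-10:01:37.615987 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.1 -> 192.168.133.50
08/24-10:01:37.615988 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.253
08/24-10:01:38.102311 [**] [1:469:4] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.133.50 -> 192.168.133.253
EOF
}

# summarize_by_sid <alerts file>: prints "gid:sid:rev count message", most
# frequent first. The signature id is the first [g:s:r] bracket and the message
# runs from there to the following [**].
summarize_by_sid() {
    awk '
    {
        if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
        sid = substr($0, RSTART + 1, RLENGTH - 2)
        rest = substr($0, RSTART + RLENGTH + 1)
        msg = substr(rest, 1, index(rest, " [**]") - 1)
        count[sid]++; text[sid] = msg
    }
    END { for (s in count) printf "%s %d %s\n", s, count[s], text[s] }' "$1" \
        | sort -k2,2nr -k1,1
}

# alerts_by_source <alerts file> [max priority]: prints "source count" for alerts
# whose priority number is <= max priority (default 3, i.e. everything); pass 2
# to drop priority-3 noise such as plain ICMP PING.
alerts_by_source() {
    awk -v maxprio="${2:-3}" '
    {
        if (!match($0, /\[Priority: [0-9]+\]/)) next
        prio = substr($0, RSTART + 11, RLENGTH - 12) + 0
        # each line ends with "{PROTO} src -> dst"
        if (prio <= maxprio && $(NF - 1) == "->") src[$(NF - 2)]++
    }
    END { for (a in src) printf "%s %d\n", a, src[a] }' "$1" \
        | sort -k2,2nr -k1,1
}

# Usage: sh alert_summary.sh [alert file]
# Save the console output on the sensor with `snort ... -A console | tee /tmp/alerts.txt`
# and pass that file; with no argument the constructed sample is used.
main() {
    if [ $# -gt 0 ]; then f=$1; else f=/tmp/snort_alerts.sample; write_sample_alerts "$f"; fi
    echo "alerts by signature:";        summarize_by_sid "$f"
    echo "sources, all priorities:";    alerts_by_source "$f"
    echo "sources, priority 1-2 only:"; alerts_by_source "$f" 2
}

main "$@"
```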
Configure Snort to Start Automatically
Up to this point, all of the individual components of your installation should be up and running. The next step is to automate the process of starting Snort on system initialization.
Use this procedure to configure Snort to start automatically:
[root@snortbox ~]# cp /usr/local/snort-2.9.1/rpm/snortd /etc/init.d
[root@snortbox ~]# cp /usr/local/snort-2.9.1/rpm/snort.sysconfig /etc/sysconfig/snort
[root@snortbox ~]# chmod 755 /etc/init.d/snortd
[root@snortbox ~]#
The chkconfig portion of the snortd file needs to be modified so that Snort starts after the network and MySQL. It can be found around line 6. Edit the file /etc/init.d/snortd and modify the following line:
# chkconfig: 2345 40 50
to
# chkconfig: 2345 99 99
Then execute the following command:
[root@snortbox ~]# chkconfig --add snortd
The file you copied into /etc/init.d called snortd is the startup script. However, it is controlled by a file called /etc/sysconfig/snort. In its default state, this file contains some settings that may cause Snort to not start properly.
Open the /etc/sysconfig/snort file in vi. Make the following change to the Interface option in the General Configuration section near the top of the file (approximately line 15):
INTERFACE=eth1
Also, comment out the following lines (69, 75 and 81 approx.); these values need to be commented out, otherwise they will override the output portion of the snort.conf:
o ALERTMODE=fast
o DUMP_APP=1
o BINARY_LOG=1
*Note: These settings, if left enabled, will override the output settings of the snort.conf. The result would be that no events would be logged to the database.
Once this file is configured, Snort will start automatically on system restart. You can also stop and start Snort from the command line as follows:
/etc/init.d/snortd {stop|start|restart}
or
service snortd {stop|start|restart}
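Because the sysconfig settings above silently override the output section of snort.conf, it is worth checking them before every restart rather than discovering an empty database later. The script below is an added example, not part of the course material: it audits a constructed copy of /etc/sysconfig/snort and the snortd chkconfig header for the values this section sets and reports anything still at its default. The function names, the /tmp paths and the two sample files are assumptions for this example.

```shell
#!/bin/sh
# Added example (not course material): audit the Snort startup files for the
# settings this section changes, so a sensor whose files drifted back to the
# defaults is caught before Snort is restarted.
set -eu

# write_sample_sysconfig <path>: constructed /etc/sysconfig/snort excerpt with the
# defaults the course warns about still in place.
write_sample_sysconfig() {
    cat >"$1" <<'EOF'
# General Configuration
INTERFACE=eth0
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
EOF
}

# write_sample_initscript <path>: constructed /etc/init.d/snortd header as shipped.
write_sample_initscript() {
    cat >"$1" <<'EOF'
#!/bin/sh
# snortd         Start/Stop the snort IDS daemon.
# chkconfig: 2345 40 50
EOF
}

# audit_snort_sysconfig <sysconfig file> <sensing interface>
# Prints one line per problem; returns 1 if any were found.
audit_snort_sysconfig() {
    f=$1; iface=$2; rc=0
    if ! grep -q "^INTERFACE=$iface\$" "$f"; then
        echo "INTERFACE is not $iface: $(grep '^INTERFACE=' "$f" || echo unset)"; rc=1
    fi
    # Any of these left uncommented overrides the output plugins configured in
    # snort.conf, so no events would reach the database.
    for setting in ALERTMODE DUMP_APP BINARY_LOG; do
        if grep -q "^$setting=" "$f"; then
            echo "$setting is active: $(grep "^$setting=" "$f")"; rc=1
        fi
    done
    return $rc
}

# audit_snortd_order <init script> <minimum start priority>
# The chkconfig header's start priority (4th field) must be at least the minimum
# (99 here) for Snort to start after the network and MySQL; returns 1 if lower.
audit_snortd_order() {
    f=$1; min=$2
    start=$(awk '/^# chkconfig:/ { print $4; exit }' "$f")
    [ -n "$start" ] && [ "$start" -ge "$min" ]
}

# Usage: sh snort_startup_audit.sh [/etc/sysconfig/snort /etc/init.d/snortd]
# With no arguments the constructed samples are audited (and fail, by design).
main() {
    sc=${1:-/tmp/snort.sysconfig.sample}; init=${2:-/tmp/snortd.sample}
    [ $# -gt 0 ] || { write_sample_sysconfig "$sc"; write_sample_initscript "$init"; }
    problems=0
    audit_snort_sysconfig "$sc" eth1 || problems=1
    audit_snortd_order "$init" 99 || { echo "snortd chkconfig start priority is below 99"; problems=1; }
    if [ $problems -eq 0 ]; then echo "startup files OK"; else echo "startup files need editing"; fi
}

main "$@"
```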
Lab Wrap-Up
At this point, the core components of the Snort installation are complete.
Module Summary
Slide 43
This module stepped through the process of constructing a Snort system with all of its supporting components. This included installation and configuration of the following:
o The Snort core
o Supporting libraries
While there are many components to this lab, the end result yielded a Snort system ready for deployment.