Dec 14, 2011

Snort: A Network Intrusion Prevention System (NIPS)

Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998 and developed by Sourcefire. Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS. Snort has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user, then performs a specific action based on what has been identified.

Snort Requirements

1. Libpcap : In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic.

2. PCRE : Perl Compatible Regular Expressions (PCRE) is a regular expression C library inspired by Perl’s external interface, written by Philip Hazel.

3. Libdnet : Libdnet is a generic networking API that provides access to several protocols.

4. Barnyard2 : Barnyard2 is an output system for Snort. Snort writes alerts in a special binary output format called "unified"; Barnyard2 reads these files and sends the data on to a database back-end.

5. DAQ : DAQ is the Data-Acquisition API that is necessary to use Snort version 2.9.0 and above.

Installing Required Packages

1. First, install the required packages for Snort with the Yum utility.
# yum install pcre pcre-devel libdnet libdnet-devel
2. Snort will log to MySQL, so install the MySQL and PHP packages as well.
# yum install php php-common php-gd gd php-cli php-mysql mysql mysql-devel mysql-bench mysql-server glib2-devel
3. Download and install Libpcap.
# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
# tar -xvf libpcap-1.0.0.tar.gz
# cd libpcap-1.0.0
# ./configure
# make
# make install
4. Next, download and install the Barnyard2 module for Snort with Wget.
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -xzf barnyard2-1.9.tar.gz
# cd barnyard2-1.9
# ./configure --with-mysql
# make
# make install
5. Download the DAQ package from here and install it.
# tar -xvf daq-0.6.2.tar.gz
# cd daq-0.6.2
# ./configure
# make
# make install
Important : Make sure you have installed libpcap 1.0.0 as described above; otherwise the DAQ installation fails.

Download & Install Snort

1. Install the Atomic repository package, then install the latest Snort package from it with Yum.
# wget http://www6.atomicorp.com/channels/source/atomic-release/atomic-release-1.0-14.el5.art.noarch.rpm
# rpm -Uvh atomic-release-1.0-14.el5.art.noarch.rpm
# yum install snort

Snort Database Settings

1. Create the database and grant the Snort user permissions on it.
# mysql -u root -p
mysql> create database snort;
mysql> GRANT INSERT, SELECT on snort.* to snort@localhost IDENTIFIED BY 'password';
mysql> flush privileges;
mysql> quit;
2. Import the Snort schema into the database.
# mysql -D snort -u root -p < /usr/share/doc/snort-2.8.4.1/create_mysql
3. Set the MySQL connection details in the snort.conf file: search for "database" and edit the output line as in the example below.
output database: log, mysql, user=snort password=password dbname=snort host=localhost
4. Run Snort with that configuration.
# snort -c /etc/snort/snort.conf
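As an added example, not part of the original post, the following Python script parses the output database: directive shown above into its fields and flags weak settings such as the default password used in the example. The sample configuration text is constructed for the demonstration.

```python
"""Parse and sanity-check 'output database:' directives from a snort.conf body."""
import re

# Directive format used on this page:
#   output database: log, mysql, user=snort password=password dbname=snort host=localhost
DIRECTIVE_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_output_database(line):
    """Return {'facility', 'dbtype', 'params'} for a DB output line, else None."""
    m = DIRECTIVE_RE.match(line)
    if not m:
        return None
    facility, dbtype, rest = m.groups()
    params = {}
    for token in rest.split():          # key=value pairs are space separated
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
    return {"facility": facility, "dbtype": dbtype, "params": params}


def check_output_database(cfg):
    """Return a list of findings for weak settings (empty when none)."""
    findings = []
    p = cfg["params"]
    pw = p.get("password", "")
    if pw in ("", "password") or pw == p.get("user"):
        findings.append("weak or default database password")
    if p.get("user") == "root":
        findings.append("logging as MySQL root; use a dedicated INSERT/SELECT account")
    if p.get("host", "localhost") not in ("localhost", "127.0.0.1"):
        findings.append("remote database host; credentials and alerts cross the network")
    return findings


def audit_snort_conf(text):
    """Audit every 'output database:' line; returns a list of (line, findings)."""
    results = []
    for line in text.splitlines():
        cfg = parse_output_database(line)
        if cfg:
            results.append((line.strip(), check_output_database(cfg)))
    return results


# Constructed sample: the page's own line plus a hardened variant (made-up password).
SAMPLE_CONF = """\
# output unified2: filename snort.log, limit 128
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=T9v!q3Lr8zKp dbname=snort host=localhost
"""
```

Running audit_snort_conf(SAMPLE_CONF) reports the first directive for its default password and passes the second.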

Install Snort With BASE & Adodb Support

If you would like to install Snort with BASE and Adodb support on MySQL, follow Intrusion Prevention With Snort And BASE.


© 2013 Ravi Saive: A Technology Blog For Newbies. All rights reserved.