Bootstrap FreeKB - Snort - Install and configure Snort


Install Snort.

[root@server1 ~]# yum install snort

 

Make a copy of the original configuration file so the defaults can be restored or compared against later.

[root@server1 ~]# cp /etc/snort/snort.conf /etc/snort/snort.conf_og

 

Download the community rules. The URL serves a tar.gz archive containing community.rules; extract it so that the rules file ends up in /etc/snort/rules, then reference it from snort.conf with an include line under RULE_PATH.

[root@server1 ~]# cd /etc/snort/rules
[root@server1 rules]# wget https://www.snort.org/rules/community

 


The remaining sections edit snort.conf (/etc/snort/snort.conf on Linux, C:\Snort\etc\snort.conf on Windows). The section numbers follow the numbered steps in snort.conf itself. The path values shown as Revised are for a Windows install under C:\Snort; on the Linux host installed with yum above, leave the package's default paths in place and change only the network variables, preprocessor and output settings.

Section1: Change home network

Original
# Setup the network addresses you are protecting
ipvar HOME_NET any

Revised
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24

Use the network address of the range Snort protects (192.168.0.0/24 here, rather than a host address such as 192.168.0.1/24); several networks can be listed in square brackets, separated by commas. Leaving HOME_NET at any makes every rule scoped to $HOME_NET match all hosts, and makes the EXTERNAL_NET value set next (!$HOME_NET) match nothing.


Section1: Change external network

Original
# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET any

Revised
# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET !$HOME_NET
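The two network variable edits above are the ones most worth checking before anything else, because a HOME_NET left at any silently turns EXTERNAL_NET = !$HOME_NET into an empty set. As an added example (not code from the original article), the following POSIX shell script applies both edits to a copy of snort.conf and refuses a configuration where HOME_NET is still any; the snort.conf excerpt it operates on is constructed for the demo and the 192.168.0.0/24 network is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: apply the Section 1 network
# variable edits to a copy of snort.conf and check the result.
# The snort.conf excerpt written by demo() is constructed for this demo and
# the protected network (192.168.0.0/24) is an assumption.

# Rewrite HOME_NET and EXTERNAL_NET in snort.conf $1, writing the result to $2.
# $3 is the protected network as network/prefix, e.g. 192.168.0.0/24.
set_net_vars() {
    in="$1"; out="$2"; home="$3"
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home|" \
        -e 's|^var EXTERNAL_NET .*|var EXTERNAL_NET !$HOME_NET|' "$in" > "$out"
}

# Return 0 when HOME_NET names a concrete network and EXTERNAL_NET is !$HOME_NET.
# Return 1 when HOME_NET is still "any": every rule scoped to $HOME_NET then
# matches all hosts, and !$HOME_NET (the complement of "any") matches nothing.
check_net_vars() {
    conf="$1"
    home=$(sed -n 's/^ipvar HOME_NET[[:space:]]*//p' "$conf")
    ext=$(sed -n 's/^var EXTERNAL_NET[[:space:]]*//p' "$conf")
    [ -n "$home" ] && [ "$home" != "any" ] && [ "$ext" = '!$HOME_NET' ]
}

demo() {
    orig=$(mktemp); fixed=$(mktemp)
    # Constructed excerpt of a stock snort.conf (the weak defaults).
    cat > "$orig" <<'EOF'
# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET any
EOF
    if check_net_vars "$orig"; then
        echo "original: unexpected pass"
    else
        echo "original: HOME_NET is still any, so !\$HOME_NET would match nothing"
    fi
    set_net_vars "$orig" "$fixed" 192.168.0.0/24
    if check_net_vars "$fixed"; then
        echo "revised:"
        grep -E '^(ipvar HOME_NET|var EXTERNAL_NET) ' "$fixed"
    fi
    rm -f "$orig" "$fixed"
}
demo
```

On a real host, call set_net_vars on /etc/snort/snort.conf with an output file and only move the result into place after check_net_vars passes and snort -T validates it.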


Section1: rules directory

Original
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

Revised
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules

Original
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules

Revised
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules


Section2: Log Directory

Original
# config logdir:

Revised
config logdir: C:\Snort\log


Section4: lib Directory

Original
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor

Revised
# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

Original
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Revised
# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

Original
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

Revised
# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

Note: the only change to the last block is the leading #, which comments the dynamicdetection line out.



Section5: preprocessors

Original
# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

Revised
# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original
# Back Orifice detection.
preprocessor bo

Revised
# Back Orifice detection.
# preprocessor bo

Original
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

Revised
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH\white_list.rules, \
   blacklist $BLACK_LIST_PATH\black_list.rules



Section6: Add alert output

Original
# pcap
# output log_tcpdump: tcpdump.log

Revised
# pcap
# output log_tcpdump: tcpdump.log
output alert_fast: alerts.ids

 

Create an empty file named alerts.ids in C:\Snort\log; this is the file the alert_fast output line above writes to, relative to the logdir.

white_list / black_list files

Because the config file points to a white_list and a black_list file (the reputation preprocessor lines in Section5), these files must exist in the directory WHITE_LIST_PATH and BLACK_LIST_PATH point to, C:\Snort\rules.

Whitelist
Open Notepad and add this text:

# Put whitelist IP addresses here

Save it as white_list.rules in C:\Snort\rules.

Blacklist
Open Notepad and add this text:

# Put blacklist IP addresses here

Save it as black_list.rules in C:\Snort\rules.
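Both list files share one format: one IP address or CIDR block per line, with # starting a comment. As an added example (not part of the original article), the following POSIX shell script writes the two files from stdin and checks every entry before the files are handed to Snort, so a typo such as an octet above 255 or a /33 prefix is caught here rather than at snort -T. It assumes that format as described in README.reputation and validates IPv4 entries only; the directory and the entries in demo() are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: create white_list.rules and
# black_list.rules for the reputation preprocessor and check their contents.
# Assumed format (README.reputation): one IPv4 address or CIDR block per line,
# "#" starts a comment. The directory and entries in demo() are constructed.

# Write list file $1 with header comment $2, taking the entries from stdin.
write_list() {
    { echo "# $2"; cat; } > "$1"
}

# Exit 0 if every non-blank, non-comment line of $1 is a valid IPv4 address or
# CIDR block; otherwise print each offending line and exit 1.
check_list() {
    awk '
        function bad_octet(o) { return (o !~ /^[0-9]+$/ || o + 0 > 255) }
        function reject()     { print FILENAME ": line " NR ": " $0; err = 1 }
        {
            entry = $0
            sub(/#.*/, "", entry)                 # drop trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", entry)    # and surrounding whitespace
            if (entry == "") next
            n = split(entry, part, "/")
            if (n > 2 || split(part[1], oct, ".") != 4) { reject(); next }
            for (i = 1; i <= 4; i++) if (bad_octet(oct[i])) { reject(); next }
            if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32)) reject()
        }
        END { exit err }
    ' "$1"
}

demo() {
    dir=$(mktemp -d)   # stands in for C:\Snort\rules or /etc/snort/rules
    printf '%s\n' 192.168.0.0/24 '10.10.10.5   # monitoring host' \
        | write_list "$dir/white_list.rules" "Put whitelist IP addresses here"
    printf '%s\n' 198.51.100.0/24 203.0.113.7 \
        | write_list "$dir/black_list.rules" "Put blacklist IP addresses here"
    for f in "$dir/white_list.rules" "$dir/black_list.rules"; do
        if check_list "$f"; then echo "$f: ok"; fi
    done
    rm -rf "$dir"
}
demo
```

A list that fails check_list should be fixed before snort -T is run; an address that appears in both files is resolved by the priority whitelist setting in the reputation preprocessor block.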

Test Run Snort
Open a command prompt and run Snort in test mode (-T) against the configuration:

cd C:\Snort
cd bin
snort -i 1 -c C:\Snort\etc\snort.conf -A console -T


Tip: the interface index passed to -i is not always 1. Run this command to list the interfaces with their index numbers:

cd C:\Snort
cd bin
snort -W


The number in the Index column, printed before the Physical Address (MAC) of each interface, is the value to pass to -i. The -T option only validates the configuration and then exits without capturing traffic; -A console prints alerts to the screen.

If all goes well, the output ends with this statement: Snort successfully validated the configuration!
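Once Snort runs for real (without -T) with the alert_fast output configured above, alerts.ids fills with one line per alert in the form `MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port`. As an added example (not from the original article), the following POSIX shell script summarises such a file: alerts per rule, busiest source addresses, and a priority filter. The three alert lines in demo() are constructed in that layout; the script handles IPv4 addresses only.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the alerts.ids file
# written by "output alert_fast: alerts.ids". The alert lines in demo() are
# constructed in the alert_fast layout; on a real host pass the path to
# C:\Snort\log\alerts.ids (or /var/log/snort/alert) to the functions instead.
# IPv4 only: the port-stripping below would mangle an IPv6 address.

# Print "count gid:sid:rev message" for every rule that fired, busiest first.
alerts_by_rule() {
    awk '
        # The rule id is the first [gid:sid:rev] token; the message runs from
        # the space after it up to the second "[**]".
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id   = substr($0, RSTART + 1, RLENGTH - 2)
            rest = substr($0, RSTART + RLENGTH + 1)
            sub(/ \[\*\*\].*/, "", rest)
            count[id]++
            msg[id] = rest
        }
        END { for (id in count) printf "%d %s %s\n", count[id], id, msg[id] }
    ' "$1" | sort -rn
}

# Print "count source_ip" for the hosts that triggered alerts, busiest first.
# The source is the address between the {PROTO} tag and "->"; the port is dropped.
top_sources() {
    awk '
        match($0, /\{[A-Z]+\} [^ ]+ -> /) {
            split(substr($0, RSTART, RLENGTH), f, " ")   # f[1]="{TCP}" f[2]="src[:port]"
            src = f[2]
            sub(/:[0-9]+$/, "", src)
            count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn
}

# Print only alerts whose priority is $2 or more urgent (1 is the highest); default 2.
high_priority() {
    awk -v max="${2:-2}" '
        match($0, /\[Priority: [0-9]+\]/) {
            p = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (p <= max) print
        }
    ' "$1"
}

demo() {
    alerts=$(mktemp)
    # Constructed alert_fast lines for the demo.
    cat > "$alerts" <<'EOF'
01/10-09:14:03.112233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.5:80 -> 10.1.1.7:53124
01/10-09:14:05.558811  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.5:80 -> 10.1.1.9:40012
01/10-09:15:42.000017  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.7 -> 192.168.0.5
EOF
    echo "== alerts per rule ==";      alerts_by_rule "$alerts"
    echo "== top sources ==";          top_sources "$alerts"
    echo "== priority 2 and higher =="; high_priority "$alerts" 2
    rm -f "$alerts"
}
demo
```

The gid:sid:rev in the first column is what to search for in the rules directory when deciding whether a noisy rule should be tuned or suppressed.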



