How to install and configure Snort


Install Snort.

[root@server1 ~]# yum install snort

 

Make a copy of the original configuration file so you can diff against it or roll back.

[root@server1 ~]# cp /etc/snort/snort.conf /etc/snort/snort.conf_og

 

Download the community rules. The URL serves a gzip tarball, so save it under a sensible name, extract it, and point snort.conf at the extracted community.rules with an include line.

[root@server1 ~]# cd /etc/snort/rules
[root@server1 rules]# wget https://www.snort.org/rules/community -O community-rules.tar.gz
[root@server1 rules]# tar -xzf community-rules.tar.gz

 


Section1: Change home network

Use the network address of the subnet you are protecting (host bits zero), substituting your own range. With HOME_NET left as "any", rules written as $EXTERNAL_NET -> $HOME_NET cannot tell inside from outside.

Original
# Setup the network addresses you are protecting
ipvar HOME_NET any

Revised
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24


Section1: Change external network

Original
# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET any

Revised
# Set up the external network addresses. Leave as "any" in most situations
var EXTERNAL_NET !$HOME_NET

Note: with EXTERNAL_NET set to !$HOME_NET, rules of the form $EXTERNAL_NET -> $HOME_NET ignore traffic between two internal hosts. Keep "any" if you also want those rules to fire on lateral movement inside HOME_NET.


Section1: rules directory

Note: the path changes from here on are for a Windows install under C:\Snort. On the Linux host set up above, leave the default relative paths alone.

Original
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

Revised
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules

Original
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules

Revised
var WHITE_LIST_PATH c:\Snort\rules
var BLACK_LIST_PATH c:\Snort\rules


Section2: Log Directory

Original
# config logdir:

Revised
config logdir: c:\Snort\log


Section4: lib Directory

Original
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor

Revised
# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

Original
# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Revised
# path to base preprocessor engine
dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll

Original
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

Revised
# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

Note: only a # was added. Commenting the line out means Snort loads no dynamic (shared-object) rules, so do this only if you are not using any.



Section5: preprocessors

Original
# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

Revised
# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Note: the normalizers only act in inline (IPS) mode, so disabling them in a passive IDS deployment changes nothing.

Original
# Back Orifice detection.
preprocessor bo

Revised
# Back Orifice detection.
# preprocessor bo

Original
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
  memcap 500, \
  priority whitelist, \
  nested_ip inner, \
  whitelist $WHITE_LIST_PATH/white_list.rules, \
  blacklist $BLACK_LIST_PATH/black_list.rules

Revised
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
  memcap 500, \
  priority whitelist, \
  nested_ip inner, \
  whitelist $WHITE_LIST_PATH\white_list.rules, \
  blacklist $BLACK_LIST_PATH\black_list.rules

Note: the reputation preprocessor stays enabled, so both list files it names must exist (see the white_list / black_list step below).



Add alert

Original
# pcap
# output log_tcpdump: tcpdump.log

Revised
# pcap
# output log_tcpdump: tcpdump.log
output alert_fast: alerts.ids

Note: alert_fast writes one line per alert to alerts.ids under the logdir set in Section2.

 

Create an empty file named alerts.ids in C:\Snort\log; the name must match the output alert_fast line above.

white_list / black_list files. Because snort.conf points the reputation preprocessor at a white_list and a black_list file, both files must exist in the directory that WHITE_LIST_PATH and BLACK_LIST_PATH name, or Snort refuses to start.

Whitelist
Open Notepad and add this text:
# Put whitelist IP addresses here

Save it as white_list.rules in C:\Snort\rules.

Blacklist
Open Notepad and add this text:
# Put blacklist IP addresses here

Save it as black_list.rules in C:\Snort\rules.
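The variable edits in Section1 and the list files just created are easy to get subtly wrong (HOME_NET left as "any", a CIDR with host bits set, a list file that snort.conf names but that was never saved). The script below is an added example, not code from the original page or from the Snort project: it reads a snort.conf, resolves $VAR references the way Snort does, and reports those slips. The embedded configuration fragment is constructed to mirror the Revised settings on this page, and the "files on disk" view passed to audit() is likewise constructed so the script runs offline.

```python
"""Audit the snort.conf edits made above.

Added example, not part of the original page or of the Snort project: it reads a
snort.conf, resolves $VAR references, and reports the slips this how-to is prone
to: HOME_NET left as 'any', a CIDR written with host bits set, and a reputation
list file that snort.conf names but that has not been created yet.
"""
import ipaddress
import os
import re

# Constructed fragment mirroring the Revised settings on this page.
SAMPLE_CONF = r"""
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.1/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\Snort\rules
var WHITE_LIST_PATH c:\Snort\rules
var BLACK_LIST_PATH c:\Snort\rules
config logdir: c:\Snort\log
preprocessor reputation: \
  memcap 500, \
  priority whitelist, \
  nested_ip inner, \
  whitelist $WHITE_LIST_PATH\white_list.rules, \
  blacklist $BLACK_LIST_PATH\black_list.rules
output alert_fast: alerts.ids
"""

VAR_RE = re.compile(r"^(?:ipvar|portvar|var)\s+(\w+)\s+(.+)$")
LIST_RE = re.compile(r"\b(whitelist|blacklist)\s+([^,\s]+)")


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stmt = (buf + line).strip()
        buf = ""
        if stmt and not stmt.startswith("#"):
            lines.append(stmt)
    return lines


def parse_vars(lines):
    """Collect var/ipvar/portvar definitions (raw, not yet expanded)."""
    return {m.group(1): m.group(2).strip() for m in map(VAR_RE.match, lines) if m}


def expand(value, variables):
    """Substitute $NAME references; unknown names are left in place so the audit can flag them."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def reputation_lists(lines, variables):
    """Paths of the whitelist/blacklist files the reputation preprocessor will try to open."""
    paths = {}
    for line in lines:
        if line.startswith("preprocessor reputation:"):
            for kind, path in LIST_RE.findall(line):
                paths[kind] = expand(path, variables)
    return paths


def check_home_net(variables):
    """Flag HOME_NET 'any' and entries whose host bits are not zero."""
    findings = []
    home = expand(variables.get("HOME_NET", "any"), variables)
    if home == "any":
        findings.append("HOME_NET is 'any': rules using $HOME_NET/$EXTERNAL_NET cannot tell inside from outside")
        return findings
    for entry in home.strip("[]").split(","):
        cidr = entry.strip().lstrip("!")
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"HOME_NET entry {cidr!r} is not an address or CIDR")
            else:
                findings.append(f"HOME_NET entry {cidr!r} has host bits set; use {net}")
    return findings


def audit(conf_text, exists=os.path.exists):
    """Return a list of findings; an empty list means the edits look consistent."""
    lines = logical_lines(conf_text)
    variables = parse_vars(lines)
    findings = check_home_net(variables)
    for kind, path in reputation_lists(lines, variables).items():
        if "$" in path:
            findings.append(f"reputation {kind} path {path!r} uses an undefined variable")
        elif not exists(path):
            findings.append(f"reputation {kind} file {path!r} is missing; create it or Snort will not start")
    return findings


if __name__ == "__main__":
    # Constructed view of the disk: only the whitelist file has been created so far.
    created = {r"c:\Snort\rules\white_list.rules"}
    for finding in audit(SAMPLE_CONF, exists=lambda p: p in created):
        print("finding:", finding)
```

Run it against the real file with audit(open(path).read()) once the list files are in place; the default exists check then looks at the actual disk.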

Test Run Snort
Open a command prompt.

cd \Snort\bin
snort -i 1 -c c:\Snort\etc\snort.conf -A console -T

Tip: the interface number is not always 1. Run this command to list the interfaces Snort can see:

cd \Snort\bin
snort -W

The Index column (to the left of the physical MAC address) gives the number to pass to -i. Tip: -T tells Snort to test the configuration and exit without sniffing (snort -i 1 -c c:\Snort\etc\snort.conf -A console -T).

If all goes well, the output ends with this statement: Snort successfully validated the configuration!
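Passing -T only proves the configuration parses; it does not prove alerts reach alerts.ids. The script below is an added example, not code from the original page or from the Snort project: it parses lines in Snort's alert_fast format and summarises them against HOME_NET, so you can confirm end to end that a test rule fires and is written to the file. The sample lines are constructed; the first one is the kind of line an assumed local rule such as alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;) would produce when a host in HOME_NET is pinged, and the HOME_NET value used is an assumption matching the Revised setting above. IPv4 addresses only.

```python
"""Parse Snort alert_fast output and summarise it against HOME_NET.

Added example, not part of the original page or of the Snort project. The sample
lines below are constructed; the second line is deliberately not an alert (Snort
prints such status lines to the console) and must be skipped.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_ALERTS = """\
08/12-14:20:33.103871  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.0.5 -> 192.168.0.1
Commencing packet processing (pid=1234)
08/12-14:20:41.552301  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:80 -> 192.168.0.5:51234
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then src[:port] -> dst[:port]. Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert_fast(text):
    """Return one dict per alert line; lines that are not alerts are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "timestamp": d["ts"],
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"],
            "classification": d["cls"],
            "priority": int(d["prio"]),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        })
    return events


def summarize(events, home_net):
    """Count alerts per sid and how many came from outside HOME_NET into it."""
    net = ipaddress.ip_network(home_net)
    by_sid = Counter(e["sid"] for e in events)
    inbound = sum(
        1 for e in events
        if ipaddress.ip_address(e["src"]) not in net
        and ipaddress.ip_address(e["dst"]) in net
    )
    return {"total": len(events), "by_sid": dict(by_sid), "inbound": inbound}


if __name__ == "__main__":
    # Assumed HOME_NET, matching the Revised value on this page.
    parsed = parse_alert_fast(SAMPLE_ALERTS)
    for e in parsed:
        print(e["timestamp"], e["sid"], e["msg"], e["src"], "->", e["dst"])
    print(summarize(parsed, "192.168.0.0/24"))
```

On a live sensor, feed it the contents of C:\Snort\log\alerts.ids after running Snort without -T and pinging a HOME_NET host; if the ICMP test rule never appears, the problem is in the rule include or the interface choice, not in the configuration syntax.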


