Fedora 17 Snort - Basic Installation and Configuration

Here is a quick and dirty guide to get you up and running with Snort on Fedora 17 x64. I'm not going to explain what it is or what it does, but I will give you enough to get started.

The Setup

Start with a clean Fedora 17 setup (or otherwise), assuming the default software packages, then download the source code for daq and snort from snort.org. Once they are downloaded, extract them and install the following build dependencies:

sudo yum install -y gcc libpcap libpcap-devel pcre pcre-devel libdnet libdnet-devel flex bison zlib zlib-devel tcpdump

If you want all of the daq modules (needed to run Snort inline), you must also install the following:

sudo yum install -y libnetfilter_queue*

Fedora 16 and 17 have started using firewalld... let's turn that new-fangled junk off and use iptables instead:

sudo chkconfig firewalld off
sudo chkconfig iptables on
sudo service firewalld stop
sudo service iptables start

Compiling and Configuring Snort

Assuming you have downloaded the two snort tarballs and have them extracted, navigate into the daq directory and run the following commands:

./configure
make
sudo make install

The last bit of the output from the ./configure command should look like the following if you installed libnetfilter_queue:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Then navigate into the snort source directory and run the following:

./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased  --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 --enable-sourcefire
sudo make
sudo make install
sudo ldconfig

Now set up the directories, configs and rule files that Snort requires (run this from the top of the extracted snort source directory, since etc/ is its config directory):

sudo mkdir -p /etc/snort
sudo cp -R etc/* /etc/snort/
sudo mkdir -p /etc/snort/rules
sudo mkdir -p /etc/snort/so_rules
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules

Edit the existing /etc/snort/snort.conf and change the following variables to look like:

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Now you need the free Snort rules, available from Sourcefire or Emerging Threats; for the purposes of this tutorial use Sourcefire. Note that you have to sign up for the registered user release, or grab them here.

Untar the rule snapshot and copy its contents to /etc/snort:

mkdir sourcerules
mv <snortrules.tar.gz> sourcerules/
cd sourcerules
tar -xzvf <snortrules.tar.gz>
cd ..
sudo cp -R sourcerules/so_rules/ /etc/snort
sudo cp -R sourcerules/preproc_rules/ /etc/snort
sudo cp -R sourcerules/rules/ /etc/snort

Create the logging directory:

sudo mkdir -p /var/log/snort

Finally, run Snort with this command (there are other ways, but this is a simple test; capturing on an interface needs root):

sudo snort -c /etc/snort/snort.conf -v -i <your interface>

or, if sudo does not find the binary on its PATH:

sudo /usr/local/bin/snort -c /etc/snort/snort.conf -v -i <your interface>

If you want to create some more custom rules, have a look at the general rule options section of the Snort manual or a more advanced tutorial here.
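As an added example (not part of the original post), the following POSIX shell script automates the directory layout, the snort.conf path edits and a first custom rule from the steps above, and finishes with Snort's own config test mode (snort -T). It assumes the guide's default root of /etc/snort (override with SNORT_ROOT to rehearse in a scratch directory); the sample ICMP rule, its sid and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the original post's code: builds the Snort rule tree,
# rewrites the path variables in snort.conf and adds one local rule.
# SNORT_ROOT defaults to /etc/snort as in the guide (assumption).
set -eu

# Create the rule/config tree the guide builds by hand (mkdir -p is idempotent).
setup_snort_dirs() {
    root="$1"
    for d in rules so_rules preproc_rules; do
        mkdir -p "$root/$d"
    done
    # The empty rule files must exist or the "include" lines in snort.conf fail.
    for f in local.rules white_list.rules black_list.rules; do
        : >> "$root/rules/$f"
    done
}

# Rewrite the "var ..._PATH" lines in snort.conf to absolute paths under $root,
# matching the edits shown in the guide.
set_snort_paths() {
    conf="$1"; root="$2"
    sed -e "s|^var RULE_PATH .*|var RULE_PATH $root/rules|" \
        -e "s|^var SO_RULE_PATH .*|var SO_RULE_PATH $root/so_rules|" \
        -e "s|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH $root/preproc_rules|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $root/rules|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $root/rules|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the value of one "var NAME value" line so the edit can be verified.
get_snort_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { print $3 }' "$1"
}

# Append a simple custom rule to local.rules: alert on ICMP echo requests
# (itype 8) aimed at $HOME_NET. Local rules use sid >= 1000000 so they never
# collide with the vendor rule set. The rule itself is a constructed sample.
add_sample_local_rule() {
    cat >> "$1/rules/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1; classtype:misc-activity;)
EOF
}

# Validate the configuration with Snort's test mode (-T) when the binary is
# present; returns 0 when snort is absent so the rest of the script still works.
check_snort_config() {
    command -v snort >/dev/null 2>&1 || { echo "snort not installed, skipping -T check"; return 0; }
    snort -T -c "$1/snort.conf"
}

main() {
    root="${SNORT_ROOT:-/etc/snort}"
    setup_snort_dirs "$root"
    set_snort_paths "$root/snort.conf" "$root"
    add_sample_local_rule "$root"
    check_snort_config "$root"
}

# Only act when explicitly asked, so the functions can be reused safely:
#   sudo sh snort-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with the `apply` argument after the `cp -R etc/* /etc/snort/` step; with SNORT_ROOT pointing at a scratch directory containing a copy of snort.conf you can check the rewritten variables with get_snort_var before touching /etc.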

Attachment: snortrules-snapshot-2923.tar.gz (binary data, 21.35 MB)
