Fedora 17 Snort - Basic Installation and Configuration
Here is a quick and dirty guide to get you up and running with Snort on Fedora 17 x64. I'm not going to explain what it is or what it does, just give you enough to get started.
The Setup
Start with a clean Fedora 17 setup (or otherwise), assuming the default software packages, then download the source code for daq and snort from snort.org. Once they are downloaded, extract them and install the following:
If you want all of the daq packages built (needed to run snort inline), you must also install the following:
Fedora 16 and 17 have started using firewalld... let's turn that new-fangled junk off and use iptables:
sudo service firewalld stop
sudo chkconfig firewalld off
sudo chkconfig iptables on
sudo service iptables start
Compiling and Configuring Snort
Assuming you have downloaded the two snort tarballs and have them extracted, navigate into the daq directory and run the following commands:
./configure
make
sudo make install
The last bit of the output from the ./configure command should look like the following if you installed libnetfilter_queue:
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Then navigate into the snort source directory and run the following:
./configure
make
sudo make install
sudo ldconfig
Now set up the directories, configs and logs that Snort requires (the etc/ directory below is the one inside the extracted snort source tree):
sudo mkdir -p /etc/snort
sudo cp -R etc/* /etc/snort/
sudo mkdir -p /etc/snort/rules
sudo mkdir -p /etc/snort/so_rules
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir -p /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
Edit the existing /etc/snort/snort.conf and change the following variables to look like:
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
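The directory layout and the four snort.conf path variables above can be applied and verified without hand-editing, and rehearsed against a scratch directory before touching /etc/snort. The script below is an added example, not part of the original post or of Snort itself: the function names (make_snort_layout, set_snort_var, get_snort_var, configure_snort_paths, check_snort_layout) and the PREFIX argument are my own, and it assumes the stock Snort 2.9 snort.conf format of one "var NAME value" line per variable.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# directory setup and snort.conf path edits, parameterised on a prefix.
# Assumes snort.conf uses "var NAME value" lines (Snort 2.9.x style).

# Create the directory/file layout the post builds by hand under PREFIX
# (use PREFIX=/etc/snort on a real system, running as root).
make_snort_layout() {
    prefix="$1"
    mkdir -p "$prefix/rules" "$prefix/so_rules" "$prefix/preproc_rules" || return 1
    for f in local.rules white_list.rules black_list.rules; do
        [ -e "$prefix/rules/$f" ] || : > "$prefix/rules/$f"
    done
}

# Replace (or append, if absent) a "var NAME value" line in CONF in place.
# Uses '|' as the sed delimiter so path values containing '/' are safe;
# values containing '|' or '&' would need extra escaping.
set_snort_var() {
    conf="$1"; name="$2"; value="$3"
    if grep -q "^var $name " "$conf"; then
        sed -i "s|^var $name .*|var $name $value|" "$conf"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$conf"
    fi
}

# Print the value CONF currently assigns to NAME (last definition wins,
# which is how Snort itself resolves repeated vars).
get_snort_var() {
    sed -n "s/^var $2 \(.*\)$/\1/p" "$1" | tail -n 1
}

# Apply the four path variables from the post to CONF, pointing at PREFIX.
configure_snort_paths() {
    conf="$1"; prefix="$2"
    set_snort_var "$conf" SO_RULE_PATH "$prefix/so_rules"
    set_snort_var "$conf" PREPROC_RULE_PATH "$prefix/preproc_rules"
    set_snort_var "$conf" WHITE_LIST_PATH "$prefix/rules"
    set_snort_var "$conf" BLACK_LIST_PATH "$prefix/rules"
}

# Check that every path CONF now points at actually exists. Prints each
# missing path; returns 1 if anything is missing, 0 otherwise.
check_snort_layout() {
    conf="$1"; missing=0
    for name in SO_RULE_PATH PREPROC_RULE_PATH; do
        d=$(get_snort_var "$conf" "$name")
        [ -d "$d" ] || { echo "missing directory for $name: $d"; missing=1; }
    done
    wl="$(get_snort_var "$conf" WHITE_LIST_PATH)/white_list.rules"
    bl="$(get_snort_var "$conf" BLACK_LIST_PATH)/black_list.rules"
    for f in "$wl" "$bl"; do
        [ -f "$f" ] || { echo "missing file: $f"; missing=1; }
    done
    return $missing
}
```

On the real box, run make_snort_layout /etc/snort and configure_snort_paths /etc/snort/snort.conf /etc/snort as root, then check_snort_layout /etc/snort/snort.conf; running the same functions against a temporary prefix first shows exactly what will change. Once the rule snapshot has been copied in, snort's -T option (snort -T -c /etc/snort/snort.conf) parses the config and rules and exits, which catches path and rule mistakes before you start sniffing.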
Now you need the free Snort rules, available from Sourcefire or Emerging Threats; for the purposes of this tutorial use Sourcefire. Note that you have to sign up for the registered user release, or grab them here (the rule snapshot is also attached at the bottom of this page).
Untar the rule snapshot and copy its contents to /etc/snort/:
mkdir sourcerules
mv <snortrules.tar.gz> sourcerules/
cd sourcerules
tar -xzvf <snortrules.tar.gz>
cd ..
sudo cp -R sourcerules/so_rules/ /etc/snort
sudo cp -R sourcerules/preproc_rules/ /etc/snort
sudo cp -R sourcerules/rules/ /etc/snort
Create the logging directory (Snort's default is /var/log/snort):
sudo mkdir -p /var/log/snort
Finally, execute snort using this command (note there are other ways, but this is a simple test):
sudo /usr/local/bin/snort -c /etc/snort/snort.conf -v -i <your interface>
If you want to create some more custom rules (they go in the /etc/snort/rules/local.rules file created above), have a look at the general rule options section of the Snort manual or a more advanced tutorial here.
| Attachment | Size |
|---|---|
| snortrules-snapshot-2923.tar.gz | 21.35 MB |