Tuesday, 12-Dec-2000 10:32:05 EST
Installing Snort 1.6.3 on SuSE 6.x-7.x
Written By: DrSuSE
Home Page: http://www.snort.org

Description:

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Requirements:

You MUST have libpcap installed, including its headers, since Snort is built against it; tcpdump uses the same library and is worth having around to check what the interface actually sees. SuSE Linux includes both, but if you want to get the latest or for some reason don't have them, they can be found at:
libpcap
tcpdump


1. Login as root

2. Get Snort 1.6.3 source and save it to your /tmp directory.

3. CD to your /tmp directory and untar the snort file by using the command:
tar -xvzf snort-1.6.3.tar.gz

4. CD to /tmp/snort-1.6.3

5. Run configure by typing:
./configure

6. Run make by typing:
make

7. Run make install by typing:
make install

8. Create a snort directory in /etc:
mkdir /etc/snort

9. Create a snort log directory: mkdir /var/log/snort
Keep it readable by root only (mode 700): the alert and packet logs Snort writes there contain raw payloads from your network, which is not something every local user should be able to read.

10. Now, we need to move the Snort rule files. From the /tmp/snort-1.6.3 directory type:
mv *lib /etc/snort

11. Let's edit the /etc/snort/snort-lib file using your favorite editor. Dr SuSE likes vi

12. The first thing we need to do is find and edit the HOME_NET variable. Change it to reflect your network range in CIDR notation, written as the network address rather than a host address (for a typical private LAN that is 192.168.1.0/24, not 192.168.1.1/24). HOME_NET is what the rules treat as "your side" of the wire, so a wrong value here means rules written for traffic aimed at your hosts no longer describe your traffic.

13. Move on down until you get to the line for the DNS_SERVER and change that variable to reflect your DNS server or your ISP's. The portscan preprocessor is told to ignore that host (the portscan-ignorehosts line that uses $DNS_SERVER), so that the bursts of DNS replies it sends are not reported as port scans.

14. Ok, now move down until you find a line that reads "preprocessor portscan: $HOME_NET 4 3 portscan.log" and change it so that portscan.log points to /var/log/snort. The line should look like this:
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

15. Further down you will see a series of lines that begin with "include something-lib". Change each one to the full path, since a bare name is looked up relative to whatever directory Snort happens to be started from, like this:
include /etc/snort/webcgi-lib

16. Ok, save the file.
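To see steps 12 to 15 as one operation, here is an added example that is not from the article and not part of Snort: it applies the same four edits with sed and then checks the result. It assumes the 1.6 snort-lib declares its variables as "var HOME_NET <range>" and "var DNS_SERVER <address>" and that the portscan and include lines look exactly as quoted above; the snort-lib fragment the demo rewrites is constructed for the example, not the real file, and the function names are mine. It also refuses a HOME_NET whose host bits are set (192.168.1.1/24 where 192.168.1.0/24 was meant), so a typo in the range is caught before Snort is started.

```shell
#!/bin/sh
# Added example, not from the article or Snort: apply steps 12-15 to a
# snort-lib with sed, then sanity-check the result.
# ASSUMPTIONS: the 1.6 snort-lib declares "var HOME_NET <range>" and
# "var DNS_SERVER <address>"; the portscan and include lines look as quoted
# in the article. Adjust the sed patterns if your file differs.

RULES_DIR=${RULES_DIR:-/etc/snort}      # where the *-lib files were moved
LOG_DIR=${LOG_DIR:-/var/log/snort}      # where portscan.log should land

# Succeed only for a.b.c.d/n with no host bits set: 192.168.1.0/24 passes,
# 192.168.1.1/24 (a host, not a range) fails.
cidr_is_network() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] && [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (1 << 32) - (1 << (32 - bits)) ))
    [ $(( n & mask )) -eq "$n" ]
}

# Rewrite snort-lib $1 for HOME_NET $2 and DNS_SERVER $3 into $4:
# step 12 (HOME_NET), 13 (DNS_SERVER), 14 (portscan.log path), 15 (includes).
# Already-absolute include lines and an already-fixed portscan line are left alone.
rewrite_snortlib() {
    cidr_is_network "$2" || { echo "HOME_NET $2 is not a network address" >&2; return 1; }
    sed -e "s|^var HOME_NET .*|var HOME_NET $2|" \
        -e "s|^var DNS_SERVER .*|var DNS_SERVER $3|" \
        -e "/^preprocessor portscan:/s| portscan\.log\$| $LOG_DIR/portscan.log|" \
        -e "s|^include \([^/][^ ]*\)|include $RULES_DIR/\1|" "$1" > "$4"
}

# Report include targets that do not exist; exit status = number missing.
check_includes() {
    missing=0
    for f in $(sed -n 's/^include //p' "$1"); do
        [ -f "$f" ] || { echo "missing rule file: $f" >&2; missing=$((missing + 1)); }
    done
    return $missing
}

# Stand-alone demo on a CONSTRUCTED snort-lib fragment (not the real file).
demo() {
    d=$(mktemp -d)
    RULES_DIR=$d/etc/snort LOG_DIR=$d/var/log/snort
    mkdir -p "$RULES_DIR"
    cat > "$RULES_DIR/snort-lib.orig" <<'EOF'
var HOME_NET any
var DNS_SERVER 10.0.0.53
preprocessor portscan: $HOME_NET 4 3 portscan.log
include webcgi-lib
include overflow-lib
EOF
    touch "$RULES_DIR/webcgi-lib"      # overflow-lib deliberately left missing
    rewrite_snortlib "$RULES_DIR/snort-lib.orig" 192.168.1.0/24 192.168.1.1 "$RULES_DIR/snort-lib"
    cat "$RULES_DIR/snort-lib"
    check_includes "$RULES_DIR/snort-lib" || echo "fix the includes above before starting Snort"
}

case ${1:-} in demo) demo ;; esac
```

Save it to a file and run it with the argument demo to see the rewrite on the sample; against the real file, source it and call rewrite_snortlib on a copy of /etc/snort/snort-lib, then check_includes on the output, before swapping the copy in.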

Guess what? Snort is now usable, but we're going to get it to start up each time you boot your machine.

1. Get the snort-init script which was written by Matthias Eckermann of SuSE Linux Solutions AG. You can get it from the following places.



2. Move snort-init to /etc/rc.d/init.d as snort:
mv ./snort-init /etc/rc.d/init.d/snort

3. Now make the runlevel links. On SuSE 6.x-7.x /etc/rc.d is a symbolic link to /sbin/init.d, which is why both paths appear here, and the ../snort target is relative to the rc2.d directory, so the commands work from wherever you are. Run the two following commands:
ln -s ../snort /sbin/init.d/rc2.d/S26snort
ln -s ../snort /sbin/init.d/rc2.d/K26snort
Runlevel 2 is SuSE's default multi-user runlevel; if your box boots into runlevel 3 (xdm), make the same pair of links in rc3.d as well.


4. Make /etc/rc.d/init.d/snort executable. From the /etc/rc.d/init.d directory type:
chmod +x ./snort

5. Edit the file rc.config in the /etc directory and add this line to the end of it:
START_SNORT="yes"

6. Ok, that's it for the rc.config file, save it and let's get to snortin some packets.

You can reboot (shutdown -r now), drop to single user and back (telinit s, then telinit 2), or simply run the new snort script in /etc/rc.d/init.d with the start argument.

Well, if everything went well, your box should be snortin packets and logging alerts.

You can check to make sure Snort is running by using this command (the brackets keep grep from matching its own command line):
ps ax | grep '[s]nort'

Installing SnortSnarf on SuSE 6.x-7.x



1. Get the latest SnortSnarf version from Silicon Defense and place it into your /tmp directory.

2. cd to the /tmp directory and extract the file using the following command:
tar -xvzf ./SnortSnarf-100400.1.tar.gz

3. cd to /tmp/SnortSnarf-100400.1/include

4. Copy the contents of the include directory (the SnortSnarf Perl modules) to /usr/lib/perl5/site_perl. Use -r so any subdirectory of modules comes along, and check with perl -v that 5.005 is really the Perl version on your box:
cp -r ./* /usr/lib/perl5/site_perl/5.005/

5. cd to /tmp/SnortSnarf-100400.1/cgi

6. Copy the contents of the cgi directory to /usr/local/httpd/cgi-bin. Anything in cgi-bin can be run by whoever can reach the web server, and these scripts work on your alert data, so unless this box is a dedicated sensor that nobody else can reach, put an access restriction on them in Apache's configuration before going further:
cp ./* /usr/local/httpd/cgi-bin/

7. Now go back to the directory /tmp/SnortSnarf-100400.1 and copy the file snortsnarf.pl to a directory of your choice. I just made one called /snarf and put it there.

8. Go to the directory where you placed snortsnarf.pl and let's run the following command:
./snortsnarf.pl -rulesdir /etc/snort -rulesfile /etc/snort/snort-lib -d /usr/local/httpd/htdocs/snort /var/log/snort/snort.alert /var/log/snort/portscan.log

TIP: That's a long command, you might want to script it.

If everything went according to plan you should be able to view your SnortSnarf result page at http://localhost/snort. Bear in mind that those pages list your internal addresses and every alert Snort has raised, which is exactly what someone probing the box would like to read, so put an access control on that directory in Apache (or bind the web server to localhost) rather than leaving it open to the network.

Want to see what it all looks like? Check out my SnortSnarf page HERE
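SnortSnarf's pages are roll-ups of the alert file: alerts per source, per signature, per destination. The following is an added example of my own, not SnortSnarf's code or anything from the article, that does the same kind of roll-up with awk so you can sanity-check an alert file from the shell before pointing a browser at it, and adds one thing SnortSnarf's front page does not lead with: sources that touched several of your hosts. It assumes the alert file is in Snort's one-line "-A fast" format (date, message between [**] markers, then src[:port] -> dst[:port]); the five sample lines are constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not SnortSnarf's code: alert roll-ups with awk.
# ASSUMPTION: the alert file is Snort's one-line "-A fast" format,
#   MM/DD-HH:MM:SS.usec [**] message [**] src[:port] -> dst[:port]
# The lines below are CONSTRUCTED sample data, not a real capture.

SAMPLE_ALERTS='12/11-22:14:11.437894 [**] WEB-CGI phf access [**] 10.1.1.5:3021 -> 192.168.1.10:80
12/11-22:14:12.101010 [**] WEB-CGI phf access [**] 10.1.1.5:3022 -> 192.168.1.10:80
12/11-22:15:03.000001 [**] IDS181 - MISC - Shellcode X86 NOPS [**] 172.16.9.4:40211 -> 192.168.1.20:21
12/11-22:16:44.512000 [**] WEB-CGI phf access [**] 10.1.1.5:3023 -> 192.168.1.11:80
12/11-22:17:00.000000 [**] ICMP PING NMAP [**] 10.1.1.5 -> 192.168.1.10'

# Shared parser: turns each fast-alert line into "src<TAB>dst<TAB>message",
# stripping ports so ICMP lines (no port) and TCP/UDP lines group together.
# Lines without the two [**] markers (e.g. packet dumps) are skipped.
parse_alerts() {
    awk '
    {
        a = index($0, " [**] "); if (a == 0) next
        rest = substr($0, a + 6)
        b = index(rest, " [**] "); if (b == 0) next
        msg = substr(rest, 1, b - 1)
        split(substr(rest, b + 6), ep, " -> ")
        src = ep[1]; sub(/:[0-9]+$/, "", src)
        dst = ep[2]; sub(/:[0-9]+$/, "", dst)
        print src "\t" dst "\t" msg
    }' "$1"
}

# "count source" lines, busiest source first.
top_sources() {
    parse_alerts "$1" | awk -F'\t' '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# "count signature" lines, most frequent signature first.
top_signatures() {
    parse_alerts "$1" | awk -F'\t' '{ n[$3]++ } END { for (m in n) print n[m], m }' | sort -rn
}

# Sources that touched at least $2 distinct destinations: "hosts source".
# One host hammering one signature is usually noise; one host walking across
# several of yours is the sweep to look at first.
sweeping_sources() {
    parse_alerts "$1" | awk -F'\t' -v thr="$2" '
        !seen[$1, $2]++ { hosts[$1]++ }
        END { for (s in hosts) if (hosts[s] >= thr) print hosts[s], s }' | sort -rn
}

# Stand-alone demo on the constructed sample.
if [ "${1:-}" = demo ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE_ALERTS" > "$f"
    echo "== alerts per source";            top_sources "$f"
    echo "== alerts per signature";         top_signatures "$f"
    echo "== sources hitting >= 2 hosts";   sweeping_sources "$f" 2
    rm -f "$f"
fi
```

Run it with the argument demo to see the three roll-ups on the sample, or source it and call top_sources /var/log/snort/snort.alert (or whichever alert file the init script writes) against the real thing; if the file is in Snort's multi-line "full" format instead, the parser skips every line and you will see empty output, which is the cue to switch the parser or the alert mode.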

Conclusion:

I hope you enjoy Snort and SnortSnarf and I hope this NHF has been of some help to you. I encourage you to learn more about Snort and SnortSnarf as there are many features that have not been covered in this NHF.

Soon you will be well on your way to writing your own Snort rules, and some of you may have the opportunity to install and administer your own Snort box at work. Snort is an excellent tool for learning about network attacks and TCP/IP, and it's been a very enjoyable application to work with. I'm sure you will enjoy it as much as I do. If you run into problems, you can get help by using the Snort User Forum at www.snort.org. As always I welcome your email, and if I have the time I am always willing to help.

Links of Interest:

Official Snort site
arachNIDS
SnortSnarf

Special Thanks:

Marty Roesch: The man responsible for giving us Snort.
Matthias Eckermann: Matthias wrote the Snort init script. Matthias, hook me up with a job at SUSE.
The Snort Team: You know who you are.....so do the FEDS ;)
Stuart, James and Joe: Silicon Defense crew who wrote SnortSnarf.
Max Vision: Masta of the uber 31337 arachNIDS database.
Sensei: It's www.linuxnewbie.ORG not .com

Copyright 2000 internet.com Corp. All Rights Reserved. Legal Notices Privacy Policy