In this tutorial we’ll learn how to install Snort on CentOS 7. We will also install and configure its prerequisites. Snort is a popular choice for running a network intrusion detection system, or NIDS. It monitors the packet data sent and received through a specific network interface. A NIDS can detect threats targeting vulnerabilities in your systems using signature-based detection and protocol analysis. NIDS software, when installed and configured appropriately, can identify recent attacks, malware infections, compromised systems, and network policy violations.
I recommend using a minimal CentOS server setup as the basis for this tutorial. That can be a virtual or root server image with a CentOS 7 minimal install from a web hosting company, or you can use our minimal server tutorial to install a server from scratch.
Install Snort on CentOS 7
Step 1. First, ensure your system is fully up-to-date by running the following:
yum -y update
Step 2. Installing Snort.
Snort provides convenient RPM packages for CentOS 7, which can be installed with the commands below. Snort itself uses the Data Acquisition library (DAQ) as an abstraction layer over packet capture libraries, so DAQ must be installed first:
yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.f21.x86_64.rpm
yum install https://www.snort.org/downloads/snort/snort-2.9.11-1.f25.x86_64.rpm
Step 3. Configuring Snort.
To install Snort rules you must be a registered user on the Snort website to download the registered-user ruleset, or hold a paid subscription. Installing up-to-date Snort rules is necessary for Snort to detect the latest threats.
To manage Snort rules, the PulledPork package is available on GitHub and can be downloaded with the following command:
git clone https://github.com/shirkdog/pulledpork.git
Set up PulledPork:
cd pulledpork/
cp pulledpork.pl /usr/local/bin
chmod +x /usr/local/bin/pulledpork.pl
Copy the configuration files from PulledPork's etc directory into Snort's default configuration directory, /etc/snort:
cp -v etc/*.conf /etc/snort
Create the directory and blacklist file that PulledPork requires:
mkdir /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist
Let’s run a quick test to confirm that PulledPork is functional:
/usr/local/bin/pulledpork.pl -V
PulledPork v0.7.0 - Swine Flu !
Configure the dynamic library paths for Snort:
nano /etc/snort/snort.conf
The dynamicpreprocessor and dynamicengine directories are named after the installed Snort version; confirm the exact names with ls -d /usr/lib64/snort-* and use those paths:
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/lib64/snort-<version>_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/lib64/snort-<version>_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
Now execute the following 3 commands to append the rule includes to snort.conf:
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf
Restart Snort service:
systemctl restart snortd
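The include and restart steps above, rewritten as an added helper script that is not part of the original tutorial: the echo >> commands append duplicate lines every time they are re-run, Snort will not start if an included rule file or the dynamicdetection directory is missing, and a bad dynamic library path is only reported at startup. The script assumes RULE_PATH is /etc/snort/rules (the stock snort.conf setting) and that the snort and systemctl commands are on the PATH.

```shell
#!/bin/sh
# Added example, not from the original tutorial: make the "include" step
# idempotent, create every file and directory the config references, and
# validate snort.conf with Snort's test mode before restarting the service.
# Assumes RULE_PATH is /etc/snort/rules, as set in the stock snort.conf.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULE_DIR="${RULE_DIR:-/etc/snort/rules}"
DYNRULE_DIR="${DYNRULE_DIR:-/usr/local/lib/snort_dynamicrules}"

# Append "include $RULE_PATH/<file>" only when that exact line is absent, so
# re-running the setup never leaves duplicate includes in snort.conf.
add_rule_includes() {
    conf="$1"
    for f in snort.rules local.rules so_rules.rules; do
        line="include \$RULE_PATH/$f"
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# Number of the three rule includes present in a config file.
count_rule_includes() {
    grep -cE '^include \$RULE_PATH/(snort|local|so_rules)\.rules$' "$1"
}

# Snort refuses to start if an included rule file or the dynamicdetection
# directory is missing; create empty placeholders that PulledPork later fills.
ensure_rule_files() {
    dir="$1"; dyndir="$2"
    mkdir -p "$dir/iplists" "$dyndir"
    for f in snort.rules local.rules so_rules.rules iplists/default.blacklist; do
        [ -e "$dir/$f" ] || : > "$dir/$f"
    done
}

# Snort's test mode (-T) parses the config and exits non-zero on errors such
# as a wrong dynamicpreprocessor path, so problems surface before a restart.
check_snort_config() {
    snort -T -c "$1"
}

if [ "${1:-}" = "run" ]; then
    add_rule_includes "$SNORT_CONF"
    ensure_rule_files "$RULE_DIR" "$DYNRULE_DIR"
    check_snort_config "$SNORT_CONF" && systemctl restart snortd
fi
```

Run it as sh setup-includes.sh run; the restart only happens when the test-mode parse succeeds.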
Congratulations! You have successfully installed and configured Snort on your CentOS 7 server. Thanks for using this tutorial for installing Snort network monitoring on a CentOS 7 system.