How to Install Snort on CentOS 7

r00t October 30, 2017


In this tutorial we’ll learn how to install Snort on CentOS 7, and we will also install and configure its prerequisites. Snort is a popular choice for running a network intrusion detection system (NIDS). It monitors the packet data sent and received through a specific network interface. A NIDS can catch attacks that target vulnerabilities in your systems by using signature-based detection and protocol analysis. NIDS software, when installed and configured appropriately, can detect the latest attacks, malware infections, compromised systems, and network policy violations.

I recommend using a minimal CentOS server setup as the basis for this tutorial. That can be a virtual or root server image with a CentOS 7 minimal install from a web hosting company, or you can use our minimal server tutorial to install a server from scratch.

Install Snort on CentOS 7

Step 1. First, ensure your system is fully up-to-date by running the following:

yum -y update

Step 2. Installing Snort.

Snort provides convenient RPM packages for CentOS 7, which can be installed with the commands below. Snort itself uses the Data Acquisition library (DAQ) to make abstract calls to packet capture libraries, so DAQ is installed first:

yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.f21.x86_64.rpm
yum install https://www.snort.org/downloads/snort/snort-2.9.11-1.f25.x86_64.rpm

Step 3. Configuring Snort.

In order to install Snort rules, we must be a registered user to download the rule set, or have a paid subscription to this link. Installing updated Snort rules is necessary to make sure that Snort is able to detect the latest threats.


To manage Snort rules, the PulledPork package is available on GitHub and can be downloaded with the following command:

git clone https://github.com/shirkdog/pulledpork.git

Set up PulledPork:

cd pulledpork/
cp pulledpork.pl /usr/local/bin
chmod +x /usr/local/bin/pulledpork.pl

Copy the contents of the pulledpork etc directory to Snort's default configuration directory, /etc/snort:

cp -v etc/*.conf /etc/snort

Create the files that PulledPork requires:

mkdir /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist

Let’s run a quick test to confirm that PulledPork works:

### /usr/local/bin/pulledpork.pl -V
PulledPork v0.7.0 - Swine Flu !

Configure the dynamic library paths for Snort. Note that the version string in these paths must match the Snort package that is actually installed; check the snort-*_dynamicpreprocessor and snort-*_dynamicengine directory names under /usr/lib64 and adjust the paths below if they differ:

### nano /etc/snort/snort.conf
# path to dynamic preprocessor libraries
 dynamicpreprocessor directory /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/

# path to base preprocessor engine
 dynamicengine /usr/lib64/snort-2.9.7.3_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
 dynamicdetection directory /usr/local/lib/snort_dynamicrules

Now run the following three commands to append the rule includes to snort.conf:

echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /etc/snort/snort.conf

Restart Snort service:

systemctl restart snortd
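The include commands above use `>>`, so running them a second time duplicates the include lines, and the dynamic library paths in snort.conf carry a version string that must match the installed package. The following shell helpers are an added example, not part of the original tutorial: they append each include only once, verify that the three dynamic paths in snort.conf actually exist, and then run Snort's own configuration test (`snort -T`) before the service is restarted. The SNORT_CONF variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Usage: sh snort-check.sh run
CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed override variable

# add_include CONF RULEFILE: append 'include $RULE_PATH/RULEFILE' only if missing,
# so re-running the setup does not leave duplicate include lines in snort.conf.
add_include() {
    conf="$1"; rule="$2"
    line="include \$RULE_PATH/$rule"
    if grep -qxF "$line" "$conf" 2>/dev/null; then
        return 0            # already present; nothing to do
    fi
    printf '%s\n' "$line" >> "$conf"
}

# check_dynamic_paths CONF: print every dynamicpreprocessor / dynamicengine /
# dynamicdetection path from snort.conf that does not exist; return 1 if any.
# This catches a version mismatch between the paths and the installed package.
check_dynamic_paths() {
    conf="$1"; missing=0
    # strip comments, keep the three directives, take the last field (the path)
    for p in $(sed -e 's/#.*//' "$conf" | awk '/^[[:space:]]*dynamic(preprocessor|engine|detection)/ {print $NF}'); do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            missing=1
        fi
    done
    return $missing
}

# validate_conf CONF: run Snort's config self-test when the binary is present.
validate_conf() {
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not installed; skipping snort -T"
        return 0
    fi
    snort -T -c "$1"
}

if [ "${1:-}" = "run" ]; then
    for r in snort.rules local.rules so_rules.rules; do
        add_include "$CONF" "$r"
    done
    check_dynamic_paths "$CONF" && validate_conf "$CONF"
fi
```

Run the script before `systemctl restart snortd` after any rule or path change; a non-zero exit means the config would not load.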

Congratulations! You have successfully installed and configured Snort on your CentOS 7 server. Thanks for using this tutorial to install Snort network monitoring on a CentOS 7 system.
