A complete Snort 2.9.9.0 install on CentOS 7 (working notes, including the errors hit along the way)
#sudo yum install gcc flex bison zlib libpcap pcre libdnet libdnet-devel tcpdump
#sudo yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
Requires: libnghttp2.so.14()(64bit)
# yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/l/libnghttp2-1.21.1-1.el7.x86_64.rpm
# yum install https://www.snort.org/downloads/snort/snort-2.9.9.0-1.centos7.x86_64.rpm
Running transaction
Installing : 1:snort-2.9.9.0-1.x86_64 1/1
Verifying : 1:snort-2.9.9.0-1.x86_64 1/1
Installed:
snort.x86_64 1:2.9.9.0-1
Complete!
Download libpcap and build/install it from source:
wget http://www.tcpdump.org/release/libpcap-1.8.1.tar.gz
tar -xzvf libpcap-1.8.1.tar.gz
ERROR! Libpcre header not found.
Install pcre from source:
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
tar -xzvf pcre-8.40.tar.gz
ERROR! zlib header not found, go get it from
#yum install zlib-devel -y
-------------------------------------------------------------------
Install DAQ and Snort again, this time by building from the downloaded source tarballs:
#wget daq
./configure
make && make install
#wget snort
./configure --enable-sourcefire
make
sudo make install
-----------------------------------------------
# ldconfig
# ls -s /usr/local/bin/snort /usr/sbin/snort
9976 /usr/local/bin/snort 0 /usr/sbin/snort
# sudo snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf
Commencing packet processing (pid=4329)
#sudo yum install gcc flex bison zlib libpcap pcre libdnet libdnet-devel tcpdump
#sudo yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
Requires: libnghttp2.so.14()(64bit)
# yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/l/libnghttp2-1.21.1-1.el7.x86_64.rpm
# yum install https://www.snort.org/downloads/snort/snort-2.9.9.0-1.centos7.x86_64.rpm
Running transaction
Installing : 1:snort-2.9.9.0-1.x86_64 1/1
Verifying : 1:snort-2.9.9.0-1.x86_64 1/1
Installed:
snort.x86_64 1:2.9.9.0-1
Complete!
-------------------------------------------------------
ERROR! Libpcap library version >= 1.0.0 not found. Download libpcap and build/install it from source:
wget http://www.tcpdump.org/release/libpcap-1.8.1.tar.gz
tar -xzvf libpcap-1.8.1.tar.gz
ERROR! Libpcre header not found.
Install pcre from source:
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
tar -xzvf pcre-8.40.tar.gz
ERROR! zlib header not found, go get it from
#yum install zlib-devel -y
-------------------------------------------------------------------
Install DAQ and Snort again, this time by building from the downloaded source tarballs:
#wget daq
./configure
make && make install
#wget snort
./configure --enable-sourcefire
make
sudo make install
-----------------------------------------------
# ldconfig
# ls -s /usr/local/bin/snort /usr/sbin/snort
9976 /usr/local/bin/snort 0 /usr/sbin/snort
----------------------------------------------
# mkdir /usr/local/lib/snort_dynamicrules
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
#sudo chmod -R 5775 /etc/snort
#sudo chmod -R 5775 /var/log/snort
#sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
(note: mode 5775 applied recursively also sets the setuid/setgid bits on every file, including the config and rule files, and leaves the trees world-readable; since snort drops to the snort user/group via -u/-g and the trees are chowned below, a plain owner/group mode with no setuid bit is enough)
#sudo chown -R snort:snort /etc/snort
#sudo chown -R snort:snort /var/log/snort
#sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
-----------------------------------------------
# sudo cp /root/snort_src/snort-2.9.9.0/etc/*.conf /etc/snort
# sudo cp /root/snort_src/snort-2.9.9.0/etc/*.map /etc/snort
----------------------------
The community rules must be downloaded first:
# tar -xzvf community-rules.tar
# cp community-rules/* /etc/snort/rules
# sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
# wget 'https://www.snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz?oinkcode=<your-oinkcode>' -O ~/registered.tar.gz
(the oinkcode is the personal credential tied to your snort.org account; keep it out of shared notes and shell history)
# tar -xzvf ~/registered.tar.gz -C /etc/snort/
(the -O option above saved the snapshot as ~/registered.tar.gz, so extract that file)
-------------------------------------
# sudo vi /etc/snort/snort.conf   (edit the following lines)
ipvar HOME_NET <server's public IP>/32
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
------------------------------------------------
#sudo snort -T -c /etc/snort/snort.conf
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Snort successfully validated the configuration!
Snort exiting
-----------------------------
#vi /etc/snort/rules/local.rules   (add the following rule)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
Ways to run Snort:
#snort -c /etc/snort/snort.conf -i eth0 -A console
#snort -c /etc/snort/snort.conf -i eth0
#snort -c /etc/snort/snort.conf -i eth0 -A console
#snort -c /etc/snort/snort.conf -i eth0
#sudo snort -i ifcfg-ens33 -u snort -g snort -c /etc/snort/snort.conf
pcap DAQ configured to passive.
Acquiring network traffic from "ifcfg-ens33".
Reload thread starting...
Reload thread started, thread 0x7f761ac02700 (4519)
ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!
Fatal Error, Quitting..
(this fails because "ifcfg-ens33" is the name of the network config file, not the interface; -i takes the interface name as shown by ip link, e.g. eth0 or ens33)
# sudo snort -i eth0 -u snort -g snort -c /etc/snort/snort.conf
Commencing packet processing (pid=4329)