Setting Up Snort Intrusion Detection System on CentOS
Preface
As a sophomore student tasked with a school experiment, I gathered some related resources and attempted to build a local deployment.
Acknowledgment: This article draws heavily from the work of an expert (Written by QQ: 872035516). I have made modifications based on my local experimentation while referencing much of their content. Here is the CSDN link to the downloadable attachments:
https://download.csdn.net/download/liyangtao123456/10013031?utm_medium=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-1.dl_default&depth_1-utm_source=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-1.dl_default&dest=https%3A%2F%2Fdownload.csdn.net%2Fdownload%2Fliyangtao123456%2F10013031&spm=1003.2020.3001.6616.1
Regarding command errors: If you encounter syntax errors, check whether any symbols in this document are full-width Chinese punctuation (quotes, dashes, colons) rather than ASCII. This has caused issues for me numerous times during replication. Some commands might still need adjustments, so you'll need to modify and resolve them on your own. For other errors, use a search engine to find solutions.
I. Preparation Phase
Install CentOS-6.6-x86_64-DVD1.iso (using CentOS 7 leads to errors in the later BASE configuration steps)
Set the network configuration to bridged mode.
1. Install wget for local deployment
#yum install wget -y
2. Replace CentOS Repository
As of 2020, CentOS 6 has stopped receiving updates, which renders the original repository unusable.
Replace it with the Aliyun (Alibaba Cloud) repository, as it offers faster speeds for updates and downloads.
1. Disable fastestmirror:
vi /etc/yum/pluginconf.d/fastestmirror.conf # Modify parameter to enable=0
2. Backup and rename the original repo:
#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
3. Replace repository:
#wget -O /etc/yum.repos.d/CentOS-Base.repo https://static.lty.fun/%E5%85%B6%E4%BB%96%E8%B5%84%E6%BA%90/SourcesList/Centos-6-Vault-Aliyun.repo
#yum clean all
#yum makecache
3. Update the System
#yum -y update
4. Install EPEL Repository
#yum install -y epel-release
5. Download and Prepare Files
https://download.csdn.net/download/liyangtao123456/10013031?utm_medium=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-1.dl_default&depth_1-utm_source=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-1.dl_default&dest=https%3A%2F%2Fdownload.csdn.net%2Fdownload%2Fliyangtao123456%2F10013031&spm=1003.2020.3001.6616.1
Once downloaded, place the files in the /root directory. During the subsequent steps, some files will need to be moved to /var/www/html. Familiarity with Linux commands is necessary for performing copying operations.
II. Install and Configure LAMP
1. Install LAMP components:
#yum install -y httpd mysql-server php php-mysql php-mbstring php-mcrypt mysql-devel php-gd
2. Install PHP plugins:
#yum install -y mcrypt libmcrypt libmcrypt-devel
3. Install PEAR plugins:
#yum install -y php-pear
#pear upgrade pear
#pear channel-update pear.php.net
#pear install mail
#pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
#pear install mail_mime
4. Install ADODB:
#tar zxvf adodb519.tar.gz -C /var/www/html
#mv /var/www/html/adodb5 /var/www/html/adodb
5. Install BASE:
#tar zxvf base-1.4.5.tar.gz -C /var/www/html
#mv /var/www/html/base-1.4.5 /var/www/html/base
6. Modify php.ini:
#vi /etc/php.ini
error_reporting = E_ALL & ~E_NOTICE
7. Set permissions for the html directory:
#chown -R apache:apache /var/www/html
8. Set permissions for ADODB:
#chmod 755 /var/www/html/adodb
9. Configure MySQL:
Extract barnyard2 (use the files inside to create MySQL tables):
#tar zxvf barnyard2-1.9.tar.gz
Start MySQL:
#service mysqld start
Set root password to 123456:
#mysqladmin -u root -p password 123456
Log in as root:
#mysql -uroot -p
Create a database named "snort":
> create database snort;
Create a user "snort" with password "123456" and grant it only the privileges it needs on the "snort" database:
> grant create,select,update,insert,delete on snort.* to snort@localhost identified by '123456';
Exit MySQL:
> exit
Create database tables:
#mysql -usnort -p -Dsnort < /root/barnyard2-1.9/schemas/create_mysql.sql
#./configure && make && make install
6. Configure Snort
Create the required files and directories:
#mkdir /etc/snort
#mkdir /var/log/snort
#mkdir /usr/local/lib/snort_dynamicrules
#mkdir /etc/snort/rules
#touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
#cp /root/snort-2.9.7.0/etc/{gen-msg.map,threshold.conf,classification.config,reference.config,unicode.map,snort.conf} /etc/snort/
Edit the configuration file:
#vi /etc/snort/snort.conf
Modify the following path variables:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
Set the logging directory:
config logdir: /var/log/snort
Configure the output plugin:
output unified2: filename snort.log, limit 128
7. Configure Default Rules
#tar zxvf snortrules-snapshot-2970.tar.gz -C /etc/snort/
#cp /etc/snort/etc/sid-msg.map /etc/snort/
8. Test Snort
#snort -T -i eth0 -c /etc/snort/snort.conf
Explanation of parameters:
-T Specifies the mode: test
-i Specifies the network interface
-c Specifies the configuration file
If the output ends with "Snort successfully validated the configuration!" (look for the word "success"), the configuration is correct.
Press Ctrl+C to terminate the test.
9. Install Barnyard2
#cd /root/barnyard2-1.9
#./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
#make && make install
10. Configure Barnyard2
Create the required files and directories:
#mkdir /var/log/barnyard2
#touch /var/log/snort/barnyard2.waldo
#cp /root/barnyard2-1.9/etc/barnyard2.conf /etc/snort
Modify the configuration file:
#vi /etc/snort/barnyard2.conf
Set the following parameters:
config logdir: /var/log/barnyard2
config hostname: localhost
config interface: eth0
config waldo_file: /var/log/snort/barnyard2.waldo
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
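The snort.conf path variables and the barnyard2.conf settings above are both "keyword value" lines that have to be edited in place in stock files shipped with the tarballs. The following script is an added example, not part of the original article: it applies those edits idempotently (replace the line if it exists, append it otherwise) and then cross-checks that the waldo file named in barnyard2.conf is the one that was actually created with touch, since a mismatch makes Barnyard2 start from an empty bookmark. The /etc/snort paths are the article's; the demo at the bottom writes constructed stand-in files into a temporary directory so it can be run on any machine without Snort installed.

```shell
#!/bin/sh
# Added example: idempotent config editing for snort.conf / barnyard2.conf
# plus a waldo-file consistency check. Not from the original article.

# set_kv FILE KEY VALUE
# KEY is the full keyword prefix, e.g. "var RULE_PATH" (snort.conf) or
# "config waldo_file:" (barnyard2.conf). The existing uncommented line is
# rewritten; if there is none the setting is appended. VALUE must not
# contain '|' or '&' (sed delimiter / back-reference).
set_kv() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]" "$file" 2>/dev/null; then
        sed -i "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY  -> prints the value of the first matching uncommented line
get_kv() {
    sed -n "s|^[[:space:]]*$2[[:space:]][[:space:]]*||p" "$1" | head -n 1
}

# check_waldo BARNYARD_CONF EXPECTED_PATH
# Succeeds only when "config waldo_file:" in BARNYARD_CONF names EXPECTED_PATH
# (the file created with touch earlier in the procedure).
check_waldo() {
    actual=$(get_kv "$1" "config waldo_file:")
    [ "$actual" = "$2" ]
}

# apply_article_settings SNORT_CONF BARNYARD_CONF
# Applies exactly the values the article asks for.
apply_article_settings() {
    sc=$1; bc=$2
    set_kv "$sc" "var RULE_PATH" /etc/snort/rules
    set_kv "$sc" "var SO_RULE_PATH" /etc/snort/so_rules
    set_kv "$sc" "var PREPROC_RULE_PATH" /etc/snort/preproc_rules
    set_kv "$sc" "var WHITE_LIST_PATH" /etc/snort/rules
    set_kv "$sc" "var BLACK_LIST_PATH" /etc/snort/rules
    set_kv "$sc" "config logdir:" /var/log/snort
    set_kv "$sc" "output unified2:" "filename snort.log, limit 128"
    set_kv "$bc" "config logdir:" /var/log/barnyard2
    set_kv "$bc" "config hostname:" localhost
    set_kv "$bc" "config interface:" eth0
    set_kv "$bc" "config waldo_file:" /var/log/snort/barnyard2.waldo
}

# Demo on constructed stand-ins for the stock files (safe to run anywhere).
demo() {
    tmp=$(mktemp -d)
    printf 'var RULE_PATH ../rules\nvar SO_RULE_PATH ../so_rules\nconfig logdir: /tmp\n' > "$tmp/snort.conf"
    printf 'config logdir: /var/log/barnyard2\nconfig waldo_file: /var/log/snort/barnyard.waldo\n' > "$tmp/barnyard2.conf"
    apply_article_settings "$tmp/snort.conf" "$tmp/barnyard2.conf"
    cat "$tmp/snort.conf" "$tmp/barnyard2.conf"
    if check_waldo "$tmp/barnyard2.conf" /var/log/snort/barnyard2.waldo; then
        echo "waldo_file matches the created bookmark file"
    else
        echo "waldo_file does NOT match the created bookmark file" >&2
    fi
    rm -rf "$tmp"
}

demo
```

On the real system call `apply_article_settings /etc/snort/snort.conf /etc/snort/barnyard2.conf` as root instead of `demo`; rerunning it is harmless because each setting is rewritten rather than duplicated. The check_waldo step is the one worth keeping in any deployment script: Snort writes to snort.log, and Barnyard2 only picks up where it left off if its waldo_file entry and the -w argument point at the same file.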
11. Test Barnyard2
#barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
Explanation of parameters:
-c Specifies the configuration file
-d Specifies the log directory
-f Specifies the log file
-w Specifies the waldo file
If you see the message "Waiting for new spool file," it means Barnyard2 is configured successfully.
Press Ctrl+C to terminate the test.