Ultimate Guide to Enhancing CentOS Network Security with Snort Installation and Configuration

Snort is a powerful network intrusion detection system with three main functions. On a CentOS system, however, we mainly use its intrusion detection function to collect alert logs for later analysis, which is what improves CentOS network security.

Installing it directly on a CentOS host is not that cumbersome. Download the required dependency packages and the Snort source package, then run make && make install; next, modify the configuration file and make sure the virtual machine, the outside network, and the host can all reach each other; the third step is to write one or two alert rules yourself and test them by pinging this virtual machine from another host. If alerts are printed on the terminal, everything is working.

1. Wget Source Installation, Configuration, and Usage Method

There are three ways to install Snort:

  • Yum source method
  • Wget + download link method
  • Docker pre-packaged Snort image

I’ve tried all three methods. The feasible ones are the latter two. However, most people prefer installing from source code, because it makes it easier to study and research the code later, to debug Snort, to write Snort rules, and to test Snort functionality. Below, the installation processes for these two methods are introduced one by one.

1.1 Wget + Download Link Method

Let's start with the wget + download link method. Downloading and building manually requires typing quite a few commands; the first one installs the basic build prerequisites.

sudo yum install -y gcc flex bison zlib libpcap pcre libdnet tcpdump

Setting up Snort from the source code on CentOS involves several steps: downloading the code, configuring it, compiling the code, installing it in the appropriate directory, and finally configuring detection rules.

Before you start, besides the prerequisites already installed, you also need the following development packages.

sudo yum install -y zlib-devel libpcap-devel pcre-devel libdnet-devel openssl-devel libnghttp2-devel luajit-devel

Once prepared, create a temporary download folder in your home directory, then change to that folder using the following command.

mkdir ~/snort_src && cd ~/snort_src

Use the wget command below to download the latest DAQ source package from the Snort website. If a newer source is available, replace the version number in the command.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Extract the DAQ source package. Building DAQ at this point fails because some of its dependencies are missing, so install those first, starting with libpcap, which is downloaded with the following command.

wget http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz

Then extract the libpcap archive, change into the libpcap directory, and configure, compile, and install it:

tar -xzvf libpcap-1.7.4.tar.gz
cd libpcap-1.7.4
./configure && make && sudo make install

Then return to DAQ installation.

cd ..
tar -xzvf daq-2.0.6.tar.gz
cd daq-2.0.6    # the directory name must match the DAQ version downloaded above
./configure && make && sudo make install

2. Docker-Snort Installation

Installing Snort via Docker is much simpler. On a fresh CentOS system, running the docker command only reports that the command is not found, so Docker itself has to be installed first.

Installing Docker takes one line: yum install docker

After that, run docker pull linton/docker-snort and Snort is installed.

Be sure to start the Docker service before starting Snort.

systemctl start docker

Then start Snort Docker:

docker run -it --rm --net=host linton/docker-snort /bin/bash

Before starting Snort, write the alert rules it should load. The local rules file is /etc/snort/rules/local.rules; put the rules you want to verify there so the intrusion detection system has something to match against.

3. Adding Rules

For testing Snort’s intrusion detection capabilities, add the following rule to /etc/snort/rules/local.rules:

alert icmp any any -> any any (msg:"Pinging...";sid:1000004;)
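Before loading rules into local.rules, it is worth checking them for the mistakes that make Snort refuse to start or silently never fire: a rule without a sid, two rules sharing a sid, or a local sid inside the range below 1000000 that is conventionally reserved for distributed rulesets. The following linter is an added example written for this article, not code from the article or from the Snort project; it parses the Snort 2 rule syntax used above and runs over a constructed sample file containing the article's rule plus two deliberately broken ones.

```python
"""Lint a Snort 2 local.rules file before Snort loads it.

Added example, not part of the original article or the Snort project.
Checks each rule's header (action proto src sport dir dst dport) and
option block (msg present; sid present, numeric, unique and >= 1000000,
the range conventionally used for local rules).
"""
import re

# Constructed sample file: the article's rule plus two deliberately broken ones
# (a duplicated sid and a rule with no sid at all).
SAMPLE_RULES = """\
# local.rules
alert icmp any any -> any any (msg:"Pinging...";sid:1000004;)
alert tcp any any -> any 22 (msg:"SSH attempt"; sid:1000004; rev:1;)
alert udp any any -> any 53 (msg:"DNS query without sid";)
"""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000

HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':value' (a quoted value may contain ';'), then ';'
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(opts):
    """Turn 'msg:"a;b"; sid:1; nocase;' into {'msg': 'a;b', 'sid': '1', 'nocase': True}."""
    result = {}
    for m in OPTION_RE.finditer(opts):
        key, value = m.group(1), m.group(2)
        result[key] = value.strip().strip('"') if value is not None else True
    return result


def lint_rules(text):
    """Return a list of (line_no, problem) tuples; an empty list means the file is clean."""
    problems = []
    seen_sids = {}  # sid -> first line it appeared on
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((no, "unparseable rule header"))
            continue
        if m["action"] not in ACTIONS:
            problems.append((no, f"unknown action {m['action']!r}"))
        if m["proto"] not in PROTOS:
            problems.append((no, f"unknown protocol {m['proto']!r}"))
        opts = parse_options(m["opts"])
        if "msg" not in opts:
            problems.append((no, "missing msg option"))
        sid = opts.get("sid")
        if not isinstance(sid, str) or not sid.isdigit():
            problems.append((no, "missing or non-numeric sid"))
            continue
        sid = int(sid)
        if sid < LOCAL_SID_MIN:
            problems.append((no, f"sid {sid} is below {LOCAL_SID_MIN}; local rules should use sids >= {LOCAL_SID_MIN}"))
        if sid in seen_sids:
            problems.append((no, f"sid {sid} already used on line {seen_sids[sid]}"))
        else:
            seen_sids[sid] = no
    return problems


if __name__ == "__main__":
    for line_no, problem in lint_rules(SAMPLE_RULES) or [(0, "no problems found")]:
        print(f"line {line_no}: {problem}")
```

Run it against a real file with lint_rules(open("/etc/snort/rules/local.rules").read()); the sample reports the duplicated sid on line 3 and the missing sid on line 4, while the article's own rule passes clean.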

Run Snort and output alerts to the screen:

$ snort -i eth0 -c /etc/snort/etc/snort.conf -A console

Run Snort and output alerts to a UNIX socket:

$ snort -i eth0 -A unsock -l /tmp -c /etc/snort/etc/snort.conf

Ping from inside the container and the alert message will appear on the console:

ping 8.8.8.8

After adding the above rule, the alert log format output by Snort is:

06/28-22:38:51.673951 ** ICMP ** {ICMP} 192.168.56.1 -> 192.168.56.103
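Since the point of running Snort here is to collect these alerts for later analysis, the following is an added example (not from the article or the Snort project) of parsing them in Python. It assumes the line format that snort -A console prints, that is timestamp, [**] [gid:sid:rev] msg [**], optional [Classification: ...] and [Priority: n], {PROTO}, then src -> dst with optional ports, and it also accepts the bracket-stripped form shown above; it handles IPv4 addresses only, and the sample lines are constructed rather than captured.

```python
"""Parse Snort 2 console/fast alerts and summarise them for triage.

Added example, not from the original article or the Snort project. It
assumes the format printed by `snort -A console`:
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
and also accepts the bracket-stripped form shown in the article.
IPv4 only; the sample lines below are constructed, not captured.
"""
import re
from collections import Counter

SAMPLE_ALERTS = """\
06/28-22:38:51.673951  [**] [1:1000004:0] Pinging... [**] [Priority: 0] {ICMP} 192.168.56.1 -> 192.168.56.103
06/28-22:38:52.675102  [**] [1:1000004:0] Pinging... [**] [Priority: 0] {ICMP} 192.168.56.1 -> 192.168.56.103
06/28-22:39:10.001234  [**] [1:1000005:1] SSH attempt [**] [Priority: 0] {TCP} 10.0.0.5:51234 -> 192.168.56.103:22
06/28-22:38:51.673951 ** ICMP ** {ICMP} 192.168.56.1 -> 192.168.56.103
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[?\*\*\]?\s+"                                        # [**] or bare **
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"   # [gid:sid:rev], optional
    r"(?P<msg>.*?)\s+\[?\*\*\]?\s+"                         # rule msg up to the closing [**]
    r"(?:\[Classification:[^\]]*\]\s+)?"                    # [Classification: ...], optional
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"                # [Priority: n], optional
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)
INT_FIELDS = ("gid", "sid", "rev", "prio", "sport", "dport")


def parse_alert(line):
    """Return a dict of fields for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:  # numeric fields become ints, absent ones stay None
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_alerts(text):
    """Parse every alert line in text, silently skipping anything else."""
    return [rec for rec in map(parse_alert, text.splitlines()) if rec]


def summarise(records):
    """Count alerts per (sid, msg) and per source address."""
    by_rule = Counter((r["sid"], r["msg"]) for r in records)
    by_src = Counter(r["src"] for r in records)
    return by_rule, by_src


if __name__ == "__main__":
    by_rule, by_src = summarise(parse_alerts(SAMPLE_ALERTS))
    for (sid, msg), n in by_rule.most_common():
        print(f"{n:4d}  sid={sid}  {msg}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  from {src}")
```

Feed it the console output redirected to a file, or the alert file Snort writes under the -l log directory; the per-source counts are usually the first thing to look at when a single rule fires repeatedly.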

4. Boot Startup

This assumes that the Docker service and the container have already been configured to start automatically when the server boots.

Container boot auto-start: add the --restart=always option when creating the container so that it starts automatically whenever the Docker service starts at boot.

Existing container