Wednesday, May 9, 2012

Installing SNORT as IPS, building from Source

Install the libraries below from source, in the given order, by running "./configure", "make" and "make install" for each.
    pcre-8.30.zip
    libdnet-1.12.tgz
    libnetfilter_queue-1.0.1.tar
    libnfnetlink-1.0.0.tar
    libpcap-1.2.1.tar.gz
    daq-0.6.2.tar.gz
    snort-2.9.2.2.tar.gz
    snortrules-snapshot-2922.tar.gz
At the time of writing this article, the tar/zip files above were the latest available.

By default most of these packages install under /usr/local, so we force them to install under /usr instead. For example, if you install libpcap-1.2.1 by just running ./configure and then check the running version, it may still report libpcap-0.9.4. To avoid this we build with the following arguments:
./configure --enable-ipv6 --prefix=/usr

--enable-ipv6              enables sniffing IPv6 packets

When the DAQ (Data Acquisition) module is configured successfully, we get the output below.
DAQ output after ./configure --enable-ipv6 --prefix=/etc

Build AFPacket DAQ module.. : yes
Build Dump DAQ module........ : yes
Build IPFW DAQ module......... : yes
Build IPQ DAQ module............ : no
Build NFQ DAQ module........... : yes
Build PCAP DAQ module......... : yes

IPQ is obsolete, so it was not installed.


Snort configuration command
./configure --libdir=/usr/lib --includedir=/usr/include --enable-ipv6 --enable-gre --enable-targetbased --enable-ipfw --enable-dynamicplugin --enable-decoder-preprocessor-rules --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-zlib

For developing preprocessor plugins you can add
--enable-debug
--enable-debug-msgs

Additionally you might need dpx-1.4.tar.gz.

Errors seen while starting Snort:
For the "snort_dynamicrules not found" error, create /usr/local/lib/snort_dynamicrules and copy the .so files there.
For the missing white_listing.rules and black_listing.rules file errors, create those files and comment out the reputation preprocessor in snort.conf.

#/home/praveen/snort-2.9.2.2#snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3
#/home/praveen/snort-2.9.2.2#
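The "snort -V" banner above is the quickest way to confirm that Snort was linked against the freshly built libraries under /usr rather than an older copy (the libpcap-0.9.4 problem mentioned earlier). The script below is an added example, not part of the original post: it parses that banner with sed and compares the reported libpcap and PCRE versions against the ones built here. The expected version values and the sample banner text are constructed from this post; note that snort -V writes its banner to stderr, hence the 2>&1 in the real invocation.

```shell
#!/bin/sh
# Added example: check that "snort -V" reports the libraries we built.
# Expected versions are the ones built in this post (assumption).
EXPECTED_LIBPCAP="1.2.1"
EXPECTED_PCRE="8.30"

# Print the libpcap version found in snort -V text read from stdin.
libpcap_version() {
    sed -n 's/^ *Using libpcap version \([0-9.]*\).*/\1/p'
}

# Print the PCRE version (token after "PCRE version:") from stdin.
pcre_version() {
    sed -n 's/^ *Using PCRE version: \([0-9.]*\).*/\1/p'
}

# Argument: the full snort -V output as one string.
# Returns 0 when both versions match, 1 otherwise (mismatches printed).
check_snort_libs() {
    out="$1"
    status=0
    got=$(printf '%s\n' "$out" | libpcap_version)
    if [ "$got" != "$EXPECTED_LIBPCAP" ]; then
        echo "libpcap mismatch: got '$got', expected $EXPECTED_LIBPCAP (old copy linked?)"
        status=1
    fi
    got=$(printf '%s\n' "$out" | pcre_version)
    if [ "$got" != "$EXPECTED_PCRE" ]; then
        echo "PCRE mismatch: got '$got', expected $EXPECTED_PCRE"
        status=1
    fi
    return $status
}

# Constructed sample: the banner shown in this post (good build).
SAMPLE_OK='Version 2.9.2.2 IPv6 GRE (Build 121)
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3'

# Constructed sample: the failure mode, an old libpcap picked up.
SAMPLE_STALE='Using libpcap version 0.9.4
Using PCRE version: 8.30 2012-02-04'

# On a real system run:  check_snort_libs "$(snort -V 2>&1)"
```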

Starting Snort with the -Q option makes it run inline, as an IPS.


You can refer to a similar article at
http://techminded.net/blog/using-snort-as-service-ips.html

For Snort preprocessors you can refer to the link below
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html

For sending Snort alerts to a syslog server
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

For a detailed description of the various concepts, refer to the Snort Users Manual.
http://www.snort.org/assets/140/snort_manual_2_8_6.pdf