Problem solve Get help with specific problems with your technologies, process and projects.

How to run IDS Snort on Red Hat Enterprise Linux 5

Learn how to create an intrusion detection system and intrusion prevention system for your clients using the open source IDS sensor called Snort.

VARs use a combination of intrusion detection systems (IDS) and intrusion prevention systems (IPS) to analyze network traffic to detect and then prevent attacks and viruses, thus providing network security for their customers. The open source IDS Snort continues to be a popular choice for VARs working with SMBs because it is free, works with popular hardware and has an easily configurable rules engine. From hardware and network configuration to setting up rules, this guide discusses the easy steps VARs should take to deploy Snort on a customer network running Red Hat Enterprise Linux 5.

Intrusion detection and intrusion prevention systems (IDS and IPS, respectively) provide the ability to inspect and analyze network traffic and either generate alerts or drop traffic in the event that an attack or a malicious event is detected. They are two of a number of controls, such as firewalls, designed to protect your network from a variety of attacks. Both IDS and IPS are commonly deployed in organization's perimeters to protect externally-facing assets, like Internet-facing Web services. They can also be deployed internally to ward off attacks or virus outbreaks. For example, an IPS sensor that can be configured to stop the spread of a virus or worm may be located in-line on an internal network choke point.

More intrusion detection help for resellers using Snort
Snort IDS installation basics and tips for security resellers

Detect events without Snort IDS rules

Snort IDS upgrade and tips on the Snort.conf file

We're going to demonstrate how to quickly install and run the open source IDS sensor Snort on Red Hat Enterprise Linux 5 (RHEL 5). The instructions below will also generally work for RHEL 4, CentOS 4 and 5, as well as Fedora Core 5 and 6.

For many environments, especially in the small-medium business market but also in many larger corporate and government clients, Snort remains the ubiquitous IDS tool. It is fast and easy to set up and runs on most commercially available hardware, including platforms from IBM, HP, Sun and commodity PC hardware. It is a signature-based, (which Snort calls "rules") IDS engine that is easy to deploy and easy to tune. Rules are open and can be readily edited, and writing and adding your own rules requires only a little learning. Snort is also capable of outputting data in a variety of formats: binary (called "Unified"), syslog, to a file and to a SQL database (one of Oracle, PostgreSQL, MySQL or Microsoft SQL Server). Many users commonly output data to a SQL database.

Intrusion detection with Snort on Red Hat Enterprise Linux 5

  Introduction to network intrusion detection and prevention using Snort
  Snort hardware and network setup requirements
  Snort's installation prerequisites
  Compiling Snort and configuration with MySQL
  Configuring Snort and setting up rules
  Editing the snort.conf file

About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of
Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.

Dig Deeper on Managed network security services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.