By James Turnbull
Once you've confirmed that Snort can run on your customer's hardware, and ensured that the proper software for Snort has been installed on Red Hat Enterprise Linux 5 to support Snort, the next step is to download Snort, then configure, make and install the package with MySQL. This is necessary before you can configure Snort by setting up its network intrusion detection rules.
To compile Snort you will need to have the standard C development and build tools installed on your host. You can always remove these tools after compilation to ensure they can't be used inappropriately. Download the Snort source code package:
# wget http://www.snort.org/dl/current/snort-184.108.40.206.tar.gz
Unpack the package and change into the resulting directory:
# tar -xzf snort-220.127.116.11.tar.gz # cd snort-2.6.15
As mentioned, in a directory of the Snort package, called rpm, is a spec file and a script that should allow you to build your own RPMs if you wish. Let's create a Snort user and group:
# groupadd snort # useradd -g snort snort
Now we need to configure, make and install the package:
# ./configure --with-mysql --prefix-/usr # make all # make install
The --with-mysql configure option compiles in support for MySQL. The --prefix option specifies the installation location for Snort. We're using the /usr directory, rather than the default of the /usr/local directory.
We also need to add a database and tables to MySQL to hold our events and provide access to these for the Snort user we created. We do this by using the mysql command and a script included with the Snort package like so:
# mysql -p Enter password: mysql> create database snort; mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost; mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password'); mysql> exit
Change the password value to a suitable password for the Snort user.
Then, we use the script in the schemas directory of the Snort package to create the required tables:
# cd snort-18.104.22.168/schemas # mysql -p snort < create_mysql
Intrusion detection with Snort on Red Hat Enterprise Linux 5
Introduction to network intrusion detection and prevention using Snort
Snort hardware and network setup requirements
Snort's installation prerequisites
Compiling Snort and configuration with MySQL
Configuring Snort and setting up rules
Editing the snort.conf file
About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.