Wednesday, 16 June 2004
Learn how to install and configure the Snort intrusion detection system on your Linux system.

1. Download the latest source from Snort's web site.
2. Unzip and untar the source file. This will unpack the tar file to a snort directory.
[root]# tar -zxvf snort.tar
3. Compile the source.
[root]# cd snort-
[root]# ./configure
[root]# make
[root]# make install
[root]# make clean
This will install snort to /usr/local/bin/snort by default.
4. Create the configuration directory and copy the configuration files over. This assumes you are in the snort directory.
[root]# mkdir /etc/snort
[root]# cp -rf etc/* /etc/snort
[root]# cp -rf rules/* /etc/snort
5. Customize your snort.conf to meet your needs. This is a configuration I have found to be useful.
[root]# cd /etc/snort
[root]# vi snort.conf
- Change your rule path (RULE_PATH) to /etc/snort:
var RULE_PATH /etc/snort
- Uncomment the following line (this will cause snort to use much less resident memory):
config detection: search-method lowmem
- Make sure the flow preprocessor is NOT commented out:
preprocessor flow: stats_interval 0 hash 2
- Uncomment flow-portscan if you want to detect port scans (change server-watchnet to your network):
preprocessor flow-portscan: server-watchnet [172.16.0.0/16] unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 30 alert-mode all output-mode msg server-learning-time 3600
- Comment out / uncomment the rules files you want. This is my file:
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
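The edits in step 5 can be applied by a script instead of by hand, which also makes it easy to check afterwards that nothing was left commented out. The following Python is an added example, not code from this post or from the Snort project. It works on a constructed excerpt of a stock snort.conf (an assumption; only the directives step 5 touches are included) and hard-codes the post's rule choices, the rule files it leaves commented out versus the ones it enables, so adjust those two sets for your own file.

```python
import re

# Constructed excerpt of a stock Snort 2.x snort.conf (assumption: not the post's
# full file); only the directives that step 5 tells you to change are included.
SAMPLE_CONF = """\
var RULE_PATH ../rules
# config detection: search-method lowmem
# preprocessor flow: stats_interval 0 hash 2
# preprocessor flow-portscan: server-watchnet [10.0.0.0/8] unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 30 alert-mode all output-mode msg server-learning-time 3600
include $RULE_PATH/local.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/web-attacks.rules
"""

# Rule files the post leaves commented out (noisy or policy-only) and ones it enables.
DISABLE_RULES = {"icmp", "policy", "porn", "info", "icmp-info", "virus",
                 "chat", "multimedia", "p2p"}
ENABLE_RULES = {"web-attacks", "backdoor", "shellcode", "exploit", "scan"}

INCLUDE_RE = re.compile(r"include \$RULE_PATH/([\w-]+)\.rules$")


def _uncomment(line):
    """Strip a leading '#' (with or without a space) so the directive can be tested."""
    return re.sub(r"^\s*#\s*", "", line).strip()


def apply_post_edits(conf, rule_path="/etc/snort", watchnet="172.16.0.0/16"):
    """Apply the step 5 changes to the text of a snort.conf and return the result.
    Idempotent: running it on its own output changes nothing."""
    out = []
    for line in conf.splitlines():
        directive = _uncomment(line)
        if directive.startswith("var RULE_PATH"):
            line = f"var RULE_PATH {rule_path}"      # rules now live in /etc/snort
        elif directive.startswith("config detection: search-method lowmem"):
            line = directive                         # uncomment: less resident memory
        elif directive.startswith("preprocessor flow:"):
            line = directive                         # flow preprocessor must be active
        elif directive.startswith("preprocessor flow-portscan:"):
            # enable port-scan detection and watch our own network, not the stock one
            line = re.sub(r"server-watchnet \[[^\]]*\]",
                          f"server-watchnet [{watchnet}]", directive)
        else:
            m = INCLUDE_RE.match(directive)
            if m and m.group(1) in DISABLE_RULES:
                line = "# " + directive              # comment the include out
            elif m and m.group(1) in ENABLE_RULES:
                line = directive                     # make sure it is active
        out.append(line)
    return "\n".join(out) + "\n"


def active_rule_files(conf):
    """Names of the rule files that are really included (not commented out)."""
    return {m.group(1) for m in
            re.finditer(r"^include \$RULE_PATH/([\w-]+)\.rules", conf, re.M)}


if __name__ == "__main__":
    edited = apply_post_edits(SAMPLE_CONF)
    print(edited)
    print("active rule files:", sorted(active_rule_files(edited)))
```

Run it against a copy of your real snort.conf (read the file, pass the text, write the result back) and compare active_rule_files() before and after; the second call is the check that the includes you meant to enable are not still behind a '#'.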
6. Create a snort user to run the process, and create your log directory.
[root]# adduser snort
[root]# mkdir /var/log/snort
[root]# chown snort:snort /var/log/snort
7. Start up snort. I just create a script to start up snort with the following command.
#!/bin/sh
/usr/local/bin/snort -A fast -d -u snort -g snort -D -c /etc/snort/snort.conf
Your alerts will be logged to /var/log/snort/alert.
I have a snort log parser written in Perl that will parse the snort alerts and show today's alerts in an easy-to-read format. Example log:
04/06 08:06:57 TCP 24.163.219.104:80 -> 67.173.96.51:2763 ATTACK-RESPONSES 403 Forbidden 1201
04/06 08:07:53 TCP 24.163.219.104:80 -> 211.40.66.207:2676 ATTACK-RESPONSES 403 Forbidden 1201
04/06 08:13:51 TCP 24.163.219.104:80 -> 211.40.211.115:2604 ATTACK-RESPONSES 403 Forbidden 1201
Download the log parse script here.
If you use the Shorewall firewall script, you can download my program SnortShorewall to proactively prevent hackers from compromising your machine. SnortShorewall runs in the background, monitors your alerts from snort and blacklists the IP addresses that attempt to hack your system. Read more about SnortShorewall here.
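Neither the Perl parser nor SnortShorewall is reproduced on this page, so the following Python is an added example and not the author's code. It parses the one-line "-A fast" format that the start script above writes to /var/log/snort/alert, prints today's alerts in the same layout as the example log, and then shows the kind of decision a SnortShorewall-style blacklister has to make before it blocks a source. The alert lines are constructed for the example (the addresses come from the post's log; the ICMP line, its SID and message, and the local network 192.168.1.0/24 are assumed). The candidate list never contains local addresses and requires repeated high-priority hits, so a single spoofed or misattributed alert cannot get one of your own hosts firewalled.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# One line of Snort 2.x "-A fast" output (regex written here from the documented
# format, not taken from the post): timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, src[:port] -> dst[:port]. ICMP has no ports.
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample of /var/log/snort/alert: the TCP lines use the addresses from
# the post's example log; the ICMP line and the junk line are made up edge cases.
SAMPLE_ALERTS = [
    "04/06-08:06:57.123456  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 67.173.96.51:2763",
    "04/06-08:07:53.654321  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 211.40.66.207:2676",
    "04/06-08:10:02.000001  [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.1",
    "04/05-23:59:59.000000  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 24.163.219.104:80 -> 211.40.211.115:2604",
    "this line is not an alert",
]


@dataclass
class Alert:
    mon: int
    day: int
    time: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    msg: str
    sid: int
    prio: int


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(int(g["mon"]), int(g["day"]), g["time"], g["proto"],
                 g["src"], int(g["sport"]) if g["sport"] else None,
                 g["dst"], int(g["dport"]) if g["dport"] else None,
                 g["msg"], int(g["sid"]), int(g["prio"]))


def todays_alerts(lines, month: int, day: int) -> List[Alert]:
    """Keep the alerts dated month/day. The fast format carries no year, so the
    caller supplies the date; unparseable lines are skipped, not fatal."""
    parsed = (parse_fast_alert(line) for line in lines)
    return [a for a in parsed if a and (a.mon, a.day) == (month, day)]


def format_alert(a: Alert) -> str:
    """Render in the layout of the post's example: date time proto src -> dst msg sid."""
    src = f"{a.src}:{a.sport}" if a.sport is not None else a.src
    dst = f"{a.dst}:{a.dport}" if a.dport is not None else a.dst
    return f"{a.mon:02d}/{a.day:02d} {a.time} {a.proto} {src} -> {dst} {a.msg} {a.sid}"


def blocklist_candidates(alerts, local_nets, max_priority=2, min_hits=2):
    """Sources a SnortShorewall-style blacklister could act on: outside the local
    networks, priority at or better than max_priority (1 is the most severe), and
    seen at least min_hits times. Local addresses are never returned."""
    nets = [ip_network(n) for n in local_nets]
    hits = {}
    for a in alerts:
        if a.prio > max_priority:
            continue
        if any(ip_address(a.src) in n for n in nets):
            continue
        hits[a.src] = hits.get(a.src, 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    month, day = 4, 6   # the day of the post's example log; use date.today() in practice
    today = todays_alerts(SAMPLE_ALERTS, month, day)
    for a in today:
        print(format_alert(a))
    print("blocklist candidates:", blocklist_candidates(today, ["192.168.1.0/24"]))
```

Feed it the real alert file with open("/var/log/snort/alert") and today's month and day. The ATTACK-RESPONSES alerts in the post's own log illustrate why the local-network and repeat-count checks matter: the "source" of that signature is the web server that sent the 403, so a blacklister that acted on every alert without such filters would block the wrong party.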
Use SnortShorewall
Written by Guest on 2005-08-25 05:15:19
If I want to use your SnortShorewall, should I install Snort or not?

Written by Guest on 2005-08-25 19:01:26
Yes

thanx
Written by Guest on 2008-12-24 03:27:27

Installing Snort on Fedora 2.6
Written by Guest on 2010-03-05 18:20:00
./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for gcc... no
checking for cc... no
checking for cc... no
checking for cl... no
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details.
[root@Omar-Fayyad snort-2.8.5.3]# make
make: *** No targets specified and no makefile found. Stop.
What could be the error? N.B.: I am new to Linux.

snort installation on linux
Written by Guest on 2010-06-23 23:01:47
This piece of code is not sufficient to install Snort on Linux

Written by Guest on 2010-07-14 03:51:06
thank u great help