Snort [Intrusion Detection/Prevention System] Installation & Setup In OpenSUSE 13.2

In this post I will be going over the steps required to set up snort on an openSUSE 13.2 server. I found that there was very little documentation for openSUSE except this very useful pdf. I decided to make a post going over the steps mentioned in that document so that I have it for my own reference and so that it may help people who stumble across this post on a search engine.

1. Setup

You will need to install all the required development packages so that we can compile snort and daq.

Install Base Development pattern (this will pull in make, gcc, and more):

zypper install -t pattern devel_basis

Install libpcap:

zypper in libpcap-devel

Install libdnet:

zypper in libdnet-devel

2. Download and untar:

Visit https://snort.org/#get-started to find the links to the source files for snort and daq. Once you have them, follow the steps below:

mkdir snort-files
cd snort-files
wget https://snort.org/downloads/snort/daq-[version].tar.gz
wget https://snort.org/downloads/snort/snort-[version].tar.gz
tar zxf daq-[version].tar.gz
tar zxf snort-[version].tar.gz

We will now build daq. Note that you need to have installed libpcap-devel in step 1, as daq cannot build without it. Another thing to note is that when running make we can use the -j flag to “set the number of jobs (commands) to run simultaneously”. This means that we can drastically increase our compile speed by simply setting this number higher than 1.

It is recommended that you set this to n+1, where n is the number of CPU cores in your system. Beware that if you set this too high you will become bottlenecked and actually experience slower speeds than with a lower value, say “-j 25 versus -j 2”. This is mostly because, while the CPU is a bottleneck in compiling, it is not the only one, and you will be throttled by your disk I/O speeds. In the commands below I have left it as “x”, so you will have to replace it for your system:

cd daq-[version]
# chain with && so a failed configure or make does not silently fall through to the next step
./configure && make -j x && su -c "make install -j x"
ldconfig -v /usr/local/lib
ldconfig -v /usr/local/lib64
cd ../snort-[version]/
./configure --enable-sourcefire && make -j x && su -c "make install -j x"
ldconfig -v /usr/local/lib
ldconfig -v /usr/local/lib64
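The build sequence above, wrapped into a small script, as an added example (not from the original post or the snort project). It applies the n+1 rule from the text to pick the -j value, refuses to start if libpcap-devel or libdnet-devel is not installed, and stops at the first failing step. DAQ_DIR and SNORT_DIR are assumed names for the unpacked source directories.

```shell
#!/bin/sh
# Added example: build and install daq and snort with a computed -j value.
# Assumes the two source trees were unpacked under the current directory as in
# step 2; DAQ_DIR / SNORT_DIR are placeholders for the versions you downloaded.
set -eu

# n+1 jobs, where n is the CPU core count (the rule of thumb from the text).
# An explicit core count can be passed so the rule can be checked without probing the host.
jobs_for() {
    cores="${1:-$(nproc 2>/dev/null || echo 1)}"
    echo $((cores + 1))
}

# daq will not build without libpcap-devel, so check both -devel packages up front.
check_devel_packages() {
    missing=0
    for pkg in libpcap-devel libdnet-devel; do
        rpm -q "$pkg" >/dev/null 2>&1 || { echo "missing package: $pkg" >&2; missing=1; }
    done
    return $missing
}

# configure, make and make install in one source directory; the && chain stops at
# the first failure instead of continuing the way ';'-separated commands would.
build_and_install() {
    srcdir="$1"; shift
    jobs="$(jobs_for)"
    ( cd "$srcdir" \
      && ./configure "$@" \
      && make -j "$jobs" \
      && su -c "make install -j $jobs" ) || return 1
    # refresh the dynamic linker cache for both possible library paths
    su -c "ldconfig /usr/local/lib /usr/local/lib64"
}

main() {
    check_devel_packages
    build_and_install "${DAQ_DIR:-daq-[version]}"
    build_and_install "${SNORT_DIR:-snort-[version]}" --enable-sourcefire
}

# usage: sh build-snort.sh build   (nothing runs when the script is only sourced)
case "${1:-}" in
    build) main ;;
esac
```

Run it from the directory that holds the unpacked daq and snort trees; su will prompt for the root password once per install step.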

Now we just need to copy all the snort configuration files into our system's /etc/ directory.

cp -R /path/to/snort-files/snort-[version]/etc/ /etc/snort/
cd /etc/snort

3. Getting Snort Rules

Now we will need to download the latest snort rules from the snort website. Visit https://snort.org/ and create an account (it's free), then once you have confirmed your email, log in, click your email on the top right and then select “Oinkcode” in the menu.

Now you just need to supply your oinkcode when attempting to download the rules. Note that when supplying the version, if for example you used snort version 2.9.7.6 then it will be set as 2976 for the rules URL.

# quote the URL: '?' is a shell glob character and may otherwise be mangled
wget "https://snort.org/rules/snortrules-snapshot-[version].tar.gz?oinkcode=[oinkcode]" -O snortrules.tar.gz
tar zxf snortrules.tar.gz
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
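The download step above as a reusable script, an added example that is not part of the original post or of snort itself. It derives the rules URL version from the snort version the way the text describes (2.9.7.6 becomes 2976), reads the oinkcode from a mode 0600 file instead of the command line (where it would end up in shell history), and checks that what came back is actually a gzip archive before unpacking it. OINKCODE_FILE and RULES_DIR are assumed locations.

```shell
#!/bin/sh
# Added example: fetch a snort rules snapshot with the oinkcode kept in a
# private file. OINKCODE_FILE and RULES_DIR are assumptions; adjust for your host.
set -eu

OINKCODE_FILE="${OINKCODE_FILE:-/etc/snort/oinkcode}"
RULES_DIR="${RULES_DIR:-/etc/snort}"

# "2.9.7.6" -> "2976": the rules URL uses the snort version with the dots removed.
rules_version() {
    printf '%s' "$1" | tr -d '.'
}

# Build the snapshot URL for a given snort version and oinkcode.
rules_url() {
    printf 'https://snort.org/rules/snortrules-snapshot-%s.tar.gz?oinkcode=%s' \
        "$(rules_version "$1")" "$2"
}

# Read the oinkcode from a file only its owner can read; refuse anything looser.
read_oinkcode() {
    mode="$(stat -c '%a' "$OINKCODE_FILE")"
    [ "$mode" = "600" ] || { echo "$OINKCODE_FILE must be mode 0600 (is $mode)" >&2; return 1; }
    tr -d '[:space:]' < "$OINKCODE_FILE"
}

# Fetch, sanity-check and unpack the snapshot into RULES_DIR.
update_rules() {
    version="$1"
    code="$(read_oinkcode)"
    tmp="$(mktemp)"
    # the URL is quoted: '?' is a shell glob character
    wget -q "$(rules_url "$version" "$code")" -O "$tmp"
    # a rejected oinkcode yields an HTML error page rather than a gzip tarball
    gzip -t "$tmp" 2>/dev/null || {
        echo "download is not a gzip archive; check the oinkcode" >&2
        rm -f "$tmp"; return 1
    }
    tar zxf "$tmp" -C "$RULES_DIR"
    rm -f "$tmp"
    # the list files must exist even when empty, or snort -T fails
    touch "$RULES_DIR/rules/white_list.rules" "$RULES_DIR/rules/black_list.rules"
    chown -R snort:snort "$RULES_DIR"
}

# usage: sh update-rules.sh update 2.9.7.6
case "${1:-}" in
    update) update_rules "${2:?snort version required, e.g. 2.9.7.6}" ;;
esac
```

Create the oinkcode file once with umask 077 (for example `umask 077; echo YOUR_OINKCODE > /etc/snort/oinkcode`) and the script will refuse to run if its permissions are later loosened.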

Once that is done, we want to make sure that snort will only run as a non-privileged user who is unable to log in to a shell. We can do this with the following commands:

# create the group first so the user can be placed in it; openSUSE does not
# create a per-user group by default, so -g is needed for snort:snort to hold
groupadd snort
useradd snort -g snort -d /var/log/snort -s /bin/false -c SNORT_IDS
cd /etc/snort && chown -R snort:snort *


On 32-bit installs, the library files are installed in /usr/local/lib, therefore you must remember to use lib and not lib64 when dealing with libraries in the config files, or else you will get errors regarding missing libs!

4. Finishing The File Configuration

In the next steps we will be changing the file permissions so that only snort and root can access these files. Please note that if you are on a 32-bit system you will need to replace lib64 with lib.

mkdir /var/log/snort; chmod 700 /var/log/snort; chown snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib64/snort*
mkdir /usr/local/lib64/snort_dynamicrules
chown -R snort:snort /usr/local/lib64/snort_*
chown -R snort:snort /usr/local/lib64/pkgconfig
chmod -R 700 /usr/local/lib64/snort*
chmod -R 700 /usr/local/lib64/pkgconfig
chown -R snort:snort /usr/local/bin/daq-modules-config
chown -R snort:snort /usr/local/bin/u2*
chmod 700 /usr/local/bin/u2*
chown -R snort:snort /etc/snort
chmod -R 700 /etc/snort
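A check script for the hardening above, added here as an example (it is not from the original post or from snort). It confirms that the snort account has no login shell and that each directory and binary the commands touch is mode 700 and owned by snort:snort, reporting every mismatch rather than stopping at the first. LIBDIR is an assumed variable; set it to lib on a 32-bit install.

```shell
#!/bin/sh
# Added example: audit the ownership and permissions step 4 is meant to produce.
# LIBDIR defaults to lib64; use LIBDIR=lib on a 32-bit install.
set -u
LIBDIR="${LIBDIR:-lib64}"

# check_perms PATH MODE OWNER:GROUP -> 0 if PATH has exactly that mode and owner, 1 otherwise
check_perms() {
    path="$1"; want_mode="$2"; want_owner="$3"
    [ -e "$path" ] || { echo "MISSING  $path" >&2; return 1; }
    have="$(stat -c '%a %U:%G' "$path")"
    if [ "$have" = "$want_mode $want_owner" ]; then
        echo "ok       $path ($have)"
        return 0
    fi
    echo "MISMATCH $path: have $have, want $want_mode $want_owner" >&2
    return 1
}

# The snort account must not be able to log in to a shell.
check_shell() {
    user="$1"
    shell="$(getent passwd "$user" | cut -d: -f7)"
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) echo "user $user has login shell '$shell'" >&2; return 1 ;;
    esac
}

# Walk the paths the tutorial hardens; the return value is the number of failed checks.
audit_snort() {
    failures=0
    check_shell snort || failures=$((failures + 1))
    for p in /var/log/snort /etc/snort \
             /usr/local/$LIBDIR/snort_dynamicengine \
             /usr/local/$LIBDIR/snort_dynamicpreprocessor \
             /usr/local/$LIBDIR/snort_dynamicrules \
             /usr/local/$LIBDIR/pkgconfig; do
        check_perms "$p" 700 snort:snort || failures=$((failures + 1))
    done
    # the unified2 tools in /usr/local/bin are also chmod 700 by the tutorial
    for b in /usr/local/bin/u2*; do
        [ -e "$b" ] || continue
        check_perms "$b" 700 snort:snort || failures=$((failures + 1))
    done
    return $failures
}

# usage: sh audit-snort.sh audit   (exit status is the number of failed checks)
case "${1:-}" in
    audit) audit_snort ;;
esac
```

Run it as root after the chown/chmod commands; a non-zero exit status means something was missed, and the MISMATCH lines say what.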

If you are on a 64-bit system, open /etc/snort/snort.conf and change “lib” to “lib64” in the following lines:

...
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
...
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
...
dynamicdetection directory /usr/local/lib/snort_dynamicrules
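The same edit done with sed, as an added example that is not part of the original post or of snort. It picks lib or lib64 by checking where libsf_engine.so was actually installed, rewrites only the three dynamic* directives, and leaves every other line of the file alone; a wrong choice here is what produces the “Could not stat dynamic module path” error mentioned later. SNORT_CONF is an assumed variable.

```shell
#!/bin/sh
# Added example: point the dynamic-module paths in snort.conf at the library
# directory that exists on this host. SNORT_CONF is an assumption.
set -eu
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Decide between lib and lib64 by looking for the installed dynamic engine.
detect_libdir() {
    if [ -e /usr/local/lib64/snort_dynamicengine/libsf_engine.so ]; then
        echo lib64
    else
        echo lib
    fi
}

# set_libdir CONF LIBDIR: rewrite /usr/local/lib/ or /usr/local/lib64/ to
# /usr/local/LIBDIR/ on the dynamicpreprocessor, dynamicengine and
# dynamicdetection lines only; comments and other directives are untouched.
set_libdir() {
    conf="$1"; libdir="$2"
    sed -i -E \
        "/^(dynamicpreprocessor|dynamicengine|dynamicdetection) /s#/usr/local/lib(64)?/#/usr/local/${libdir}/#" \
        "$conf"
}

# Print the directives after editing so the result can be eyeballed.
show_dynamic_paths() {
    grep -E '^(dynamicpreprocessor|dynamicengine|dynamicdetection) ' "$1"
}

# usage: sh fix-libdir.sh fix   (keeps a .bak copy of the original file)
case "${1:-}" in
    fix)
        cp "$SNORT_CONF" "$SNORT_CONF.bak"
        set_libdir "$SNORT_CONF" "$(detect_libdir)"
        show_dynamic_paths "$SNORT_CONF"
        ;;
esac
```

Because detect_libdir looks at the installed engine rather than at the architecture, it also does the right thing on a 64-bit host where make install happened to use /usr/local/lib.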

Now that we have finished configuring snort, it's time to test it! Run the following command to start snort in testing mode; it will tell you whether the whole configuration is correct:

/usr/local/bin/snort -T -i [INTERFACE] -u snort -g snort -c /etc/snort/snort.conf

You should see the following output:

...
Snort successfully validated the configuration!
Snort exiting

If you hit an error along the lines of “Could not stat dynamic module path..”, use the locate command to find where the library actually lives; it may be that you just need to change lib to lib64 in /etc/snort/snort.conf, or vice versa.

With that we have confirmed that snort is able to run without issues.

This entry was posted in Linux, openSUSE, Security.