SNORT (IDS/IPS) Configuration and Implementation

Let's start with how to install SNORT, which is both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). We tested this installation of SNORT on RHEL5.
Step1 : Download the following packages
libpcap-1.0.0.tar.gz
pcre-8.00.tar.gz
libnet-1.0.2a.tar.gz (This is an optional package, needed only if you want SMB popup alerts on Windows machines.)
snort-2.8.5.1.tar.gz
acid-0.9.6b23.tar.gz
Note : Don't try to install SNORT through rpm packages; install from the source packages instead, because there are so many dependencies. Install the above packages in the order listed so that the dependencies resolve.
Step2 : Untar the packages one by one.
#tar xvfz packagename.tar.gz
Step3 : Change to the libpcap-1.0.0 directory and run the ./configure shell script. This checks the system attributes and generates the Makefile that is then used to build and install the libpcap package, as follows.
#cd libpcap-1.0.0
#./configure
#make
#make install
Note : If anything goes wrong, search for the error message in Google.
Step4 : After installing libpcap, install the pcre package, which provides the regular-expression matching used to check captured packets against multiple entries. First change to the pcre-8.00 directory, then run the following commands
#cd ../pcre-8.00
#./configure
#make
#make check
#make install
Step5 : Now install the libnet package.
#cd ../libnet-1.0.2a
#./configure
#make
#make check
#make install
Step6 : Now install the most important package in our IDS/IPS setup, SNORT itself. Follow the commands below. Be careful at this step: SNORT can be installed as a standalone system or as a complete system with DB/web server/ACID support. If you are planning to install SNORT standalone, just run ./configure after changing to the snort-2.8.5.1 directory. Here I am going to build a complete SNORT system with all the capabilities. Before that we should know what the snort source directory contains; please get familiar with it and read the relevant readme files in the doc/ folder.
Note : Do the following things before installing SNORT.
1. Copy the etc/ directory from the source tree to /etc/snort (so the configuration will live at /etc/snort/etc/snort.conf).
2. Create the /var/log/snort directory for snort's logging activity (remember that this path must be set in the main configuration file, in our case /etc/snort/etc/snort.conf).
3. Create the /etc/snort/rules directory for the snort rules files.
#mkdir /etc/snort
#cp -ar ./etc /etc/snort/
#mkdir /var/log/snort
#mkdir /etc/snort/rules
Now start installing SNORT
# ./configure --with-mysql --with-snmp --enable-smbalerts --enable-flexresp
#make
#make check
#make install
Good, we are done with the installation of SNORT.
In the next post I will show you how to configure SNORT and integrate it with MySQL and ACID.
Please comment your thoughts regarding this post :-)

How To Uninstall A Source Package?

In Linux we can install packages in many ways, such as:
#rpm -ivh packagename.ver.arch.rpm
This installs from an rpm package with the rpm package manager.

#yum install packagename
This installs through yum, which uses the rpm package manager internally.
#apt-get install packagename
This installs .deb packages.

#sh file.sh
This installs from a shell script.
#./configure;make;make check;make install
This installs from a source package.
Etc. But when we want to uninstall the above packages we use package-removal commands such as the ones below.
#rpm -e packagename
For uninstalling an rpm package that was installed through rpm/yum.

#yum remove packagename
For uninstalling through yum, etc.
But what about uninstalling a source package? How do we uninstall a source package?
This can be done in two ways.
Way1 : If we still have the source code on our system, then it is very easy to uninstall, as shown below
#cd sourcefolderpath
#make uninstall
This will completely uninstall the package/software.

Way2 : If you don't have the source code, this is the hard way: we have to visit the many locations/folders where the package created its supporting files. Some common locations for a package's files are as follows
/etc/packagename
/var/log/packagename
/usr/local/packagename
/bin/
/sbin/
/usr/bin/
/usr/sbin/
/usr/share/doc/packagename

Etc. So we have to go to each folder and remove all the files whose names contain packagename.
Note : If you install a package from source, the rpm -e and yum remove commands will not help in removing it.
Please comment your thoughts regarding this post :-)
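For the build steps in the SNORT post (Steps 3 to 6) and the Way2 problem above of not knowing which files a source package scattered around the system, here is an added example that is not code from the original posts: it runs the same ./configure, make, make install sequence but installs into a staging directory first, records a manifest of every file, and can later remove exactly those files. It assumes the package Makefiles honour DESTDIR and uses /var/lib/srcpkg as an assumed location for the manifests.

```shell
# Added example, not from the original posts: build a source package into a staging
# directory, record every file it installs in a manifest, copy it into place, and later
# remove exactly those files. Assumes "make install" honours DESTDIR (autoconf packages do).
set -e
# ./configure, make, then "make install" redirected into <stage> instead of /.
build_and_stage() {          # build_and_stage <srcdir> <stage> [configure args...]
    srcdir=$1; stage=$2; shift 2
    ( cd "$srcdir" && ./configure "$@" && make && make install DESTDIR="$stage" )
}

# Record the absolute path of every staged file or symlink in <manifest> and print
# the entry count. Directories are not recorded because they may be shared.
write_manifest() {           # write_manifest <stage> <manifest>
    ( cd "$1" && find . \( -type f -o -type l \) | sed 's|^\.||' ) | sort > "$2"
    grep -c . "$2"
}

# Copy the staged tree into <prefix> (default /), keeping modes and timestamps.
install_from_stage() {       # install_from_stage <stage> [prefix]
    prefix=${2:-/}
    mkdir -p "$prefix" && cp -Rp "$1"/. "$prefix"/
}

# Remove each manifest entry under <prefix>; print how many files were removed.
uninstall_from_manifest() {  # uninstall_from_manifest <manifest> [prefix]
    prefix=${2:-}; removed=0
    while IFS= read -r f; do
        if [ -n "$f" ] && { [ -e "$prefix$f" ] || [ -L "$prefix$f" ]; }; then
            rm -f "$prefix$f"; removed=$((removed + 1))
        fi
    done < "$1"
    echo "$removed"
}

# The post's build order and snort configure flags, one manifest per package under
# /var/lib/srcpkg (an assumed location). Each package is installed before the next is
# configured, so pcre and snort find libpcap where their configure scripts look.
build_snort_stack() {        # build_snort_stack <dir holding the untarred sources>
    srcroot=$1; mkdir -p /var/lib/srcpkg
    for pkg in libpcap-1.0.0 pcre-8.00 libnet-1.0.2a snort-2.8.5.1; do
        stage=$(mktemp -d)
        case $pkg in
            snort-*) set -- --with-mysql --with-snmp --enable-smbalerts --enable-flexresp ;;
            *)       set -- ;;
        esac
        build_and_stage "$srcroot/$pkg" "$stage" "$@"
        write_manifest "$stage" "/var/lib/srcpkg/$pkg.manifest" >/dev/null
        install_from_stage "$stage" / && rm -rf "$stage"
    done
}
```

The manifest approach also works for packages whose Makefile has no uninstall target, and it leaves directories in place since they may be shared with other software.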

The Linux Juggernaut | Copyright 2006-2009 Surendra Kumar Anne