This document describes the process of setting up a Snort Intrusion Detection System (IDS) with Red Hat Enterprise Linux (RHEL) Server 6.5 on x86/64 hardware. This guide will also detail some of the most popular methods of event distribution (alerting), using Barnyard2 for processing events to send to a database (to utilize BASE or another SIEM / log management product like Splunk) or syslog.
The sensor configuration assumed for this guide consists of two network interfaces (this will not be an inline sensor (IPS)). One will be for management and one will be connected to the network SPAN, TAP or hub on the edge device to monitor all traffic.
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It may be in a very vulnerable position, facing that filthy and scary Internet.
- PowerEdge 2950
- 2x 5060 3.20 GHz Dual-Core CPUs / 8GB RAM
- 15k SAS RAID0 (take a chance!)
- RHEL 6.5 / x86_64
- Snort: 188.8.131.52
- Barnyard2: Latest git bits
This guide should also work (with some modifications) for Scientific Linux and CentOS derivative versions of RHEL.
II. Install and Setup the Operating Environment
Go through the installation procedure and set things up according to your network and needs. You may want to nudge up the size on the /var partition, depending on your estimated requirements.
When you are presented with the software sets screen, select "Basic Server" and then "Customize now" - click Next.
Next is the part where I either would have used Kickstart or just spend a while de-selecting/selecting packages I know I will or will not need. This is a fairly simple base installation, so we don't really need to add anything (unless you need the PostgreSQL database client). If you know you won't need something, it is best to not install it, however.
After rebooting, log in as root and enter the command ntsysv. This will start the services management application. Here you can select or de-select the services you want started at boot. Go through the list and edit as your environment requires. One obvious selection would be ntpd/ntpdate, and don't forget to edit the /etc/ntp.conf file if using custom NTP servers.
Any service changes will go into effect after rebooting (but don't do that yet).
As root, enter the command system-config-firewall-tui. This will start the Firewall Configuration tool. Unless you need to open something other than incoming SSH, there isn't much to do here. Any changes will go into effect immediately.
Note, I live like there is no tomorrow. Just turn off iptables in services (ntsysv) and enjoy the feeling.
I also disable SELinux, but if you are comfortable with the detailed configurations necessary for this feature, by all means, leave it on Enforcing and pay attention! To disable this feature, edit the /etc/selinux/config file so the SELINUX variable is "disabled" instead of "enforcing." A reboot is necessary for this change to take effect.
Register System with RHN, Update and Reboot
Now it's time to run rhn_register and take advantage of that online management and support you bought. Don't forget, Red Hat offers big discounts for educational customers - give them a call and see what they can do for you. As for the registration process here, just follow the prompts. Pretty straight forward.
Finally, you should run yum update. It is important to keep your system as up to date as possible. When this process is finished, reboot and continue on!
III. Install Dependencies
|# yum install gcc gcc-c++ flex bison pcre-devel zlib-devel libpcap-devel postgresql-devel automake libtool
# cd /usr/src
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar zxvf
# rm libdnet-1.12.tgz && cd libdnet-1.12
# ./configure &&
make && make install
|# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/daq-2.0.2.tar.gz
# tar zxvf daq-2.0.2.tar.gz
# rm daq-2.0.2.tar.gz && cd daq-2.0.2
# ./configure && make && make install
This is just an example of flag(s) to set for configure. You should only use what you need for your setup.
Note: If you're like me, you're probably going to throw the occasional >2GB PCAP file at Snort for analysis (outside of normal traffic monitoring, we're not mission critical here). Add --enable-large-pcap if you plan on doing that.
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/snort-184.108.40.206.tar.gz
# tar zxvf snort-220.127.116.11.tar.gz
# rm snort-18.104.22.168.tar.gz && cd snort-22.214.171.124
# ./configure --enable-sourcefire
# make && make install
# cd /usr/src
# wget https://github.com/firnsy/barnyard2/archive/master.zip -O by2.zip
# unzip by2.zip
# rm by2.zip
# cd barnyard2-master
If using PostgreSQL:
# ./configure --with-postgresql
# make && make install
If *only* using Syslog:
# make && make install
We will be configuring this sensor to monitor traffic on a "stealth" interface. On my system, the second interface (the one wired to the tap, SPAN or hub) name is eth1. In the example below, you may need to change for your specific system. ifconfig -a will show you what you have.
Setup Stealth NIC
Then, for ensuring this occurs at boot, edit /etc/sysconfig/network-scripts/ifcfg-eth1 from ONBOOT="no" to ONBOOT="yes".
Get and Install Rules
NOTE: This is the manual way. If you want to make things a little easier, check out Pulled Pork.
|# mkdir /etc/snort
# mkdir /var/log/snort
Next, we need to download the latest rules/signatures. Do this often, and be careful once you start customizing or adding them. It can be very depressing to upgrade Snort or refresh the rules and find your work overwritten! Here, we will use the Sourcefire VRT rules.
There are two rulesets available: Subscribers and Registered Users. Details are on the VRT Rules download page. You will need to go fetch the rules package via a Web browser and move them to this sensor's /etc/snort directory. Also, for the precompiled .so rules, substitute i386 for x86-64 if you're on a 32-bit platform.
|# cd /etc/snort/
# tar zxvf snortrules-snapshot-2960.tar.gz
# rm snortrules-snapshot-2960.tar.gz
# mkdir /usr/local/lib/snort_dynamicrules
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/126.96.36.199/*.so /usr/local/lib/snort_dynamicrules/
# cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
Keep in mind, subscribers will get the most up to date version. Pitch the nickel, it's worth it.
Rather than go into intricate detail on this process, I shall refer you to the excellent information provided by the Snort team. The Snort Manual will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customize for now are:
|# vi /etc/snort/etc/snort.conf
- ipvar HOME_NET any
- example: ipvar HOME_NET [192.168.0.0/16]
- ipvar EXTERNAL_NET any
- example: ipvar EXTERNAL_NET !$HOME_NET
We also need to configure Section #6 in snort.conf titled:
This is where we configure the unified2 output plugin. This is the data that Barnyard2 will be using to export events to your database. All you have to do is uncomment and edit the output unified2 line to look like this:
# output unified2: filename /var/log/snort/merged.log, limit 128
Unless you want to use reputation filters, find this section and comment the whole block:
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
Towards the end of the snort.conf file (Step #7: Customize your rule set and Step #8: Customize your preprocessor and decoder alerts), is where you need to edit so Snort knows which rules to use. Go through the rules and add/delete the ones listed so that only the ones you need are active.
Finally, Step #9: Customize your Shared Object Snort Rules. Edit to taste.
That's it. Save it and continue.
VI. Configure Barnyard2
We will be using Barnyard2 to offload the output processing from Snort. These events will be sent to another system hosting PostgreSQL or to a remote syslog server.
Let's get to the barnyard2.conf file:
|# cp /usr/src/barnyard2-master/etc/barnyard2.conf /etc/snort/
# vi /etc/snort/barnyard2.conf
Uncomment/comment and/or edit the following lines. Bold indicates changes/additions (and use a better password for the DB than snort, please). The server variable should point to the address of your PostgreSQL server:
config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map
config logdir: /var/log/snort
config hostname: titan (this it the sensor's hostname)
config interface: eth0 (the management interface (NIC to database or syslog server))
config daemon (uncomment to run in background)
config show_year (uncomment to include year in timestamps)
config waldo_file: /var/log/snort/by2.waldo (uncomment, define waldo file location)
output database: log, postgresql, user=snort dbname=snort host=pg-server
output alert_syslog_full: sensor_name phobos-eth1, server 192.168.2.3, protocol udp, port 518, operation_mode default
Finally, we need to create the waldo file (we will be using this as a checkpoint file for continuous mode w/ bookmarking):
|# touch /var/log/snort/by2.waldo
Use the following commands to start everything (the -D puts Snort in daemon mode):
|# snort -c /etc/snort/etc/snort.conf -i eth1 -D
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log
The -c option specifies the location of the barnyard2.conf file.The -d and -f options specify the directory and name of the Snort logging files, respectively. Lastly, the -w option specifies the location of the waldo file we've just created.