{{tag>[security snort centos7]}}
=====Snort on CentOS 7 - As IDS for RouterOS=====
====Create VM====
* 2 vCPU
* 2048GB memory
* 32GB storage
====Install daq and snort====
* Download the snort and daq RPMs from [[https://www.snort.org/downloads]]
* Verify the MD5 sum against the value published on the download page before installing, for example:
<code bash>
md5sum snort-2.9.7.2-1.centos7.x86_64.rpm
163d62f7dab09c241f6f6e61228a8299 snort-2.9.7.2-1.centos7.x86_64.rpm
</code>
* Install the RPMs (daq first, since snort depends on it):
<code bash>
yum install ./daq-2.0.4.RH7.x86_64.rpm
yum install ./snort-2.9.7.2-1.centos7.x86_64.rpm
</code>
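The MD5 step above is easy to skip or to eyeball wrongly. The following helper is an added example, not part of the original page: it compares the checksum and refuses to run ''yum install'' on a mismatch, so a corrupted or tampered download fails closed instead of being installed. The function names and the sample usage are assumptions; the expected hash comes from the download page, exactly as in the manual step. Note that MD5 only detects accidental corruption reliably; it is used here because that is what the download page publishes.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_MD5
# Returns 0 when the file's MD5 matches EXPECTED_MD5, 1 otherwise.
# Fails closed: a missing file or a mismatch is an error.
verify_md5() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# install_rpm_checked FILE EXPECTED_MD5
# Installs the local RPM only after verify_md5 has accepted it.
# (Hypothetical helper; yum flags are the standard ones.)
install_rpm_checked() {
    verify_md5 "$1" "$2" || return 1
    yum install -y "./$1"
}

# Usage with the values from this page:
# install_rpm_checked snort-2.9.7.2-1.centos7.x86_64.rpm 163d62f7dab09c241f6f6e61228a8299
```

Run it from the directory holding the downloaded RPMs; a mismatch prints the expected and actual hashes to stderr and nothing is installed.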
====Install Pulled Pork (rule updater)====
* Install the Perl requirements:
<code bash>
yum install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar perl-Sys-Syslog perl-LWP-Protocol-https
</code>
* Download the tar.gz from [[https://code.google.com/p/pulledpork/]]
* Extract:
<code bash>
tar zxvf pulledpork-0.7.0.tar.gz
</code>
* Install:
<code bash>
cd pulledpork-0.7.0/
mkdir -p /opt/pulledpork/{bin,etc}
cp pulledpork.pl /opt/pulledpork/bin ; chmod 755 /opt/pulledpork/bin/pulledpork.pl
cp etc/* /opt/pulledpork/etc/
</code>
* Edit /opt/pulledpork/etc/pulledpork.conf and add your oinkcode (the snort.org account key used to fetch the registered rule sets).
* Verify the configuration with a test run (''-T'' only downloads and processes, without touching the live rules):
<code bash>
./pulledpork.pl -vv -c /opt/pulledpork/etc/pulledpork.conf -T -l
</code>
* Add a daily update to cron.daily:
<code bash>
/opt/pulledpork/bin/pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf
</code>
====Install trafr====
* Make the directory:
<code bash>
mkdir /opt/trafr
cd /opt/trafr
</code>
* Download and extract:
<code bash>
wget http://www.mikrotik.com/download/trafr.tgz
tar zxvf trafr.tgz
</code>
* Install the 32-bit libraries (trafr is a 32-bit binary):
<code bash>
yum install glibc-2.17-78.el7.i686
</code>
====Configure RouterOS====
* Enable streaming of sniffed packets to the Snort host. The streaming-server value is the IP address of the machine running trafr (left blank here); filter-stream=yes keeps the sniffer's own stream traffic out of the capture, so it is not fed back into Snort:
<code>
/tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=
/tool sniffer start
</code>
====Test trafr====
* Test: trafr receives the RouterOS stream and writes it as pcap to stdout, so it can be piped into tcpdump first to confirm packets are arriving, then into snort (''-r -'' reads the pcap from stdin):
<code bash>
./trafr -s | tcpdump -r - -n
./trafr -s | /sbin/snort -r -
</code>