{{tag>[security snort centos7]}}

=====Snort on CentOS 7 - As IDS for RouterOS=====

====Create VM====
  * 2 vCPU
  * 2048GB memory
  * 32GB storage
====Install daq and snort====
  * Download snort and daq RPM's from [[https://www.snort.org/downloads]]
  * Verify MD5 sum, for example:<code>md5sum snort-2.9.7.2-1.centos7.x86_64.rpm
163d62f7dab09c241f6f6e61228a8299  snort-2.9.7.2-1.centos7.x86_64.rpm</code>
  * Install RPM's:<code>yum install ./daq-2.0.4.RH7.x86_64.rpm
yum install snort-2.9.7.2-1.centos7.x86_64.rpm</code>

====Install Pulled Pork (rule updater)====
  * Install requirements:<code>yum install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar perl-Sys-Syslog perl-LWP-Protocol-https</code>
  * Download tar.gz from [[https://code.google.com/p/pulledpork/]]
  * Extract:<code>tar zxvf pulledpork-0.7.0.tar.gz</code>
  * Install:<code>cd pulledpork-0.7.0/
mkdir -p /opt/pulledpork/{bin,etc}
cp pulledpork.pl /opt/pulledpork/bin ; chmod 755 /opt/pulledpork/bin/pulledpork.pl
cp etc/* /opt/pulledpork/etc/</code>
  * Edit /opt/pulledpork/etc/pulledpork.conf, and add oinkcode.
  * Verify:<code> ./pulledpork.pl -vv -c /opt/pulledpork/etc/pulledpork.conf -T -l</code>
  * Add to cron-daily:<code>/opt/pulledpork/bin/pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf</code>

====Install trafr====
  * Make directory:<code>mkdir /opt/trafr
cd /opt/trafr</code>
  * Download:<code>wget http://www.mikrotik.com/download/trafr.tgz
tar zxvf trafr.tgz</code>
  * Install 32 bit libraries:<code>yum install glibc-2.17-78.el7.i686</code>

====Configure RouterOS====
  * Enalble steaming:<code>/tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=<ip_of_the_server>
/tool sniffer start</code>
====Test trafr====
    * Test:<code>./trafr -s | tcpdump -r - -n
./trafr -s | /sbin/snort -r -</code>