Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools


snort_2.9.6.1_centos_6.5

Snort 2.9.6.1 on CentOS 6.5

Install prerequisites

  • EPEL repo
  • RPMForge repo
  • Download snort and daq RPM's from snort.org
  • Install RPM's
    yum install libdnet-1.11-1.2.el6.rf.x86_64    #rpmforge
    yum localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
    yum localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm

Configure Snort

  • Edit /etc/sysconfig/snort
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

Copy any dynamic rulesets you have or are using to the above directory.

Test rule

Put as last line in snort.conf

alert icmp any any -> 1.2.3.4 any (msg: "Gateway ping"; sid:10000001;)

Find the alerts in the log

05/09-09:00:07.648953  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.654956  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.660981  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.666729  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4

You can even show contents of the packets with tcpdump

tcpdump -r snort.log.1399615922
snort_2.9.6.1_centos_6.5.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1