Ben's notes

Linux, Unix, network, radio...

snort_2.9.6.1_centos_6.5

Install prerequisites

  • EPEL repo
  • RPMForge repo
  • Download the snort and daq RPMs from snort.org
  • Install the RPMs (libdnet comes from RPMForge, the other two are the downloaded files):
    yum install libdnet-1.11-1.2.el6.rf.x86_64    #rpmforge
    yum localinstall ./daq-2.0.2-1.centos6.x86_64.rpm
    yum localinstall ./snort-2.9.6.1-1.centos6.x86_64.rpm

Configure Snort

  • Edit /etc/sysconfig/snort
  • Create the dynamic rules directory, owned by the snort user and accessible only to it:
    mkdir -p /usr/local/lib/snort_dynamicrules
    chown -R snort:snort /usr/local/lib/snort_dynamicrules
    chmod -R 700 /usr/local/lib/snort_dynamicrules

Copy any dynamic rulesets you have or are using into that directory.

Test rule

Add this as the last line of snort.conf. It alerts on any ICMP packet sent to 1.2.3.4 (substitute an address you can ping); SIDs of 1000000 and above are reserved for local rules like this one.

alert icmp any any -> 1.2.3.4 any (msg: "Gateway ping"; sid:10000001;)

Ping that address and the alerts appear in Snort's alert log:

05/09-09:00:07.648953  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.654956  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.660981  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.666729  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
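To confirm the test rule actually fired as written, it helps to check the alert log against the rule rather than eyeballing it. The following script is an added example (not from this page or from the Snort project): it parses the fast-alert format shown above and the single-line rule format, checks that every alert carrying the rule's sid matches its msg, protocol and destination, and summarizes alerts per rule and per source. The sample log embeds the four lines above plus a constructed TCP alert (sid 10000002) and one junk line to show how unparsable lines are counted; all function names are this example's own.

```python
import re
from collections import Counter

# Test rule from this page.
TEST_RULE = 'alert icmp any any -> 1.2.3.4 any (msg: "Gateway ping"; sid:10000001;)'

# Constructed sample: the four alerts from the page, one made-up TCP alert with
# a Classification field, and one non-alert line that must be skipped.
SAMPLE_ALERT_LOG = """\
05/09-09:00:07.648953  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.654956  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.660981  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:00:07.666729  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
05/09-09:01:12.000001  [**] [1:10000002:1] Constructed TCP test [**] [Classification: Misc activity] [Priority: 3] {TCP} 6.7.8.10:44321 -> 1.2.3.4:22
this line is not an alert and is skipped
"""

# One line of Snort "fast" alert output. Classification is optional;
# TCP/UDP addresses carry a :port suffix.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Rule header; the option list in parentheses is split separately.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Parse a single-line rule into header fields plus its options.
    Assumes option values contain no ';' (true for the rule on this page)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule header: %r" % line)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        rule[key.strip()] = value.strip().strip('"')
    if "sid" not in rule:
        raise ValueError("rule has no sid: %r" % line)
    rule["sid"] = int(rule["sid"])
    return rule


def parse_alerts(text):
    """Return (alerts, unparsed_line_count) for a block of fast-alert lines."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if not m:
            unparsed += 1
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "priority"):
            a[k] = int(a[k])
        # Drop the :port suffix on TCP/UDP so addresses compare as plain IPs (IPv4 assumed).
        has_port = a["proto"] in ("TCP", "UDP")
        a["src_ip"] = a["src"].rsplit(":", 1)[0] if has_port else a["src"]
        a["dst_ip"] = a["dst"].rsplit(":", 1)[0] if has_port else a["dst"]
        alerts.append(a)
    return alerts, unparsed


def check_test_rule(rule, alerts):
    """Count alerts for the rule's sid and verify they agree with the rule's
    msg, protocol and (for a literal destination IP) destination address."""
    hits = [a for a in alerts if a["sid"] == rule["sid"]]
    consistent = all(
        a["msg"] == rule["msg"]
        and a["proto"].lower() == rule["proto"].lower()
        and (rule["dst"] == "any" or a["dst_ip"] == rule["dst"])
        for a in hits
    )
    return {"hits": len(hits), "consistent": consistent}


def summarize(alerts):
    """Alert counts per (sid, msg) and per source address, for quick triage."""
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    return by_rule, by_src


if __name__ == "__main__":
    rule = parse_rule(TEST_RULE)
    alerts, skipped = parse_alerts(SAMPLE_ALERT_LOG)
    print("test rule:", check_test_rule(rule, alerts), "| unparsed lines:", skipped)
    by_rule, by_src = summarize(alerts)
    for (sid, msg), n in by_rule.most_common():
        print("sid %d (%s): %d alert(s)" % (sid, msg, n))
    for src, n in by_src.most_common():
        print("source %s: %d alert(s)" % (src, n))
```

Point it at a real alert file by replacing SAMPLE_ALERT_LOG with the file's contents; a nonzero unparsed count is worth a look, since it usually means a different output plugin or a multi-line alert format is in use.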

You can also inspect the packets themselves: Snort writes them in pcap format to snort.log.<timestamp> in its log directory, which tcpdump can read back:

tcpdump -r snort.log.1399615922

snort_2.9.6.1_centos_6.5.1401972761.txt.gz · Last modified: 2014/06/05 12:52 by admin