Ben's notes

Linux, Unix, network, radio...

Snort on CentOS 7 - As IDS for RouterOS

Create VM

  • 2 vCPU
  • 2048GB memory
  • 32GB storage

Install daq and snort

  • Download the snort and daq RPMs from https://www.snort.org/downloads
  • Verify MD5 sum, for example:
    md5sum snort-2.9.7.2-1.centos7.x86_64.rpm
    163d62f7dab09c241f6f6e61228a8299  snort-2.9.7.2-1.centos7.x86_64.rpm
  • Install the RPMs:
    yum install ./daq-2.0.4.RH7.x86_64.rpm
    yum install snort-2.9.7.2-1.centos7.x86_64.rpm

Install Pulled Pork (rule updater)

  • Install requirements:
    yum install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar perl-Sys-Syslog perl-LWP-Protocol-https
  • Extract:
    tar zxvf pulledpork-0.7.0.tar.gz
  • Install:
    cd pulledpork-0.7.0/
    mkdir -p /opt/pulledpork/{bin,etc}
    cp pulledpork.pl /opt/pulledpork/bin ; chmod 755 /opt/pulledpork/bin/pulledpork.pl
    cp etc/* /opt/pulledpork/etc/
  • Edit /opt/pulledpork/etc/pulledpork.conf, and add oinkcode.
  • Verify:
    ./pulledpork.pl -vv -c /opt/pulledpork/etc/pulledpork.conf -T -l
  • Add to cron-daily:
    /opt/pulledpork/bin/pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf

Install trafr

  • Make directory:
    mkdir /opt/trafr
    cd /opt/trafr
  • Download:
    wget http://www.mikrotik.com/download/trafr.tgz
    tar zxvf trafr.tgz
  • Install 32 bit libraries:
    yum install glibc-2.17-78.el7.i686

Configure RouterOS

  • Enable streaming:
    /tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=<ip_of_the_server>
    /tool sniffer start

Test trafr

  • Test:
    ./trafr -s | tcpdump -r - -n
    ./trafr -s | /sbin/snort -r -
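
The RouterOS sniffer streams each captured frame to the server as a TZSP datagram on UDP port 37008, and `trafr -s` turns that stream into pcap on stdout so tcpdump or snort can read it. The following is an added example, not code from this page or from MikroTik's trafr: it parses TZSP and writes pcap records in pure Python, rejecting malformed datagrams instead of emitting garbage; the sample datagram, tag value and MAC addresses are constructed.

```python
import socket, struct, sys, time

TZSP_PORT = 37008                                # UDP port the RouterOS sniffer streams to
TAG_PADDING, TAG_END, ENCAP_ETHERNET = 0x00, 0x01, 0x0001
LINKTYPE_ETHERNET = 1                            # pcap link-layer type for Ethernet

def parse_tzsp(datagram: bytes) -> dict:         # raises ValueError on malformed input
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:                                  # walk the tag list up to TAG_END
        if pos >= len(datagram):
            raise ValueError("tag list runs past the end of the datagram")
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_END:                       # the captured frame follows
            break
        if tag == TAG_PADDING:                   # padding carries no length byte
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError(f"tag 0x{tag:02x} overruns the datagram")
        tags[tag] = datagram[pos + 1:pos + 1 + datagram[pos]]
        pos += 1 + datagram[pos]
    return {"type": ptype, "encap": encap, "tags": tags, "frame": datagram[pos:]}

def pcap_global_header() -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (little-endian pcap)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def pcap_record(frame: bytes, ts: float) -> bytes:
    sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

# Constructed sample: TZSP header, padding, one 4-byte tag (0x0d), TAG_END, Ethernet frame.
ETH_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(20)
SAMPLE_DATAGRAM = b"\x01\x00\x00\x01" b"\x00" b"\x0d\x04\x00\x00\x00\x2a" b"\x01" + ETH_FRAME

if __name__ == "__main__":                       # stand-in for "trafr -s": TZSP in, pcap out
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", TZSP_PORT))
    sys.stdout.buffer.write(pcap_global_header())
    while True:
        data, _ = sock.recvfrom(65535)
        try:
            sys.stdout.buffer.write(pcap_record(parse_tzsp(data)["frame"], time.time()))
            sys.stdout.buffer.flush()
        except ValueError as exc:
            print(f"dropped datagram: {exc}", file=sys.stderr)
```

Run on the server in place of `./trafr -s` and pipe its output into `tcpdump -r - -n` or `/sbin/snort -r -` exactly as above; it needs no 32-bit libraries.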

snort_on_centos7.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1