Snort Install Guide for Red Hat Enterprise Linux 5

Snort Install Guide for Red Hat Enterprise Linux 5 to log to MySQL Database

Written by kammo on August 3rd, 2008

This guide is intended for users who are running Red Hat Enterprise Linux 5, but it should work fine, or be fairly easy to follow and adapt, for users of earlier versions of RHEL or other Red Hat based distributions such as CentOS and Fedora.
Pre-requisites: You need to have a MySQL database setup for Snort to log to. See my guide, Create MySQL Database for Snort, on how to setup the MySQL Database.

First Login to the server and su to root:
sudo su -
Then create a source directory for Snort and switch to it:
mkdir /root/snort
cd /root/snort


Download Snort:

Be sure to check the latest version. As of this writing we will be using Snort 2.8.2, which is the current release. You can get the latest version by going to http://www.snort.org/dl/ and checking there.

wget http://www.snort.org/dl/old/snort-2.8.2.tar.gz

Uncompress the file:
tar -zxvf snort-2.8.2.tar.gz
Install Dependencies:
yum install libpcap-devel libtool pcre-devel mysql mysql-devel gcc
Install snort:
cd /root/snort/snort-2.8.2
./configure --with-mysql --prefix=/usr

If you get any errors, you probably need to install other dependencies. Google them and try again.
After the ./configure completes successfully, do:
make all
make install

Create Snort user and group:
groupadd snort
useradd -g snort snort


Create Snort Directories:

mkdir -p /etc/snort/rules
mkdir /var/log/snort

Change ownership of log directory:
chown snort:snort /var/log/snort
Copy your rules to /etc/snort/rules. These rules can be downloaded from http://www.snort.org.
Copy the snort.conf file from here and paste it to /etc/snort/snort.conf
Configure MySql information in snort.conf:
vi /etc/snort/snort.conf

Search for the MySQL output line by typing this exactly:

?alert, mysql
Then press Enter.
This will take you to the line that you will configure MySql logging on.
Set the variables it asks for on that line.  If you don’t know what they are, you probably shouldn’t be doing this install to begin with…
At this point you should go in and setup your rules that you have at the bottom of the file. Just follow the format from the already configured rules.
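Before moving on to the service script it is worth checking two things about the file you just edited: that the MySQL output line is actually active (not still commented out with #), and that the file is not world-readable, since it now holds the database password in clear text. The shell functions below are an added example and not part of kammo's guide; the config path is whatever you pass in, and the sample snort.conf content used to exercise them is constructed.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check a snort.conf
# before starting Snort. Assumes GNU stat (as on RHEL) for the mode check.

# check_snort_conf FILE
#   Returns 0 if FILE has an active (uncommented) "output database:" line
#   that logs to mysql, 1 if the line is missing or still commented out,
#   2 if the file cannot be read.
check_snort_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if grep -Eq '^[[:space:]]*output[[:space:]]+database:[[:space:]]*(alert|log),[[:space:]]*mysql' "$conf"; then
        return 0
    fi
    echo "no active 'output database: ..., mysql' line in $conf" >&2
    return 1
}

# check_conf_perms FILE
#   snort.conf carries the database password, so it must not be readable
#   by "other". Returns 0 if the other bits are all clear, 1 if any is set,
#   2 if the mode cannot be read.
check_conf_perms() {
    conf="$1"
    mode=$(stat -c '%a' "$conf") || return 2
    # last octal digit of the mode is the "other" permission set
    other=$(( mode % 10 ))
    if [ "$other" -ne 0 ]; then
        echo "$conf is readable by others (mode $mode); run: chmod 640 $conf" >&2
        return 1
    fi
    return 0
}
```

Run `check_snort_conf /etc/snort/snort.conf && check_conf_perms /etc/snort/snort.conf` after editing. If the second check fails, `chown root:snort /etc/snort/snort.conf` followed by `chmod 640 /etc/snort/snort.conf` keeps the file readable by the snort user the init script switches to while hiding the password from everyone else on the box.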
Add script to /etc/init.d/ to start snort service:
vi /etc/init.d/snortd
press i to enable inserting text.
Copy the following script:
#!/bin/sh
# Description: start up script for snort
# chkconfig: 2345 40 60
#
# Source function library.
. /etc/rc.d/init.d/functions

case "$1" in
    start)
        echo "Starting up Snort..."
        # -D daemonize, -g/-u drop to the snort group/user after start,
        # -i is the sniffing interface (change eth0 to match your sensor),
        # -l is the log directory.
        /usr/bin/snort -c /etc/snort/snort.conf -D -g snort -u snort -i eth0 -l /var/log/snort
        echo "Done."
        ;;
    stop)
        echo "Stopping Snort..."
        killproc snort
        echo "Done."
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        status snort
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac
exit 0

Go back to the ssh client, hold the Shift key and press the Insert key (this pastes the script into the file).
Press the Esc Key to leave insert mode.
Hold the Shift key and press z twice to save and exit the file.
Make the service script executable:
chmod +x /etc/rc.d/init.d/snortd
Start Snort Service at boot:
chkconfig snortd on
Start Snort:
service snortd start
Check that it's running:
ps -ef | grep snort
or
service snortd status
If the only thing you see contains grep then snort is not running.
If this is the case, look at the messages log to see what held it up. Generally it's a bad rule, and the log will tell you what is wrong with it.
tail -n100 /var/log/messages
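As an added example that is not from the original guide, here is a small set of shell functions that make the check above harder to get wrong: the process test looks only at the command field of the ps listing, so a line such as `grep snort` can never be mistaken for a running sensor, and the log check pulls out just the Snort lines in /var/log/messages that report an error. The log lines used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not part of kammo's guide: check whether Snort is really
# running and pull its error lines from the messages log.

# snort_in_listing
#   Reads "PID COMMAND [ARGS...]" lines on stdin (the format produced by
#   `ps -eo pid=,args=`) and returns 0 if any line's command is snort.
#   Only the command field is inspected, so "grep snort" never matches.
snort_in_listing() {
    awk '{ n = split($2, p, "/"); if (p[n] == "snort") found = 1 }
         END { exit found ? 0 : 1 }'
}

# is_snort_running
#   Live version of the check against the current process table.
is_snort_running() {
    ps -eo pid=,args= | snort_in_listing
}

# snort_log_errors LOGFILE
#   Prints the last five Snort syslog lines in LOGFILE that report an error;
#   a failed start (for example a bad rule) is usually explained here.
snort_log_errors() {
    grep 'snort\[[0-9]*\]:' "$1" | grep -E 'ERROR|FATAL' | tail -n 5
}

# check_snort
#   Combined check as the guide describes it: confirm the daemon is up and,
#   if it is not, show why from /var/log/messages. Returns 0 when running.
check_snort() {
    if is_snort_running; then
        echo "snort is running"
        return 0
    fi
    echo "snort is NOT running; recent errors from /var/log/messages:" >&2
    snort_log_errors /var/log/messages >&2
    return 1
}
```

Call `check_snort` after `service snortd start`; a non-zero exit with a FATAL ERROR line naming a rules file and line number is the usual sign of a bad rule, which you fix in /etc/snort/rules and then restart the service.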
