Setting up Snort on your Server. (I used CentOS 5.6)
Assuming that you just installed a basic install of CentOS Server we will have to add a few things to the server so that Snort will run correctly.
First thing you want to install is mysql server and some other packages needed for Snort.
yum install -y mysql-server mysql-bench mysql-devel php-mysql gcc pcre-devel php-gd gd glib2-devel gcc-c++ libcap-devel
Once that is done we will add the Atomic Rocket Turtle Repo so that we can use yum to install snort.
rpm --import
Now that the new repo is installed we can install Snort.
yum install -y snort snort-mysql
We will actually need to download the snort source as well because we will need one file from it. You can go to and just wget the latest.
We can now edit the snort.conf file located in the ‘/etc/snort’ directory.
This should be at the start of the conf file and you will have to change this to your home net.
var HOME_NET []
You will want to change the External net to the entry below.
Uncomment and fill in the output database info (be sure to remember it, as you will need it when you set up the database).
output database: log, mysql, user=snort password=RanDomPassWord dbname=snort host=localhost
We will create the DB now. You will want to make sure the server is running so use /etc/init.d/mysqld start
Login with ‘mysql -u root’, there should be no pass by default. Follow the commands below to get our snort DB created.
mysql> create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('RanDomPassWord');
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Now, if you want to secure the root user as well while you are in here, you can also run the command below.
SET PASSWORD FOR root@localhost=PASSWORD('rootmysqlpass');
Download ADODB and BASE
Installing ADODB:
cd /var/www/
tar -xvzf /root/adodb-511.tgz
mv adodb5/ adodb
Installing and configuring BASE:
cd /var/www/html
tar -xvzf /root/base-1.4.5.tar.gz
mv base-1.4.5/ base
Setting up BASE is pretty simple and can be done in your browser. Go to the IP of your server and put /base at the end of it.
If everything is okay then we can proceed to the next screen. Press Continue.
Just enter your adodb path and press Continue.
You will need to enter in all your database info in here, it will not let you proceed if you don’t put in your valid info so just copy it from the snort.conf if needed. I didn’t setup archiving with this walk through so you can leave it unchecked and press continue.
This is so that not just anyone can log into your Snort setup, so I would recommend using it. Fill in your info if needed and press Continue.
This is the last step. Press the Create Base AG button under status and that should complete the Base setup and you should start picking up all the traffic on the server. If you want the graphing to work on base you will need to install a few things.
yum install php-pear
pear install Image_Canvas-alpha
pear install Image_Color
pear install Numbers_Roman
pear install Image_Graph-0.8.0
We will also have to add rules to Snort, otherwise you won't be picking up much. We used Bleeding Edge rules, so I will write how to go about installing these rules.
Download the rules from here:
First we will install Oinkmaster. This is so that the rules will be updated automatically and since we installed the Atomic Rocket Turtle repo you can just use yum.
yum install oinkmaster
Once that is installed you will have to run it, so use. -q -C Oinkmaster-bleedingsnort.conf -o ./rules
Then add your rules to the snort.conf file. I just added the bleeding.conf to the included rules and did my editing in that file, but you can just add all the rules to the snort.conf file. The rules added are below.
include $RULE_PATH/bleeding-attack-response.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
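A check for the include list above, added here as an example and not part of the original walkthrough: it lists every rule file that the config includes through $RULE_PATH but that is absent from the rules directory. The function names and the temporary sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find "include $RULE_PATH/<file>" entries whose file is
# missing from the rules directory. Function names are hypothetical.

# $1: path to snort.conf (or bleeding.conf), $2: directory holding the rules
missing_rule_includes() {
    conf=$1
    rules_dir=$2
    # Keep only active include lines; lines starting with "#" do not match.
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH\/\([^[:space:]]*\).*$/\1/p' "$conf" |
    while read -r rule; do
        [ -f "$rules_dir/$rule" ] || printf '%s\n' "$rule"
    done
}

# Demonstration on a constructed config: two active includes, one commented
# out, and only one rule file actually present in the rules directory.
demo_missing_rule_includes() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    cat > "$tmp/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-web.rules
# include $RULE_PATH/bleeding-game.rules
EOF
    : > "$tmp/rules/bleeding-scan.rules"
    missing_rule_includes "$tmp/snort.conf" "$tmp/rules"
    rm -rf "$tmp"
}

demo_missing_rule_includes   # prints: bleeding-web.rules
```

Once no files are reported missing, `snort -T -c /etc/snort/snort.conf` makes Snort load the configuration and rules in test mode and exit, which catches rule syntax errors this check does not.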
If you don't want to have to worry about getting Snort started when you reboot, you should make it start on boot with the chkconfig command.
chkconfig snortd on
chkconfig mysqld on
Because of all the changes just do a restart on snort and httpd and you should be good to go with your newly set up IDS.
All that is left to do now is to set your server into promiscuous mode, which allows the server to intercept and read each network packet that arrives in its entirety.
ifconfig eth0 promisc
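The ifconfig setting above is runtime state and is lost when the interface is reset or the server reboots, so a sensor can silently go back to seeing only its own traffic. The following added example (not part of the original walkthrough) decodes the kernel's interface flags word to confirm the interface is up and promiscuous; the function names are hypothetical and the sample flag values are constructed.

```shell
#!/bin/sh
# Added example: report whether a sensor interface is up and in promiscuous
# mode by decoding the flags word the kernel exposes in sysfs.
# IFF_UP is bit 0x1 and IFF_PROMISC is bit 0x100.

# $1: flags as printed by /sys/class/net/<iface>/flags (hex, e.g. 0x1103)
decode_sensor_flags() {
    flags=$(( $1 ))
    if [ $(( flags & 0x1 )) -eq 0 ]; then        # IFF_UP clear
        echo "down"
    elif [ $(( flags & 0x100 )) -ne 0 ]; then    # IFF_PROMISC set
        echo "up,promisc"
    else
        echo "up,no-promisc"
    fi
}

# $1: interface name, e.g. eth0. Exit status 0 only when up and promiscuous.
check_sensor_iface() {
    f="/sys/class/net/$1/flags"
    if [ ! -r "$f" ]; then
        echo "$1: no such interface"
        return 2
    fi
    state=$(decode_sensor_flags "$(cat "$f")")
    echo "$1: $state"
    [ "$state" = "up,promisc" ]
}

# Constructed flag words: interface up, up with promiscuous mode, and down.
for sample in 0x1003 0x1103 0x1002; do
    echo "$sample -> $(decode_sensor_flags "$sample")"
done
```

Running `check_sensor_iface eth0` after a reboot, or periodically from cron, shows whether the promisc command needs to be reapplied.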
  • Comment by
    6 Jul 2011

    Hi Ralph,

    The DB is configured close to the start. Below is how to configure the DB. First log into mysql and do the following

    mysql> create database snort;
    grant INSERT,SELECT on root.* to snort@localhost;
    SET PASSWORD FOR snort@localhost=PASSWORD('RanDomPassWord');
    grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

    I updated the walkthrough and added the link to download the rules they are at

  • Comment by
    7 Jul 2011

    It looks like the site is down. You can just create the file yourself and paste this into it.

    Version: GnuPG v1.2.1 (GNU/Linux)

