DEPRECATED VERSION OF THE ARTICLE, GO TO THIS LINK:
Snort is an IDS (intrusion detection system) released under the GNU GPL, published by Sourcefire.
Its purpose is to probe the network for malicious activity such as port scans, OS fingerprinting attempts, and so on, and to alert us.
I am going to explain how to install Snort on a CentOS 6 (64-bit) machine.
First of all, you need to install the EPEL repository:
# wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
# rpm --import RPM-GPG-KEY.dag.txt    # import the key, otherwise gpgcheck=1 below rejects the packages
# vi /etc/yum.repos.d/rpmforge.repo
[rpmforge]
name=RPMforge RPM repository for Red Hat Enterprise Linux
baseurl=http://ftp.riken.jp/Linux/dag/redhat/el6/en/$basearch/rpmforge/
gpgcheck=1
enabled=0
# yum -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel mysql* pcre-devel php-mysql
# cd /root
# wget http://www.snort.org/downloads/1406
# mv daq-0.6.2-1.src.rpm\?AWSAccessKeyId\=AKIAJJSHU7YNPLE5MKOQ\&Expires\=1331498335\&Signature\=feJnLudotPf4D9bI3OYrbODQKVM\= daq-0.6.2-1.src.rpm
# rpm -Uvh daq-0.6.2-1.src.rpm
# cd rpmbuild/SPECS
# sed -i 's/\/lib\//\/lib64\//g' daq.spec
# rpmbuild -bb daq.spec
# rpm -Uvh ../RPMS/x86_64/daq-0.6.2-1.x86_64.rpm
# wget http://www.snort.org/downloads/1414
# mv snort-2.9.2.1-1.src.rpm\?AWSAccessKeyId\=AKIAJJSHU7YNPLE5MKOQ\&Expires\=1331498624\&Signature\=dpkmcpx3hWmfI9Hqvn8xPuOaIdY\= snort-2.9.2.1-1.src.rpm
# rpm -Uvh snort-2.9.2.1-1.src.rpm
# cd rpmbuild/SPECS
# vi snort.spec
SNORT_BASE_CONFIG="--prefix=%{_prefix} \
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/snort \
--with-libpcap-includes=%{_includedir} \
--enable-decoder-preprocessor-rules --enable-targetbased \
--enable-zlib \
--enable-ipv6 \
--enable-normalizer \
# ln -s /usr/lib64/mysql /usr/lib/mysql
# rpmbuild -bb --with mysql snort.spec
# rpm -Uvh ../RPMS/x86_64/snort-2.9.2.1-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.2.1-1.x86_64.rpm
# mysql -u root -p
> create database snort;
> grant all privileges on snort.* to snort@localhost identified by 'password';
> flush privileges;
> exit
# mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql
# wget http://labs.snort.org/snort/2912/snort.conf
# mv snort.conf /etc/snort/
# vi /etc/snort/snort.conf
// change line 39:
ipvar HOME_NET 192.168.1.0/24
// change the line
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
// to:
dynamicpreprocessor directory /usr/lib64/snort-2.9.2.1_dynamicpreprocessor/
// change the line containing /usr/local/lib/snort_dynamicengine/libsf_engine.so to:
dynamicengine /usr/lib64/snort-2.9.2.1_dynamicengine/libsf_engine.so
// comment out line 177:
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
// line 376: set the connection parameters for the DB.
output database: log, mysql, user=snort password=password dbname=snort host=localhost
// then change every $RULE_PATH to /etc/snort/rules
# vi /etc/sysconfig/snort
// comment out line 69
# ALERTMODE=fast
# vi /etc/logrotate.d/snort
// line 4: change as follows:
/var/log/snort/alert /var/log/snort/*log {
# vi /etc/snort/rules/white_list.rules
// esc :wq to save (this creates the empty file)
# vi /etc/snort/rules/black_list.rules
// esc :wq to save
Download, from the registered user section, the rules for version 2.9.2.1 (the version of our Snort).
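To apply the snort.conf edits from the steps above without editing the file by hand, here is an added shell script (not from the original article): it rewrites the relevant lines with sed, appends the MySQL output line, and provides a check function to run after the install. The /usr/lib64/snort-2.9.2.1 paths, the HOME_NET value and the 'password' placeholder are the article's values; the mini snort.conf it generates is constructed only so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original article.
set -eu

SNORT_LIB=/usr/lib64/snort-2.9.2.1    # where the rpm put the preprocessor/engine .so files

# Apply the article's snort.conf edits in place (safe to run more than once).
apply_snort_conf_edits() {
    conf="$1"
    sed -i \
        -e 's|^ipvar HOME_NET .*|ipvar HOME_NET 192.168.1.0/24|' \
        -e "s|^dynamicpreprocessor directory .*|dynamicpreprocessor directory ${SNORT_LIB}_dynamicpreprocessor/|" \
        -e "s|^dynamicengine .*|dynamicengine ${SNORT_LIB}_dynamicengine/libsf_engine.so|" \
        -e 's|^dynamicdetection directory|#dynamicdetection directory|' \
        -e 's|\$RULE_PATH|/etc/snort/rules|g' \
        "$conf"
    # Add the DB output line only if it is not there yet; 'password' is the article's placeholder.
    grep -q '^output database: log, mysql' "$conf" || \
        echo 'output database: log, mysql, user=snort password=password dbname=snort host=localhost' >> "$conf"
}

# Return 0 when every edit is present, 1 otherwise (usable as a post-install check).
check_snort_conf() {
    conf="$1"
    grep -q '^ipvar HOME_NET 192.168.1.0/24$' "$conf" &&
    grep -q "^dynamicpreprocessor directory ${SNORT_LIB}_dynamicpreprocessor/$" "$conf" &&
    grep -q "^dynamicengine ${SNORT_LIB}_dynamicengine/libsf_engine.so$" "$conf" &&
    grep -q '^#dynamicdetection directory' "$conf" &&
    ! grep -q '\$RULE_PATH' "$conf" &&
    grep -q '^output database: log, mysql, user=snort ' "$conf"
}

# Constructed mini snort.conf (not the real file) with the default lines the article changes.
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
include $RULE_PATH/local.rules
EOF
}

# On the real box: apply_snort_conf_edits /etc/snort/snort.conf && check_snort_conf /etc/snort/snort.conf
# then validate the whole configuration with: snort -T -c /etc/snort/snort.conf
```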
# yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph
# yum install php-pear php-gd
# pear install Image_Color-1.0.4
# pear install Image_Canvas-0.3.3
# pear install Image_Graph-0.8.0
# wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz
# mv base-1.4.5 /var/www/base
# chown -R apache. /var/www/base
# cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
# vi /var/www/base/base_conf.php
// line 50: BASE path
$BASE_urlpath = '/base';
// line 80: adodb path
$DBlib_path = '/var/www/adodb/';
// line 102: Snort DB parameters:
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
// username:
$alert_user = 'snort';
// DB password:
$alert_password = 'password';
# vi /etc/httpd/conf.d/base.conf
Alias /base /var/www/base
<Directory /var/www/base/>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24
</Directory>
# /etc/rc.d/init.d/httpd restart
Click on Setup pages, then "Create Base AG", and you will get this:
Quick, simple, and to the point. I like it.
A couple of notes though:
1) We are removing Direct-to-db output in Snort 2.9.3, so you may want to revise your instructions to take advantage of this. Unified2 as output, with barnyard2 reading it and inserting into the db.
2) Compiling Snort is simply a matter of "./configure --enable-sourcefire". I've ensured everything else is built in now.
Thank you Joel Esler !
I'll update the article when 2.9.3 comes out :p
Hello. I have already tried to install snort-2.9.2.1 and snort-2.1.0.4 on CentOS version
2.6.32-220.el6.x86_64
but I cannot find the snort file in /etc/sysconfig/
What can I do?
Thanks in advance.
Did you try the method posted here?
Did you try a locate snort?
(install the mlocate package)
Hi guys. How can I get the second part of this installation?
Hello,
For a school assignment I had to install snort on a CentOS 7.2.
I installed version 2.9, and it seems to be correct.
I am now asked to scan the network looking for the keyword "administrator".
I admit I do not know how to do that.
Thanks