Thursday 22 June 2017

Setting up snort, DAQ and PF_RING on CentOS 7

First, let's download and build the PF_RING kernel module:

yum -y install kernel-devel kernel-headers libtool automake autoconf flex bison gcc

cd /tmp

Download and install the DAQ RPM from the Snort site:

cd /tmp
rpm -i daq*

and then build the DAQ module for PF_RING:

git clone
cd PF_RING/userland/snort/pfring-daq-module
autoreconf -ivf
make && make install

This should copy the library to: /usr/local/lib/daq/

Next, download and configure Snort:

cd /tmp
yum install snort-openappid-

We can then run Snort in either IDS mode:

snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i ethX -v -e -c /etc/snort/snort.conf

or IPS mode:

snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q -c /etc/snort/snort.conf

We can also update the Snort rule definitions with:

cd /tmp
tar zxvf snortrules*
cd snortrules*
cd etc
cp * /etc/snort
cd ../rules
cp * /etc/snort/rules
cd ..
cp -R preproc_rules /etc/snort
cp -R so_rules /etc/snort

After attempting to start Snort again I received a number of complaints about bad folder paths, so I ended up creating several symlinks to get it working correctly:

ln -s /usr/lib64/snort- /usr/local/lib/snort_dynamicengine
ln -s /usr/lib64/snort- /usr/local/lib/snort_dynamicpreprocessor
ln -s /etc/snort/so_rules/precompiled/Centos-5-4/x86-64/ /usr/local/lib/snort_dynamicrules

I also had to modify some of the directory variables in snort.conf, such as those for so_rules and rules.

And finally, create a few empty files that snort.conf expects to exist:

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
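Because the "bad folder path" errors above only surface once Snort is started, it is handy to check the paths up front. The following pre-flight script is an added example and not part of the original post: it verifies that every directory, symlink and file the post ends up creating is present and that none of the symlinks is dangling, then returns the number of problems found (0 means ready). The optional first argument is an assumed prefix so the check can be run against a staging tree instead of the live filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the paths
# Snort resolves at start-up, run before snort is started or enabled.
# Usage: snort_preflight [ROOT]   (ROOT is an assumed optional prefix; default "")

snort_preflight() {
    root="${1:-}"
    missing=0

    # Directories named in the post: DAQ module dir, the three symlinked dynamic
    # library dirs, and the rules directories copied from the rules tarball.
    for d in \
        /usr/local/lib/daq \
        /usr/local/lib/snort_dynamicengine \
        /usr/local/lib/snort_dynamicpreprocessor \
        /usr/local/lib/snort_dynamicrules \
        /etc/snort/rules \
        /etc/snort/preproc_rules \
        /etc/snort/so_rules
    do
        p="$root$d"
        # A symlink whose target is gone passes neither -d nor -e; report it
        # separately so the operator knows it is the link target that is wrong.
        if [ -L "$p" ] && [ ! -e "$p" ]; then
            echo "dangling symlink: $d -> $(readlink "$p")" >&2
            missing=$((missing + 1))
        elif [ ! -d "$p" ]; then
            echo "missing directory: $d" >&2
            missing=$((missing + 1))
        fi
    done

    # Files snort.conf references; the two list files had to be created by hand.
    for f in \
        /etc/snort/snort.conf \
        /etc/snort/rules/white_list.rules \
        /etc/snort/rules/black_list.rules
    do
        if [ ! -f "$root$f" ]; then
            echo "missing file: $f" >&2
            missing=$((missing + 1))
        fi
    done

    # Exit status is the number of problems found; 0 means all paths resolve.
    return "$missing"
}

# Typical use (commented out so the file can be sourced):
# . ./snort_preflight.sh && snort_preflight && snort -T -c /etc/snort/snort.conf
```

Running the check before `snort -T -c /etc/snort/snort.conf` (Snort's own configuration self-test) separates the "path does not exist" class of error from genuine rule or preprocessor configuration problems, which keeps the systemd unit below from flapping on a half-installed box.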

systemd Service

Finally, let's create our own systemd service for Snort:

sudo vi /lib/systemd/system/snort.service

and add the following (presuming you want IDS mode enabled):

[Unit]
Description=Snort NIDS Daemon
After=network.target

[Service]
ExecStart=/usr/sbin/snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i ethX -e -c /etc/snort/snort.conf

[Install]
WantedBy=multi-user.target

Then enable and start it with:

sudo systemctl enable snort
sudo service snort start

and check the status with:

sudo service snort status
