Thursday 22 June 2017

Setting up snort, DAQ and PF_RING on CentOS 7

Let's first install the build dependencies, then download and install the PF_RING kernel module package:

yum -y install kernel-devel kernel-headers libtool automake autoconf flex bison gcc

cd /tmp
wget http://packages.ntop.org/rpm7/x64/PF_RING/pfring-6.7.0-1286.x86_64.rpm
rpm -i pfring*

Download and install DAQ from the snort site:

cd /tmp
wget https://www.snort.org/downloads/snort/daq-2.0.6-1.f21.x86_64.rpm
rpm -i daq*

and then build the DAQ module for PF_RING:

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/userland/snort/pfring-daq-module
autoreconf -ivf
./configure
make && make install

This should copy the library to: /usr/local/lib/daq/daq_pfring.so

Finally download and configure snort:

cd /tmp
wget https://www.snort.org/downloads/snort/snort-openappid-2.9.9.0-1.centos7.x86_64.rpm
yum install snort-openappid-2.9.9.0-1.centos7.x86_64.rpm

We can then run snort in either IDS mode:

snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i ethX -v -e -c /etc/snort/snort.conf

or IPS mode:

snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q -c /etc/snort/snort.conf

We can also update the Snort rules with:

cd /tmp
wget https://www.snort.org/downloads/registered/snortrules-snapshot-2990.tar.gz
mkdir snortrules
tar zxvf snortrules*.tar.gz -C snortrules
cd snortrules
cd etc
cp * /etc/snort
cd ../rules
cp * /etc/snort/rules
cd ..
cp -R preproc_rules /etc/snort
cp -R so_rules /etc/snort

After attempting to start snort again I received a number of complaints about bad folder paths, so I ended up creating several symlinks to get it working correctly:

ln -s /usr/lib64/snort-2.9.9.0_dynamicengine/ /usr/local/lib/snort_dynamicengine
ln -s /usr/lib64/snort-2.9.9.0_dynamicpreprocessor/ /usr/local/lib/snort_dynamicpreprocessor
ln -s /etc/snort/so_rules/precompiled/Centos-5-4/x86-64/2.9.9.0/ /usr/local/lib/snort_dynamicrules

I also had to modify some of the directory variables in snort.conf, such as those for so_rules and rules.

And finally I created a couple of files:

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules

systemd Service

Finally, let's create our own service for snort:

sudo vi /lib/systemd/system/snort.service

and add the following (presuming you want IDS mode enabled):

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort --daq-dir=/usr/local/lib/daq --daq pfring --daq-mode passive -i ethX -e -c /etc/snort/snort.conf

[Install]
WantedBy=multi-user.target

Then enable and start it with:

sudo systemctl enable snort
sudo service snort start

and check the status with:

sudo service snort status
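A post-install sanity check for the setup above, added here as an example (not part of the original post): it confirms the pf_ring module is loaded, the DAQ library and symlinks from the steps above are in place, that snort's DAQ listing includes pfring, and that snort.conf validates in test mode (-T). The default paths are the ones used in this post; the environment variable names are this script's own.

```shell
#!/bin/sh
# Sanity check for the Snort + DAQ + PF_RING install (added example).
DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
LINK_BASE=${LINK_BASE:-/usr/local/lib}

# 0 when the pf_ring kernel module is loaded (reads /proc/modules).
pfring_module_loaded() { grep -q '^pf_ring ' /proc/modules 2>/dev/null; }

# 0 when the PF_RING DAQ library built above exists under $1.
daq_pfring_present() { [ -f "$1/daq_pfring.so" ]; }

# 0 when the white/black list rule files snort.conf expects exist under $1.
rule_lists_present() {
    [ -f "$1/white_list.rules" ] && [ -f "$1/black_list.rules" ]
}

# 0 when the three snort_dynamic* symlinks resolve to directories under $1.
dynamic_links_resolve() {
    for d in snort_dynamicengine snort_dynamicpreprocessor snort_dynamicrules; do
        [ -d "$1/$d" ] || return 1
    done
}

# Ask snort to enumerate the DAQ modules in $1 and confirm pfring is among them.
daq_lists_pfring() { snort --daq-dir="$1" --daq-list 2>&1 | grep -q 'pfring'; }

# Validate the config ($2) with the pfring DAQ selected; -T captures no traffic.
config_test() { snort -T --daq-dir="$1" --daq pfring -c "$2"; }

main() {
    rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report pfring_module_loaded
    report daq_pfring_present "$DAQ_DIR"
    report rule_lists_present "$RULES_DIR"
    report dynamic_links_resolve "$LINK_BASE"
    if command -v snort >/dev/null 2>&1; then
        report daq_lists_pfring "$DAQ_DIR"
        report config_test "$DAQ_DIR" "$SNORT_CONF"
    else
        echo "FAIL snort binary not on PATH"; rc=1
    fi
    return $rc
}

# Run all checks when invoked as: sh snort_check.sh check
if [ "${1:-}" = "check" ]; then main; exit $?; fi
```

Run it as root before enabling the service; any FAIL line points at the step above that still needs attention.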
