How to compile and install SNORT 2 on RHEL 8 - nomorespice/rhel8-howto GitHub Wiki

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats. This procedure will guide you through the installation process on a Red Hat Enterprise Linux 8 server.

This document assumes that:

  • you installed the RHEL 8 x64 Operating System according to How to install RHEL 8 via kickstart
  • you are performing these tasks as root
  • you are performing these tasks in order, as some tasks require others to be completed first

Add the CodeReady Red Hat repository and install required software

subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms
dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
mkdir /var/src

Download, compile and install the Snort Data Acquisition Library (DAQ)

cd /var/src
wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
tar zxvf daq-2.0.7.tar.gz
cd daq-2.0.7
autoreconf -f -i
./configure
make
make install

Download, compile and install the just-in-time compiler for Lua (Required for Snort OpenAppID)

cd /var/src
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz 
cd LuaJIT-2.0.5
make
make install

Create a fake release file so that the Snort build detects the correct RPC library (libtirpc)

/bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT

Download, compile and install Snort

Be sure to verify the current version of Snort and modify this section accordingly.

cd /var/src
wget https://snort.org/downloads/snort/snort-2.9.18.tar.gz
tar -zxvf snort-2.9.18.tar.gz 
cd snort-2.9.18
./configure --enable-sourcefire
make
make install

Remove fake release file

/bin/rm /etc/fedora-release

Set up the Snort user and group

groupadd snort
useradd -g snort -s /sbin/nologin snort
passwd -l snort

Set up the Snort file and directory structure

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /etc/snort/rules/iplists
mkdir /etc/snort/pulledpork
mkdir /var/log/snort
mkdir /var/log/snort/pcap
chown -R snort /var/log/snort
touch /etc/snort/rules/iplists/default.whitelist
touch /etc/snort/rules/iplists/default.blacklist
cp /var/src/snort*/etc/* /etc/snort
ln -s /usr/local/bin/snort /sbin/snort

Confine the Snort process using SELinux

semanage fcontext -a -t snort_exec_t "/usr/local/bin/snort"
semanage fcontext -a -t snort_var_run_t "/var/run/snort(/.*)?"
restorecon -R -v /usr/local/bin/
restorecon -R -v /var/run/snort/

/bin/cat << EOT >/var/src/my-snort.te
module my-snort 1.0;

require {
type snort_t;
class netlink_rdma_socket create;
class capability dac_override;
class packet_socket map;
class capability sys_admin;
}

#============= snort_t ==============
allow snort_t self:netlink_rdma_socket create;
allow snort_t self:packet_socket map;
allow snort_t self:capability sys_admin;
allow snort_t self:capability dac_override;
EOT

checkmodule -M -m -o /var/src/my-snort.mod /var/src/my-snort.te
semodule_package -o /var/src/my-snort.pp -m /var/src/my-snort.mod
semodule -i /var/src/my-snort.pp
/bin/rm /var/src/my-snort.te
/bin/rm /var/src/my-snort.mod
/bin/rm /var/src/my-snort.pp

Download and install the PulledPork rule management script

yum -y install perl-libwww-perl.noarch perl-Sys-Syslog.x86_64 perl-Archive-Tar.noarch perl-LWP-Protocol-https.noarch
wget https://raw.githubusercontent.com/shirkdog/pulledpork/master/pulledpork.pl -O /usr/local/bin/pulledpork.pl
chmod 755 /usr/local/bin/pulledpork.pl

Build the PulledPork configuration file

Be sure to replace OINKCODE in the first rule_url line with your own oinkcode to download the registered version of the Snort rules.

/bin/cat << EOT >/etc/snort/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/rules/|snortrules-snapshot-29180.tar.gz|OINKCODE
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLOCKLIST|open
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/etc/snort/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-8-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
snort_version=2.9.14.1
disablesid=/etc/snort/pulledpork/disablesid.conf
enablesid=/etc/snort/pulledpork/enablesid.conf
version=0.8.0
EOT

Build the PulledPork disabled rule file

Add any rules you would like to be disabled to this file

/bin/cat << EOT >/etc/snort/pulledpork/disablesid.conf
EOT

Add any rules you would like to be enabled to this file

/bin/cat << EOT >/etc/snort/pulledpork/enablesid.conf
EOT

Execute the PulledPork script to verify correct operation

/usr/local/bin/pulledpork.pl -W -P -c /etc/snort/pulledpork/pulledpork.conf

Build the Snort threshold file

Add any Snort rules you want suppressed to this file

/bin/cat << EOT >>/etc/snort/threshold.conf
#suppress gen_id 119, sig_id 14
EOT

Build the local rule file

Add any custom Snort rules to this file

/bin/cat << EOT >/etc/snort/rules/local.rules
# ------------
# LOCAL RULES
# ------------
#
EOT

Build the capture filter file

Modify this file with the networks you wish to monitor

/bin/cat << EOT >/etc/snort/filter.bpf
( net 192.168.0.0/24 or net fdaa:0:0:0::/60 )
EOT

Build the ipvar include file

Modify this file with the networks you wish to monitor

/bin/cat << EOT >/etc/snort/ipvar.conf
ipvar NETWORK [192.168.0.0/24,fdaa:0:0:0::/60]
#
ipvar REAL_NET [192.168.1.10/32,fdaa:0:0:0::a/128]
#
ipvar HOME_NET [\$REAL_NET]
#
ipvar DARK_NET [!\$HOME_NET]
#
ipvar EXTERNAL_NET [!\$HOME_NET]
#
ipvar DNS_SERVERS \$HOME_NET
ipvar SMTP_SERVERS \$HOME_NET
ipvar HTTP_SERVERS \$HOME_NET
ipvar SQL_SERVERS \$HOME_NET
ipvar TELNET_SERVERS \$HOME_NET
ipvar SSH_SERVERS \$HOME_NET
ipvar FTP_SERVERS \$HOME_NET
ipvar SIP_SERVERS \$HOME_NET
#
ipvar DRK_IGNORE_SRC [10.1.1.1/32]
ipvar DRK_IGNORE_DST [192.168.0.1/32]
#
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
EOT

Modify the main Snort configuration file

/bin/sed -i "s/^ipvar/#ipvar/" /etc/snort/snort.conf
/bin/sed -i '/protecting/i include ipvar.conf' /etc/snort/snort.conf
/bin/sed -i "s/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/" /etc/snort/snort.conf
/bin/sed -i "s/SO_RULE_PATH ..\/so_rules/SO_RULE_PATH \/etc\/snort\/so_rules/" /etc/snort/snort.conf
/bin/sed -i "s/PREPROC_RULE_PATH ..\/preproc_rules/PREPROC_RULE_PATH \/etc\/snort\/preproc_rules/" /etc/snort/snort.conf
/bin/sed -i "s/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/BLACK_LIST_PATH ..\/rules/BLACK_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/white_list.rules/default.whitelist/" /etc/snort/snort.conf
/bin/sed -i "s/black_list.rules/default.blacklist/" /etc/snort/snort.conf
/bin/sed -i "s/^dynamicdetection/#dynamicdetection/" /etc/snort/snort.conf
/bin/sed -i "s/^preprocessor normalize/#preprocessor normalize/" /etc/snort/snort.conf
/bin/sed -i "s/^# preprocessor sfportscan/preprocessor sfportscan/" /etc/snort/snort.conf
/bin/sed -i "s/memcap { 10000000/memcap { 20000000/" /etc/snort/snort.conf
/bin/sed -i "s/server_ports { 22/server_ports { 22 5224/" /etc/snort/snort.conf
/bin/sed -i "s/sensitive_data: alert_threshold 25/sensitive_data: alert_threshold 50/" /etc/snort/snort.conf
/bin/sed -i '/^# syslog/a output alert_fast: \/var\/log\/snort\/alert' /etc/snort/snort.conf
/bin/sed -i '/^# pcap/a output log_tcpdump: \/var\/log\/snort\/pcap\/snort.pcap' /etc/snort/snort.conf
/bin/sed -i "s/^include \$RULE_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf
/bin/sed -i '/site specific rules/a include $RULE_PATH\/snort.rules' /etc/snort/snort.conf

Create the Snort systemd service

Modify this file if you are listening on something other than interface eth0

/bin/cat << EOT >/usr/lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -F /etc/snort/filter.bpf -u snort -g snort --pid-path /var/log/snort --no-interface-pidfile --nolock-pidfile
ExecStop=/bin/kill -9 \$MAINPID
PrivateTmp=true
PidFile=/var/log/snort/snort.pid

[Install]
WantedBy=multi-user.target
EOT

systemctl enable --now snort
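The files above are written with unquoted heredocs and sed one-liners, so the usual mistakes are silent: a forgotten backslash turns `$REAL_NET` or `$MAINPID` into an empty string, and a sed pattern that did not match leaves the relative rule paths in place. The following script is an added example (not part of the wiki page) that checks the resulting snort.conf, ipvar.conf and systemd unit for exactly the properties the steps above are meant to produce. It assumes the paths used on this page; every function takes an optional file argument so it can be pointed at a copy.

```sh
#!/bin/sh
# Post-install sanity checks for the files written in the steps above.
# Added example, not part of the wiki page. Assumes the paths used on this page;
# each function accepts an optional file argument. A failed check is printed
# and the function returns 1.

check_snort_conf() {
    f=${1:-/etc/snort/snort.conf}
    rc=0
    # the ipvar definitions must come from the include, not from the main file
    grep -qxF 'include ipvar.conf' "$f" || { echo "$f: 'include ipvar.conf' missing"; rc=1; }
    if grep -q '^ipvar ' "$f"; then echo "$f: uncommented ipvar lines remain"; rc=1; fi
    # the relative rule paths shipped in snort.conf must have become absolute
    grep -qxF 'var RULE_PATH /etc/snort/rules' "$f" || { echo "$f: RULE_PATH not rewritten"; rc=1; }
    if grep -q '^var .*_PATH \.\./' "$f"; then echo "$f: relative *_PATH entry left"; rc=1; fi
    # both outputs enabled above, plus the single PulledPork-merged rule include
    grep -qxF 'output alert_fast: /var/log/snort/alert' "$f" || { echo "$f: alert_fast output missing"; rc=1; }
    grep -qxF 'output log_tcpdump: /var/log/snort/pcap/snort.pcap' "$f" || { echo "$f: log_tcpdump output missing"; rc=1; }
    grep -qxF 'include $RULE_PATH/snort.rules' "$f" || { echo "$f: snort.rules include missing"; rc=1; }
    return $rc
}

check_ipvar_conf() {
    f=${1:-/etc/snort/ipvar.conf}
    rc=0
    # the heredoc escapes \$ so the variable references survive; without the
    # escape the shell expands them and Snort sees empty brackets
    grep -qxF 'ipvar HOME_NET [$REAL_NET]' "$f" || { echo "$f: HOME_NET lost its \$REAL_NET reference"; rc=1; }
    grep -qxF 'ipvar EXTERNAL_NET [!$HOME_NET]' "$f" || { echo "$f: EXTERNAL_NET lost its \$HOME_NET reference"; rc=1; }
    return $rc
}

check_unit() {
    f=${1:-/usr/lib/systemd/system/snort.service}
    rc=0
    # same heredoc trap: systemd needs the literal $MAINPID in ExecStop
    grep -q '^ExecStop=.*\$MAINPID$' "$f" || { echo "$f: ExecStop lost \$MAINPID (unescaped heredoc)"; rc=1; }
    return $rc
}

# run all three against the live system when executed directly
if [ "${0##*/}" = "check_snort_install.sh" ]; then
    check_snort_conf && check_ipvar_conf && check_unit && echo "all checks passed"
fi
```

Run it once before `systemctl enable --now snort`, then let Snort itself validate the full configuration with `snort -T -c /etc/snort/snort.conf`, which parses the config, rules and preprocessors and exits without capturing traffic.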

Create the Snort logrotate configuration file

/bin/cat << EOT >/etc/logrotate.d/snort
/var/log/snort/alert
{
    weekly
    rotate 13
    missingok
    compress
    sharedscripts
    postrotate
        /bin/systemctl restart snort 1>/dev/null || true
    endscript
}
EOT

Create the Snort rule update script

mkdir /script
/bin/cat <<\EOT >/script/snort_update.sh
#!/bin/bash
#
# snort_update.sh
# Snort signature update script
#
# Command Variables
CONF=/etc/snort/pulledpork/pulledpork.conf
LOGDIR=/var/log/snort
PULL=/usr/local/bin/pulledpork.pl
SYSTEMCTL=/bin/systemctl
#
$PULL -W -P -c $CONF
$SYSTEMCTL restart snort
#
# Cleanup
cd $LOGDIR
/bin/ls -t $LOGDIR | /bin/grep "alert\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
cd $LOGDIR/pcap
/bin/ls -t $LOGDIR/pcap | /bin/grep "snort\.pcap\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
#
exit
EOT
chmod 700 /script/snort_update.sh
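The two cleanup pipelines in the update script keep the 13 newest rotated alert and pcap files and hide the error GNU xargs raises when there is nothing to delete. The function below is an added example (not part of the wiki page) that generalises them into one routine taking the directory, the grep pattern and the number of newest matches to keep, and uses `xargs -r` so the empty case needs no redirection to `/dev/null`. Like the script above it relies on GNU xargs (`-d`, `-r`).

```sh
#!/bin/sh
# Retention helper for the cleanup section of snort_update.sh.
# Added example, not part of the wiki page; relies on GNU xargs (-d, -r).

# prune_rotated DIR PATTERN KEEP
# Delete every file in DIR whose name matches PATTERN except the KEEP most
# recently modified ones. Returns non-zero only if DIR does not exist.
prune_rotated() {
    dir=$1 pat=$2 keep=$3
    [ -d "$dir" ] || { echo "prune_rotated: no such directory: $dir" >&2; return 1; }
    # ls -t lists newest first; tail drops the first KEEP names; xargs -r runs
    # nothing when the list is empty, so no error has to be silenced
    ( cd "$dir" && ls -t | grep -- "$pat" | tail -n +"$((keep + 1))" | xargs -r -d '\n' rm -f -- )
}

# The two calls equivalent to the cleanup lines in snort_update.sh:
#   prune_rotated /var/log/snort 'alert\.' 13
#   prune_rotated /var/log/snort/pcap 'snort\.pcap\.' 13
```

The pattern `alert\.` deliberately excludes the live `alert` file, which has no suffix; only the rotated copies produced by logrotate are candidates for deletion.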

Add the Snort rule update script to cron

Modify the time that the Snort rules update via PulledPork

crontab -l | { cat; echo "0 0 * * 1-5 /script/snort_update.sh >/dev/null 2>&1"; } | crontab -