Saturday, October 1, 2011

Installing Snort 2.9.1 on 64-bit CentOS 6...

I just installed Snort 2.9.1 on CentOS 6, and since that wasn't straightforward process, I decided to document all the steps I did for a later reference. Also, maybe someone will find this useful so I placed it here.

The process of setting up Snort is divided into three phases, compilation, installation and configuration. Compilation phase is done entirely on auxiliary host, while installation and configuration phases are done on the target host, i.e. on the host where you wish to install snort.
Binary Snort packages from the download pages are all for 32 bit machines. Furthermore, SPEC file within provided SRPM has two bugs. The first one is that it wrongly links with libdnet.1 library that doesn't exist. I circumvented that problem as described below. The second problem is that not all pretprocessors are included into the final binary package. If you try to start snort and it fails with the following message in the log file:
FATAL ERROR: /etc/snort/snort.conf(463) Unknown preprocessor: "sip".
then this is manifestation of that problem. Apart from sip; imap, pop and reputation pretprocessors are also missing. I have fixed spec file, and made the new Snort SRPM package. If you trust me enough (but don't! :)), you can skip the compilation phase and obtain directly binary packages for daq and snort from my homepage. In that case, go to the installation phase and continue from there.

Compilation

As I said, the first problem with Snort is that on the download page there are no precompiled binaries for 64-bit versions of Linux distributions. Still there are SRPMS packages of Snort (extension src.rpm) and its prerequisite Daq so it isn't so bad. Download those packages, and rebuild them, first daq and then, after installing daq, snort itself. For rebuild process development environment is mandatory, i.e. compiler, development libraries, etc. Since probably you are going to run snort on firewall, or some machine close to firewall, it isn't good security practice to install development environment on target machine (i.e. firewall). So, find another machine with CentOS 6 and all the latest updates (or install one) and perform build process there. You'll need at minimum to have package rpm-build-4.8.0-16.el6.x86_64, afterwards, any missing package will be reported and you can install it using yum. So, install rpm-build package, and try to start build process (do this as ordinary user!):
rpmbuild --rebuild daq-0.6.1-1.src.rpm
If missing packages are reported then install them (as superuser) and try to start build process again. Note that libdnet you can find in EPEL repository. Repeat this until build process is successful. Binary package you'll find in the directory ~/rpmbuild/RPMS/x86_64/. Go there and install daq package:
yum localinstall --nogpgcheck daq-0.6.1-1.x86_64.rpm
Option nogpgcheck is necessary since we didn't sign binary package. Then, go back to directory where you downloaded daq and snort, and start snort build process:
rpmbuild --rebuild snort-2.9.1-1.src.rpm
This too can stop due to the missing packages, so install any required package and restart build process. Do this until build process is successful.
Now you have daq and snort packages ready in the build output directory ~/rpmbuild/RPMS/x86_64/. There are files daq-0.6.1-1.x86_64.rpm and snort-2.9.1-1.x86_64.rpm.

Installation

Transfer binary packages of snort and daq to the target machine and install them there:
yum localinstall --nogpgcheck daq-0.6.1-1.x86_64.rpm \
            snort-2.9.1-1.x86_64.rpm
It could happen also that you'll need additional packages, but any dependencies will be automatically retrieved and installed by yum. So, that's for the installation phase.

Build process, for whatever reason, wrongly got dependency on libdnet library, it looks for libdnet.1 instead of libdnet.so.1. To check if this is problem in your case, just try to start snort:
# /etc/init.d/snortd start
Starting snort: /usr/sbin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
                                                           [FAILED]
In case the output looks like that one, you have the problem with libdnet.1 too. To solve it, to the directory /usr/lib64 and run there the following command:
# ln -s libdnet.so.1 libdnet.1
This is actually a hack, since build process has a bug, but as I didn't want to look or modify build process, this was easier to do and I did it that way.

The error with library libdnet was caused by the manually installed libdnet in /usr/local/ which had name libdnet.1 for whatever reason and that was picked by configure script. In other words, if you compile snort manually you'll not have that problem, only if you used old binary that I provided (now that is fixed!).
You'll also need to obtain snort rules and that requires you to register on Snort Web page. After registering, and downloading rules, unpack the archive you obtained in some directory. In the following text I'm using package snortrules-snapshot-2910.tar.gz from the September 1st, 2011 (and which was obtained on October 1st, 2011).

What you'll get is the following structure:
$ ls -1
etc
preproc_rules
rules
so_rules
Move directories preproc_rules, rules and so_rules into /etc/snort directory. Also, move the content of etc directory to /etc/snort directory overwriting any files there.

In case you have SELinux enabled snort will be prevented from starting because of wrongly labeled preprocessor plugins. This manifests itself with the following line in the log files:
FATAL ERROR: Failed to load /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0//smtp.so: /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0//smtp.so: failed to map segment from shared object: Permission denied
Of course, the exact paths will differ depending on your exact installation. Note that snort runs as unconfined process and until I find a way to confine it this can be solved by running the following command in the directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0 (note that this is the directory reported in the log file!):
# chcon system_u:object_r:lib_t:s0 *
Configuration

The final step is snort configuration prior to running it. Master configuration is stored in the /etc/snort/snort.conf file, so open it with your favorite text editor and modify the following lines:
  1. Line that reads ipvar HOME_NET any (cca. 45th line). Replace any with you network address. In my case that was 192.168.1.0/24.
  2. Line that starts with dynamicpreprocessor directory words (cca. 234th line). Parameter is directory and change this parameter to /usr/lib64/snort-2.9.1_dynamicpreprocessor/.
  3. Immediately following the previous line is the line that starts with dynamicengine. Change the parameter of that line with the value /usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so.
  4. And, immediately following the previous line is the line that starts with words dynamicdetection directory whose parameter should be /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/.
  5. Also, you have to create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules. Alternatively, you can disable reputation pretprocessor (find line that begins with preprocessor reputation and comment out the whole block.
Additionally, open /etc/sysconfig/snort file and look if there is something you need to change. For example, in case you have multiple interfaces on which you would like to run snort, you'll have to configure them in that file.

Finally, start snort with the following command:
# /etc/init.d/snortd stop
and, if snort should be started during the boot process, also run the following command:
# chkconfig snortd on
And, that's it! :)

5 comments:

B-rad said...

You saved me a lot of time and hassle. Thanks for the write up!

Enok said...

Is there some way to fix the sip preprocessor problem without starting everything from scratch?

I'm getting that error as well and I'm so close to getting this working. I would appreciate yr help ALOT!

Stjepan Groš (sgros) said...

@Enok...

You could try to copy libsf_sip_preproc* files into /lib/snort_dynamicpreprocessor/ directory. But you need to obtain it from somewhere. It could work if you match versions and processor architectures.

But, in the end, I don't think it takes so much time to recompile snort. Especially if you take spec file I provided.

Enok said...

Thanks for the reply! I have taken a break from SNORT for the time being but I will do it from scratch at a later stage using your spec file, and will let you now how it goes. Thanks again for your help.

Brian Tobin said...

You have :
Finally, start snort with the following command:
# /etc/init.d/snortd stop

Should be:
Finally, start snort with the following command:
# /etc/init.d/snortd start

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive