Thursday, March 13, 2014

Installing Snort 2.9.6.0 on CentOS 6.5 64-bit

Some time ago I wrote a post about installing Snort 2.9.1 on CentOS 6. In the meantime I decided it was time to upgrade, so the idea of this post is to document what has changed with respect to that older post. In short, binary packages for CentOS 6 are now provided on Snort's download page, so you only need to download and install them (or install directly from the URL). Yet there is a problem with a libdnet dependency (I don't know which libdnet was used during compilation, but it certainly wasn't the one in EPEL).

Compiling and installing

In case you want to rebuild the packages yourself, the process is now almost problem-free. In the following I'll assume that you started with a minimal CentOS installation and added the following packages (and their dependencies, of course): gcc, make, bison, flex, autoconf, automake and rpm-build (which provides the rpmbuild tool).

First, download the daq source RPM. Before rebuilding it you should install libpcap-devel; rpmbuild itself will refuse to build and tell you that this package is missing. Once it is installed, rebuild daq:
rpmbuild --rebuild daq-2.0.2-1.src.rpm
Then install it:
yum localinstall ~/rpmbuild/RPMS/x86_64/daq-2.0.2-1.x86_64.rpm
Next, for Snort you'll need the libdnet library, which is in EPEL. So, first install EPEL:
yum install http://mirrors.neterra.net/epel/6/i386/epel-release-6-8.noarch.rpm
Then install the necessary packages:
yum install libdnet-devel zlib-devel
Those two aren't listed as build dependencies in Snort's SRPM, so without them the build fails with a rather cryptic error message. Now download Snort's SRPM and rebuild it using:
rpmbuild --rebuild snort-2.9.6.0-1.src.rpm
Now install it using:
yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.x86_64.rpm
That's all there is for installation.
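The whole build-and-install procedure above, collected into one script. This is an added example, not the post's own commands verbatim: it assumes both .src.rpm files are in the current directory, that rpmbuild uses its default topdir of ~/rpmbuild, an x86_64 host, and that the Snort RPM installs its binary as /usr/sbin/snort; pcre-devel is taken from the question in the comments below, and the helper names (binary_rpm_for, missing_shared_libs, verify_snort_binary) are mine. The final ldd check makes the libdnet.1 dependency problem mentioned in the introduction visible at install time rather than at the first start of snortd.

```shell
#!/bin/sh
# Added example (not the post's own commands): rebuild daq and Snort from their
# SRPMs on CentOS 6 x86_64 and verify the result. Assumes both .src.rpm files
# are in the current directory and rpmbuild uses its default topdir ~/rpmbuild.

DAQ_SRPM="${DAQ_SRPM:-daq-2.0.2-1.src.rpm}"
SNORT_SRPM="${SNORT_SRPM:-snort-2.9.6.0-1.src.rpm}"
EPEL_RELEASE="http://mirrors.neterra.net/epel/6/i386/epel-release-6-8.noarch.rpm"

# Map a source RPM name to the binary RPM that "rpmbuild --rebuild" writes.
# The rebuilt package is the .x86_64.rpm under RPMS, never the .src.rpm itself.
binary_rpm_for() {
    srpm=$1
    arch=${2:-x86_64}
    base=${srpm##*/}
    base=${base%.src.rpm}
    printf '%s/rpmbuild/RPMS/%s/%s.%s.rpm\n' "$HOME" "$arch" "$base" "$arch"
}

# Build dependencies, including the ones the Snort spec does not declare
# (libdnet-devel, zlib-devel) and the pcre-devel asked about in the comments.
install_build_deps() {
    yum -y install gcc make bison flex autoconf automake rpm-build libpcap-devel || return 1
    rpm -q epel-release >/dev/null 2>&1 || yum -y install "$EPEL_RELEASE" || return 1
    yum -y install libdnet-devel zlib-devel pcre-devel
}

# Rebuild one SRPM, then install exactly the binary package it produced.
rebuild_and_install() {
    srpm=$1
    rpmbuild --rebuild "$srpm" || return 1
    pkg=$(binary_rpm_for "$srpm")
    if [ ! -f "$pkg" ]; then
        echo "rebuild of $srpm did not produce $pkg" >&2
        return 1
    fi
    yum -y localinstall "$pkg"
}

# Print the shared libraries a binary needs that the loader cannot find
# (one per line); prints nothing when every dependency resolves.
missing_shared_libs() {
    ldd "$1" 2>/dev/null | awk '/not found/ { print $1 }'
}

# Post-install check. A libdnet built with a different soname than the package
# expects shows up here as "libdnet.1 => not found", at install time rather
# than at the first "service snortd start".
verify_snort_binary() {
    missing=$(missing_shared_libs /usr/sbin/snort)
    if [ -n "$missing" ]; then
        echo "snort is missing shared libraries:" >&2
        echo "$missing" >&2
        return 1
    fi
    /usr/sbin/snort -V >/dev/null 2>&1
}

main() {
    install_build_deps &&
    rebuild_and_install "$DAQ_SRPM" &&
    rebuild_and_install "$SNORT_SRPM" &&
    verify_snort_binary
}

# Run the full procedure only when asked, so the file can also be sourced for
# its helpers:  RUN_SNORT_BUILD=1 sh build-snort.sh
if [ "${RUN_SNORT_BUILD:-0}" = 1 ]; then
    main
fi
```

Running it with RUN_SNORT_BUILD=1 as root performs the four steps in order and stops at the first failure; sourcing it without that variable only defines the functions, which is handy for checking an already installed binary with verify_snort_binary.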

Configuring and running

I'll assume that you are installing a fresh instance, i.e. there is no previous configuration. If there is a previous installation, be careful not to overwrite its configuration. To configure Snort you'll have to download the snortrules snapshot archive. Then unpack it:
mkdir ~/snort
tar xzf snortrules-snapshot-2960.tar.gz -C ~/snort
chown -R root:root ~/snort
Next you have to move the files into place. First, move the basic configuration files:
mv -f ~/snort/etc/* /etc/snort/
Note that I'm using the force option of the move command to overwrite existing files. Next, move the rules into place:
mv -i ~/snort/rules ~/snort/preproc_rules ~/snort/so_rules /etc/snort/
Now, if you are using SELinux you should change the SELinux context of the files you moved to the /etc/snort directory. Do it using the following commands:
chcon -R system_u:object_r:snort_etc_t:s0 /etc/snort
chcon -R system_u:object_r:lib_t:s0 /etc/snort/so_rules/precompiled/RHEL-6-0/
You should now modify the configuration file. Here is a diff of the changes I made:
--- snort.conf.orig 2014-03-13 11:25:53.889609831 +0100
+++ snort.conf 2014-03-13 11:37:32.419292894 +0100
@@ -42,16 +42,16 @@
 ###################################################

 # Setup the network addresses you are protecting
-ipvar HOME_NET any
+ipvar HOME_NET 192.168.1.0/24

 # Set up the external network addresses. Leave as "any" in most situations
 ipvar EXTERNAL_NET any

 # List of DNS servers on your network
-ipvar DNS_SERVERS $HOME_NET
+ipvar DNS_SERVERS 192.168.1.8,192.168.1.9

 # List of SMTP servers on your network
-ipvar SMTP_SERVERS $HOME_NET
+ipvar SMTP_SERVERS 192.168.1.20

 # List of web servers on your network
 ipvar HTTP_SERVERS $HOME_NET
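Review bot: the narrowed HOME_NET, DNS_SERVERS and SMTP_SERVERS values (192.168.1.0/24, 192.168.1.8,192.168.1.9 and 192.168.1.20) are site-specific and will be wrong for anyone applying this diff verbatim; a comment such as `# site-specific: adjust to your network` above `ipvar HOME_NET 192.168.1.0/24` would make that explicit in the file itself rather than only in the prose. HTTP_SERVERS is left at $HOME_NET while DNS and SMTP are narrowed to individual hosts; if the site has known web servers, narrowing it the same way keeps the scope of the HTTP rules consistent with the other two.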
@@ -101,13 +101,13 @@
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
-var SO_RULE_PATH ../so_rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH rules
+var SO_RULE_PATH so_rules
+var PREPROC_RULE_PATH preproc_rules

 # If you are using reputation preprocessor set these
-var WHITE_LIST_PATH ../rules
-var BLACK_LIST_PATH ../rules
+var WHITE_LIST_PATH rules
+var BLACK_LIST_PATH rules

 ###################################################
 # Step #2: Configure the decoder.  For more information, see README.decode
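Review bot: the new values `rules`, `so_rules` and `preproc_rules` are relative paths and only work if Snort resolves them against the directory holding snort.conf; the header comment right above the change (`You are advised to make this an absolute path`) applies just as well here, so `/etc/snort/rules` and friends would be the safer choice given the files were moved to /etc/snort. WHITE_LIST_PATH and BLACK_LIST_PATH now both point at the rules directory, so white_list.rules and black_list.rules must exist there before the first start, which is worth stating in a comment next to these two lines.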
@@ -240,13 +240,13 @@
 ###################################################

 # path to dynamic preprocessor libraries
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+dynamicpreprocessor directory /usr/lib64/snort-2.9.6.0_dynamicpreprocessor/

 # path to base preprocessor engine
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+dynamicengine /usr/lib64/snort-2.9.6.0_dynamicengine/libsf_engine.so.0

 # path to dynamic rules libraries
-dynamicdetection directory /usr/local/lib/snort_dynamicrules
+dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0/

 ###################################################
 # Step #5: Configure preprocessors
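Review bot: all three new paths pin the Snort version (`/usr/lib64/snort-2.9.6.0_dynamicpreprocessor/`, `/usr/lib64/snort-2.9.6.0_dynamicengine/libsf_engine.so.0` and `.../x86-64/2.9.6.0/`), so a later package upgrade will silently leave snort.conf pointing at directories that no longer exist; a comment noting that these must be updated on upgrade, or a check of the paths before start, would avoid a confusing failure later. Note also that the dynamicengine line changes from the unversioned `libsf_engine.so` to the versioned `libsf_engine.so.0`, and that the dynamicdetection directory now lives under /etc/snort/so_rules/precompiled, the same tree the `chcon ... lib_t` step above applies to, so those two must stay in sync.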
You can also download the complete snort.conf file that worked for me. Be careful, though: you need to change the IP addresses in the configuration file to match your environment.

Finally, create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules.

Now you should be able to start Snort:
# /etc/init.d/snortd start
Starting snort: Spawning daemon child...
My daemon child 1904 lives...
Daemon parent exiting (0)                         [  OK  ]
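A pre-flight check that the paths in the modified snort.conf actually exist on disk, to run before the start above so that a misplaced rules directory or a stale versioned library path shows up as one clear message instead of a failed daemon start. This is an added example and not part of the original post; it assumes that Snort resolves relative values such as `var RULE_PATH rules` against the directory containing snort.conf (which is what the relative paths in the diff rely on), and the function names (check_snort_conf, build_demo_layout, resolve_path) are mine. The demo layout it can build is a constructed copy of the values from the diff, not a real installation.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the paths a
# snort.conf refers to, run before "/etc/init.d/snortd start".
# Assumption: relative values such as "var RULE_PATH rules" are taken relative
# to the directory containing snort.conf, as in the /etc/snort layout above.

# First value of "var NAME value", "<key> directory value" or "dynamicengine value".
conf_var()     { awk -v n="$2" '$1 == "var" && $2 == n { print $3; exit }' "$1"; }
conf_dyn_dir() { awk -v k="$2" '$1 == k && $2 == "directory" { print $3; exit }' "$1"; }
conf_engine()  { awk '$1 == "dynamicengine" { print $2; exit }' "$1"; }

# Keep absolute paths; join relative ones to the config directory.
resolve_path() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Report a problem and bump the caller's counter.
problem() { echo "$1"; problems=$((problems + 1)); }

# Check every path in a snort.conf. Prints one line per problem and returns
# the number of problems found, so 0 means the paths are consistent.
check_snort_conf() {
    conf=$1
    problems=0
    [ -f "$conf" ] || { echo "config not found: $conf"; return 1; }
    confdir=$(dirname "$conf")

    # Rule directories.
    for name in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH; do
        val=$(conf_var "$conf" "$name")
        if [ -z "$val" ]; then problem "$name: not set"; continue; fi
        dir=$(resolve_path "$confdir" "$val")
        [ -d "$dir" ] || problem "$name: no such directory: $dir"
    done

    # Reputation preprocessor lists: Snort needs both files, even if empty.
    for spec in "WHITE_LIST_PATH white_list.rules" "BLACK_LIST_PATH black_list.rules"; do
        set -- $spec
        val=$(conf_var "$conf" "$1")
        if [ -z "$val" ]; then problem "$1: not set"; continue; fi
        file=$(resolve_path "$confdir" "$val")/$2
        [ -f "$file" ] || problem "$1: missing list file: $file"
    done

    # Dynamic preprocessor and detection directories, and the engine library.
    for key in dynamicpreprocessor dynamicdetection; do
        val=$(conf_dyn_dir "$conf" "$key")
        if [ -z "$val" ]; then problem "$key: not set"; continue; fi
        dir=$(resolve_path "$confdir" "$val")
        [ -d "$dir" ] || problem "$key: no such directory: $dir"
    done
    val=$(conf_engine "$conf")
    if [ -z "$val" ]; then
        problem "dynamicengine: not set"
    else
        lib=$(resolve_path "$confdir" "$val")
        [ -f "$lib" ] || problem "dynamicengine: no such file: $lib"
    fi

    # Not counted as an error: a HOME_NET left at "any" makes every rule keyed
    # on $HOME_NET apply to all traffic, which the diff above deliberately narrows.
    home_net=$(awk '$1 == "ipvar" && $2 == "HOME_NET" { print $3; exit }' "$conf")
    [ "$home_net" != "any" ] || echo "warning: HOME_NET is still 'any'"

    return "$problems"
}

# Constructed demo layout mirroring the values from the diff above (not a real
# install): writes a snort.conf plus the directories and files it names under
# $1 and prints the path of the config.
build_demo_layout() {
    root=$1
    mkdir -p "$root/rules" "$root/so_rules" "$root/preproc_rules" \
             "$root/lib/pp" "$root/lib/engine" "$root/so_rules/precompiled"
    touch "$root/rules/white_list.rules" "$root/rules/black_list.rules" \
          "$root/lib/engine/libsf_engine.so.0"
    cat > "$root/snort.conf" <<EOF
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
dynamicpreprocessor directory $root/lib/pp/
dynamicengine $root/lib/engine/libsf_engine.so.0
dynamicdetection directory $root/so_rules/precompiled/
EOF
    printf '%s\n' "$root/snort.conf"
}

# Usage: sh check-snort-conf.sh /etc/snort/snort.conf && /etc/init.d/snortd start
if [ -n "${1:-}" ]; then
    check_snort_conf "$1"
fi
```

The exit status is the number of problems, so the check chains naturally in front of the daemon start; on a real box the interesting failures are the two empty list files from the step above being forgotten and the version-pinned /usr/lib64/snort-2.9.6.0_* directories going stale after a package upgrade.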

8 comments:

Robert Sly said...

I am still getting this error, after I install epel-release-6-8.noarch.rpm, then do, rpmbuild --rebuild snort-2.9.6.0-1.src.rpm

Any idea on how I can get past this?

Error: Package: 1:snort-2.9.6.0-1.x86_64 (/snort-2.9.6.0-1.x86_64)
Requires: libdnet.1()(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest


also, you have a typo, the install should be:
yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.x86_64.rpm
not,

yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.src.rpm

Stjepan Groš (sgros) said...

That's strange, as if you are trying to install RPM package from the Snort's download page, not the one you compiled?

Maybe you compiled it on one machine, and then you are trying to install it on another on which you didn't configure EPEL repository?

And thanks for the typo, I corrected it.

Robert Sly said...

I am making the RPM from source as you have defined above.

I can compile and install snort-2.9.4.6 from source just fine. After testing that it worked, I did "make uninstall" from the snort-2.9.4.6 source directory.

The problem is that when I rebuild snort-2.9.6.0-1.src.rpm and try to install the new RPM, I keep getting the error:
Error: Package: 1:snort-2.9.6.0-1.x86_64 (/snort-2.9.6.0-1.x86_64)
Requires: libdnet.1()(64bit)

I am on a clean+updated OS build of CentOS 6.5

Stjepan Groš (sgros) said...

That's strange. Have you managed to solve that? Have you checked that you have libdnet installed on the system? It might be installed, but not recorded in RPM database.

Check whether the snort binary depends on libdnet using ldd (either unpack the RPM using rpm2cpio, or stop the build process before packaging using the -bb option to rpmbuild).

Also, you can try the rpm tool with the --nodeps option, and then see if it works.

If you want, I can put my RPM package on the Internet so that you can try to install it?

Henkie Prabancono said...

Hello guys,

Maybe you should try to downgrade libdnet to version 1.11.

You could download the libdnet package from this URL: http://pkgs.org/centos-6/repoforge-x86_64/libdnet-1.11-1.2.el6.rf.x86_64.rpm.html

I still can not explain this, but it works for me. My snort is running well.

Here are the details of my env:
- CentOS release 6.5 (Final)
- kernel 2.6.32-431.el6.x86_64
- snort-2.9.6.0-1.x86_64
- libdnet-1.11-1.2.el6.rf.x86_64
- daq-2.0.2-1.x86_64

Hope this is helpful.

Alexander Stiehl said...

I found a workaround.

If you have @epel AND @rpmforge in your repository, you can do yum downgrade libdnet.

It will remove the @epel 1.2 version and install the @rpmforge 1.1 version.

Installation with the CentOS 6 64-bit prebuilt RPM works after that.

Khoa A. Luong said...

Hi, I have trouble with the installation. I get this error while running rpmbuild --rebuild snort-2.9.6.0-1.src.rpm:

checking for pcre_compile in -lpcre... no

ERROR! Libpcre library not found.
Get it from http://www.pcre.org

error: Bad exit status from /var/tmp/rpm-tmp.jzQ6zv (%build)

Do you have any idea? I installed the pcre package from that website but the problem is still the same.

Thank you

Stjepan Groš (sgros) said...

When installing something avoid "manual installation" and try to use yum/rpm as much as possible. In this particular case, try:

yum install pcre-devel
