Saturday, October 1, 2011

Installing Snort 2.9.1 on 64-bit CentOS 6...

I just installed Snort 2.9.1 on CentOS 6, and since that wasn't a straightforward process, I decided to document all the steps I took for later reference. Also, maybe someone will find this useful, so I placed it here.

The process of setting up Snort is divided into three phases: compilation, installation and configuration. The compilation phase is done entirely on an auxiliary host, while the installation and configuration phases are done on the target host, i.e. on the host where you wish to install snort.
Binary Snort packages from the download pages are all for 32-bit machines. Furthermore, the SPEC file within the provided SRPM has two bugs. The first one is that it wrongly links with a libdnet.1 library that doesn't exist. I circumvented that problem as described below. The second problem is that not all preprocessors are included in the final binary package. If you try to start snort and it fails with the following message in the log file:
FATAL ERROR: /etc/snort/snort.conf(463) Unknown preprocessor: "sip".
then this is a manifestation of that problem. Apart from sip, the imap, pop and reputation preprocessors are also missing. I have fixed the spec file and made a new Snort SRPM package. If you trust me enough (but don't! :)), you can skip the compilation phase and obtain the binary packages for daq and snort directly from my homepage. In that case, go to the installation phase and continue from there.

Compilation

As I said, the first problem with Snort is that on the download page there are no precompiled binaries for 64-bit versions of Linux distributions. Still, there are SRPM packages of Snort (extension src.rpm) and of its prerequisite Daq, so it isn't so bad. Download those packages and rebuild them: first daq and then, after installing daq, snort itself. A development environment (compiler, development libraries, etc.) is mandatory for the rebuild process. Since you are probably going to run snort on a firewall, or on some machine close to the firewall, it isn't good security practice to install a development environment on the target machine (i.e. the firewall). So, find another machine with CentOS 6 and all the latest updates (or install one) and perform the build process there. You'll need at minimum the package rpm-build-4.8.0-16.el6.x86_64; afterwards, any missing package will be reported and you can install it using yum. So, install the rpm-build package and try to start the build process (do this as an ordinary user!):
rpmbuild --rebuild daq-0.6.1-1.src.rpm
If missing packages are reported, then install them (as superuser) and try to start the build process again. Note that libdnet can be found in the EPEL repository. Repeat this until the build process is successful. You'll find the binary package in the directory ~/rpmbuild/RPMS/x86_64/. Go there and install the daq package:
yum localinstall --nogpgcheck daq-0.6.1-1.x86_64.rpm
The nogpgcheck option is necessary since we didn't sign the binary package. Then go back to the directory where you downloaded daq and snort, and start the snort build process:
rpmbuild --rebuild snort-2.9.1-1.src.rpm
This too can stop due to missing packages, so install any required package and restart the build process. Do this until the build process is successful.
Now you have the daq and snort packages ready in the build output directory ~/rpmbuild/RPMS/x86_64/: the files daq-0.6.1-1.x86_64.rpm and snort-2.9.1-1.x86_64.rpm.
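The "rebuild, read the list of missing packages, install them, rebuild again" loop described above can be scripted. The script below is an added example, not part of the original post or of the Snort project: it parses the "Failed build dependencies" report that rpmbuild prints (lines of the form "package [op version] is needed by srpm") into a package list, so that the ordinary user doing the build can hand a ready-made yum command to the superuser. The sample rpmbuild output embedded in it is constructed for the offline demonstration; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): drive "rpmbuild --rebuild" and
# turn its missing-build-dependency report into a package list for root.
# rpmbuild runs as the ordinary user, as the post recommends; only the
# "yum install" of the reported packages needs the superuser.

# Print each missing package name once, one per line.
# Reads rpmbuild output on stdin; lines look like
#   "libpcap-devel is needed by daq-0.6.1-1.x86_64"
#   "libdnet-devel >= 1.11 is needed by daq-0.6.1-1.x86_64"
extract_missing_build_deps() {
    sed -n 's/^[[:space:]]*\([^[:space:]][^[:space:]]*\).* is needed by .*$/\1/p' | sort -u
}

# rebuild_srpm SRPM
# Exit status: 0 on success; 2 when the only problem was missing build
# dependencies (the yum command to run as root is printed); 1 otherwise.
rebuild_srpm() {
    srpm=$1
    log=$(mktemp)
    if rpmbuild --rebuild "$srpm" >"$log" 2>&1; then
        rm -f "$log"
        echo "built $srpm; binary packages are in ~/rpmbuild/RPMS/x86_64/"
        return 0
    fi
    missing=$(extract_missing_build_deps <"$log" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "missing build dependencies for $srpm; as superuser run:"
        echo "  yum install $missing"
        echo "(libdnet-devel comes from the EPEL repository)"
        rm -f "$log"
        return 2
    fi
    echo "build of $srpm failed for another reason, see $log"
    return 1
}

# Constructed sample of rpmbuild's failure output, so the parser can be
# exercised without rpmbuild or the SRPMs present.
SAMPLE_RPMBUILD_OUTPUT='Installing daq-0.6.1-1.src.rpm
error: Failed build dependencies:
    libpcap-devel is needed by daq-0.6.1-1.x86_64
    libdnet-devel >= 1.11 is needed by daq-0.6.1-1.x86_64
    libpcap-devel is needed by daq-0.6.1-1.x86_64'

# Parsed package list from the sample, as one space-separated line.
sample_missing_deps() {
    printf '%s\n' "$SAMPLE_RPMBUILD_OUTPUT" | extract_missing_build_deps \
        | tr '\n' ' ' | sed 's/ $//'
}

# Usage (as an ordinary user): sh build-srpm.sh --build daq-0.6.1-1.src.rpm
if [ "${1:-}" = "--build" ]; then
    rebuild_srpm "$2"
fi
```

Run it once per SRPM, daq first; when it exits with status 2, install the printed packages as root and run it again, exactly the loop the text describes, but without reading the build log by hand.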

Installation

Transfer the binary packages of snort and daq to the target machine and install them there:
yum localinstall --nogpgcheck daq-0.6.1-1.x86_64.rpm \
            snort-2.9.1-1.x86_64.rpm
It could also happen that you'll need additional packages, but any dependencies will be automatically retrieved and installed by yum. So, that's it for the installation phase.

The build process, for whatever reason, wrongly got a dependency on the libdnet library: it looks for libdnet.1 instead of libdnet.so.1. To check if this is a problem in your case, just try to start snort:
# /etc/init.d/snortd start
Starting snort: /usr/sbin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
                                                           [FAILED]
In case the output looks like that one, you have the problem with libdnet.1 too. To solve it, go to the directory /usr/lib64 and run the following command there:
# ln -s libdnet.so.1 libdnet.1
This is actually a hack, since the build process has a bug, but as I didn't want to look into or modify the build process, this was easier to do and I did it that way.

The error with the libdnet library was caused by a manually installed libdnet in /usr/local/ which had the name libdnet.1 for whatever reason, and that was picked up by the configure script. In other words, if you compile snort manually you'll not have that problem, only if you used the old binary that I provided (now that is fixed!).
You'll also need to obtain snort rules, and that requires you to register on the Snort Web page. After registering and downloading the rules, unpack the archive you obtained in some directory. In the following text I'm using the package snortrules-snapshot-2910.tar.gz from September 1st, 2011 (which was obtained on October 1st, 2011).

What you'll get is the following structure:
$ ls -1
etc
preproc_rules
rules
so_rules
Move the directories preproc_rules, rules and so_rules into the /etc/snort directory. Also, move the content of the etc directory to the /etc/snort directory, overwriting any files there.

In case you have SELinux enabled, snort will be prevented from starting because of wrongly labeled preprocessor plugins. This manifests itself with the following line in the log files:
FATAL ERROR: Failed to load /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0//smtp.so: /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0//smtp.so: failed to map segment from shared object: Permission denied
Of course, the exact paths will differ depending on your exact installation. Note that snort runs as an unconfined process, and until I find a way to confine it, this can be solved by running the following command in the directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0 (note that this is the directory reported in the log file!):
# chcon system_u:object_r:lib_t:s0 *

Configuration

The final step is snort configuration prior to running it. The master configuration is stored in the /etc/snort/snort.conf file, so open it with your favorite text editor and modify the following lines:
  1. The line that reads ipvar HOME_NET any (around line 45). Replace any with your network address. In my case that was 192.168.1.0/24.
  2. The line that starts with the words dynamicpreprocessor directory (around line 234). The parameter is a directory; change it to /usr/lib64/snort-2.9.1_dynamicpreprocessor/.
  3. Immediately following the previous line is the line that starts with dynamicengine. Change the parameter of that line to the value /usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so.
  4. And immediately following the previous line is the line that starts with the words dynamicdetection directory, whose parameter should be /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/.
  5. Also, you have to create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules. Alternatively, you can disable the reputation preprocessor (find the line that begins with preprocessor reputation and comment out the whole block).
Additionally, open the /etc/sysconfig/snort file and look whether there is something you need to change. For example, in case you have multiple interfaces on which you would like to run snort, you'll have to configure them in that file.
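Because a mistake in any of the five edits above only shows up when snort fails to start, it is worth checking them before touching the init script. The script below is an added example, not part of the original post or of Snort itself: it reads a snort.conf, verifies the HOME_NET, dynamicpreprocessor, dynamicengine and dynamicdetection values against the paths used in this post, and checks that the two reputation list files exist while the reputation block is still active. The expected paths are those from the steps above (change them for a different installation); the two snort.conf fragments it writes to a temporary directory are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the
# snort.conf edits from steps 1-5 before starting snort.
# Expected values are the ones the post uses; adjust for your installation.
EXPECTED_PREPROC_DIR=/usr/lib64/snort-2.9.1_dynamicpreprocessor/
EXPECTED_ENGINE=/usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so
EXPECTED_DETECTION_DIR=/etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/

# directive_value CONF KEY [KEY2]
# Print the last field of the first non-comment line whose first word is KEY
# (and whose second word is KEY2, when given). Prints nothing when absent.
directive_value() {
    awk -v key="$2" -v key2="${3:-}" '
        /^[[:space:]]*#/ { next }
        $1 == key && (key2 == "" || $2 == key2) { print $NF; exit }
    ' "$1"
}

# check_snort_conf CONF RULES_DIR
# Returns 0 when every edit is in place, 1 otherwise; each problem is
# reported with the number of the step above that fixes it.
check_snort_conf() {
    conf=$1; rules_dir=$2; rc=0
    home_net=$(directive_value "$conf" ipvar HOME_NET)
    if [ -z "$home_net" ] || [ "$home_net" = any ]; then
        echo "step 1: HOME_NET is '${home_net:-unset}'; set it to your network, e.g. 192.168.1.0/24"
        rc=1
    fi
    if [ "$(directive_value "$conf" dynamicpreprocessor directory)" != "$EXPECTED_PREPROC_DIR" ]; then
        echo "step 2: dynamicpreprocessor directory is not $EXPECTED_PREPROC_DIR"; rc=1
    fi
    if [ "$(directive_value "$conf" dynamicengine)" != "$EXPECTED_ENGINE" ]; then
        echo "step 3: dynamicengine is not $EXPECTED_ENGINE"; rc=1
    fi
    if [ "$(directive_value "$conf" dynamicdetection directory)" != "$EXPECTED_DETECTION_DIR" ]; then
        echo "step 4: dynamicdetection directory is not $EXPECTED_DETECTION_DIR"; rc=1
    fi
    # Step 5 only matters while the reputation preprocessor block is active.
    if grep -q '^[[:space:]]*preprocessor reputation' "$conf"; then
        for f in white_list.rules black_list.rules; do
            [ -f "$rules_dir/$f" ] || { echo "step 5: missing $rules_dir/$f"; rc=1; }
        done
    fi
    return $rc
}

# demo_check before|after
# Constructed snort.conf fragments: stock values (fails the check) and the
# edited values with the two list files created (passes). Returns the
# checker's status.
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules"
    if [ "$1" = after ]; then
        cat >"$tmp/snort.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
dynamicpreprocessor directory /usr/lib64/snort-2.9.1_dynamicpreprocessor/
dynamicengine /usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so
dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/
preprocessor reputation: \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
EOF
        : >"$tmp/rules/white_list.rules"
        : >"$tmp/rules/black_list.rules"
    else
        cat >"$tmp/snort.conf" <<'EOF'
# stock values as shipped in snort.conf
ipvar HOME_NET any
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor reputation: \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
EOF
    fi
    check_snort_conf "$tmp/snort.conf" "$tmp/rules"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage on the target host:
#   check_snort_conf /etc/snort/snort.conf /etc/snort/rules && /etc/init.d/snortd start
```

The check deliberately reads only the directive values and does not try to open the plugin directories itself; a wrong path there still fails loudly when snort starts, whereas a wrong HOME_NET starts fine and silently leaves part of the traffic untreated as local, which is the case worth catching beforehand.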

Finally, start snort with the following command:
# /etc/init.d/snortd start
and, if snort should be started during the boot process, also run the following command:
# chkconfig snortd on
And, that's it! :)

5 comments:

B-rad said...

You saved me a lot of time and hassle. Thanks for the write up!

Enok said...

Is there some way to fix the sip preprocessor problem without starting everything from scratch?

I'm getting that error as well and I'm so close to getting this working. I would appreciate yr help ALOT!

Stjepan Groš (sgros) said...

@Enok...

You could try to copy libsf_sip_preproc* files into /lib/snort_dynamicpreprocessor/ directory. But you need to obtain it from somewhere. It could work if you match versions and processor architectures.

But, in the end, I don't think it takes so much time to recompile snort. Especially if you take the spec file I provided.

Enok said...

Thanks for the reply! I have taken a break from SNORT for the time being but I will do it from scratch at a later stage using your spec file, and will let you know how it goes. Thanks again for your help.

Unknown said...

You have :
Finally, start snort with the following command:
# /etc/init.d/snortd stop

Should be:
Finally, start snort with the following command:
# /etc/init.d/snortd start
