Thursday, August 12, 2010

SNORT (IDS/IPS) Configuration and Implementation


Let's start with how to install SNORT, which is an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). We tested this installation of SNORT on RHEL5.
Step1 : Download the following packages:
libpcap-1.0.0.tar.gz
pcre-8.00.tar.gz
libnet-1.0.2a.tar.gz (This package is optional; you only need it if you want SMB popup alerts on Windows machines.)
snort-2.8.5.1.tar.gz
acid-0.9.6b23.tar.gz
Note : Don't try to install SNORT through rpm packages; install from the source packages instead, because the rpms pull in a great many dependencies. Install the above packages in the order listed so that each one's dependencies are already in place.
Step2 : Untar the packages one by one.
#tar xvfz packagename.tar.gz
Step3 : Change to the libpcap-1.0.0 directory and run the ./configure shell script. This checks the system attributes and generates the Makefile, which is then used to build and install the libpcap package, as follows.
#cd libpcap-1.0.0
#./configure
#make
#make install
Note : If anything goes wrong, search for the error message in Google.
Step4 : After installing libpcap, install the pcre package, which provides the regular-expression matching SNORT uses when checking captured packets against rules with multiple patterns. First change to the pcre-8.00 directory, then execute the following commands:
#cd ../pcre-8.00
#./configure
#make
#make check
#make install
Step5 : Now install the libnet package.
#cd ../libnet-1.0.2a
#./configure
#make
#make check
#make install
Step6 : Now install the most important package in our IDS/IPS project, SNORT itself. Just follow the commands below. You have to be careful in this step, because SNORT can be installed either as a standalone system or as a complete system with DB/web server/ACID support. If you are planning to install SNORT standalone, just execute ./configure after changing to the snort-2.8.5.1 directory. Here, however, I am going to build a complete SNORT system with all the capabilities. Before that we should know the contents of the snort source directory; please read the relevant README files in the doc/ folder.
Note : Do the following things before installing SNORT.
1. Copy the etc/ content of the source directory to the /etc/snort directory (as the cp command below does).
2. Create the /var/log/snort directory for snort logging activity (remember we have to mention this path in the main configuration file, which in our case will be /etc/snort/etc/snort.conf).
3. Create the /etc/snort/rules directory for the snort rules files.
#mkdir /etc/snort
#cp -ar ./etc /etc/snort/
#mkdir /var/log/snort
#mkdir /etc/snort/rules
Now start installing SNORT
# ./configure --with-mysql --with-snmp --enable-smbalerts --enable-flexresp
#make
#make check
#make install
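As an added example (not part of the original post), here is the same procedure as a small shell script: build_pkg wraps the configure/make/install sequence from Steps 3 to 6 with a per-package log, and the two layout functions create and then verify the directory layout from the Step 6 note. The PREFIX argument is my own addition: "/" reproduces the post's paths, while a scratch directory lets you rehearse the layout without root.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the post's source
# packages and prepares the /etc/snort layout from the Step 6 note.

# build_pkg DIR [configure flags...]: Steps 3-6 for one unpacked tree.
# Stops at the first failing stage and keeps the output in a log, so the
# error message is there to search for (see the note after Step 3).
# "make check" is run only when the package defines that target.
build_pkg() {
    dir=$1; shift
    log=/tmp/build-$(basename "$dir").log
    ( cd "$dir" || exit 1
      ./configure "$@" && make \
        && { ! make -n check >/dev/null 2>&1 || make check; } \
        && make install ) >"$log" 2>&1 \
        || { echo "build of $dir failed, see $log" >&2; return 1; }
}

# snort_layout_setup PREFIX SRCDIR: items 1-3 of the Step 6 note.
# PREFIX is an assumed parameter: "/" gives the post's real paths, a
# scratch directory lets you rehearse the layout without root.
snort_layout_setup() {
    prefix=${1%/}; src=$2
    [ -f "$src/etc/snort.conf" ] \
        || { echo "no etc/snort.conf under $src" >&2; return 1; }
    mkdir -p "$prefix/etc/snort" "$prefix/etc/snort/rules" \
             "$prefix/var/log/snort" || return 1
    cp -Rp "$src/etc" "$prefix/etc/snort/" || return 1   # the post's cp -ar
    # Alert logs can contain packet payloads: keep them root-only.
    chmod 700 "$prefix/var/log/snort"
}

# snort_layout_check PREFIX: confirm everything snort.conf will point at
# exists before the first run; lists each missing path, returns 1 if any.
snort_layout_check() {
    prefix=${1%/}; rc=0
    for p in etc/snort/etc/snort.conf etc/snort/rules var/log/snort; do
        [ -e "$prefix/$p" ] || { echo "missing: $prefix/$p" >&2; rc=1; }
    done
    return $rc
}

# Usage, as root, from the directory holding the unpacked sources:
#   build_pkg libpcap-1.0.0 && build_pkg pcre-8.00 && build_pkg libnet-1.0.2a
#   (cd snort-2.8.5.1 && snort_layout_setup / .) && snort_layout_check /
#   build_pkg snort-2.8.5.1 --with-mysql --with-snmp --enable-smbalerts --enable-flexresp
```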
Hmm..! Good, we are done with the installation of SNORT.
In the next post I will show you how to configure SNORT and integrate it with MySQL and ACID.