Snort Quickstart on CentOS 5.5 (x86)

Published: 02/24/2011

A phrase that keeps ringing in my head long after taking the SANS 401 class is, "Prevention is ideal but detection is a must."

No matter how tight your firewall rules are or how closely you watch your logs, something will eventually slip by, especially if you blindly allow port 80 inbound (or outbound from your trusted internal network). A network IDS watching the same wire is how you find out when it does.

Because Snort can be frustrating for beginners to install from source with all of its dependencies, especially on a Linux system that has only the bare minimum of components installed, this article is meant as a straight path from zero to a fully working IDS within about an hour (depending on the speed of your Internet connection). The CentOS 5.5 setup used as an example here is not a default installation of the operating system but a customized one with only Apache httpd and a SQL database as add-ons: during the OS install, check the "Server" package, select "Customize software selection," and unselect everything except "MySQL Database" and "Web Server". That is assumed to be your starting point, since a box with no unneeded services running is the smallest attack surface you can give a sensor that will sit on a tap of your network.

The majority of this exercise was sourced from the Snort 2.8.6 on CentOS 5.5 install guide. However, at the time of this writing Snort is the latest available and there were some quirks in following that guide to the letter (hence this article).

The machine has two interfaces. eth0 is used for management while eth1 will be the sniffing interface (it needs no IP address of its own; Snort puts it into promiscuous mode when it starts). Copy and paste the commands listed here as root.

First, a few things...

Onto the show...

Now set up your TAP / SPAN port / hub connection on eth1 so Snort can spy on your Facebook users and ensure everyone conforms to the corporate security guidelines. Before trusting it with real traffic, test that Snort actually sees the wire by adding a rule to the /etc/snort/rules/local.rules file like so (restart Snort afterwards so it loads the new rule; local rules should use SIDs of 1,000,000 or above, since lower numbers are reserved for the official rule sets):

alert tcp any any -> any 6767 (msg:"ADMIN TEST RULE 001 - TCP 6767"; sid:99990001; rev:1;)

Then use telnet or netcat from a host whose traffic crosses the tap to throw an "evil" packet at TCP port 6767 on any other host and see if it shows up in BASE. Because the rule carries no flow or content options, the initial SYN alone is enough to trigger it, so nothing needs to be listening on port 6767. If the alert appears in Snort's own alert output but not in BASE, the database output path is what needs fixing, not detection.
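To see exactly which packets the header of that test rule selects, here is a small rule-header matcher written for this article. It is an added example, not code from the original post or from Snort itself, and it goes a little beyond the rule above: it also handles the "!" negation, port ranges, the "<>" direction and $HOME_NET-style variables. The second rule, the HOME_NET value and the packet addresses are constructed for the demonstration.

```python
"""Toy matcher for Snort 2.x rule headers (added example, not Snort code).

Only the header (action proto src sport dir dst dport) is evaluated; payload
options such as content/flow are ignored, which is accurate for the article's
test rule because it has none.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# key; or key:value; where a quoted value may itself contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(text):
    """Parse one single-line Snort rule; raises ValueError if it is malformed."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError('not a rule header: %r' % text)
    options = {k: v.strip('"') for k, v in OPTION_RE.findall(m.group('opts'))}
    if 'sid' not in options:
        raise ValueError('rule has no sid')
    return Rule(m.group('action'), m.group('proto'), m.group('src'),
                m.group('sport'), m.group('dir'), m.group('dst'),
                m.group('dport'), options)


def sid_is_local(rule):
    """Snort reserves SIDs below 1,000,000 for the official rule sets."""
    return int(rule.options['sid']) >= 1000000


def _port_matches(spec, port):
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not _port_matches(spec[1:], port)
    if ':' in spec:  # ranges: "1024:", ":1023", "6767:6770"
        lo, hi = spec.split(':', 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)


def _addr_matches(spec, addr, variables):
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not _addr_matches(spec[1:], addr, variables)
    if spec.startswith('$'):  # $HOME_NET etc., resolved from the caller's map
        return _addr_matches(variables[spec[1:]], addr, variables)
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(rule, pkt, variables=None):
    """True if the rule header selects this packet (options are ignored)."""
    variables = variables or {}
    if rule.proto != 'ip' and rule.proto != pkt.proto:
        return False
    forward = (_addr_matches(rule.src, pkt.src, variables)
               and _port_matches(rule.sport, pkt.sport)
               and _addr_matches(rule.dst, pkt.dst, variables)
               and _port_matches(rule.dport, pkt.dport))
    if forward or rule.direction == '->':
        return forward
    # '<>' also matches the reply direction of the same conversation
    return (_addr_matches(rule.src, pkt.dst, variables)
            and _port_matches(rule.sport, pkt.dport)
            and _addr_matches(rule.dst, pkt.src, variables)
            and _port_matches(rule.dport, pkt.sport))


# The article's test rule, plus a constructed stricter variant that only fires
# on connections leaving HOME_NET (the variable value is constructed too).
TEST_RULE = ('alert tcp any any -> any 6767 '
             '(msg:"ADMIN TEST RULE 001 - TCP 6767"; sid:99990001; rev:1;)')
OUTBOUND_RULE = ('alert tcp $HOME_NET any -> !$HOME_NET 6767 '
                 '(msg:"TEST; outbound 6767"; sid:99990002; rev:1;)')
VARIABLES = {'HOME_NET': '192.168.1.0/24'}


def demo():
    """Run constructed packets through both rules and report what fires."""
    rule, outbound = parse_rule(TEST_RULE), parse_rule(OUTBOUND_RULE)
    syn = Packet('tcp', '192.168.1.20', 51234, '10.0.0.5', 6767)  # nc to 6767
    reply = Packet('tcp', '10.0.0.5', 6767, '192.168.1.20', 51234)
    return {
        'syn_fires': matches(rule, syn),
        'reply_fires': matches(rule, reply),  # '->' is one-way
        'udp_fires': matches(rule, Packet('udp', '192.168.1.20', 51234, '10.0.0.5', 6767)),
        'wrong_port_fires': matches(rule, Packet('tcp', '192.168.1.20', 51234, '10.0.0.5', 6768)),
        'outbound_fires': matches(outbound, syn, VARIABLES),
        'internal_fires': matches(outbound, Packet('tcp', '192.168.1.20', 51234, '192.168.1.30', 6767), VARIABLES),
        'msg': rule.options['msg'],
        'sid_ok': sid_is_local(rule),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print('%-18s %s' % (name, value))
```

The point of the exercise is that the test rule is deliberately loose: any TCP packet in either host's direction toward port 6767 fires it, the reply from 6767 does not, and nothing about the payload matters, which is why a bare SYN from netcat is a sufficient test. Once the sensor is confirmed working, the second rule shows how $HOME_NET and negation narrow a rule to the direction you actually care about.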