
Configuring Snort for Red Hat Enterprise Linux 5

31 Jul 2007 | SearchEnterpriseLinux.com


By James Turnbull

Once you've confirmed that the IDS sensor Snort can run on your customer's hardware under Red Hat Enterprise Linux 5, ensured that the proper software for Snort has been installed, and configured Snort with MySQL, the next step is to configure Snort's configuration directory and logging directory. This paves the way for the final step of editing the snort.conf file.

We need to configure Snort and add some detection rules. We start by creating a configuration directory, /etc/snort, and a logging directory, /var/log/snort. We then add the example configuration files from the package to /etc/snort.

# mkdir /etc/snort
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# cd snort-2.6.1.5/etc
# cp *.conf *.config *.map sid generators /etc/snort

Now, we make a directory to hold the rules and signature documents and then download a set of rules.

# mkdir /etc/snort/rules

Snort rules come in a variety of flavours:

  • a default set that is available at the time of a Snort release,
  • a set available to unregistered users,
  • a set available to users who register on the Sourcefire site,
  • a set of community-created rules,
  • and finally, a set for users who buy a subscription from Sourcefire.

We're going to grab the unregistered user set initially:

# wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

You can go to the Sourcefire site and register, or buy a subscription, to get the other rule sets. The other sets contain a more recent collection of rules, and new rules are added to them much sooner.

Next, we unpack the rules and signatures in the archive and move them into the /etc/snort directory.

# tar -xvzf snortrules-pr-2.4.tar.gz
# mv doc rules /etc/snort
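The directory setup and rules installation above, collected into shell functions as an added example (this is not code from the article or from the Snort project). The functions take a hypothetical PREFIX argument so they can be exercised in a scratch directory rather than on the live /etc and /var trees, and they add two checks the bare commands do not make: the log directory is only handed to the snort account if that account exists, and a downloaded rules archive is refused if any member path is absolute or contains "..", which would let a corrupted or substituted archive write outside the staging directory when unpacked as root. The function names and the sample rule files used to test it are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: performs the
# directory setup and rules installation described above as shell
# functions, adding checks the article's bare commands do not make.
# PREFIX is a hypothetical root directory so the functions can be
# exercised in a scratch location; pass "" for a real install.
set -eu

# Create the configuration, rules and log directories under PREFIX.
# The log directory is handed to the snort account when it exists
# (the article assumes it was created earlier in the series).
setup_snort_dirs() {
    prefix=$1
    mkdir -p "$prefix/etc/snort/rules" "$prefix/var/log/snort"
    chmod 755 "$prefix/etc/snort"
    chmod 750 "$prefix/var/log/snort"   # logs can hold packet payloads
    if id snort >/dev/null 2>&1; then
        chown snort:snort "$prefix/var/log/snort"
    fi
}

# Copy the example files from the Snort source tree's etc/ directory
# (snort.conf, *.config, *.map, sid, generators) into PREFIX/etc/snort.
install_example_config() {
    srcdir=$1; prefix=$2
    for f in "$srcdir"/*.conf "$srcdir"/*.config "$srcdir"/*.map \
             "$srcdir"/sid "$srcdir"/generators; do
        if [ -e "$f" ]; then
            cp "$f" "$prefix/etc/snort/"
        fi
    done
}

# Return 0 when every member of a tar.gz archive is a relative path
# without ".." components, 1 otherwise. A downloaded archive that
# fails this check should not be unpacked as root.
check_archive_paths() {
    archive=$1
    if tar -tzf "$archive" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        return 1
    fi
    return 0
}

# Unpack a rules archive in a staging directory, then move its
# "rules" and "doc" trees into PREFIX/etc/snort, replacing any
# previous copy. Prints the number of *.rules files installed.
install_rules_archive() {
    archive=$1; prefix=$2
    if ! check_archive_paths "$archive"; then
        echo "refusing to unpack $archive: unsafe member paths" >&2
        return 1
    fi
    staging=$(mktemp -d)
    tar -xzf "$archive" -C "$staging"
    for d in rules doc; do
        if [ -d "$staging/$d" ]; then
            rm -rf "$prefix/etc/snort/$d"
            mv "$staging/$d" "$prefix/etc/snort/$d"
        fi
    done
    rm -rf "$staging"
    count_rules "$prefix"
}

# Number of *.rules files under PREFIX/etc/snort/rules; zero means
# the archive did not have the layout the article expects.
count_rules() {
    find "$1/etc/snort/rules" -name '*.rules' | wc -l | tr -d ' '
}

# Real-host usage (run as root), mirroring the article's commands:
#   setup_snort_dirs ""
#   install_example_config snort-2.6.1.5/etc ""
#   install_rules_archive snortrules-pr-2.4.tar.gz ""
```

The staging directory matters for the same reason the path check does: the archive is expanded somewhere disposable first, so a bad archive never touches /etc/snort, and only the two expected subtrees are moved into place. The rule count printed at the end is a cheap sanity check that the archive layout matched what the configuration will later reference.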

Intrusion detection with Snort on Red Hat Enterprise Linux 5

  Introduction to network intrusion detection and prevention using Snort
  Snort hardware and network setup requirements
  Snort's installation prerequisites
  Compiling Snort and configuration with MySQL
  Configuring Snort and setting up rules
  Editing the snort.conf file

About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of
Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.
