Snort's installation prerequisites for Red Hat Enterprise Linux 5

By James Turnbull

Once you've confirmed that the IDS sensor Snort can run on your customer's hardware, the next step is ensuring that the proper software has been installed on Red Hat Enterprise Linux 5 to support Snort -- this includes MySQL/PostgreSQL and PHP. This step lays the groundwork for installing Snort, compiling Snort and then configuring Snort by setting up its network intrusion detection rules.

Snort has a number of prerequisites that you will need to install depending on how you want to configure it. The most common is MySQL, though you could also use PostgreSQL if you prefer. Snort uses MySQL to store events and alerts. If you wish to add a console, such as BASE, to your Snort installation you will also need to install PHP, including MySQL integration for PHP and a Web server like Apache. In this tip, we're going to use MySQL to store events. For the Snort installation with MySQL, we need to add the following RPMs (best done using your package management mechanism as it will prompt you to install additional packages):

• mysql-server
• mysql-bench;
• mysql-devel;
• mysqlclient10
• libpcap
• libpcap-devel
• pcre-devel

After installing MySQL, start the server up by using the init script. Remember to change the MySQL password when MySQL starts up.

# /etc/init.d/mysqld start

After installing the prerequisites, you can install Snort. Snort is available in RPM packages, both binary and source, from Sourcefire or it can be compiled. On the Sourcefire site, RPMs are currently only available for RHEL 4. Until RHEL 5 RPMs are available, you'll need to compile Snort from source or build your own RPMs using the Snort spec file. In this scenario, we're going to compile Snort from source.

Intrusion detection with Snort on Red Hat Enterprise Linux 5

  Introduction to network intrusion detection and prevention using Snort
  Snort hardware and network setup requirements
  Snort's installation prerequisites
  Compiling Snort and configuration with MySQL
  Configuring Snort and setting up rules
  Editing the snort.conf file

About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.