Compiling Snort and configuration with MySQL for Red Hat Enterprise Linux 5

By James Turnbull

Once you've confirmed that Snort can run on your customer's hardware, and that the prerequisite software has been installed on Red Hat Enterprise Linux 5, the next step is to download Snort, then configure, make and install the package with MySQL support. This must be done before you can configure Snort and set up its network intrusion detection rules.

To compile Snort you will need the standard C development and build tools (gcc and make) installed on the host, along with the development headers for the libraries Snort links against. You can remove the build tools after compilation so they can't be used inappropriately on the sensor. Download the Snort source code package, and compare it against the checksum published on the download site before you unpack it:

# wget http://www.snort.org/dl/current/snort-2.6.1.5.tar.gz

Unpack the package and change into the resulting directory:

# tar -xzf snort-2.6.1.5.tar.gz
# cd snort-2.6.1.5

As mentioned previously, the rpm directory of the Snort package contains a spec file and a script that let you build your own RPMs if you prefer to install from a package. Next, create a dedicated, unprivileged user and group for Snort to run as (Snort will drop its privileges to this account, so giving it no login shell, for example with useradd's -s /sbin/nologin option, is a sensible hardening step):

# groupadd snort
# useradd -g snort snort

Now we need to configure, make and install the package:

# ./configure --with-mysql --prefix=/usr
# make all
# make install

The --with-mysql configure option compiles in support for MySQL. The --prefix option specifies the installation location for Snort. We're using the /usr directory, rather than the default of the /usr/local directory.

We also need to create a database and tables in MySQL to hold our events, and grant access to them to a MySQL user for Snort. This MySQL account is separate from the snort system account created above, even though we give it the same name. We do this with the mysql command, connecting as the MySQL root user, and with a script included in the Snort package, like so:

# mysql -p 
Enter password: 
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password');
mysql> exit 

Change the password value to a suitable password for the Snort database user. Bear in mind that this password also has to be placed in the output database line of snort.conf, so that file should be readable only by root. Note also that the grant deliberately omits DROP and ALTER: Snort only needs to write and read events, and an attacker who compromises the sensor should not be able to destroy the stored event history.

Then, from the unpacked Snort source directory, use the script in its schemas directory to create the required tables:

# cd schemas
# mysql -p snort < create_mysql
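The whole procedure above, from download to schema load, as one checked script. This is an added example, not code from the original article or from the Snort project. It assumes that you paste the checksum published with the download into SNORT_MD5, that the core table names listed are those created by schemas/create_mysql, and that the credential file /etc/snort/db.cred and the RHEL package names checked with rpm are our own choices.

```shell
#!/bin/sh
# Added example (not from the original article): the Snort 2.6.1.5 + MySQL
# build-and-database procedure for RHEL 5 with the checks a practitioner wants.
# Assumptions: SNORT_MD5 holds the checksum published with the download,
# /etc/snort/db.cred and the rpm package names are our own choices.
set -u

SNORT_VER="2.6.1.5"
SNORT_TGZ="snort-${SNORT_VER}.tar.gz"
SNORT_URL="http://www.snort.org/dl/current/${SNORT_TGZ}"
DB_NAME="snort"
DB_USER="snort"
CRED_FILE="/etc/snort/db.cred"
# Core tables created by schemas/create_mysql; used to verify the schema load.
REQUIRED_TABLES="event signature sensor iphdr tcphdr udphdr icmphdr data"

# Compare a file's MD5 with the published value; non-zero status on mismatch.
md5_matches() {
    file="$1"; expected="$2"
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Random alphanumeric password: safe to embed unquoted in snort.conf's
# "output database:" line and needs no SQL escaping.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# SQL to create the database and a least-privilege MySQL user. Mirrors the
# article's GRANT: no DROP or ALTER, so a compromised sensor cannot destroy
# the stored event history.
db_setup_sql() {
    db="$1"; user="$2"; pw="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS ${db};
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON ${db}.* TO '${user}'@'localhost' IDENTIFIED BY '${pw}';
FLUSH PRIVILEGES;
EOF
}

# Given "SHOW TABLES" output (one name per line), print the required tables
# that are absent; empty output means the schema loaded completely.
missing_tables() {
    have="$1"
    for t in $REQUIRED_TABLES; do
        printf '%s\n' "$have" | grep -qx "$t" || printf '%s\n' "$t"
    done
}

main() {
    [ -n "${SNORT_MD5:-}" ] || { echo "set SNORT_MD5 to the published checksum" >&2; exit 1; }
    set -e
    # Build dependencies (rpm -q exits non-zero if any package is missing).
    rpm -q gcc make libpcap-devel pcre-devel mysql-devel >/dev/null

    wget -q "$SNORT_URL"
    md5_matches "$SNORT_TGZ" "$SNORT_MD5" || { echo "checksum mismatch, refusing to build" >&2; exit 1; }
    tar -xzf "$SNORT_TGZ"
    cd "snort-${SNORT_VER}"

    # Unprivileged system account Snort drops to (-u/-g on its command line);
    # no login shell, so the account cannot be used interactively.
    getent group snort >/dev/null  || groupadd -r snort
    getent passwd snort >/dev/null || useradd -r -g snort -s /sbin/nologin snort

    ./configure --with-mysql --prefix=/usr
    make all
    make install
    /usr/bin/snort -V >/dev/null   # binary runs and finds its libraries

    # One MySQL root session (prompts once) creates the user, database and tables.
    pw=$(gen_password)
    { db_setup_sql "$DB_NAME" "$DB_USER" "$pw"; echo "USE ${DB_NAME};"; cat schemas/create_mysql; } \
        | mysql -u root -p

    # Verify as the snort MySQL user: the login works and the tables exist.
    # MYSQL_PWD keeps the password out of the process list.
    tables=$(MYSQL_PWD="$pw" mysql -u "$DB_USER" -N -e 'SHOW TABLES' "$DB_NAME")
    missing=$(missing_tables "$tables")
    [ -z "$missing" ] || { echo "schema incomplete, missing: $missing" >&2; exit 1; }

    # Root-only credential file; snort.conf must be root-only too, since its
    # output database line repeats this password.
    mkdir -p "$(dirname "$CRED_FILE")"
    umask 077
    printf 'user=%s password=%s dbname=%s host=localhost\n' "$DB_USER" "$pw" "$DB_NAME" > "$CRED_FILE"
    echo "done; database credentials written to $CRED_FILE"
}

# Only perform the install when explicitly asked, so the helpers can be sourced and checked.
if [ "${SNORT_SETUP_RUN:-0}" = "1" ]; then
    main
fi
```

Run it as root with SNORT_SETUP_RUN=1 SNORT_MD5=<published checksum>; without SNORT_SETUP_RUN the script only defines its helper functions, which is what makes the checksum, grant and table checks testable on a workstation before they touch the sensor.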

Intrusion detection with Snort on Red Hat Enterprise Linux 5

  Introduction to network intrusion detection and prevention using Snort
  Snort hardware and network setup requirements
  Snort's installation prerequisites
  Compiling Snort and configuration with MySQL
  Configuring Snort and setting up rules
  Editing the snort.conf file

About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of
Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.

This was first published in July 2007