By James Turnbull
Once you've confirmed that the IDS sensor Snort can run on your customer's hardware under Red Hat Enterprise Linux 5, ensured that the proper software for Snort has been installed, and configured Snort with MySQL, the next step is to configure Snort's configuration directory and logging directory. This paves the way for the final step of editing the snort.conf file.
We need to configure Snort and add some detection rules. We start by creating a configuration directory, /etc/snort, and a logging directory, /var/log/snort. We then add the example configuration files from the package to /etc/snort.
# mkdir /etc/snort
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# cd snort-2.6.1.5/etc
# cp *.conf *.config *.map sid generators /etc/snort
Now, we make a directory to hold the rules and signature documents and then download a set of rules.
# mkdir /etc/snort/rules
Snort rules come in a variety of flavours:
- a default set that is available at the time of a Snort release,
- a set available to unregistered users,
- a set available to users who register on the Sourcefire site,
- a set of community-created rules,
- and finally, a set for users who buy a subscription from Sourcefire.
We're going to grab the unregistered user set initially:
# wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
You can go to the Sourcefire site and register, or buy a subscription, to get the other rule sets. The other sets contain a more recent collection of rules, and new rules are added to them much more quickly than to the unregistered set.
Next, we unpack the rules and signature documentation from the archive and move them into the /etc/snort directory.
# tar -xvzf snortrules-pr-2.4.tar.gz
# mv doc rules /etc/snort
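The directory setup above and the rules unpacking that follows it are easy to get subtly wrong on a production sensor (a log directory the daemon can't write to, an archive that isn't what you expected, world-writable rule files). The script below is an added example, not code from the article or from the Snort project: it stages the same configuration and log directories and unpacks the same kind of rules tarball, but takes a filesystem root and the source paths as parameters so it can be rehearsed in a temporary directory before being run against /etc on the real host. The snort user/group, the snort-2.6.1.5/etc file names and the snortrules-pr-2.4.tar.gz archive are taken from the article; the sample files written by make_fixture are constructed stand-ins for testing, and the chown is skipped when no snort account exists on the machine running the script.

```shell
#!/bin/sh
# Added example: stage Snort's configuration and log directories and install a
# rules tarball under a configurable root. Not the article's or Snort's own code.
set -eu

# setup_snort_dirs ROOT SRC_ETC
#   ROOT    : filesystem root to install under ("" for the real host, a scratch
#             directory for a dry run)
#   SRC_ETC : the etc/ directory of the unpacked Snort source (snort-2.6.1.5/etc)
setup_snort_dirs() {
    root=$1
    src_etc=$2
    conf_dir="$root/etc/snort"
    log_dir="$root/var/log/snort"

    mkdir -p "$conf_dir/rules" "$log_dir"
    # The daemon writes alerts here as the unprivileged snort user; keep the
    # directory private to that user and group. chown only where the account
    # exists (assumption: it does on the sensor, not necessarily on a test box).
    chmod 0750 "$log_dir"
    if getent passwd snort >/dev/null 2>&1; then
        chown snort:snort "$log_dir"
    fi
    # Configuration stays root-owned and read-only for everyone else.
    chmod 0755 "$conf_dir"

    # Copy the same file set the article copies: *.conf, *.config, *.map,
    # plus the sid and generators files. Missing globs are skipped.
    for f in "$src_etc"/*.conf "$src_etc"/*.config "$src_etc"/*.map \
             "$src_etc"/sid "$src_etc"/generators; do
        if [ -e "$f" ]; then
            cp -p "$f" "$conf_dir/"
        fi
    done
    return 0
}

# install_snort_rules ROOT TARBALL
#   Validates the downloaded archive, unpacks it in a scratch directory and only
#   then merges its rules/ and doc/ trees into ROOT/etc/snort.
install_snort_rules() {
    root=$1
    tarball=$2
    conf_dir="$root/etc/snort"
    scratch=$(mktemp -d)

    # Refuse anything that is not a readable gzip'd tar before touching /etc/snort.
    if ! tar -tzf "$tarball" >/dev/null 2>&1; then
        echo "not a valid .tar.gz archive: $tarball" >&2
        rm -rf "$scratch"
        return 1
    fi
    tar -xzf "$tarball" -C "$scratch"
    if [ ! -d "$scratch/rules" ]; then
        echo "archive contains no rules/ directory: $tarball" >&2
        rm -rf "$scratch"
        return 1
    fi
    # Copy into place rather than mv, so re-running over an existing tree works.
    mkdir -p "$conf_dir/rules"
    cp -R "$scratch/rules/." "$conf_dir/rules/"
    if [ -d "$scratch/doc" ]; then
        mkdir -p "$conf_dir/doc"
        cp -R "$scratch/doc/." "$conf_dir/doc/"
    fi
    rm -rf "$scratch"
    # Rule files must not be writable by the daemon or any other non-root user.
    chmod -R go-w "$conf_dir/rules"
    return 0
}

# make_fixture DIR
#   Builds a constructed source etc/ directory and a constructed rules tarball
#   so the two functions above can be rehearsed without network or root access.
make_fixture() {
    base=$1
    mkdir -p "$base/src/etc" "$base/stage/rules" "$base/stage/doc"
    for f in snort.conf classification.config reference.config gen-msg.map sid-msg.map sid generators; do
        echo "# constructed stand-in for snort-2.6.1.5/etc/$f" > "$base/src/etc/$f"
    done
    # Constructed rule; sid 1000001 is in the range reserved for local rules.
    echo 'alert icmp any any -> $HOME_NET any (msg:"constructed ICMP test rule"; sid:1000001; rev:1;)' \
        > "$base/stage/rules/local.rules"
    echo "constructed rules documentation" > "$base/stage/doc/README"
    tar -czf "$base/snortrules-pr-2.4.tar.gz" -C "$base/stage" doc rules
}

# Stand-alone dry run: `sh snort_setup.sh --demo` stages everything under a
# temporary directory and lists the result, never touching the real /etc.
case "${1:-}" in
    --demo)
        demo=$(mktemp -d)
        make_fixture "$demo"
        setup_snort_dirs "$demo/root" "$demo/src/etc"
        install_snort_rules "$demo/root" "$demo/snortrules-pr-2.4.tar.gz"
        find "$demo/root" -type f
        ;;
esac
```

On the real sensor, after fetching the archive with the wget command from the article, the equivalent of the manual steps is `setup_snort_dirs "" snort-2.6.1.5/etc` followed by `install_snort_rules "" snortrules-pr-2.4.tar.gz`, run as root. The `tar -tzf` check is the part most worth keeping: it stops a truncated or mislabelled download from being half-extracted into /etc/snort.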
Intrusion detection with Snort on Red Hat Enterprise Linux 5
Introduction to network intrusion detection and prevention using Snort
Snort hardware and network setup requirements
Snort's installation prerequisites
Compiling Snort and configuration with MySQL
Configuring Snort and setting up rules
Editing the snort.conf file
About the author
James Turnbull works for the National Australia Bank as a Security Architect. He is also the author of Hardening Linux, which focuses on hardening Linux hosts including the base operating system, file systems, firewalling, connections, logging, testing your security and securing a number of common applications including e-mail, FTP and DNS. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.
This was first published in July 2007