Intrusion detection with Snort on Red Hat Enterprise Linux 5

Snort is a popular open source intrusion detection system (IDS). Learn how to install this security tool and configure it with MySQL on Red Hat Enterprise Linux 5. This is also applicable to Red Hat Enterprise Linux 4, CentOS 4 and 5 and Fedora Core 5 and 6.

Intrusion detection and intrusion prevention systems (IDS and IPS, respectively) provide the ability to inspect and analyze network traffic and either generate alerts or drop traffic in the event that an attack or a malicious event is detected. They are two of a number of controls, such as firewalls, designed to protect your network from a variety of attacks. Both IDS and IPS are commonly deployed in organization's perimeters to protect externally-facing assets, like Internet-facing Web services. They can also be deployed internally to ward off attacks or virus outbreaks. For example, an IPS sensor that can be configured to stop the spread of a virus or worm may be located in-line on an internal network choke point.

More intrusion detection help with Snort:
Improving Snort performance with Barnyard

Snort makes IDS worth the time and effort

We're going to demonstrate how to quickly install and run the open source IDS sensor Snort on Red Hat Enterprise Linux 5 (RHEL 5). The instructions below will also generally work for RHEL 4, CentOS 4 and 5, as well as Fedora Core 5 and 6.

For many environments, especially in the small-medium business market but also in many larger corporate and government clients, Snort remains the ubiquitous IDS tool. It is fast and easy to set up and runs on most commercially available hardware, including platforms from IBM, HP, Sun and commodity PC hardware. It is a signature-based, (which Snort calls "rules") IDS engine that is easy to deploy and easy to tune. Rules are open and can be readily edited, and writing and adding your own rules requires only a little learning. Snort is also capable of outputting data in a variety of formats: binary (called "Unified"), syslog, to a file and to a SQL database (one of Oracle, PostgreSQL, MySQL or Microsoft SQL Server). Many users commonly output data to a SQL database.

Snort hardware and network setup requirements

First, you're going to need to ensure the hardware you are using for your sensor is sufficient to perform the required detection. IDS sensing can be memory-, processor- and disk space-intensive depending on the volume of traffic flowing through it. For a high-volume environment, you should make use of a fast processor (or processors), lots of memory and sufficient disk space to store whatever period of alerts and logs your environment requires. You will also need to ensure that you have a sufficiently sized network card and enough interfaces. I recommend at least two interfaces, one for sensing and another for management. You can also have Snort monitor on multiple interfaces on your sensors, but I recommend keeping a dedicated management port.

Secondly, you need to deploy your Snort sensor at a point where it can see the traffic you want to monitor. The best places to deploy sensors are network choke points, like an area located between your perimeter and core network or monitoring externally-facing DMZs. Traffic monitoring can be done by using a SPAN session on a switch, or via Ethernet or fibre tabs that are inserted into links and replicates traffic on those links to your sensor. SPAN mirrors traffic on one or more ports on a switch to another port.

Next, your IDS sensor needs to be secure. This minimizes the risk that your sensor could be used by an attacker to compromise your network. When you install Red Hat, make sure that you carefully harden the sensor, including installing a firewall. You should only install the minimum number of packages and remove unnecessary users and services. If you intend to deploy a number of sensors, then a dedicated Kickstart build is a good approach. There are also a variety of good hardening guides are available for Red Hat and, more generically, Linux hosts. You should make use of one of these guides. You should also make certain that you regularly update and patch your sensor to ensure any potential vulnerabilities are addressed.

Snort's installation prerequisites

Snort has a number of prerequisites that you will need to install depending on how you want to configure it. The most common is MySQL, though you could also use PostgreSQL if you prefer. Snort uses MySQL to store events and alerts. If you wish to add a console, such as BASE, to your Snort installation you will also need to install PHP, including MySQL integration for PHP and a Web server like Apache. In this tip, we're going to use MySQL to store events. For the Snort installation with MySQL, we need to add the following RPMs (best done using your package management mechanism as it will prompt you to install additional packages):

  • mysql-server
  • mysql-bench;
  • mysql-devel;
  • mysqlclient10
  • libpcap
  • libpcap-devel
  • pcre-devel

After installing MySQL, start the server up by using the init script. Remember to change the MySQL password when MySQL starts up.

# /etc/init.d/mysqld start

After installing the prerequisites, you can install Snort. Snort is available in RPM packages, both binary and source, from Sourcefire or it can be compiled. On the Sourcefire site, RPMs are currently only available for RHEL 4. Until RHEL 5 RPMs are available, you'll need to compile Snort from source or build your own RPMs using the Snort spec file. In this scenario, we're going to compile Snort from source.

Compiling Snort and configuration with MySQL

To compile Snort you will need to have the standard C development and build tools installed on your host. You can always remove these tools after compilation to ensure they can't be used inappropriately. Download the Snort source code package:

# wget http://www.snort.org/dl/current/snort-

Unpack the package and change into the resulting directory:

# tar -xzf snort-
# cd snort-2.6.15

As mentioned, in a directory of the Snort package, called rpm, is a spec file and a script that should allow you to build your own RPMs if you wish. Let's create a Snort user and group:

# groupadd snort
# useradd -g snort snort

Now we need to configure, make and install the package:

# ./configure --with-mysql --prefix-/usr
# make all
# make install

The --with-mysql configure option compiles in support for MySQL. The --prefix option specifies the installation location for Snort. We're using the /usr directory, rather than the default of the /usr/local directory.

We also need to add a database and tables to MySQL to hold our events and provide access to these for the Snort user we created. We do this by using the mysql command and a script included with the Snort package like so:

# mysql -p 
Enter password: 
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to [email protected];
mysql> SET PASSWORD FOR [email protected]=PASSWORD('password');
mysql> exit 

Change the password value to a suitable password for the Snort user.

Then, we use the script in the schemas directory of the Snort package to create the required tables:

# cd snort-
# mysql -p snort < create_mysql

Configuring Snort and setting up rules

We need to configure Snort and add some detection rules. We start by creating a configuration directory, /etc/snort, and a logging directory, /var/log/snort. We then add the example configuration files from the package to /etc/snort.

# mkdir /etc/snort
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# cd snort-
# cp *.conf *.config *.map sid generators /etc/snort

Now, we make a directory to hold the rules and signature documents and then download a set of rules.

# mkdir /etc/snort/rules

Snort rules come in a variety of flavours:

  • a default set that is available at the time of a Snort release,
  • a set available to unregistered users, a set available to users who register on the Sourcefire site,
  • a set of community created rules
  • and finally, a set for users who buy a subscription from Sourcefire.

We're going to grab the unregistered user set initially:

# wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

You can go to the Sourcefire site and register, or buy a subscription to get the other rule sets. The other sets contain a more recent collection of rules. New rules are available and are added to these sets much quicker.

Next, we unpack the rules and signatures in the archive and moved them into the /etc/snort directory.

# tar –xvzf snortrules-pr-2.4.tar.gz
# mv doc rules /etc/snort

Editing the snort.conf file

Now we're ready to edit the snort.conf configuration file to set up Snort.

# vi /etc/snort/snort.conf

We want to define four items: our home network, external networks, the path to the Snort rules and to tell Snort to output to the MySQL database we created.

Your home network is set using the var HOME_NET variable. The home network variable defines the network you wish to protect, like the local LAN segment for instance It is set by specifying one or more networks in the form of a CIDR. For example:


The external network is set using the var EXTERNAL_NET variable. The external network is one or more networks where you believe threats or attacks will originate. It can also be set by specifying a CIDR, or you can make use of the home network variable we've just specified like so:


Setting the external network, as we did in the latter example, tells Snort that external networks are any networks except those specified in the home network variable.

The next variable we need to change is the path to the Snort rules that we've downloaded. It is set using the var RULE_PATH variable, in our case like:

var RULE_PATH /etc/snort/rules

Later in the configuration file, you'll find a section where you can enable and disable specific rule files contained in that directory.

Lastly, for our configuration, we need to direct Snort to output events and logs into a MySQL database. Find the example output database entry in the configuration file like this and un-comment it:

output database: log, mysql, user=snort password=password dbname=snort host=localhost

Change the password portion of the password you selected for your MySQL database and make sure the dbname variable matches the name of the database you created for Snort.

Once you've configured Snort, you can start the Snort daemon. Snort does not directly come with an init script. In the rpm directory of the Snort package you can find two files, snortd and snort.sysconfig, which are a Red Hat-style init script and a sysconfig file, respectively. You can modify the init script and sysconfig file to suit your environment. For instance, you may need to change the path for the snort binary in the script.

You can also start Snort via the command line like so:

# /usr/bin/snort -c /etc/snort/snort.conf -D -g snort -u snort -i eth0 -l /var/log/snort

The -c option specifies the location of the snort.conf configuration file, -D indicates you'd like to run in daemon mode, the -g and -u options specify the group and user to run Snort as, respectively, the -i option specifies the interface that Snort should listen on and finally, the -l option specifies the location of the Snort logging directory (which we created earlier).

Once Snort is running it will send alerts and log entries to MySQL and the /var/log/snort directory.

Adding BASE to Snort

You can now see how easy it is to install and configure a basic Snort sensor. Of course, your simple sensor is currently not tuned and will require that you tune pre-processors, rules and similar features to get the best out of its detection capabilities. You will probably also want to install a Web-based console, such as BASE, to view the alerts and logs.

Dig Deeper on Linux servers