Installing and configuring Snort on CentOS 6.4

I had tried installing Snort on CentOS 6.4 before. Since it was my first attempt, a number of problems came up and I was stuck on them for several days, so I decided to tear it down and start over.

First comes the CentOS 6.4 installation, which needs no further explanation. Next is the /etc/resolv.conf configuration: add nameserver 8.8.8.8 and nameserver 4.4.4.4.

Then install the build toolchain with yum -y install gcc automake autoconf libtool make. You can also install the wget download tool:

yum -y install wget

Next install a batch of dependencies such as gcc, flex, bison, zlib, libpcap, pcre, libdnet and tcpdump; these can generally be installed with yum install xxxxx.

For gcc, yum -y install gcc gcc-c++ is recommended.

libdnet: wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz

pcre: wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.33.tar.gz

zlib: wget http://prdownloads.sourceforge.net/libpng/zlib-1.2.8.tar.gz

If the system already ships with them, there is no need to install them again.

snort: wget http://www.snort.org/downloads/2485

daq: wget http://www.snort.org/downloads/2476

After downloading, build and install each one with ./configure && make && make install

The Snort rules can only be downloaded after registering: wget http://www.snort.org/reg-rules/<filename>/<oinkcode here> where the oinkcode is generated from the options page of your own account.

Go to the etc directory and create a snort directory; the rules live in snort. Then create the white_list.rules and black_list.rules files under snort/rules. The exact commands are:

cd /etc
mkdir -p snort
cd snort
tar -zvxf <path to>snortrules-snapshot-<nnnn>.tar.gz
cp ./etc/* .
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

Create the snort group and user with its home directory; if /var/log has no snort directory, create one.

groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort

Configure snort.conf (use the actual install paths on your own machine):

var RULE_PATH /etc/snort/rules
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Next, the snort and daq source trees (use the actual install paths on your own machine):

cd /usr/local/src
chown -R snort:snort daq-2.0.0
chmod -R 700 daq-2.0.0
chown -R snort:snort snort-2.9.4.x
chmod -R 700 snort-2.9.4.x
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc

Find the snortd file in the rpm directory of the snort source tree, copy it to /etc/init.d and rename it to snort, then:

chkconfig --add snort
cd /usr/sbin
ln -s /usr/local/bin/snort snort

Create the file snort under /etc/sysconfig and edit it to contain:

# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $
#### General Configuration
INTERFACE=eth0 
CONF=/etc/snort/snort.conf 
USER=snort 
GROUP=snort 
PASS_FIRST=0
#### Logging & Alerting
LOGDIR=/var/log/snort 
ALERTMODE=fast 
DUMP_APP=1 
BINARY_LOG=1 
NO_PACKET_LOG=0 
PRINT_INTERFACE=0

Then continue assigning permissions:

cd /var/log
mkdir snort
chmod 700 snort
chown -R snort:snort snort

cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 700 snort*
chmod -R 700 pkgconfig

cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 700 daq-modules-config
chmod 700 u2*

cd /etc
chown -R snort:snort snort
chmod -R 700 snort

Finally, test it:

cd /usr/local/bin
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

If the following output appears, snort is configured correctly:

Snort successfully validated the configuration!
Snort exiting

If you get this error instead:

ERROR: snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory. Fatal Error, Quitting.

create the missing directory and give it the same ownership and permissions as the rest:

mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 700 /usr/local/lib/snort_dynamicrules

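As an added example (not part of the original post), a POSIX shell script that wraps the test step above: it runs snort -T, detects the "Could not stat dynamic module path" error, creates the missing directory with the same snort:snort ownership and 700 mode used throughout this post, and validates again. The snort binary, interface and config path are passed as arguments; it assumes the snort user and group already exist and that it runs as root.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Extract the path quoted in a "Could not stat dynamic module path" line.
# $1: text captured from `snort -T ... 2>&1`. Prints the path, or nothing.
missing_dynamic_path() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Could not stat dynamic module path "\([^"]*\)".*/\1/p' \
        | head -n 1
}

# Return 0 if the output contains snort's success line, 1 otherwise.
config_validated() {
    printf '%s\n' "$1" | grep -q 'Snort successfully validated the configuration!'
}

# Create a dynamic module directory with the ownership and mode the post
# applies to every other snort directory (snort:snort, 700).
# $1: directory; $2: owner (default snort:snort; chown needs root).
fix_dynamic_dir() {
    dir=$1
    owner=${2:-snort:snort}
    mkdir -p "$dir" && chown -R "$owner" "$dir" && chmod -R 700 "$dir"
}

# Validate once, repair a missing dynamic module path, then validate again.
# $1: snort binary (e.g. /usr/local/bin/snort), $2: interface, $3: snort.conf
validate_and_repair() {
    out=$("$1" -T -i "$2" -u snort -g snort -c "$3" 2>&1)
    if config_validated "$out"; then
        echo "configuration OK"
        return 0
    fi
    missing=$(missing_dynamic_path "$out")
    if [ -n "$missing" ]; then
        echo "creating missing dynamic module path: $missing"
        fix_dynamic_dir "$missing" || return 1
        out=$("$1" -T -i "$2" -u snort -g snort -c "$3" 2>&1)
        config_validated "$out" && echo "configuration OK" && return 0
    fi
    # Any other failure: show snort's own output for the operator.
    printf '%s\n' "$out" >&2
    return 1
}

# Usage: ./check_snort.sh /usr/local/bin/snort eth0 /etc/snort/snort.conf
if [ "$#" -ge 3 ]; then validate_and_repair "$1" "$2" "$3"; fi
```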

The configuration above follows an excellent guide: http://wiki.aanval.com/wiki/Community:Snort_2.9.4.X_Installation_Guide_for_CentOS_6.3

2013-08-07

posted on 2013-08-07 12:17  Beasty