Snort Installation

Snort IDS, IPS Setup

Snort is a powerful intrusion detection/prevention system. This is a three-part series covering the installation of Snort, automatic updating of rule sets via PulledPork, configuration of Barnyard2 (which processes Snort’s output), and installation of Snorby, a web front-end GUI for analyzing those alerts.

Prior to installing Snort it is important to have accurate time configured. Check the current date with the command:

Install and test NTP server

yum install -y ntpdate

Before installing Snort and Snorby you will need Ruby, ImageMagick, Rails, and wkhtmltopdf.

yum -y groupinstall "Development Tools"
yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump git libtool curl man libdnet libdnet-devel

Next we need to install more dependencies.


Use the rpm command to install the dependencies we just downloaded.

rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm 
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Install Snort

We start by downloading the tar.gz files from and


We start with libpcap:

tar -xzvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure   # generates the Makefile; without this step "make install" has nothing to build
make
make install

Then we move on to the DAQ (data acquisition library):

tar -xzvf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make
make install

Finally we install Snort:

tar -xzvf snort-
cd snort-
./configure --enable-sourcefire
make
make install

I recommend signing up on to get the registered rules. You’ll receive something called an Oinkcode. The Oinkcode acts as an API key for downloading rule packages from the URLs provided by Snort.

Download and extract the Community Rules:

tar -xvf community.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need. It depends on which version of Snort you’re running. In this case, I am running so I am looking for the snort rules which contain the numbers 2962:

wget "" --no-check-certificate
wget "" --no-check-certificate
mkdir -p /etc/snort/rules
# -z must come before -f: with "-xvfz" tar takes "z" as the archive name
tar -xzvf snortrules-snapshot-2970.tar.gz -C /etc/snort/rules
tar -xzvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules

Paste your Oinkcode after the = sign.

Now we need to add the snort user and group:

groupadd snort
useradd -g snort snort -s /sbin/nologin

Create the Snort directories and set their ownership:

mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules

chown -R snort:snort /var/log/snort
chown -R snort:snort /etc/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules

Locate and Modify the snort.conf file

# the etc/ directory of the extracted source holds snort.conf and the .config/.map files it references
cp ~/snort-*/etc/*.conf* /etc/snort/
cp ~/snort-*/etc/*.map /etc/snort/
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
nano /etc/snort/snort.conf

There are many changes to make here. You can download an example of my snort.conf file and modify it for your environment. Some of the values are as follows; search for them in your configuration file:

ipvar HOME_NET

var RULE_PATH /etc/snort/rules/rules
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Comment out these 5 lines:

#preprocessor normalize_ip4                                       
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

Modify the Output string under Step 6 of the snort.conf file:

output unified2: filename snort.log, limit 128

Test Snort

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

If you get this error:

snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

Type in the following commands:
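As an added example that is not part of the original post, the shell functions below diagnose this class of loader error: they list which libraries ldd reports as not found, locate the file on disk, and register its directory with the dynamic loader. The library directories searched and the drop-in file name local-snort.conf are assumptions, not values from the page.

```sh
# Added example, not from the original post: find which shared libraries a
# binary cannot resolve and make the directory that holds them known to the
# dynamic loader. Assumptions not taken from the page: the library exists on
# disk in a directory the loader does not search by default (for example
# /usr/local/lib), and the drop-in file name local-snort.conf is chosen here.

# missing_shared_libs: read ldd(1) output on stdin, print each library
# that ldd reports as "not found" (one per line).
missing_shared_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# locate_shared_lib NAME [DIR...]: print the first directory that holds NAME,
# searching the given directories (default: the usual library roots).
locate_shared_lib() {
    name=$1; shift
    [ $# -gt 0 ] || set -- /usr/local/lib /usr/local/lib64 /usr/lib64 /usr/lib
    for d in "$@"; do
        if [ -e "$d/$name" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# libdir_registered DIR [CONFDIR]: 0 if DIR is already listed in CONFDIR/*.conf
libdir_registered() {
    dir=$1; confdir=${2:-/etc/ld.so.conf.d}
    cat "$confdir"/*.conf 2>/dev/null | grep -qxF "$dir"
}

# register_libdir DIR [CONFDIR]: add DIR once (idempotent) and, when editing
# the real loader configuration, rebuild the cache with ldconfig.
register_libdir() {
    dir=$1; confdir=${2:-/etc/ld.so.conf.d}
    if ! libdir_registered "$dir" "$confdir"; then
        echo "$dir" >> "$confdir/local-snort.conf" || return 1
    fi
    if [ "$confdir" = /etc/ld.so.conf.d ]; then
        ldconfig
    fi
}

# Usage against the installed binary (the register step needs root):
#   ldd /usr/local/bin/snort | missing_shared_libs
#   register_libdir "$(locate_shared_lib libdnet.1)"
```

Run the first usage line before and after registering the directory: the library name disappears from the output once ldconfig has picked up the new path.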


Installing PulledPork

Before you begin configuring PulledPork, I recommend you register on because you will need the Oinkcode. The Oinkcode will be placed in some of the URLs we will be configuring in PulledPork’s configuration file.

yum -y install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar
tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp /usr/sbin
chmod 755 /usr/sbin/
cp etc/* /etc/snort/

In the above commands, you have downloaded PulledPork, extracted it and copied files to their proper directories.

nano /etc/snort/pulledpork.conf

Replace the placeholder at the end of these two lines with your Oinkcode:


Within the pulledpork.conf file, make the following changes:


Comment out this:


Uncomment these lines and change them:


Verify that PulledPork runs:

-vv -c /etc/snort/pulledpork.conf -T -l

Add PulledPork to Crontab

nano /etc/crontab

Add this line

0 0 * * * root /usr/sbin/ -c /etc/snort/pulledpork.conf

Install Barnyard2

mkdir /var/log/barnyard2
mkdir /usr/local/src/firnsy-barnyard2
cd /usr/local/src/firnsy-barnyard2
tar -zxvf v2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make install

Configure barnyard2.conf

nano /usr/local/etc/barnyard2.conf

Set the following:

config logdir: /var/log/snort
config interface: eth0
config daemon
config waldo_file: /etc/snort/barnyard2-log.waldo
input unified2
output alert_full
output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Then copy the file into /etc/snort, the path used when testing Barnyard2:

cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf

Create startup scripts

cd /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
chkconfig barnyard2 on

Modify the file /etc/sysconfig/barnyard2


MySQL server setup:

service mysqld start
mysql -u root -p
create database snort;
grant all on snort.* to snort@localhost;
set password for snort@localhost=password('snort');
use snort;
source /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13/schemas/create_mysql
show tables;
flush privileges;

chkconfig --add mysqld
chkconfig mysqld on
touch /etc/snort/barnyard2-log.waldo

Test barnyard2:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/barnyard2-log.waldo -D

Snorby Installation

Get The Snorby code from git:

git clone
cd snorby
bundle install

Edit the Snorby database configuration, config/database.yml. The snorby anchor holds the shared connection settings and is merged into each Rails environment block:

snorby: &snorby
  adapter: mysql
  username: root
  password: MYSQLPASS
  host: localhost

development:
  database: snorby
  <<: *snorby

test:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby

Modify config/snorby_config.yml. It has one block per Rails environment; the production block is the one a server started with -e production reads:

development:
  domain: localhost:3000
  wkhtmltopdf: /Users/mephux/.rvm/gems/ruby-1.9.2-p0/bin/wkhtmltopdf
  mailer_sender: ''
  rules:
    - "/Users/mephux/.snort/rules"
    - "/Users/mephux/.snort/so_rules"

test:
  domain: localhost:3000
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  mailer_sender: ''

production:
  domain: ''
  wkhtmltopdf: /path/to/wkhtmltopdf
  mailer_sender: ''
  rules:
    - "/path/to/rules/folder"
    - "/path/to/so_rules/folder"

Another way to install Snort and Snorby

Snort Installation

rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm 
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

yum install -y
yum install -y


yum install -y
yum install -y


Download and extract the Community Rules:

tar -xvf community.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need. It depends on which version of Snort you’re running. In this case, I am running so I am looking for the snort rules which contain the numbers 2962:

wget "" --no-check-certificate
wget "" --no-check-certificate
mkdir -p /etc/snort/rules
# -z must come before -f: with "-xvfz" tar takes "z" as the archive name
tar -xzvf snortrules-snapshot-2970.tar.gz -C /etc/snort/rules
tar -xzvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules
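Both rule-download steps on this page (here and in the first installation section) fetch the archives with --no-check-certificate and extract them straight into /etc/snort/rules. As an added example that is not part of the original post, the functions below download with TLS verification left on, compare the archive against a checksum file before anything is extracted, and refuse archives that carry absolute or parent-directory paths. The URL templates with the literal OINKCODE placeholder, the Oinkcode file, and the md5sum-format checksum file are assumptions, not values from the page.

```sh
# Added example, not from the original post: fetch a rules snapshot with TLS
# verification left on, check its checksum, and only then extract it.
# Assumptions not taken from the page: the caller supplies download URLs with
# the literal string OINKCODE where the code belongs; the Oinkcode is read
# from a file (so it stays out of shell history and the process list); the
# checksum file is in md5sum(1) format ("<hex>  <filename>").

# fetch_rules URL_TEMPLATE OINKCODE_FILE DEST: download with the Oinkcode filled in.
# Deliberately no --no-check-certificate: a failed TLS check must fail the update,
# because whatever lands in /etc/snort/rules decides what the sensor alerts on.
fetch_rules() {
    template=$1; oinkfile=$2; dest=$3
    code=$(tr -d '[:space:]' < "$oinkfile") || return 1
    [ -n "$code" ] || { echo "empty Oinkcode in $oinkfile" >&2; return 1; }
    url=$(printf '%s' "$template" | sed "s/OINKCODE/$code/")
    wget -q -O "$dest" "$url"
}

# verify_rules_tarball TARBALL CHECKSUM_FILE: 0 only if CHECKSUM_FILE has an
# entry for exactly this file name and the MD5 digest matches.
verify_rules_tarball() {
    tarball=$1; sums=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# extract_rules TARBALL DEST_DIR: refuse archives with absolute or parent
# directory paths, then extract. Flag order matters: -z before -f, because
# "tar -xvfz" takes "z" as the archive name.
extract_rules() {
    tarball=$1; destdir=$2
    if tar -tzf "$tarball" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        echo "refusing $tarball: archive contains absolute or .. paths" >&2
        return 1
    fi
    mkdir -p "$destdir" && tar -xzf "$tarball" -C "$destdir"
}

# update_rules RULES_URL MD5_URL OINKCODE_FILE SNAPSHOT_NAME DEST_DIR:
# nothing reaches DEST_DIR unless both downloads and the checksum succeed.
update_rules() {
    rules_url=$1; md5_url=$2; oinkfile=$3; snapshot=$4; destdir=$5
    tmp=$(mktemp -d) || return 1
    fetch_rules "$rules_url" "$oinkfile" "$tmp/$snapshot" &&
        fetch_rules "$md5_url" "$oinkfile" "$tmp/$snapshot.md5" &&
        verify_rules_tarball "$tmp/$snapshot" "$tmp/$snapshot.md5" &&
        extract_rules "$tmp/$snapshot" "$destdir"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Example call; RULES_HOST and the oinkcode file path are placeholders:
#   update_rules 'https://RULES_HOST/snortrules-snapshot-2962.tar.gz?oinkcode=OINKCODE' \
#                'https://RULES_HOST/snortrules-snapshot-2962.tar.gz.md5?oinkcode=OINKCODE' \
#                /etc/snort/oinkcode snortrules-snapshot-2962.tar.gz /etc/snort/rules
```

Keep the Oinkcode file readable only by root; the same value is what PulledPork later embeds in its rule_url entries, so it is the one secret this whole pipeline depends on.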

Modify the ownership of the Snort directories.

cd /etc/snort
chown -R snort:snort *

Locate and Modify the snort.conf file

cd /etc/snort
nano snort.conf

Make these changes:

var RULE_PATH /etc/snort/rules
ipvar HOME_NET any #or set to a network such as
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
output unified2: filename snort.log, limit 128
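The edits above, and the same list in the first installation section, are applied by hand with nano. As an added example that is not part of the original post, the shell functions below make the same changes with awk so they can be repeated on a rebuilt sensor and checked before snort -T runs. They use the first section's rule paths and take the config path and HOME_NET as arguments (both assumptions; the page edits /etc/snort/snort.conf directly). The check also refuses a HOME_NET left at any, which the list above uses only as a placeholder: rules written against $HOME_NET then match traffic to every host, not just the monitored network.

```sh
# Added example, not from the original post: apply the snort.conf edits listed
# in the text with awk instead of by hand, so the result is repeatable and can
# be checked before snort -T is run. Assumption not taken from the page: the
# config path and the HOME_NET value are arguments rather than fixed.

# set_directive FILE KIND NAME VALUE: rewrite every active "KIND NAME ..." line
# (for example "var RULE_PATH ..."), or append one if none exists.
set_directive() {
    file=$1; kind=$2; name=$3; value=$4
    awk -v k="$kind" -v n="$name" -v v="$value" '
        $1 == k && $2 == n { print k, n, v; seen = 1; next }
        { print }
        END { if (!seen) print k, n, v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# comment_normalizers FILE: comment out the inline normalization preprocessors
# (normalize_ip4, normalize_tcp, normalize_icmp4, normalize_ip6, normalize_icmp6);
# they only make sense when snort runs inline as an IPS.
comment_normalizers() {
    file=$1
    awk '/^preprocessor normalize_/ { print "#" $0; next }
         { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# configure_snort_conf FILE HOME_NET: the full edit set described in the text.
configure_snort_conf() {
    file=$1; home_net=$2
    set_directive "$file" ipvar HOME_NET "$home_net"
    set_directive "$file" var RULE_PATH /etc/snort/rules/rules
    set_directive "$file" var SO_RULE_PATH /etc/snort/rules/so_rules
    set_directive "$file" var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
    set_directive "$file" var WHITE_LIST_PATH /etc/snort/rules
    set_directive "$file" var BLACK_LIST_PATH /etc/snort/rules
    comment_normalizers "$file"
    set_directive "$file" output unified2: "filename snort.log, limit 128"
}

# check_snort_conf FILE: 0 if no normalizer is still active, HOME_NET is not
# left as "any", and the unified2 output that Barnyard2 reads is present.
check_snort_conf() {
    file=$1
    if grep -q '^preprocessor normalize_' "$file"; then
        echo "normalize_* preprocessor still active" >&2; return 1
    fi
    if grep -q '^ipvar HOME_NET any$' "$file"; then
        echo "HOME_NET is still any" >&2; return 1
    fi
    grep -q '^output unified2: filename snort.log, limit 128$' "$file"
}

# Usage, followed by the page's own test command:
#   configure_snort_conf /etc/snort/snort.conf 192.168.1.0/24 &&
#     check_snort_conf /etc/snort/snort.conf &&
#     snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
```

Because set_directive rewrites matching lines in place and appends only when nothing matched, the same call can be re-run after a Snort upgrade ships a fresh snort.conf without producing duplicate directives.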

Test snort:

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Install ImageMagick

yum install -y ImageMagick

Download and Install Wkhtmltopdf

Wkhtmltopdf is used by Snorby to create reports. First download some prerequisites for Wkhtmltopdf:

yum -y install xz urw-fonts libXext openssl-devel libXrender xorg-x11-fonts-75dpi

Install Wkhtmltopdf

mv download wkhtmltox-
rpm -Uvh wkhtmltox-
export PATH=$PATH:/usr/local/bin
echo 'export PATH=$PATH:/usr/local/bin' >> /etc/bashrc   # single quotes so $PATH expands at login, not now

You can verify the installation by running this command:

wkhtmltopdf google.pdf

Install Ruby

First the prerequisites:

yum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel openssl-devel libyaml-devel readline-devel curl-devel pcre-devel git memcached-devel valgrind-devel mysql-devel ImageMagick-devel
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

I’ll be installing Ruby with RVM:

curl -L | bash -s stable 

Set up the RVM environment:

source /etc/profile.d/

Install Ruby version 1.9.3 which is required for Snorby:

rvm install 1.9.3
rvm use 1.9.3 --default

Install RubyGems

rvm rubygems current

Install Rails

gem install rails

Install Snorby

yum -y install httpd
service httpd start
chkconfig --add httpd
chkconfig httpd on
gem install bundler
cd /var/www/html
mkdir snorby
cd snorby
wget -O --no-check-certificate
mv snorby-master/* /var/www/snorby

Create a database for Snorby

mysql -u root -p
create database snorby;
create user 'snorby'@'localhost' identified by 'snorby';
grant all on snorby.* to 'snorby'@'localhost';
flush privileges;

Then point Snorby at that database:

cp config/database.yml.example config/database.yml
nano config/database.yml

In database.yml, change the username and password under snorby: &snorby to the snorby user and password created above.

Edit Gemfile

nano Gemfile

Snort and Snorby on Debian

As a first step we’re going to install Snort. Luckily it’s in the repos, so we’re just going to apt-get it. I’m going to go with the snort-mysql package, as it gives Snort MySQL database support, which is a good thing. So first let’s get a MySQL server up and running:

apt-get update
apt-get upgrade -y
apt-get install mysql-server mysql-client

Then we can get Snort up:

apt-get install snort-mysql

This will ask a few questions and it doesn’t matter what you answer as we’ll have to reconfigure it after Snorby has been installed anyway.

Moving on to installing Snorby. Prerequisites:

apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev <linux-headers-686-pae> libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev ruby ruby-dev

Don’t forget to use the linux headers for your kernel’s architecture…

gem install bundler rails 
gem install rake --version=0.9.2
cd /var/www/

Download the source for the application.

git clone
cd /var/www/snorby/config/

Set up configuration files.

cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g snorby_config.yml

Tell snorby the mysql database name, user and password that it should use.

nano database.yml

At this point you should also create the user and the database. I just used phpmyadmin, but it shouldn’t be too hard to create a new user from the command line.

cd /var/www/snorby/

Let’s install it.

bundle install --deployment
bundle exec rake snorby:setup

At this point Snorby should start when you type:

bundle exec rails server -e production -b

If you point your browser to


the Snorby WebUI should pop up. You can access it with the default credentials:

Now if you look around the site you’ll notice that Snorby isn’t getting any data just yet. So we’ll have to configure Snort!

dpkg-reconfigure snort-mysql
mv /etc/snort/db-pending-config /etc/snort/db-pending-config_no_more
service snort start

cd /etc/init.d/
nano snorby

A simple script like this should do the trick:

#!/bin/sh
cd /var/www/snorby && bundle exec rails server -e production &

Let’s set it to start in runlevel 2:

chmod +x snorby
update-rc.d -f snorby start 2
