Installing Snort

This section explains how to install Snort with Prelude support from the tarball available on the main Snort website. Snort may also be shipped as a package by your distribution, in which case installing it that way is easier.

Get the sources

Prelude support is included in the vanilla Snort distribution starting from Snort 2.4.0 up to 2.9.2.
Download Snort from https://www.snort.org/downloads

Then, compile and install Snort using the following:

   $ ./configure --enable-prelude
   $ make
   $ make install

Configuration

Create a folder where you will store the Snort configuration files (e.g. /etc/snort).
Copy the contents of the source tree 'etc' folder into this new location, and do the same with the rules folder (copy it recursively).

Edit snort.conf in the new location and change settings as needed: you will probably want to set the HOME_NET variable, tune the preprocessors, and fix the path to the rules (by default it is '../rules'; replace it with /etc/snort/rules or similar).

In order to enable Snort to communicate with Prelude-Manager, activate the following section in snort.conf:

output alert_prelude: profile=snort

The profile argument is optional. The default is to use a profile called snort.

Registering Snort profile

You now need to create a snort profile with a command like:

$ prelude-admin register snort "idmef:w admin:r" <manager address> --uid X --gid X

and follow the instructions. If the registration is successful, you are ready to test your installation. See the Agents Registration Page for more details about sensor registration.

Running Snort

Before running Snort, make sure to read the General Configuration Page. It is very important that the server-addr parameter is set to the Prelude-Manager address.

$ snort -c /etc/snort/snort.conf -i eth1

See the snort manual pages and documentation for more options.

Snort 2.9.3 or higher

In the 2.9.3 version of Snort several output formats have been deprecated, including Prelude support. However, it remains possible to keep Snort as a Prelude agent through the use of Barnyard2, an open source interpreter for Snort unified2 binary output files.

After a standard install of Snort, get the sources of Barnyard2 from http://www.securixlive.com/barnyard2/download.php

The --enable-prelude option moved to Barnyard2:

   $ ./configure --enable-prelude
   $ make
   $ make install

Then edit /etc/snort/barnyard2.conf with the following:

output alert_prelude: profile=snort

Finally edit /etc/snort/snort.conf to add unified2 output:

# unified2
output unified2: filename merged.log, limit 128

If you previously registered your sensor, you should be able to start Snort and Barnyard2 by using:

$ snort -c /etc/snort/snort.conf -i eth1
$ barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -a /var/log/snort/archived

(assuming you have created a /var/log/snort/archived directory to store your archived unified2 logs)
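As an added sanity check (not part of the Prelude documentation, nor of Snort or Barnyard2 themselves): a POSIX shell helper that reads the unified2 filename out of snort.conf so the -f argument given to Barnyard2 always matches what Snort writes, and that verifies the alert_prelude output line and the log and archive directories exist before the two daemons are started. The /etc/snort and /var/log/snort paths in the usage comment are the ones this page uses.

```shell
#!/bin/sh
# Added example (not from the Prelude wiki): pre-flight checks for a
# Snort 2.9.3+ / Barnyard2 / Prelude setup.

# Print the unified2 base filename declared in snort.conf, e.g.
# "output unified2: filename merged.log, limit 128" -> "merged.log".
# Prints nothing if no such line exists.
unified2_filename() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when the given barnyard2.conf carries an alert_prelude output line.
has_prelude_output() {
    grep -q '^[[:space:]]*output[[:space:]]*alert_prelude:' "$1"
}

# check_prelude_setup SNORT_CONF BARNYARD_CONF LOG_DIR ARCHIVE_DIR
# Prints each problem found; the return value is the number of problems (0 = ready).
check_prelude_setup() {
    snort_conf=$1; by2_conf=$2; log_dir=$3; archive_dir=$4
    problems=0
    fname=$(unified2_filename "$snort_conf")
    if [ -z "$fname" ]; then
        echo "$snort_conf: no 'output unified2: filename ...' line; Barnyard2 would have nothing to read"
        problems=$((problems + 1))
    fi
    if ! has_prelude_output "$by2_conf"; then
        echo "$by2_conf: missing 'output alert_prelude: profile=...' line"
        problems=$((problems + 1))
    fi
    if [ ! -d "$log_dir" ]; then
        echo "log directory $log_dir does not exist (barnyard2 -d)"
        problems=$((problems + 1))
    fi
    if [ ! -d "$archive_dir" ]; then
        echo "archive directory $archive_dir does not exist (barnyard2 -a)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage, matching the command lines on this page (run as root or with the sensor's uid):
#   check_prelude_setup /etc/snort/snort.conf /etc/snort/barnyard2.conf /var/log/snort /var/log/snort/archived \
#     && barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort \
#        -f "$(unified2_filename /etc/snort/snort.conf)" -a /var/log/snort/archived
```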