Installing Snort
This section explains how to install Snort with Prelude support from the tarball available on the main Snort website. Snort may also be packaged by your distribution, in which case installing the package is usually easier.
Get the sources
Prelude support is included in the vanilla Snort distribution starting from Snort 2.4.0 up to 2.9.2.
Download Snort from https://www.snort.org/downloads
Then, compile and install Snort using the following:
$ ./configure --enable-prelude
$ make
$ make install
Configuration
Create a directory in which to store the Snort configuration files (e.g. /etc/snort).
Copy the contents of the source tree's 'etc' directory into this new location, and do the same with the rules directory (copy it recursively).
Edit snort.conf in the new location and change settings as needed: you will probably want to set the HOME_NET variable, tune the preprocessors, and fix the path to the rules (by default it is the relative path '../rules'; replace it with /etc/snort/rules or similar).
In order to enable Snort to communicate with Prelude-Manager, activate the following section in snort.conf:
output alert_prelude: profile=snort
The profile argument is optional. The default is to use a profile called snort.
Registering the Snort profile
You now need to create the snort profile with a command like:
$ prelude-admin register snort "idmef:w admin:r" <manager address> --uid X --gid X
and follow the instructions. If the registration is successful, you are ready to test your installation. See the Agents Registration Page for more details about sensor registration.
Running Snort
Before running Snort, make sure you have read the General Configuration Page. It is very important that the server-addr parameter is set to the Prelude-Manager address.
$ snort -c /etc/snort/snort.conf -i eth1
See the snort manual pages and documentation for more options.
Snort 2.9.3 or higher
In Snort 2.9.3 several output formats were deprecated, including Prelude support. It remains possible to keep Snort as a Prelude agent through Barnyard2, an open source interpreter for Snort unified2 binary output files.
After a standard install of Snort, get the sources of Barnyard2 from http://www.securixlive.com/barnyard2/download.php
The enable-prelude option was transferred to Barnyard2:
$ ./configure --enable-prelude
$ make
$ make install
Then edit /etc/snort/barnyard2.conf with the following:
output alert_prelude: profile=snort
Finally edit /etc/snort/snort.conf to add unified2 output:
# unified2
output unified2: filename merged.log, limit 128
If you previously registered your sensor, you should be able to start Snort and Barnyard2 by using:
$ snort -c /etc/snort/snort.conf -i eth1
$ barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -a /var/log/snort/archived
(assuming you have created a /var/log/snort/archived directory to store your archived unified2 logs)
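The two setups above (alert_prelude built into Snort 2.4.0 to 2.9.2, and unified2 files handed to Barnyard2 from 2.9.3 on) are easy to mix up, and a commented-out output line or a relative RULE_PATH silently leaves Prelude-Manager without alerts. The following added pre-flight check is example code written for this page, not part of the Prelude or Snort documentation; the version-to-mode mapping follows the ranges stated above, and the configuration fragments and temporary paths it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Prelude or Snort documentation: pre-flight checks
# for a Snort sensor that forwards alerts to Prelude-Manager. The sample
# configuration fragments and temporary paths below are constructed.

# Return 0 if FILE ($1) has an active (not commented out) line beginning with PREFIX ($2).
has_active_directive() {
    grep -E "^[[:space:]]*$2" "$1" >/dev/null 2>&1
}

# Return 0 if the RULE_PATH variable in FILE ($1) is absolute. The default
# shipped in snort.conf is '../rules', which only resolves relative to the
# directory snort was started from.
rule_path_is_absolute() {
    path=$(sed -n 's/^[[:space:]]*var[[:space:]]*RULE_PATH[[:space:]]*//p' "$1" | head -n 1)
    case "$path" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Map a Snort version string (major.minor[.patch]) to how alerts reach Prelude:
# "direct" (alert_prelude built into Snort, 2.4.0 to 2.9.2), "barnyard2"
# (2.9.3 and later: unified2 files read by Barnyard2), or "unsupported" (< 2.4.0).
prelude_mode_for_version() {
    v="$1"
    maj=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi     # no minor component given
    min=${rest%%.*}
    pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi    # no patch component given
    num=$((maj * 10000 + min * 100 + pat))
    if [ "$num" -lt 20400 ]; then
        echo unsupported
    elif [ "$num" -le 20902 ]; then
        echo direct
    else
        echo barnyard2
    fi
}

# Return 0 if the output directives required for MODE ($1) are active in
# snort.conf ($2) and, for barnyard2 mode, in barnyard2.conf ($3).
check_sensor_config() {
    case "$1" in
        direct)
            has_active_directive "$2" "output alert_prelude:" ;;
        barnyard2)
            has_active_directive "$2" "output unified2:" &&
            has_active_directive "$3" "output alert_prelude:" ;;
        *)
            return 1 ;;
    esac
}

# Demonstration on constructed configuration fragments: alert_prelude is
# commented out in snort.conf, so only the Barnyard2 path is complete.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/snort.conf" <<'EOF'
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
# output alert_prelude: profile=snort
# unified2
output unified2: filename merged.log, limit 128
EOF
    cat > "$tmp/barnyard2.conf" <<'EOF'
output alert_prelude: profile=snort
EOF
    for version in 2.9.2 2.9.3; do
        mode=$(prelude_mode_for_version "$version")
        if check_sensor_config "$mode" "$tmp/snort.conf" "$tmp/barnyard2.conf"; then
            echo "snort $version ($mode): output configuration consistent"
        else
            echo "snort $version ($mode): output configuration incomplete"
        fi
    done
    if rule_path_is_absolute "$tmp/snort.conf"; then
        echo "RULE_PATH is absolute"
    else
        echo "RULE_PATH is relative; set it to /etc/snort/rules or similar"
    fi
    rm -rf "$tmp"
}
demo
```

Run it once after editing the configuration files and before starting the sensor; point check_sensor_config at the real /etc/snort/snort.conf and /etc/snort/barnyard2.conf, with the mode taken from `snort -V`. The check only looks at the output directives; registration with prelude-admin and the server-addr setting are still verified as described above.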