How to install Snort on CentOS

Snort CentOS

Snort is a popular choice for running a network intrusion detection system or NIDS. It monitors the package data sent and received through a specific network interface. NIDS can catch threats targeting your system vulnerabilities using signature-based detection and protocol analysis technologies. NIDS software, when installed and configured appropriately, can identify the latest attacks, malware infections, compromised systems, and network policy violations. In this guide, you will find instructions on how to install Snort on CentOS 7. The install guide is also available for cloud servers running Debian 9 and Ubuntu 16.

Snort logo

Snort is one of the most commonly used network-based IDS. It is lightweight, open source, available on a multitude of platforms, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand as needed.

Preparing your server

Setting up a basic configuration of Snort on CentOS is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command.

sudo yum install -y gcc flex bison zlib libpcap pcre libdnet tcpdump

The latest Snort version at this time also requires libnghttp2 which can be downloaded from the Extra Packages for Enterprise Linux (EPEL) and installed using the commands underneath.

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y libnghttp2

With the prerequisites fulfilled, next up is how to install Snort on CentOS 7. Snort can be installed with ready-built packages, which simplifies the setup process considerably, and allows you to install Snort easily with yum. Alternatively, you can download and install the Snort on CentOS manually from the source. Below you will find instructions for both of these methods.

Option 1. Installing with yum

Snort provides convenient rpm packets for CentOS 7, which can be installed simply with the commands below. Snort itself uses something called a Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Check the latest version number on the Snort front page, if a newer version of DAQ or Snort is available simply replace the version number in the following commands with the latest option.

sudo yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
sudo yum install https://www.snort.org/downloads/snort/snort-2.9.12-1.centos7.x86_64.rpm

Once you are done with the installation, jump forward to the configuration to continue.

Option 2. Installing from the source

Setting up Snort on CentOS from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.

Before getting started, you will also need the following development packages in addition to the already install prerequisites.

sudo yum install -y zlib-devel libpcap-devel pcre-devel libdnet-devel openssl-devel libnghttp2-devel luajit-devel

When ready, make a temporary download folder to your home directory and then change into it with the command below.

mkdir ~/snort_src && cd ~/snort_src

Download the latest DAQ source package from the Snort website with the wget command underneath. Replace the version number in the command if a newer source is available.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

The download will only take a few seconds when complete extract the source code and jump into the new directory with the following commands.

tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6

Run the configuration script using its default values, then compile the program with make and finally install DAQ.

./configure && make && sudo make install

With the DAQ installed, you can get started with Snort, change back to the download folder.

cd ~/snort_src

Next, download the Snort source code with wget. Check the latest version number from the Snort website and replace it in the following command if necessary.

wget https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz

Once the download is complete, extract the source and change into the new directory with these commands.

tar -xvzf snort-2.9.12.tar.gz
cd snort-2.9.12

Then configure the installation with sourcefire enabled, run make and make install.

./configure --enable-sourcefire && make && sudo make install

With that done, continue below on how to set up the configuration files.

Configuring Snort to run in NIDS mode

Next, you will need to set up Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.

Start with updating the shared libraries using the command underneath.

sudo ldconfig

Snort on CentOS gets installed to /usr/local/bin/snort directory, it is good practice to create a symbolic link to /usr/sbin/snort.

If you installed Snort with yum you can skip this command.

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Setting up username and folder structure

To run Snort on CentOS safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Then create the folder structure to house the Snort configuration, just copy over the commands below. If you installed Snort using yum these directories should have already been added at installation, but check to make sure.

sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules

Set the permissions for the new directories accordingly.

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create new files for the white and blacklists as well as the local rules.

sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules

Then if you installed Snort from the source code, copy over the configuration files from the download folder. Skip this if you installed Snort with yum.

sudo cp ~/snort_src/snort-2.9.12/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.12/etc/*.map /etc/snort

Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.

  • Community rules are freely available though slightly limited.
  • By registering for free on their website you get access to your Oink code, which lets you download the registered user’s rule sets.
  • Lastly, subscriber rules are just that, available to users with an active subscription to Snort services.

Underneath you can find instructions for downloading both community rules and registered user rule sets.

Option 1. Using community rules

If you just want to quickly test out Snort, grab the community rules using wget with the command below.

wget https://www.snort.org/rules/community -O ~/community.tar.gz

Extract the rules and copy them to your configuration folder.

sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules

By default, Snort on CentOS expects to find a number of different rule files which are not included in the community rules. Comment out the unnecessary lines using the next command.

sudo sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf

Option 2. Obtaining registered user rules

You can also take a moment and register on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.

Replace the oinkcode in the following command with your personal code.

wget https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=oinkcode -O ~/registered.tar.gz

Once downloaded, extract the rules and copy them over to your configuration directory.

sudo tar -xvf ~/registered.tar.gz -C /etc/snort

The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf file.

Configuring the network and rule sets

With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file for editing with the following command.

sudo vi /etc/snort/snort.conf

Find these sections shown below in the configuration file and change the parameters to reflect the examples here.

# Setup the network addresses you are protecting
ipvar HOME_NET server_public_ip/32
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

In the same snort.conf file, scroll down to section 6 and set the output for unified2 to log under the filename of snort.log like below.

# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules to allow Snort to load any custom rules.

include $RULE_PATH/local.rules

If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules line.

include $RULE_PATH/community.rules

Once you are done with the configuration file, save the changes and exit the editor.

Validating settings

Your Snort should now be ready to run. Test the configuration using the parameter -T to enable test mode and validate the configuration.

sudo snort -T -c /etc/snort/snort.conf

If you get an error while loading shared libdnet.1 libraries, create the following link and try again.

ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

After running the Snort configuration test, you should get a message like this example below.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  
           Preprocessor Object: appid  Version 1.1  
           Preprocessor Object: SF_DNP3  Version 1.1  
           Preprocessor Object: SF_MODBUS  Version 1.1  
           Preprocessor Object: SF_GTP  Version 1.1  
           Preprocessor Object: SF_REPUTATION  Version 1.1  
           Preprocessor Object: SF_SIP  Version 1.1  
           Preprocessor Object: SF_SDF  Version 1.1  
           Preprocessor Object: SF_DCERPC2  Version 1.0  
           Preprocessor Object: SF_SSLPP  Version 1.1  
           Preprocessor Object: SF_DNS  Version 1.1  
           Preprocessor Object: SF_SSH  Version 1.1  
           Preprocessor Object: SF_SMTP  Version 1.1  
           Preprocessor Object: SF_IMAP  Version 1.0  
           Preprocessor Object: SF_POP  Version 1.0  
           Preprocessor Object: SF_FTPTELNET  Version 1.2  

Snort successfully validated the configuration!
Snort exiting

In case you get an error, the printout should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above or by commenting out unnecessary inclusion lines in the snort.conf file. Check the configuration part and try again.

Testing the configuration

To test if Snort is logging alerts as intended, add a custom detection rule alert on incoming ICMP connections to the local.rules file. Open your local rules in a text editor.

sudo vi /etc/snort/rules/local.rules

Then add the following line to the file.

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

The rule consists of the following parts:

  • action for traffic matching the rule, alert in this case
  • traffic protocol like TCP, UDP or ICMP like here
  • the source address and port, simply marked as any to include all addresses and ports
  • the destination address and port, $HOME_NET as declared in the configuration and any port
  • some additional bits
    • log message
    • unique rule identifier (sid) which for local rules needs to be 1000001 or higher
    • rule version number.

Save the local.rules and exit the editor. You then need to restart Snort since you made changes to the files it loads.

Start Snort with -A console option to print the alerts to stdout. You will need to select the correct network interface with the public IP address of your server, for example, eth0.

sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

If you are not sure which interface to use, check your UpCloud control panel for the public IPv4 address of your server in the Network settings. You can also use the following command on your server.

ip addr

The output will list all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network settings, commonly eth0.

With Snort up and running ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort.

07/12-11:20:33.501624  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202

After the alerts show up you can stop Snort with ctrl+C.

Snort records the alerts to a log under /var/log/snort/snort.log.timestamp, where the time stamp is the point in time when Snort was started marked in Unix time. You can read the logs with the command underneath. Since you have only run Snort once, there is only one log, complete your command by pressing TAB.

snort -r /var/log/snort/snort.log.

The log shows a warning for each ICMP call with source and destination IPs, time and date, plus some additional info as shown in the example below.

WARNING: No preprocessors configured for policy 0.
07/12-11:20:33.501624 83.136.252.118 -> 80.69.173.202
ICMP TTL:63 TOS:0x0 ID:20187 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:13891 Seq:1 ECHO

Running Snort in the background

Lastly, if you wish to run Snort on CentOS as a service in the background you should download a startup script from Snort documentation.

If you installed Snort using yum, you should already have the startup script configured. Start the service as described below.

Use the following commands to get and install a startup script for your system.

wget https://www.snort.org/documents/snort-startup-script-for-centos -O ~/snortd
sudo chmod 755 ~/snortd && sudo mv ~/snortd /etc/init.d/

Next, reload the system daemon.

sudo systemctl daemon-reload

Then start the service.

sudo systemctl start snortd

The startup script also includes the other usual systemctl commands: stop, restart, and status. For example, you can check the status of the service with the following command.

sudo systemctl status snortd

Conclusions

Congratulations, you should have now successfully configured and tested a network-based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and NIDS in general. To get more out of your installation, check out the deployment guides over at the Snort documents page, or jump right into writing your own detection rules with their helpful Snort rules info graph.

Janne Ruostemaa

Editor-in-Chief

  1. Libnet is now version 1.7.0 and apparently can only be directly downloaded from https://rpmfind.net/linux/rpm2html/search.php?query=libnet.so.1()(64bit)/lib64net1-1.1.6-8.mga7.aarch64.rpm

  2. Janne Ruostemaa

    Hi Michael and thanks for bringing up the new version. Snort should work perfectly fine using the previous option found in the package manager. We’ll update the guide if that changes.

  3. I tried using the snort background script “snortd”. Followed the instructions but got an exceeded resources error and the service won’t start. Snort itself works if I manually start it. Running Centos7. Since I am running it in a VM I know the network interface is named differently and I changed all references in the snortd.service that pointed to eth0 to enp0s3 (vm adapter), still no luck. Any suggestions on what I can look for?

  4. Janne Ruostemaa

    Hi Ryan, thanks for the question. Unfortunately, without knowing more about your configuration, it’s quite difficult to say. Snort itself is very lightweight so I would be inclined to think your VM instance might have some systemd process specific limitations. If possible, you could try increasing the resources allocated to the VM and see if it has any effect, 1CPU core and 1GB of RAM should be enough.

  5. Awesome intro to Snort. That would be cool to have a follow up article to built something similar to what those products such as Fingbox, Firewalla, etc… but with Snort. It does not need to have a fancy UI, just an automated way for example:
    1) if a new device appears on your network, you get aa notification
    2) all new devices are blocked by default, (blacklisted), then you can manually whitelist them
    3) notifications would come as emails – any alert
    stuff like that. That would be very cool – I could not find anything on that…

  6. Hi, I have the same problem.

    This is my output.

    snortd.service – LSB: Start up the Snort Intrusion Detection System daemon
    Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
    Active: failed (Result: resources) since mar 2019-05-21 11:35:35 EDT; 17s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 14781 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)

    may 21 11:35:35 localhost.localdomain snortd[14781]: Daemon parent exiting (0)
    may 21 11:35:35 localhost.localdomain snortd[14781]: [17B blob data]
    may 21 11:35:35 localhost.localdomain snort[14797]: Daemon initialized, signaled parent pid: 14792
    may 21 11:35:35 localhost.localdomain snort[14797]: Reload thread starting…
    may 21 11:35:35 localhost.localdomain snort[14797]: Reload thread started, thread 0x7fd2a7235700 (14798)
    may 21 11:35:35 localhost.localdomain systemd[1]: PID file /var/run/snort_eth0.pid not readable (yet?) after start.
    may 21 11:35:35 localhost.localdomain systemd[1]: snortd.service never wrote its PID file. Failing.
    may 21 11:35:35 localhost.localdomain systemd[1]: Failed to start LSB: Start up the Snort Intrusion Detection System daemon.
    may 21 11:35:35 localhost.localdomain systemd[1]: Unit snortd.service entered failed state.
    may 21 11:35:35 localhost.localdomain systemd[1]: snortd.service failed.
    [root@localhost system]#

    I followed the guide stop by step. My interface is eth0

  7. Janne Ruostemaa

    Hi Christian. By your output, it appears Snort is unable to set the process ID to /var/run/snort_eth0.pid. This could be due to permission issues but also due to a problem with the current startup script provided by Snort. If you installed Snort from source, I’d recommend uninstalling it and installing Snort again using yum which will include a working startup script.

  8. Whats wrong ?
    Running in Test mode

    –== Initializing Snort ==–
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file “/root/community-rules/snort.conf”
    PortVar ‘HTTP_PORTS’ defined : [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
    PortVar ‘SHELLCODE_PORTS’ defined : [ 0:79 81:65535 ]
    PortVar ‘ORACLE_PORTS’ defined : [ 1024:65535 ]
    PortVar ‘SSH_PORTS’ defined : [ 22 ]
    PortVar ‘FTP_PORTS’ defined : [ 21 2100 3535 ]
    PortVar ‘SIP_PORTS’ defined : [ 5060:5061 5600 ]
    PortVar ‘FILE_DATA_PORTS’ defined : [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
    PortVar ‘GTP_PORTS’ defined : [ 2123 2152 3386 ]
    Detection:
    Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
    ERROR: /root/community-rules/classification.config(0) Unable to open rules file “/root/community-rules/classification.config”: No such file or directory.

    Fatal Error, Quitting..

  9. Janne Ruostemaa

    Hi there, thanks for the question and for posting the full error message. The issue is outlined at the end, Snort is looking for a rule file at /root/community-rules/classification.config which doesn’t exist. Check the path and filename are correct or download the classification.config file from Snort configuration files.

  10. hi
    i need steps to install in RHEL linux

  11. Janne Ruostemaa

    Hi Narendra, as CentOS is based on RHEL, the method of installing Snort from the source should work much the same.

  12. Hi , Snort gets me this error saying daq static library not found

    ./configure: line 16264 daq-modules-config: command not found
    checking for daq_load_modules in idaq_static… no
    Error! daq_static_library not found , go get it from snort.com

    What could be the problem ?

  13. Janne Ruostemaa

    Hi there, thanks for the question. It seems you are missing the DAQ package that Snort relies on. Install it, for example, by running the following command: sudo yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm

  14. To save you the deep digging. If you are running selinux, follow that link to start snort in background or at all.

    https://seclists.org/snort/2018/q4/338

  15. any reason as to why not to install daq directly from centos repo itself?
    (yum install daq)

  16. Janne Ruostemaa

    Hi there, thanks for the question. DAQ is available in the EPEL repository which is perfectly fine if you already have EPEL installed. The instructions in this guide let you install DAQ without needing to also install EPEL.

  17. Hello, I am getting a fatal error permission denied. I checked permissions and everything is correct.

    snortd.service – SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
    Loaded: loaded (/etc/rc.d/init.d/snortd; generated)
    Active: active (exited) since Sun 2019-09-08 23:24:48 UTC; 9min ago
    Docs: man:systemd-sysv-generator(8)
    Process: 21917 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
    Process: 21932 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)

    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: Running in IDS mode
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]:
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: –== Initializing Snort ==–
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: Initializing Output Plugins!
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: Initializing Preprocessors!
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: Initializing Plug-ins!
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: Parsing Rules file “/etc/snort/snort.conf”
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snort[21943]: FATAL ERROR: /etc/snort/snort.conf(0) Unable to open rules file “/etc/snort/snort.conf”: Permission denied.
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal snortd[21932]: [29B blob data]
    Sep 08 23:24:48 ip-172-31-14-159.us-east-2.compute.internal systemd[1]: Started SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, p>

  18. Janne Ruostemaa

    Hi Ryan, thanks for the question. By the error message, Snort is indeed unable to access the config file due to permission issue. You mentioned having already checked for permissions but I’d recommend reapplying the permissions to the Snort configuration directories. Also, try running Snort with sudo if you weren’t already.

  19. Can’t initialize DAQ afpacket (-1) – afpacket_daq_initialize: Invalid interface specification: ”!
    i am getting the error in snort installtion
    run this command means
    [root@splunklo daq-2.0.6]# sudo snort -T -c /etc/snort/snort.conf

    Rule application order: pass->drop->sdrop->reject->alert->log
    Verifying Preprocessor Configurations!

    [ Port Based Pattern Matching Memory ]
    [ Number of patterns truncated to 20 bytes: 0 ]
    afpacket DAQ configured to inline.
    ERROR: Can’t initialize DAQ afpacket (-1) – afpacket_daq_initialize: Invalid interface specification: ”!
    Fatal Error, Quitting..

  20. Janne Ruostemaa

    Hi Tamil, thanks for the question. As per the error message, DAQ is not able to find the network interface. Try running the configuration test by including the NIC you want to monitor, e.g. sudo snort -T -c /etc/snort/snort.conf -i eth0

  21. Hii all i want some custom rules any body give example

  22. Janne Ruostemaa

    Hi Tamil, thanks for the question. Have a look at the community rules for examples as provided by Snort. If you followed the first option in obtaining the community rules they would be at /etc/snort/rules/community-rules

  23. Hi, thank you for making this very detail! I would like to try snort inline mode with my centos 7, unfortunately it doesn’t work well. Is it possible that you can give me some help? Such as how to set up inline mode.

    I have follow the steps from this link already.
    http://brianshowto.com/?p=78

  24. Janne Ruostemaa

    Hi there, thanks for the question. Configuring Snort inline sets it up as a bridge between two networks. On our cloud servers, you’d need to create a private network without source IP filtering to allow the gateway to function.

  25. Excellent documento, thank you!

  26. I’m going nuts.. have tried and re tried this many times on a VM with Centos 7, always getting this error:

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains…
    ERROR: /etc/snort/rules/app-detect.rules(33) Unknown ClassType: web-application-attack
    Fatal Error, Quitting..

    Please help.. I beg help!!! not even google has an explanation for this :/

  27. Nevermind I see now it’s because I did not have a classification file, I guess it would have been very nice if who wrote this guy added that in the tutorial!!

  28. Janne Ruostemaa

    Hi there, thanks for the comment and glad to hear you found the solution. Indeed the classification.config file is required for the application detection rules and it should have been included in the registered user ruleset I’m assuming you downloaded. In case of any other errors, make sure you’ve extracted all files from the registered rules package into your /etc/snort/ directory.

  29. Hello,

    Can someone help me to solve the following issue.
    I have installed Snort Version 2.9.15.1 GRE (Build 15125) on Centos 7.
    when I run it on the interface which has all the network traffic sniffed I got this message in every alert: WARNING: No preprocessors configured for policy 0

    WARNING: No preprocessors configured for policy 0.
    02/20-09:50:33.478603 10.xx.xx.xx -> 10.xx.xx.xx
    ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
    Type:11 Code:0 TTL EXCEEDED IN TRANSIT
    ** ORIGINAL DATAGRAM DUMP:
    10.xx.xx.xx -> 10.xx.xx.xx
    ICMP TTL:1 TOS:0x0 ID:50625 IpLen:20 DgmLen:64
    Type: 8 Code: 0 Csum: 21084 Id: 40215 SeqNo: 32403
    ** END OF DUMP

    Can someone help me to solve this problem?

  30. Janne Ruostemaa

    Hi Claudiu, thanks for the question. The warning indicates that Snort is missing preprocessors. You should check that preprocessors are enabled in your snort.conf file and that the config file is included in the command e.g. snort -v -c /etc/snort/snort.conf

  31. Hello,

    Thank you for your answer.
    I-am getting the following error when I run : snort -v -c /etc/snort/snort.conf
    Acquiring network traffic from “nflog”.
    Reload thread starting…
    Reload thread started, thread 0x7fee169df700 (18766)
    ERROR: Cannot decode data link type 239
    Fatal Error, Quitting..

  32. Also I’m getting:
    Memory stats information for preprocessor is NULL
    when I run:
    snort -A console -i eno1 -u snort -g snort -c /etc/snort/snort.conf

    PS: I getting that error if I increase the sniffed traffic on the eno1 interface

  33. I am getting this error. Any idea?
    # snort -r /var/log/snort/snort.log.1583254619
    Running in packet dump mode

    –== Initializing Snort ==–
    Initializing Output Plugins!
    pcap DAQ configured to read-file.
    ERROR: Can’t initialize DAQ pcap (-1) – unknown file format
    Fatal Error, Quitting..

  34. Janne Ruostemaa

    Hi Sheng, thanks for the question. It’s possible that your log file is empty. I’d suggest checking your configuration and try running Snort on the console to see if your rules are firing e.g. sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

  35. Suryalakshminarayana Dhulipudi

    Hi I am getting below issue while installing snort, it used to work before on the same os.

    [centos@localhost ~]$ sudo yum install https://www.snort.org/downloads/snort/snort-2.9.16.1-1.centos8.x86_64.rpm
    Loaded plugins: fastestmirror
    Cannot open: https://www.snort.org/downloads/snort/snort-2.9.16.1-1.centos8.x86_64.rpm. Skipping.
    Error: Nothing to do

  36. Janne Ruostemaa

    Hi there, thanks for the comment. If there’s no other difference in the servers and installing the prebuilt binaries doesn’t work, I’d recommend trying to install Snort from the source to better see if something is missing.

  37. Hi,

    Someone can help me? I am still new with Snort.

    I following all step mention above. But Snort Rules not read.

    Below is the outcome.

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains…
    0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
    0 Option Chains linked into 0 Chain Headers
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    +——————-[Rule Port Counts]—————————————
    | tcp udp icmp ip
    | src 0 0 0 0
    | dst 0 0 0 0
    | any 0 0 0 0
    | nc 0 0 0 0
    | s+d 0 0 0 0
    +—————————————————————————-

  38. Janne Ruostemaa

    Hi Isyam, thanks for the question. You should check your snort.conf to make sure your rules are loaded. These can be found towards the end of your config file:

    include $RULE_PATH/community.rules
    include $RULE_PATH/local.rules
  39. ERROR size 1432 != 1464
    ERROR: Failed to initialize dynamic preprocessor: SF_REPUTATION version 1.1.1 (-2)
    Fatal Error, Quitting..
    would you help me please

  40. Janne Ruostemaa

    Hi Hocine, thanks for the question. The error could be caused by having the preprocessor rule path set incorrectly or the directory is empty. Check your snort.conf file has set the following var PREPROC_RULE_PATH /etc/snort/preproc_rules and that the rules you downloaded were extracted successfully.

  41. hi, went back and checked everything but i know i missed something.
    i am getting “sudo: snort: command not found” error when i try and verify.
    ran that as root user and still get the same error. what am i missing?

  42. Janne Ruostemaa

    Hi Rudy, thanks for the question. It sounds like either Snort, DAQ, or both failed to install which could be due to an old version. The currently latest versions of both Snort and DAQ have changed since the tutorial was last updated so make sure you are downloading the right ones. At this time, the latest versions are snort-2.9.17.1 and daq-2.0.7.

  43. ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h)
    not found, go get it from http://www.tcpdump.org
    or use the –with-libpcap-* options, if you have it installed
    in unusual place. Also check if your libpcap depends on another
    shared library that may be installed in an unusual place

    can someone help me please

  44. Janne Ruostemaa

    Hi Mian, thanks for the question. It seems you are missing the Libpcap library files or Snort couldn’t find it. You can search for the file using the following command:

    find / -iname libpcap*

    If you can’t find a file called libpcap.so.1* usually under /usr/lib64/, try reinstalling it.

    sudo yum install libpcap
  45. Hello! Can i use this tutorial for CentOS 8? Thanks before!

  46. Janne Ruostemaa

    Hi Ronaldo, thanks for the question. You should choose the version to install for EPEL and Snort according to your OS version but the rest of the guide should work much the same regardless. The following commands will get Snort installed on CentOS 8:

    sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    sudo yum install -y libnghttp2
    sudo yum install -y https://forensics.cert.org/centos/cert/8/x86_64/daq-2.0.7-10.1.el8.x86_64.rpm
    sudo yum install -y https://snort.org/downloads/snort/snort-2.9.18-1.centos8.x86_64.rpm
  47. I followed the same steps, but did not get any test alert:-

    I am pinging from another machine and it is successful.
    Note: the interface is IPv6.
    All machines are centos-7

    The below results is all I got and it stucks like this till I hit ctl+c

    Preprocessor Object: SF_SIP Version 1.1
    Preprocessor Object: SF_SDF Version 1.1
    Preprocessor Object: SF_S7COMMPLUS Version 1.0
    Preprocessor Object: SF_REPUTATION Version 1.1
    Preprocessor Object: SF_POP Version 1.0
    Preprocessor Object: SF_SSLPP Version 1.1
    Preprocessor Object: SF_MODBUS Version 1.1
    Preprocessor Object: SF_IMAP Version 1.0
    Preprocessor Object: SF_GTP Version 1.1
    Preprocessor Object: SF_SSH Version 1.1
    Preprocessor Object: SF_FTPTELNET Version 1.2
    Preprocessor Object: SF_DNS Version 1.1
    Preprocessor Object: SF_DNP3 Version 1.1
    Preprocessor Object: SF_DCERPC2 Version 1.0
    Commencing packet processing (pid=1854)

  48. Janne Ruostemaa

    Hi Ameen, thanks for the comment. Starting Snort with the test command will leave it running on the console as you saw, that’s normal. If you didn’t get alerts, check that your alert configuration sets your public IPv6 address correctly as the target.

  49. ‘-=SystemD script for Snort=-
    ===========================

    #nano /lib/systemd/system/snort.service

    [Unit]
    Description=Snort NIDS Daemon
    After=syslog.target network.target

    [Service]
    Type=simple
    ExecStart=/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens1

    [Install]
    WantedBy=multi-user.target
    _________________________
    #systemctl daemon-reload
    &&
    #systemctl start snort

Leave a Reply to tamil

Your email address will not be published. Required fields are marked *

Back to top