!"#$% '()(* #" +,"%-! .(.

/"0%1221%3#"
1"4 +#"5367$1%3#" 8734,

-9,$93,:
What is Snoit.
Snoit is an open souice netwoik intiusion pievention anu uetection system
(IBSIPS) uevelopeu by Souicefiie. Combining the benefits of signatuie, piotocol
anu anomaly-baseu inspection, Snoit is the most wiuely ueployeu IBSIPS
technology woiluwiue. With millions of uownloaus anu appioximately Suu,uuu
iegisteieu useis, Snoit has become the ue facto stanuaiu foi IPS.

Authoi: Ken Schai
veision 1.u1
/"0%1223"6 +,"%-! .(.
This will be a minimal Cent0S S.S installation anu then will use yum to upgiaue anu
auu auuitional neeueu packages.
You will fiist see the following giub welcome scieen.

;##%< Click Next
Next you will be see a scieen giving yout he option of testing meuia. If you'ie
confiuent it's ok you can select "skip" anu then entei anu then select "Next". The
next few steps assume a 0S-baseu installation if outsiue of the 0S oi using a
uiffeient language oi keyboaiu layout then just select the appiopiiate options.

=1"6716,< English

>,?@#1$4< 0.S. English

A30B C1$%3%3#"3"6< Choose to automatically patition the haiuuiive by choosing the
following option - "Remove all paititions on selecteu uiives anu cieate uefault
layout". (Assumption is that this installation is not being uone on a uual-boot box, if
so, choose eithei "0se fiee space on selecteu uiives anu cieate uefault layout" oi
"Cieate custom layout".
Click "Yes" when waining uialog box comes up.

D,%:#$B +#"5367$1%3#"<
Select "Euit" to euit ethu uevice. Be suie "Enable IPv4 suppoit" is checkeu anu select
"Nanual configuiation". Set a static IP auuiess anu the subnet mask foi youi
netwoik. Click "0k"
0nuei "Bostname" section, check the box "manually" anu manually set youi
hostname.
Set "Niscellaneouse Settings" incluuing youi uateway anu Piimaiy BNS anu
optionally a Seconuaiy BNS.

E3F, !,%7G< Choose the closest city within youi timezone. Leave the following box
checkeu, "System clock uses 0TC".

H##% C100:#$4< Set a stiong ioot passwoiu heie.

/"0%1221%3#" E?G,< Check "Seivei" anu be suie no othei install types aie checkeu.
Check the box, "Customize now" anu click "Next".
Choose the "Seiveis" categoiy anu make suie the only boxes checkeu aie
"NySQL Batabase" anu "Web Seivei" anu click "Next".
Click "Next" again to begin the installation piocess.

H,@##%< When the initial installation is uone click "Reboot" to ieboot youi new
Cent0S system.

I5%,$ %J, $,@##%< you will be in commanu line only moue (Run Level S). Anu the
"Setup Agent" piogiam will autostait. (If it uoes not you can entei it by fiist logging
in as ioot with the passwoiu you assigneu in a pievious step anu then enteiing
"setup" at the commanu line piompt).

A301@2, K"",L,001$? !,$93L,0< 0nce in the Setup Agent piogiam select "System
Seivices".
0ncheck (uisable) the following seivices - apmu, bluetooth, cups, gpm, isun,
netfs, nfslock, poitmap.

M"1@2, D,,4,4 !,$93L,0<
Check (enable) the following seivices - httpu, mysqlu.
Bit <TAB> anu click "0k".

N3$,:122 !,%7G< Still within the Setup Agent piogiam choose "Fiiewall
Configuiation"
0se youi <TAB> key to move aiounu anu selcteu the following:
Secuiity Level: Enableu, SELinux: Bisableu.
Then choose "Customize" anu unuei the section "Allow Incoming:" check the
boxes foi SSB, WWW(BTTP), anu Secuie WWW (BTTPS). Then select "0k"
anu "0k" again to exit Fiiewall Configuiation anu save changes.
Choose "Quit" to exit the Setup Agent piogiam.

!%1$%7G IG1LJ, O,@ !,$9,$ 1"4 P?!Q= A1%1@10, !,$9,$<
Entei the following 2 commanus to uo this.
seivice httpu stait
seivice mysqlu stait

+$,1%, 1 K0,$ ILL#7"%< Auu a usei account foi youi eveiyuay use. Note - the ioot
usei account shoulu not be useu as youi iegulai login account. If you neeu to access
ioot level functions you can use "su -" oi "suuo" to gain ioot level access to ceitain
piogiams.
Entei the following commanus to cieate a gioup anu usei account.
gioupauu <gioupname>
useiauu -g <gioupname> <useiname>
Next, assign a passwoiu to this new usei account.
passwu <useiname>

KG41%3"6 %J, !?0%,F
Next we neeu to apply any secuiity upuates, etc. that weie ieleaseu aftei youi
Cent0S S.S installation CB was fiist ieleaseu.
Entei the following commanu to install all available upuates - "yum -y upuate"

EJ, !"#$% /"0%1221%3#" 1"4 !,%7G
0se the following commanu to install all of the neeueu components that aie
available within the Cent0S yum iepositoiy:
yum -y install mysql-bench mysql-uevel php-mysql gcc pcie-uevel php-gu gu glib2-
uevel gcc-c++ libpcap-uevel
Secuiing SSB:
Euit the following etcsshsshu_config file using youi favoiite file euitoi to make
the following changes (if the lines aie theie but aie commenteu out be suie to
iemove the # sign).
Piotocol 2
PeimitRootLogin no
PeimitEmptyPassoius no

+$,1%, 43$,L%#$? 5#$ 3"0%1221%3#" 70,<
It is a goou iuea to place all of the uownloaueu files into a single uiiectoiy foi easy
access. This uiiectoiy will no longei be neeueu aftei installation is finisheu anu can
be safely iemoveu fiom youi system.
Cieate a uiiectoiy unuei ioot calleu snoitinstall. 0se the following to uo this.
cu ioot
mkuii snoitinstall
cu iootsnoitinstall

A#:"2#14 ",,4,4 !"#$% 532,0<
Entei the following commanus to uownloau anu install Snoit.
wget http:www.snoit.oiguownloaus14 (this location has changeu fiom time to
time so you aie encouiageu to visit the Snoit.oig site with youi web biowsei anu
confiim the piopei location to uownloau the latest veision of Snoit.
P1B3"6 43$,L%#$3,0 1"4 @7323"6R3"0%1223"6 !"#$%<
tai xvzf snoit-2.8.6.tai.gz
cu snoit-2.8.6
.configuie --with-mysql --enable-uynamicplugin
( if builuing foi Cent0S 64 bit use the following insteau -> !"#$%&'()*+ -.'/01
2345616'7*8*'+49")4*"6'7:;"23456" 11+%876+1<3%82'#=6)('% )
make
make install
gioupauu snoit
useiauu -g snoit snoit -s sbinnologin
mkuii etcsnoit
mkuii etcsnoitiules
mkuii etcsnoitso_iules
mkuii vailogsnoit
chown snoit:snoit vailogsnoit
cu etc >28?+ 4)*+ 3$) <$ @AB #< /$ "+/# 7)/ /08/ '/ '4 +/# <'*+#/$*3 )%<+* 4%$*/ '%4/866 &'6+4 <'*+#/$*3C!
cp * etcsnoit
cu iootsnoitinstall
Snoit iules come in two flavois. 0ne is a paiu subsciiption that assuies you have the
latest anu gieatest (highly iecommenueu anu veiy inexpensive), the othei is foi
iegisteieu useis at Snoit.oig. So at the veiy least go to Snoit.oig anu iegistei foi an
email account anu then uownloau the latest iules file. 0nce you have uone this you
can use scp (ssh secuie copy) to copy these files ovei to youi new Snoit installation
using a commanu similai to the following.
scp snoitiules-snapshot-286u.tai.gz <useiname><ip auuiess of snoit sensoi>:
Then fiom iootsnoitinstall you can copy that file ovei using the following
commanu.
cp home<useiname> snoitiules-snapshot-286u.tai.gz . (note the space anu
then . (uot) at the enu).
Next we can untai that fileanu put the iules files into the iight uiiectoiy.
tai xvzf snoitiules-snapshot-286u.tai.gz
cu .iules
cp * etcsnoitiules
cp ..so_iulespiecompileuCent0S-S.uiS862.8.6.u* etcsnoitso_iules
P#435? ?#7$ 0"#$%(L#"5 532,<
The snoit.conf file is locateu in etcsnoit. Again using youi favoiite text euitoi
open this file anu make the following changes.
"vai R0LE_PATB ..iules" change this line to "vai R0LE_PATB etcsnoitiules"
"vai S0_R0LE_PATB ..so_iules" change this line to "vai S0_R0LE_PATB
etcsnoitso_iules"

Next - scioll uown to the "output" section anu auu the following line
output unifieu2: filename snoit.log, limit 128

P?!Q= A1%1@10, !,%7G
Entei the following commanus to setup youi Snoit uatabase.
D-EM< B0+ &'*4/ /'2+ 3$) 8*+ =*$2=/+< &$* 8 =844.$*< 4'2=63 0'/ +%/+*!
You will neeu to cieate passwoius foi 2 uatabase useis, one is ioot , the othei will be
a usei nameu Snoit. It is impoitant to iemembei both of these passwoius.
In the fiist commanu below entei the G100:#$4 you choose in the 2
nu
passwoiu
fielu below. Be suie to leave in the single quotes aiounu youi new passwoiu.
echo "SET PASSW0RB F0R iootlocalhost=PASSW0RB('G100:#$4');" | mysql -u
ioot -p
echo "cieate uatabase snoit;" | mysql -u ioot -p
mysql -u ioot -p -B snoit < .schemascieate_mysql
echo "giant cieate, inseit on ioot.* to snoitlocalhost" | mysql -u ioot -p
echo "SET PASSW0RB F0R snoitlocalhost=PASSW0RB('G100:#$4');" | mysql -u
ioot -p
echo "giant cieate, inseit, select, uelete, upuate on snoit.* to snoitlocalhost" |
mysql -u ioot -p

/"0%122 1"4 +#"5367$, ;I!M S;103L I"12?030 1"4
!,L7$3%? M"63", 1"4 IA-A;
0se the following commanu to install php-peai anu some auuitional suppoiting files
to allow foi giaphing within BASE to function piopeily:
yum -y install php-peai_numbeis_ioman php-peai_numbeis_woius php-
peai_image_coloi php-peai_image_canvas php-peai_image_giaph
A#:"2#14 IA-A;<
cu iootsnoitinstall
wget http:souicefoige.netpiojectsauoubfilesauoub-phpS-onlyauoub-S11-
foi-phpSauoubS11.tgzuownloau
A#:"2#14 ;I!M<
wget http:souicefoige.netpiojectssecuieiueasfilesBASEbase-1.4.Sbase-
1.4.S.tai.gzuownloau
/"0%1223"6 IA-A;<
cu vaiwww
tai xvzf iootsnoitinstallauoub-S11.tgz
mv auoubS auoub >/0'4 #$228%< .'66 *+%82+ D<$<7E <'*+#/$*3 /$ F)4/ GD<$<7HC

/"0%1223"6 1"4 L#"5367$3"6 ;I!M<
cu vaiwwwhtml
tai xvzf iootsnoitinstallbase-1.4.S.tai.gz
mv base-1.4.S base >/0'4 #$228%< .'66 *+%82+ 784+1I!;!E <'*+#/$*3 /$ F)4/ G784+HC

Copy the base_conf.php.uist file to base_conf.php using the following commanus.
cu base
cp base_conf.php.uist base_conf.php

Next:
Euit "base_conf.php" anu inseit the following paiameteis.

$BASE_uilpath = 'base';
$BBlib_path = 'vaiwwwauoub';
$BBtype = 'mysql';

$aleit_ubname = 'snoit';
$aleit_host = 'localhost';
$aleit_poit = '';
$aleit_usei = 'snoit';
$aleit_passwoiu = 'G100:#$4 L$,1%,4 3" F?0T2 0,L%3#" 1@#9, 5#$ 0"#$% 70,$';

* Aichive BB connection paiameteis *
$aichive_exists = u; # Set this to 1 if you have an aichive BB

Next, biing up a web biowsei anu access youi sensoi at the following auuiess:
https:<ip auuiess of sensoi>base
Click on "Setup Page" then click on "Cieate BASE Au".

!,L7$3"6 %J, ;I!M 43$,L%#$?<
Entei the following commanus in oiuei to iequiie a passwoiu when biinging up the
BASE webpage.
mkuii vaiwwwpasswoius
usibinhtpasswu -c vaiwwwpasswoiuspasswoius base
(base will be the useiname useu to accesseu as listeu above. If you'u like to use a
uiffeient useiname just substitute that useiname on the commanu line listeu above.
You will then be piompteu to entei a passwoiu that you will use foi this account).

Euit the httpu.conf (etchttpuconf).
<Biiectoiy "vaiwwwhtmlbase">
AuthType Basic
AuthName "SnoitIBS"
Auth0seiFile vaiwwwpasswoiuspasswoius
Requiie usei base
<Biiectoiy>

@$/+J $% /0+ 6'%+ 87$K+ /08/ 4834 GL+5)'*+ )4+* 784+H '& 3$) 844'(%+< 8 <'&&+*+%/
)4+*%82+ +%/+* '/ 87$K+ '%4/+8< $& G784+HM
Finally - save this file anu iestait Apache by typing the following on the commanu
line:
seivice httpu iestait

/"0%1223"6 ;1$"?1$4'
Bainyaiu2 impioves the efficiency of Snoit by ieuucing the loau on the main
uetection engine by allowing Bainyaiu2 to hanule the inseiting of events into the
NySQL uatabase.
A#:"2#143"6 ;1$"?1$4'<
wget http:www.secuiixlive.comuownloaubainyaiu2bainyaiu2-1.8.tai.gz

/"0%122 1"4 +#"5367$, ;1$"?1$4'<
tai xvzf bainyaiu2-1.8.tai.gz
cu bainyaiu2-1.8
configuie --with-mysql
( if builuing foi Cent0S 64 bit use the following insteau -> !"#$%&'()*+ -.'/01
2345616'7*8*'+49")4*"6'7:;"23456" )
make
make install
cp etcbainyaiu2.conf etcsnoit
mkuii vailogbainyaiu2
chmou 666 vailogbainyaiu2
touch vailogsnoitbainyaiu2.waluo
chown snoit:snoit vailogsnoitbainyaiu2.waluo
Euit etcsnoitbainyaiu2.conf anu mouify the following lines.
#config hostname: thoi
#config inteiface: ethu
#output uatabase: log, mysql, usei=ioot passwoiu=test ubname=ub host=localhost
Remove the # sign fiom the lines above anu change to the below:
config hostname: localhost
config inteiface: ethu >'& )4'%( 2)6/'=6+ '%/+*&8#+4 /0'4 40$)6< 7+ +/0IC
output uatabase: log, mysql, usei=snoit passwoiu='G100:#$4 L$,1%,4 3" F?0T2
0,L%3#" 1@#9, 5#$ 0"#$% 70,$' ubname=snoit host=localhost

O$1GG3"6 3% 122 7G S1"4 1 5,: 1443%3#"12 3%,F0U

E,0%3"6 !"#$%<
You can launch Snoit fiom the commanu line to make suie that it loaus piopeily.
Entei the following commanu:
usilocalbinsnoit -u snoit -g snoit -c etcsnoitsnoit.conf -i ethu
Note: if you'ie monitoiing inteiface is eth1 then entei that above insteau.
If all woiks well you shoulu see a message says "Initialization Complete". You can
kill this instance of Snoit by hitting Contiol-C.
!,%%3"6 7G !"#$% V ;1$"?1$4' %# 0%1$% 17%#F1%3L122?<
To setup Snoit & Bainyaiu2 to stait automatically on youi system you neeu to euit
the ic.local file which is locateu heie -> etcic.local
Paste in the following commanus:
ifconfig ethu up
usilocalbinsnoit -B -u snoit -g snoit -c etcsnoitsnoit.conf -i ethu
>@$/+J B0+ &$66$.'%( 6'%+ 40$)6< 866 7+ +%/+*+< $% $%+ 6'%+C
usilocalbinbainyaiu2 -c etcsnoitbainyaiu2.conf -u vailogsnoit -f
snoit.log -w vailogsnoitbainyaiu2.waluo -B
Exit anu save the file. You can then eithei ieboot the system anu veiify eveiything
comes back up piopeily oi simply stait Snoit & Bainyaiu2 by issuing the following
commanu:
etcic.local stait

EJ, M"4 S5#$ "#:U
Comments, feedback and contributions are always welcome and
encouraged. Please send to kschar@sourcefire.com
,,_
o" )~ Sourcefire - The Creators of Snort
''''

Revision Bistoiy:
2u1u-u6-27 - 1.u - Initial ielease
2u1u-u7-1S - 1.u1 - Ninoi euits