Snort related tools

From Notes_Wiki


Installing oinkmaster

Oinkmaster can be used to automatically download the latest Snort rules from the Snort website and install them on your system.

  1. Download the latest oinkmaster source code from
  2. Extract tar.gz file with something like 'tar xzf oinkmaster-2.0.tar.gz'
  3. cp /usr/local/bin
  4. cp oinkmaster.conf /etc
  5. cp oinkmaster.1 /usr/share/man/man1
  6. Test 'man oinkmaster'
  7. Login on with your snort username and password
  8. Go to 'My account -> My Oinkcode' section. If you have not generated Oinkcode so far then generate one for your account.
  9. Copy URL from 'Configuring oinkmaster' to /etc/oinkmaster.conf file. It will look like
    url =<oinkcode>/snortrules-snapshot-2900.tar.gz
  10. Export http_proxy using 'export http_proxy='
  11. Use ' -o /etc/snort/rules -v'. Note that the rules can be downloaded only once every 15 minutes, so do not interrupt this command; it will take some time to finish.
  12. crontab -e
    Add 01 4 * * * /usr/local/bin/ -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1 | mail -s "oinkmaster" root@localhost
    For the cron method to work, the system must have a direct connection to the Internet.

Setting up MySQL database

  1. service mysqld start
  2. mysql -u root
  3. create database snort;
  4. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to 'snort'@'localhost' identified by 'snortpass';
  5. Go to folder 'schemas' located in extracted snort source code directory.
  6. Use 'mysql -u root snort < create_mysql' to load the Snort schema into the snort database

Configure snort to log to database

One should ideally use barnyard for this, but since a working barnyard configuration has yet to be worked out, we will have snort log directly into the database for now.

  1. Edit /etc/snort/snort.conf and use these lines
    output database: alert, mysql, user=snort password=snortpass dbname=snort host=localhost
    output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

Installing base

  1. Download the latest BASE from
  2. yum install php-adodb php-gd
  3. pear install --alldeps Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  4. Copy base source code to /var/www/html
  5. Extract base source code
  6. Rename the source directory to base using something like 'mv base-1.4.5 base'
  7. cp base_conf.php.dist base_conf.php
  8. Set following variables in 'base_conf.php' file:
    $BASE_urlpath = '/base';
    $DBlib_path = '/var/www/adodb/';
    $DBtype = 'mysql';
    $alert_dbname = 'snort';
    $alert_host = 'localhost';
    $alert_port = '';
    $alert_user = 'snort';
    $alert_password = 'snortpass';
    Sometimes adodb gets installed in another location such as '/usr/share/php/adodb/'. In that case run 'updatedb' followed by 'locate adodb' to find the actual path and set $DBlib_path accordingly.
  9. service httpd start
  10. Allow connections to port 80 through firewall
  11. Open http://<IP>/base from browser
  12. Use 'Base Setup Page' link
  13. Click on 'Create Base AG' button
  14. Click on 'Main page' link to start using BASE

Testing setup

  1. Add the following rule to the '/etc/snort/rules/local.rules' file (destination address 'any' so that it matches every HTTP server)
    alert tcp any any <> any 80 (msg:"HTTP password access on vm7"; sid:1000001; rev:1; content:"PASSWORD";)
  2. Create a few HTML pages containing the string PASSWORD
  3. Access those pages and check whether alerts are being logged.

Most steps learned from

Installing barnyard2

After basic snort to database logging is working, we can insert barnyard2 in between and ask snort to log in unified2 format instead. Steps for configuring barnyard2 are:

  1. Go to /var/log/snort and delete all files
  2. Create directory named processed using 'mkdir -p /var/log/snort/processed'
  3. mkdir -p /var/log/barnyard2
  4. Configure snort to log both alerts and logs into a single file using the unified2 file format. The configuration line should be something like:
    output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
  5. Download the latest source code from . The site seems to be down, hence barnyard2 can be downloaded from . In this case first run ./ to get the configure scripts created.
  6. Use './configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --libdir=/usr/lib64' to configure.
  7. make clean; make; make install
  8. Edit file '/usr/local/etc/barnyard2.conf' so that it has following configuration
    config reference_file: /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/
    config sid_file: /etc/snort/
    config hostname: vm5
    config interface: eth0
    config alert_with_interface_name
    config daemon
    config show_year
    config waldo_file: /etc/snort/barnyard2.waldo
    config archivedir: /var/log/snort/processed
    config process_new_records_only
    input unified2
    output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
  9. Use the following command to start barnyard2
    barnyard2 -c /usr/local/etc/barnyard2.conf -f merged.log -d /var/log/snort -n -w /etc/snort/barnyard2.waldo -v -l /var/log/barnyard2 -D
  10. Access more pages containing 'PASSWORD' and verify that the new alerts show up in BASE
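Barnyard2 consumes the unified2 records that the 'output unified2' line above makes snort write, and the waldo file is its bookmark for how far into that file it has already read. The following added example (not part of these notes or of barnyard2) parses IDS event records out of a constructed unified2 byte string and returns the offset to resume from, which is what 'process_new_records_only' relies on; the field layout follows Snort's Unified2_common.h, and all sample values (sensor id, addresses, timestamp) are constructed.

```python
import struct
from socket import inet_ntoa

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # Unified2IDSEvent_legacy, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # Unified2IDSEvent, legacy body + mpls_label + vlan_id

_HDR = struct.Struct(">II")                      # record type, record length (network order)
_EVENT = struct.Struct(">IIIIIIIII4s4sHHBBBB")   # legacy IDS event body
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag",
                 "impact", "blocked")
_VLAN_TAIL = struct.Struct(">IHH")               # mpls_label, vlan_id, pad

def parse_unified2(data, offset=0):
    """Parse complete records from offset; return (events, new_offset).
    new_offset is the waldo-style bookmark: passing it back in on a later
    call processes only records appended since, and a partial record that
    snort is still writing is left for the next pass."""
    events = []
    while offset + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, offset)
        if offset + _HDR.size + rlen > len(data):
            break                                # truncated record, wait for more data
        body = data[offset + _HDR.size: offset + _HDR.size + rlen]
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            ev = dict(zip(_EVENT_FIELDS, _EVENT.unpack_from(body)))
            ev["ip_source"] = inet_ntoa(ev["ip_source"])
            ev["ip_destination"] = inet_ntoa(ev["ip_destination"])
            if rtype == UNIFIED2_IDS_EVENT_VLAN:
                ev["mpls_label"], ev["vlan_id"], _ = _VLAN_TAIL.unpack_from(body, _EVENT.size)
            events.append(ev)
        # packet records (type 2) and other types are skipped but still advance the offset
        offset += _HDR.size + rlen
    return events, offset

def build_sample_log():
    """Constructed sample: one VLAN-style event for sid 1000001 followed by its packet record."""
    body = _EVENT.pack(1, 1, 1380000000, 0, 1000001, 1, 1, 0, 3,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 1, 5]),
                       43210, 80, 6, 0, 0, 0) + _VLAN_TAIL.pack(0, 0, 0)
    pkt = struct.pack(">IIIIIII", 1, 1, 1380000000, 1380000000, 0, 1, 4) + b"\xde\xad\xbe\xef"
    return (_HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body
            + _HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)
```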

Lot of things learned from
