CentOS7 with Snort Barnyard2 Snorby PulledPork SElinux

This post is about how to install Snort "stack" on CentOS7 with potentially all the latest libs an stuff.

Here I will install and configure everything to run Snort as IDS. I will write another post shortly how to run it as IPS - INLINE.

System details:

[root@nfsec-ids-01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

[root@nfsec-ids-01 ~]# uname -a
Linux nfsec-ids-01.nfsec.co.uk 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux  


Installation of snort is very basic:

yum install https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm

yum install https://www.snort.org/downloads/snort/snort-  

Register at Snort and download registered rule set:

mkdir /usr/local/src/snortrules  
cd /usr/local/src/snortrules

wget https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<oinkcode>

tar -zxvf snortrules-snapshot-2990.tar.gz  

I moved the rules to /etc/snort/rules/rules << this is what I will pass as a var into /etc/snort/snort.conf

What is important to change in /etc/snort/snort.conf

ipvar HOME_NET [X.X.X.X/24,X.X.X.X/24]  
var RULE_PATH /etc/snort/rules/rules  
var SO_RULE_PATH /etc/snort/rules/rules/so_rules  
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/rules  
var BLACK_LIST_PATH /etc/snort/rules/rules

preprocessor reputation: \  
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_listip.rules, \
   blacklist $BLACK_LIST_PATH/black_listip.rules

# Configure DAQ related options for inline operation. For more information, see README.daq
#config daq: afpacket
# config daq_dir: <dir>
#config daq_mode: inline
# config daq_var: <var>
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value passed to DAQ
# <dir> ::= path as to where to look for DAQ module so's

#Will run snort IDS not IPS in pcap mode

output unified2: filename snort.log, limit 128  
#You may want to send alerts to /var/log/snort/alert file by rsyslog
# local5.*                    /var/log/snort/alert
output alert_syslog: localhost:514, LOG_LOCAL5  
output log_tcpdump: tcpdump.log

include $RULE_PATH/local.rules  
#this will be used by pulledpork
include $RULE_PATH/snort.rules

# dynamic library rules
include $SO_RULE_PATH/browser-ie.rules  
include $SO_RULE_PATH/browser-other.rules  
include $SO_RULE_PATH/exploit-kit.rules  
include $SO_RULE_PATH/file-flash.rules  
include $SO_RULE_PATH/file-image.rules  
include $SO_RULE_PATH/file-java.rules  
include $SO_RULE_PATH/file-multimedia.rules  
include $SO_RULE_PATH/file-office.rules  
include $SO_RULE_PATH/file-other.rules  
include $SO_RULE_PATH/file-pdf.rules  
include $SO_RULE_PATH/indicator-shellcode.rules  
include $SO_RULE_PATH/malware-cnc.rules  
include $SO_RULE_PATH/malware-other.rules  
include $SO_RULE_PATH/netbios.rules  
include $SO_RULE_PATH/os-linux.rules  
include $SO_RULE_PATH/os-other.rules  
include $SO_RULE_PATH/os-windows.rules  
include $SO_RULE_PATH/policy-social.rules  
include $SO_RULE_PATH/protocol-dns.rules  
include $SO_RULE_PATH/protocol-nntp.rules  
include $SO_RULE_PATH/protocol-other.rules  
include $SO_RULE_PATH/protocol-snmp.rules  
include $SO_RULE_PATH/protocol-voip.rules  
include $SO_RULE_PATH/pua-p2p.rules  
include $SO_RULE_PATH/server-apache.rules  
include $SO_RULE_PATH/server-iis.rules  
include $SO_RULE_PATH/server-mail.rules  
include $SO_RULE_PATH/server-mysql.rules  
include $SO_RULE_PATH/server-oracle.rules  
include $SO_RULE_PATH/server-other.rules  
include $SO_RULE_PATH/server-webapp.rules

include threshold.conf

There might be more or less specific VAR's to change however the snort configuration is easy.

The same in this file /etc/sysconfig/snort - VAR's here are self explanatory and most depends on your environment.

Once snort configuration is done and you chown -R snort:snort /etc/snort last thing to do is to create a service as follows:

vi /usr/lib/systemd/system/snort.service  
Description=Snort NIDS Daemon  
After=syslog.target network.target  
ExecStart=/usr/sbin/snort -u snort -g snort -c /etc/snort/snort.conf -i ens160  

That's it:

systemctl enable snort  
systemctl start snort  


Barnyard2 is the daemon which reads the output of snort unified2 file format and stores it in MySQL DB for further processing... (Snorby)

yum install wget man make flex bison zlib zlib-devel  
 libpcap libpcap-devel pcre pcre-devel tcpdump 
gcc-c++  libtool perl-libwww-perl perl-Archive-Tar  
 perl-Crypt-SSLeay git gcc libxml2 libxml2-devel 
libxslt libxslt-devel httpd curl-devel httpd-devel  
apr-devel apr-util-devel libXrender fontconfig  
 libXext ruby-devel unzip xz

yum groupinstall "Development Tools" -y

yum install openssl-devel readline-devel mariadb  
mariadb-devel mariadb-server urw-fonts libX11-devel  
 libXext-devel fontconfig-devel libXrender-devel
 xorg-x11-server-Xvfb libyaml libyaml-devel 
gdbm-devel db4-devel libffi-devel ethtool  
 ImageMagick ImageMagick-devel curl libcurl
 libcurl-devel libmnl-devel jansson-devel
 libnet-devel libnetfilter_queue-devel

yum install libdnet-devel  

I know that is a lot of dependencies but some will just exclude themselves... :)

cd /usr/local/src  
git clone https://github.com/firnsy/barnyard2.git  
cd barnyard2  
make install  
cp etc/barnyard2.conf /etc/snort  
cp rpm/barnyard2 /etc/init.d  
chmod 700 /etc/init.d/barnyard2  
cp rpm/barnyard2.config /etc/sysconfig/barnyard2  
cp /etc/init.d/barnyard2 /etc/init.d/barnyard2_default

-e '/"b.*2"/s/barnyard2/\/usr\/local\/bin\/barnyard2/'
 -e '/touch \/var/s/\$prog/barnyard2/' /etc/init.d/barnyard2

sed -i 's#$SNORTDIR/${INT}#$SNORTDIR#g' /etc/init.d/barnyard2

cp /etc/sysconfig/barnyard2 /etc/sysconfig/barnyard2_default  
sed -i '/CONF=/s/barnyard.conf/barnyard2.conf/' /etc/sysconfig/barnyard2  
sed -i '/LOG_FILE=/s/"snort_unified.log"/"snort.log"/' /etc/sysconfig/barnyard2  

From the above the most important is to check your lines at /etc/init.d/barnyard2 in the following place:


Later just create DB for barnyard2 called snort

mysql -u root -p  
mysql> create database snort;  
mysql> use snort;  
mysql> source /usr/local/src/barnyard2/schemas/create_mysql;  
mysql> CREATE USER 'snort'@'localhost'IDENTIFIED BY '**********';  
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';  

Then configure barnyard2 to log into the DB.

vi /etc/snort/barnyard2.conf  
output database: log, mysql, user=snort password=********** dbname=snort host=localhost

chmod o-r /etc/snort/barnyard2.conf  

Last thing to do is to create barnyard2 service:

vi /usr/lib/systemd/system/barnyard2.service  
Description=Barnyard2 Dedicated Unified2 Spooler  

ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/  
 -w /var/log/snort/ens160/barnyard2.waldo
 -l /var/log/snort/
 -a /var/log/snort/ens160/archive/
 -f snort.log --nolock-pidfile


I used --nolock-pidfile but you can try --create-pidfile /var/lock/subsys/barnyard2.pid.


Snorby is the GUI to display the processed Snort to Barnyard2 output files. It's a ROR application but you can read about it in more details somewhere else.

Most of the below are probably already installed by this point but some may still not be.

yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server  
\  urw-fonts libX11-devel libXext-devel git \
 fontconfig-devel libXrender-devel unzip wget \
 xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel \
 db4-devel libffi-devel ethtool httpd  httpd-devel \
 ImageMagick ImageMagick-devel curl libcurl \ 
libcurl-devel libmnl-devel gcc zlib-devel \  
el libnet-devel libnetfilter_queue-devel  
yum install xorg-x11-fonts-Type1  
yum install xorg-x11-fonts-75dpi  
yum install postgresql-devel  
yum install java-1.8.0-openjdk 

wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2/wkhtmltox-0.12.2_linux-centos7-amd64.rpm

rpm -ivh wkhtmltox-0.12.2_linux-centos7-amd64.rpm

curl -L get.rvm.io | bash -s stable  
gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3  
curl -L get.rvm.io | bash -s stable  
source /etc/profile.d/rvm.sh  
rvm reload  
rvm requirements run  
rvm install 2.2.2  
gem install bundler  
gem install rails

cd /var/www/html  
git clone git://github.com/Snorby/snorby.git

vi /var/www/html/snorby/config/snorby_config.yml  
  baseuri: ''
  domain: 'snorby.nfsec.co.uk:8080'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'snorby@nfsec.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'Europe/London'

GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY '****';  
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY '****';  

vi /var/www/html/snorby/config/database.yml  
snorby: &snorby  
  adapter: mysql
  username: snorby
  password: "*****"
  host: localhost

  database: snorby
  <<: *snorby

cd /var/www/html/snorby/  
bundle install  
bundle exec rake snorby:setup RAILS_ENV=production

gem install passenger  
passenger-install-apache2-module -a

cat /etc/httpd/conf.modules.d/passenger.conf  
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1/buildout/apache2/mod_passenger.so

cat /etc/httpd/conf/httpd.conf |grep "Listen 8080"  
Listen 8080

cat /etc/httpd/conf.d/passenger.conf  
<IfModule mod_passenger.c>  
  PassengerRoot /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1
  PassengerDefaultRuby /usr/local/rvm/gems/ruby-2.2.2/wrappers/ruby

cat /etc/httpd/conf.d/snorby.conf  
<VirtualHost *:8080>  
      ServerName snorby.hextrim.com
      DocumentRoot /var/www/html/snorby/public
      RailsEnv production
      <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
        ServerSignature Off
        LogLevel info
        CustomLog /var/log/httpd/snorby.nfsec.co.uk-access.log combined
        ErrorLog /var/log/httpd/snorby.nfsec.co.uk-error.log

So what we just did above?
Installed dependencies, rvm and RUBY 2.2.2, wkhtmltox, gem bundler, gem rails.
We then configured snorby and created new DB called snorby.
Then we installed gem passenger and configured apache passenger module and created configuration files for apache to use it and point it to snorby HOME_DIR.

Barnyard2 with Snorby - of course - just change as below:

vim /etc/snort/barnyard2.conf  
output database: log, mysql, user=snorby password=********** dbname=snorby host=localhost sensor_name=sensor1

#output database: log, mysql, user=snort password=********** dbname=snort host=localhost

service barnyard2 restart  

Now all should work nicely - the only thing to start manually is the snorby worker which can be started from SnorbyGUI > Administration > Worker & Job Queue Start Worker.

Obviously this will fail and many other things may do if you have SElinux enabled.

Enable SElinux

I would imagine that you had SElinux disabled and you want to enable it?

Yeah I know hard work -> follow these steps:

yum install /usr/bin/audit2allow  
yum install selinux-policy-devel

# Change SElinux policy to Enforcing and reboot.

setsebool -P httpd_can_network_connect_db 1  
setsebool -P httpd_can_network_connect 1

chcon -R -t httpd_sys_rw_content_t /var/www/html/snorby/  
chcon -t httpd_sys_script_exec_t /usr/local/rvm/rubies/ruby-2.2.2/bin/ruby  
chcon -t httpd_sys_script_exec_t /usr/local/rvm/wrappers/ruby-2.2.2/ruby  
chcon -t httpd_sys_script_exec_t /usr/local/rvm/rubies/ruby-2.2.2/lib/libruby.so*  
chcon -R -t httpd_sys_script_exec_t /usr/local/rvm/gems/ruby-2.2.2/gems/  
mkdir -p /usr/src/selinux-devel  
cd /usr/src/selinux-devel/  
ln -s /usr/share/selinux/devel/Makefile .

cat passenger.te  
module passenger 1.0;  
require {  
type init_t;  
type initrc_t;  
type system_cronjob_t;  
type mysqld_t;  
type usr_t;  
type syslogd_t;  
type system_dbusd_t;  
type abrt_dump_oops_t;  
type dhcpc_t;  
type kernel_t;  
type auditd_t;  
type udev_t;  
type mysqld_safe_t;  
type postfix_pickup_t;  
type sshd_t;  
type crond_t;  
type getty_t;  
type anon_inodefs_t;  
type httpd_tmp_t;  
type devpts_t;  
type user_devpts_t;  
type httpd_sys_script_t;  
type security_t;  
type httpd_t;  
type unconfined_t;  
type selinux_config_t;  
type hi_reserved_port_t;  
type httpd_sys_content_t;  
type httpd_sys_rw_content_t;  
type var_t;  
type cert_t;  
type postfix_qmgr_t;  
type postfix_master_t;  
class file { getattr read create append write execute execute_no_trans open };  
class process { siginh signal noatsecure rlimitinh setpgid getsession };  
class unix_stream_socket { read write shutdown };  
class chr_file { read write append ioctl };  
class capability { setuid dac_override chown fsetid setgid fowner sys_nice sys_resource sys_ptrace kill };  
class fifo_file { setattr create getattr unlink };  
class sock_file { write getattr setattr create unlink };  
class lnk_file { read getattr };  
class udp_socket name_bind;  
class dir { write read search add_name getattr };  

#This stuff below is more of an access control list
#These are things the contexts below are requesting to be able to do in order to run properly.

 #============= httpd_sys_script_t ==============

allow httpd_sys_script_t abrt_dump_oops_t:dir { search getattr };  
allow httpd_sys_script_t abrt_dump_oops_t:file { read open };  
allow httpd_sys_script_t anon_inodefs_t:file { read write };  
allow httpd_sys_script_t auditd_t:dir { search getattr };  
allow httpd_sys_script_t auditd_t:file { read open };  
allow httpd_sys_script_t cert_t:dir { search getattr };  
allow httpd_sys_script_t cert_t:file { read getattr };  
allow httpd_sys_script_t cert_t:lnk_file read;  
allow httpd_sys_script_t crond_t:dir { search getattr };  
allow httpd_sys_script_t crond_t:file { read open };  
allow httpd_sys_script_t devpts_t:chr_file { read write };  
allow httpd_sys_script_t dhcpc_t:dir { search getattr };  
allow httpd_sys_script_t dhcpc_t:file { read open };  
allow httpd_sys_script_t getty_t:dir { search getattr };  
allow httpd_sys_script_t getty_t:file { read open };  
allow httpd_sys_script_t httpd_sys_content_t:fifo_file setattr;  
allow httpd_sys_script_t httpd_sys_content_t:sock_file { create unlink setattr };  
allow httpd_sys_script_t httpd_sys_rw_content_t:file { execute execute_no_trans };  
allow httpd_sys_script_t httpd_t:dir { search getattr };  
allow httpd_sys_script_t httpd_t:file { read open };  
allow httpd_sys_script_t httpd_t:unix_stream_socket { read write };  
allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;  
allow httpd_sys_script_t httpd_tmp_t:sock_file { write create unlink setattr };  
allow httpd_sys_script_t init_t:dir { search getattr };  
allow httpd_sys_script_t init_t:file { read open };  
allow httpd_sys_script_t initrc_t:dir { search getattr };  
allow httpd_sys_script_t initrc_t:file { read open };  
allow httpd_sys_script_t kernel_t:dir { search getattr };  
allow httpd_sys_script_t kernel_t:file { read open };  
allow httpd_sys_script_t mysqld_safe_t:dir { search getattr };  
allow httpd_sys_script_t mysqld_safe_t:file { read open };  
allow httpd_sys_script_t mysqld_t:dir { search getattr };  
allow httpd_sys_script_t mysqld_t:file { read open };  
allow httpd_sys_script_t postfix_master_t:dir { search getattr };  
allow httpd_sys_script_t postfix_master_t:file { read open };  
allow httpd_sys_script_t postfix_pickup_t:dir { search getattr };  
allow httpd_sys_script_t postfix_pickup_t:file { read open };  
allow httpd_sys_script_t postfix_qmgr_t:dir { search getattr };  
allow httpd_sys_script_t postfix_qmgr_t:file { read open };  
allow httpd_sys_script_t self:capability { setuid chown fsetid setgid fowner dac_override sys_nice sys_resource sys_ptrace kill };  
allow httpd_sys_script_t self:process { setpgid getsession };  
allow httpd_sys_script_t sshd_t:dir { search getattr };  
allow httpd_sys_script_t sshd_t:file { read open };  
allow httpd_sys_script_t syslogd_t:dir { search getattr };  
allow httpd_sys_script_t syslogd_t:file { read open };  
allow httpd_sys_script_t system_cronjob_t:dir getattr;  
allow httpd_sys_script_t system_dbusd_t:dir { search getattr };  
allow httpd_sys_script_t system_dbusd_t:file { read open };  
allow httpd_sys_script_t udev_t:dir { search getattr };  
allow httpd_sys_script_t udev_t:file { read open };  
allow httpd_sys_script_t unconfined_t:dir { search getattr };  
allow httpd_sys_script_t unconfined_t:file { read open };  
allow httpd_sys_script_t unconfined_t:process signal;  
allow httpd_sys_script_t user_devpts_t:chr_file { read write append ioctl };  
allow httpd_sys_script_t usr_t:file execute;  
allow httpd_sys_script_t var_t:dir { write read add_name };  
allow httpd_sys_script_t var_t:file { read getattr create append };

 #============= httpd_t ==============

allow httpd_t hi_reserved_port_t:udp_socket name_bind;  
allow httpd_t httpd_sys_content_t:fifo_file { create unlink getattr setattr };  
allow httpd_t httpd_sys_content_t:sock_file { getattr unlink setattr };  
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };  
allow httpd_t httpd_sys_script_t:unix_stream_socket { read write shutdown };  
allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };  
allow httpd_t httpd_tmp_t:sock_file { getattr unlink setattr };  
allow httpd_t security_t:dir search;  
allow httpd_t self:capability { fowner fsetid };  
allow httpd_t selinux_config_t:dir search;  
allow httpd_t var_t:file { read getattr };  
allow httpd_t var_t:lnk_file { read getattr };

checkmodule -M -m -o passenger.mod passenger.te  
semodule_package -o passenger.pp -m passenger.mod  
semodule -i passenger.pp  
service httpd restart  

Now your Snorby should work nicely.


PulledPork should keep your Snort rules up to date.
pulledpork.pl -V PulledPork v0.7.3 - Making signature updates great again!

Let's download dependency and unzip and copy the files.

yum install perl-Sys-Syslog  
yum install perl-LWP-Protocol-https 

wget https://github.com/shirkdog/pulledpork/archive/master.zip  
cp ~/pulledpork-master/etc/* /etc/snort/  
cp ~/pulledpork-master/pulledpork.pl /usr/local/bin/pulledpork.pl

[root@ids ~]# vi /etc/snort/pulledpork.conf

Next, just run your piggy.
pulledpork.pl -c /etc/snort/pulledpork.conf

More about pulledpork here https://github.com/shirkdog/pulledpork

Last what you need to do is to setup cronjob for daily updates.

Looks like logrotate kills snort every cycle...

Share this post:

by lo3k