Running Snort on a Solaris 7 firewall

Situation: We are using the Snort Lightweight Intrusion Detection System on our Solaris 7 firewall. The firewall has two network interfaces: hme0 is the internal interface and qfe0 is the external interface. After downloading, compiling, and installing Snort, here are the steps I used to monitor both firewall interfaces with Snort. Note: I found it convenient to place the Snort executable, configuration files, rules, and classification file in the same directory.

1. Create a directory for the Snort executable, rules, and classification file:
mkdir /usr/local/snort

2. Move the Snort executable file into /usr/local/snort:
mv /usr/local/bin/snort /usr/local/snort

3. Move the *.rules and classification.config from your Snort tarball into /usr/local/snort:
mv *.rules classification.config /usr/local/snort

4. Make two copies of the snort.conf file from your Snort tarball into /usr/local/snort:
cp snort.conf /usr/local/snort/snort_hme0.conf
cp snort.conf /usr/local/snort/snort_qfe0.conf

5. Create Snort logfile directories:
mkdir -p /var/log/snort/hme0
mkdir /var/log/snort/qfe0

6. Create an /etc/init.d/snort startup and shutdown script. The following file will run an instance of Snort in daemon mode for each network interface, log the alerts in separate directories, and log the payload of each packet.

#!/bin/sh
# Start or stop one Snort daemon per firewall interface.

case $1 in
'start' )
        # Internal interface: full alerts (-Afull), packet payloads (-d),
        # its own config file and log directory, daemon mode (-D)
        /usr/local/snort/snort -Afull -i hme0 -d -c /usr/local/snort/snort_hme0.conf \
                -D -l /var/log/snort/hme0
        # External interface
        /usr/local/snort/snort -Afull -i qfe0 -d -c /usr/local/snort/snort_qfe0.conf \
                -D -l /var/log/snort/qfe0
        ;;
'stop' )
        # Match the daemon's full path rather than "snort", so that this
        # script (/etc/init.d/snort) and anyone editing a snort_*.conf
        # file are not matched and killed along with the daemons.
        kill `ps -ef | grep /usr/local/snort/snort | grep -v grep | awk '{print $2}'` > /dev/null 2>&1
        ;;
*)
        echo "usage: $0 {start|stop}"
        exit 1
        ;;
esac

7. Create Snort system startup/shutdown links:
ln -s /etc/init.d/snort /etc/rc2.d/S99snort
ln -s /etc/init.d/snort /etc/rc1.d/K55snort
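The stop action in step 6 selects processes with "grep snort", which matches any process whose arguments contain that string, including the init script itself (sh /etc/init.d/snort stop) and an administrator editing a snort_*.conf file. The following script is an added example, not part of the original page, that identifies the sensors by the daemon's full path instead and also lets you find the sensor for one interface so it can be restarted on its own. It assumes the layout from the steps above (the binary at /usr/local/snort/snort, each instance started with "-i <interface>") and runs over a constructed sample of ps -ef output; on the firewall, pipe the real ps -ef into the same functions. Backquotes are used instead of $(...) because Solaris 7's /bin/sh is the legacy Bourne shell.

```shell
#!/bin/sh
# Added example, not from the original page: find the running Snort
# sensors by the daemon's full path instead of by "grep snort".
# Assumes the layout from the steps above (/usr/local/snort/snort,
# one instance per "-i <interface>"); the sample ps output is constructed.

# Read "ps -ef" output on stdin and keep only lines whose command column
# (field 8: UID PID PPID C STIME TTY TIME CMD) is exactly the Snort binary.
snort_daemon_lines() {
    awk '$8 == "/usr/local/snort/snort"'
}

# PIDs of all Snort sensors, one per line.
snort_daemon_pids() {
    snort_daemon_lines | awk '{ print $2 }'
}

# PID of the sensor monitoring one interface (e.g. hme0), so a single
# sensor can be restarted after its snort_<iface>.conf changes.
snort_pid_for_iface() {
    snort_daemon_lines | grep " -i $1 " | awk '{ print $2 }'
}

# What "grep snort | grep -v grep" from the original stop action selects;
# kept only to show the difference.
naive_snort_pids() {
    grep snort | grep -v grep | awk '{ print $2 }'
}

# Constructed sample of "ps -ef" output: both sensors, the init script
# running "stop", someone editing a config file, and the pipeline's own grep.
SAMPLE_PS='    root   123     1  0 10:00:00 ?        0:01 /usr/local/snort/snort -Afull -i hme0 -d -c /usr/local/snort/snort_hme0.conf -D -l /var/log/snort/hme0
    root   456     1  0 10:00:00 ?        0:01 /usr/local/snort/snort -Afull -i qfe0 -d -c /usr/local/snort/snort_qfe0.conf -D -l /var/log/snort/qfe0
    root   789   700  0 10:05:00 pts/1    0:00 sh /etc/init.d/snort stop
   hutch   801   800  0 10:06:00 pts/2    0:00 vi /usr/local/snort/snort_qfe0.conf
    root   790   789  0 10:05:00 pts/1    0:00 grep snort'

# Run one of the filters above over the sample; PIDs joined by spaces.
pids_of() {
    echo "$SAMPLE_PS" | $1 | tr '\n' ' ' | sed 's/ $//'
}

# PID of the sample sensor on the given interface.
sample_iface_pid() {
    echo "$SAMPLE_PS" | snort_pid_for_iface $1
}

# On the firewall itself, feed real process listings instead of the sample:
#   ps -ef | snort_pid_for_iface hme0
echo "all sensors:        `pids_of snort_daemon_pids`"
echo "hme0 sensor:        `sample_iface_pid hme0`"
echo "naive 'grep snort': `pids_of naive_snort_pids`"
```

With the sample above, the path-based filter returns only the two sensor PIDs (123 and 456), while the original grep pipeline also returns the init script (789) and the editor session (801), both of which the stop action would then try to kill.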


Last modified: 04/18/2002