A simple Bash script for installing Snort and Barnyard on CentOS 7 from source
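#!/bin/bash
##########
# Build and install Barnyard2 from source, then outline how to point it at
# the Snort configuration files.
# Runs as root: no sudo is used and the upstream notes assume a /root tree.
##########
# Set the internal field separator so word splitting only happens on newlines
IFS=$'\n'
##
# Install pre-reqs
##
yum install -y libtool autoconf git
##
# Clone and install Barnyard
##
# Clone over HTTPS: the unauthenticated git:// transport gives no assurance
# about where the source actually came from.
git clone https://github.com/firnsy/barnyard2.git || exit
cd barnyard2 || exit
./autogen.sh || exit
./configure || exit
make || exit
make install || exit
##
# Configure Barnyard
##
# This is done by editing /usr/local/etc/barnyard2.conf
# But we should first search for these files
find / -name reference.config
find / -name classification.config
find / -name sid-msg.map
find / -name gen-msg.map # [Note: this will likely need to be copied from the source code directory]
# then change these lines in the conf file
## config reference_file: /etc/snort/reference.config
## config classification_file: /etc/snort/classification.config
## config gen_file: /etc/snort/gen-msg.map
## config sid_file: /etc/snort/sid-msg.map
# Setup the input plugins (should already be set)
# this is not hard, only unified2 is supported ;)
## input unified2
# Set up the output plugins (Set this to the IP address of your syslog server)
# alert_syslog
#-----------------------------
## output alert_syslog: LOG_AUTH LOG_INFO
##
# Create the Barnyard log directory
##
# -p keeps the step re-runnable if the directory already exists
mkdir -p /var/log/barnyard2
##
# Setup Postgresql
##
# The schema ships in the tree we just cloned (schemas/create_postgresql), so
# refer to it relative to the clone instead of a hard-coded /root/sourcecode path.
# NOTE(review): this looks like a SQL schema file rather than an executable; it
# probably has to be loaded with psql -f instead of run directly — confirm.
./schemas/create_postgresql
unset IFS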
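#!/bin/bash
##########
# Build and install Snort with DAQ on CentOS 7, following
# https://www.upcloud.com/support/installing-snort-on-centos/
# Run as a normal user with sudo rights: builds run unprivileged and only the
# install and configuration steps escalate.
##########
# Set the internal field separator so word splitting only happens on newlines
IFS=$'\n'
src_dir="$HOME/snort_src"
# Pinned upstream versions; bump these in one place to build a newer release
daq_ver="2.0.6"
snort_ver="2.9.11"
####
# Preparing your server
####
# Install the required libraries
sudo yum install -y gcc flex bison zlib libpcap pcre libdnet tcpdump nano
####
# Installing from the source
####
# you will also need the following development packages in addition to the already installed prerequisites
sudo yum install -y zlib-devel libpcap-devel pcre-devel libdnet-devel
# NOTE(review): this RPM is fetched by URL rather than from an enabled
# repository; check that gpgcheck still applies to it, or enable EPEL and
# install the package from there instead — confirm.
sudo yum install -y https://dl.fedoraproject.org/pub/epel/7/x86_64/l/libnghttp2-devel-1.21.1-1.el7.x86_64.rpm
# make a download folder in your home directory and then change into it (-p keeps re-runs working)
mkdir -p "$src_dir"
cd "$src_dir" || exit
# Download the pinned DAQ source package from the Snort website
# TODO: compare the archive against the checksum published on snort.org before extracting
wget -O "$src_dir/daq-$daq_ver.tar.gz" "https://www.snort.org/downloads/snort/daq-$daq_ver.tar.gz" || exit
# extract the source code and jump into the new directory
tar -xvzf "daq-$daq_ver.tar.gz" || exit
cd "daq-$daq_ver" || exit
# Run the configuration script using its default values, then compile the program with make and finally install DAQ
./configure || exit
make || exit
sudo make install || exit
# With DAQ installed, refresh the shared-library cache and go back to the download folder
sudo ldconfig
cd "$src_dir" || exit
# Now download the Snort source code
# TODO: verify this archive against the published checksum as well
wget -O "$src_dir/snort-$snort_ver.tar.gz" "https://www.snort.org/downloads/snort/snort-$snort_ver.tar.gz" || exit
# extract the source and change into the new directory
tar -xvzf "snort-$snort_ver.tar.gz" || exit
cd "snort-$snort_ver" || exit
# Then configure the installation with sourcefire enabled, run make and make install
./configure --enable-sourcefire || exit
make || exit
sudo make install || exit
# To run Snort as a service in the background, download the startup script from the Snort documentation
wget https://www.snort.org/documents/snort-startup-script-for-centos -O "$HOME/snortd" || exit
# The file is owned by the current user, so chmod does not need root
chmod 755 "$HOME/snortd"
sudo mv "$HOME/snortd" /etc/init.d/
####
# Configuring Snort to run in NIDS mode
####
# Start with updating the shared libraries
sudo ldconfig
# Snort installs to /usr/local/bin/snort; link it into /usr/sbin (-f keeps this re-runnable)
sudo ln -sf /usr/local/bin/snort /usr/sbin/snort
# To run Snort safely without root access, create an unprivileged user and group for the daemon.
# The guards tolerate re-runs where the account already exists.
getent group snort >/dev/null || sudo groupadd snort
id -u snort >/dev/null 2>&1 || sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Then create the folder structure to house the Snort configuration
sudo mkdir -p /etc/snort/rules
sudo mkdir -p /var/log/snort
sudo mkdir -p /usr/local/lib/snort_dynamicrules
# Set the permissions for the new directories as the upstream guide does.
# NOTE(review): 5775 sets the setuid and sticky bits and leaves the trees
# group-writable; a plain 0750/0770 owned by snort:snort is likely sufficient
# for a daemon that only reads its config — confirm before tightening.
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
# Create new files for the white and black lists as well as the local rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
# copy over the configuration files from the download folder
sudo cp "$src_dir/snort-$snort_ver/etc/"*.conf* /etc/snort # Inside quotes, the * will not expand to a list of files
sudo cp "$src_dir/snort-$snort_ver/etc/"*.map /etc/snort
# using community rules
wget https://www.snort.org/rules/community -O "$HOME/community.tar.gz" || exit
# Unpack as the current user: extracting a downloaded archive does not need root
tar -xvf "$HOME/community.tar.gz" -C "$HOME/" || exit
sudo cp "$HOME/community-rules/"* /etc/snort/rules
# By default, Snort expects a number of rule files which are not included in the community rules.
# Comment out the unnecessary include lines; the ^ anchor avoids double-commenting on re-runs.
sudo sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
# using registered user rules
# You can also take a moment and register on the Snort website.
# Registering gives you access to use their Oink code to download the registered user rules.
# You can find the code in the Snort user account details.
# Treat the oinkcode like a credential: keep it out of this script and out of version control.
#wget https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=<oinkcode> -O ~/registered.tar.gz
#sudo tar -xvf ~/registered.tar.gz -C /etc/snort
# With the configuration and rule files in place, edit the snort.conf to modify a few parameters.
sudo nano /etc/snort/snort.conf
# Find these sections shown below in the configuration file and change the parameters to reflect the examples here.
###
## # Setup the network addresses you are protecting
## ipvar HOME_NET <server public IP>/32
###
## # Set up the external network addresses. Leave as "any" in most situations
## ipvar EXTERNAL_NET !$HOME_NET
###
## # Path to your rules files (this can be a relative path)
## var RULE_PATH /etc/snort/rules
## var SO_RULE_PATH /etc/snort/so_rules
## var PREPROC_RULE_PATH /etc/snort/preproc_rules
###
## # Set the absolute path appropriately
## var WHITE_LIST_PATH /etc/snort/rules
## var BLACK_LIST_PATH /etc/snort/rules
###
# In the same snort.conf file, scroll down to section 6 and set the unified2 output to log under the filename snort.log as below.
###
## # unified2
## # Recommended for most installs
## output unified2: filename snort.log, limit 128
###
# Lastly, scroll down towards the bottom of the file to find the list of included rule sets. Uncomment local.rules so Snort loads your custom rules.
###
## include $RULE_PATH/local.rules
# If you are using the community rules, add the line underneath to your rule set as well, for example just below your local.rules line
###
## include $RULE_PATH/community.rules
# Once you are done with the configuration file, save the changes and exit the editor.
####
# Validating settings
####
# Test the configuration using the parameter -T to enable test mode.
sudo snort -T -c /etc/snort/snort.conf
# After running the Snort configuration test, you should get a message like the example below.
## Snort successfully validated the configuration!
## Snort exiting
unset IFS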