Some installation notes on building Snort from source on Ubuntu 14.04


Install prerequisites for compiling Snort

$ sudo apt-get update
$ sudo apt-get install flex bison build-essential checkinstall \
libpcap-dev libnet1-dev libpcre3-dev zlib1g-dev \
libnetfilter-queue-dev iptables-dev

Snort's configure script refuses to run without the zlib headers (they are used for gzip decompression in the HTTP inspector), so zlib1g-dev is on the list. The libmysqlclient15-dev package that older guides include is not needed: the database output plugins were removed in Snort 2.9.3, and that package name no longer exists in 14.04 (the current one is libmysqlclient-dev).

Download DAQ, Snort, Libdnet source code

$ wget https://www.snort.org/downloads/snort/daq-2.0.2.tar.gz
$ wget https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz
$ wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

Unzip, make and install Libdnet

$ tar zxvf libdnet-1.12.tgz
$ cd libdnet-1.12/
$ ./configure && make
$ sudo checkinstall
$ sudo dpkg -i libdnet_1.12-1_amd64.deb
$ sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

When you run sudo checkinstall it asks the following questions:

  • Should I create a default set of package docs? [y]:

    Accept the default: type y and press Enter. checkinstall then asks for a package description; the package name and version are taken from the source directory name (libdnet and 1.12 here), which is where the libdnet_1.12-1_amd64.deb file name comes from.

  • You probably don't want them to be included in the package. Do you want me to list them? [n]: n

  • Should I exclude them from the package? (Saying yes is a good idea) [n]: y

checkinstall installs the .deb it builds, so the dpkg -i line that follows only reinstalls the same package; keep the .deb if you want to deploy the build on another host or remove it cleanly later with dpkg -r.


Unzip, make and install DAQ

$ tar xvfz daq-2.0.2.tar.gz
$ cd daq-2.0.2
$ ./configure CFLAGS=-fPIC && make
$ sudo checkinstall
$ sudo dpkg -i daq_2.0.2-1_amd64.deb

sudo checkinstall asks the same questions again; answer them as above.


Unzip, make and install Snort

$ tar xvfz snort-2.9.6.2.tar.gz
$ cd snort-2.9.6.2
$ ./configure --enable-sourcefire && make
$ sudo checkinstall
$ sudo dpkg -i snort_2.9.6.2-1_amd64.deb
$ sudo ln -s /usr/local/bin/snort /usr/sbin/snort
$ sudo ldconfig -v

sudo checkinstall asks the same questions again; answer them as above. --enable-sourcefire turns on the Sourcefire-specific build options, which include --enable-perfprofiling and --enable-ppm.
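The three build steps as one script, added here as an example (it is not from the original post). It chains the downloads, builds and checkinstall runs above and adds the check the bare wget commands skip: the tarballs are verified against a SHA256 digest before anything is compiled (the libdnet download is plain http, so this is the only integrity check it gets). Assumptions not taken from the page: the expected digests are supplied in the environment variables LIBDNET_SHA256, DAQ_SHA256 and SNORT_SHA256, which you fill in from the projects' download pages; the checkinstall flags --default, --nodoc, --pkgname and --pkgversion, taken from its man page, replace the interactive prompts.

```shell
#!/usr/bin/env bash
# Added example, not the page's own script: build libdnet, DAQ and Snort
# from the tarballs named on the page, packaging each with checkinstall.
# Assumed (not from the page): the caller provides LIBDNET_SHA256,
# DAQ_SHA256 and SNORT_SHA256; checkinstall flags are from its man page.
set -eu

# Download $2 to $1 unless the file is already present.
fetch() {
    local file=$1 url=$2
    [ -f "$file" ] || wget -q -O "$file" "$url"
}

# Return 0 if file $1 hashes to the expected SHA256 hex digest $2, else 1.
verify_sha256() {
    local file=$1 expected=$2 actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Unpack $1 into $2, run ./configure (extra args after the 4th) and make,
# then let checkinstall build and install a .deb named $3 version $4.
build_and_package() {
    local tarball=$1 srcdir=$2 pkg=$3 ver=$4
    shift 4
    tar xzf "$tarball"
    (
        cd "$srcdir"
        ./configure "$@"
        make
        sudo checkinstall --default --nodoc \
            --pkgname="$pkg" --pkgversion="$ver"
    )
}

# Print the shared libraries the loader cannot resolve for binary $1; any
# output means "error while loading shared libraries" at run time.
missing_libs() {
    ldd "$1" | awk '/not found/ { print $1 }'
}

main() {
    : "${LIBDNET_SHA256:?set to the published SHA256 of libdnet-1.12.tgz}"
    : "${DAQ_SHA256:?set to the published SHA256 of daq-2.0.2.tar.gz}"
    : "${SNORT_SHA256:?set to the published SHA256 of snort-2.9.6.2.tar.gz}"

    fetch libdnet-1.12.tgz http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    fetch daq-2.0.2.tar.gz https://www.snort.org/downloads/snort/daq-2.0.2.tar.gz
    fetch snort-2.9.6.2.tar.gz https://www.snort.org/downloads/snort/snort-2.9.6.2.tar.gz

    # Abort before compiling anything if a tarball does not match.
    for pair in "libdnet-1.12.tgz:$LIBDNET_SHA256" \
                "daq-2.0.2.tar.gz:$DAQ_SHA256" \
                "snort-2.9.6.2.tar.gz:$SNORT_SHA256"; do
        verify_sha256 "${pair%%:*}" "${pair#*:}" \
            || { echo "checksum mismatch: ${pair%%:*}" >&2; exit 1; }
    done

    build_and_package libdnet-1.12.tgz libdnet-1.12 libdnet 1.12
    build_and_package daq-2.0.2.tar.gz daq-2.0.2 daq 2.0.2 CFLAGS=-fPIC
    build_and_package snort-2.9.6.2.tar.gz snort-2.9.6.2 snort 2.9.6.2 --enable-sourcefire

    sudo ldconfig
    # libdnet 1.12 installs libdnet.1.0.1 with no libdnet.1 alias (see the
    # page's Troubleshoot section), so add the same link the page uses.
    [ -e /usr/lib/libdnet.1 ] || sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

    if [ -n "$(missing_libs /usr/local/bin/snort)" ]; then
        echo "unresolved libraries: $(missing_libs /usr/local/bin/snort)" >&2
        exit 1
    fi
    /usr/local/bin/snort -V
}

# Only build when invoked as "./build-snort.sh run"; otherwise just define
# the functions so they can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Export the three digests, then run it as ./build-snort.sh run. Note that --default gives every checkinstall prompt its default answer, including "n" to excluding files found under the build directory; if that matters to you, run checkinstall interactively as described above.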


Testing Snort

$ snort -V

The banner should report Version 2.9.6.2 together with the libpcap and PCRE versions it was built against.


Some basic settings

$ sudo groupadd snort
$ sudo useradd snort -r -d /var/log/snort -s /usr/sbin/nologin -c SNORT_IDS -g snort

$ sudo mkdir /var/log/snort
$ sudo chown snort:snort /var/log/snort

$ sudo mkdir /etc/snort
$ sudo tar zxvf snortrules-snapshot-2962.tar.gz -C /etc/snort/
$ sudo mv /etc/snort/etc/* /etc/snort/
$ sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
$ sudo mkdir /usr/local/lib/snort_dynamicrules

$ sudo chown -R snort:snort /etc/snort

On Ubuntu the nologin shell lives at /usr/sbin/nologin, not /sbin/nologin. The empty white_list.rules and black_list.rules files satisfy the reputation preprocessor, which snort.conf enables by default. Snort reads snort.conf and the rules as root before dropping to the snort user (-u/-g), so /etc/snort can just as well stay root-owned with world-readable files; only /var/log/snort needs to be writable by the snort account.

The snortrules-snapshot-2962.tar.gz ruleset is the one matching Snort 2.9.6.2; it requires a snort.org account (registered or subscriber) and must be downloaded from there before running the tar command above.


Edit the Snort configuration file

Two parts of /etc/snort/snort.conf have to be modified:

  • Internal and external network addresses

# Setup the network addresses you are protecting
# ipvar HOME_NET any
ipvar HOME_NET 192.168.8.0/24

# Set up the external network addresses. Leave as "any" in most situations
# ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET

Set HOME_NET to the subnet of the interface Snort listens on (check it with ifconfig); several subnets can be given as a list, e.g. ipvar HOME_NET [192.168.8.0/24,10.10.0.0/16]. Be aware that EXTERNAL_NET !$HOME_NET makes every rule written as $EXTERNAL_NET -> $HOME_NET blind to traffic between two internal hosts, which is why the stock comment recommends leaving it as any.

  • Path to your rules files

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Start Snort in self-test mode

$ sudo snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

-T parses the configuration and all rules, then exits. If the output ends with "Snort successfully validated the configuration!" followed by "Snort exiting", the setup is working.


Troubleshoot

  • snort: error while loading shared libraries: libsfbpf.so.0: cannot open shared object file: No such file or directory

    libsfbpf is built by DAQ and installed under /usr/local/lib, a directory Ubuntu already lists in /etc/ld.so.conf.d/libc.conf; the loader cache only needs to be refreshed:

$ sudo ldconfig

  • snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

    libdnet 1.12 installs its library as /usr/local/lib/libdnet.1.0.1, a name that does not follow the lib*.so* pattern ldconfig indexes, so refreshing the cache does not help; create the link the installation step above used, which puts it where the loader searches directly:

$ sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
