snort
Chris edited this page Mar 10, 2012
To install Snort from source, check the Snort docs for the latest versions and details first; the steps below build DAQ, libdnet and zlib, then Snort 2.9.2.1 under /usr/local/snort (the install steps need root, so they are run with sudo; configure and make are run as your own user):
cd
mkdir ~/src
cd ~/src
# DAQ 0.6.2 (Snort's packet acquisition library); snort.org serves it as download id 1408, so wget saves it under that name
wget http://www.snort.org/downloads/1408
tar zxvf 1408
cd daq-0.6.2/
./configure
make
sudo make install
sudo ldconfig
cd ..
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
sudo make install
# Snort links against libdnet.1, which the 1.12 install does not provide under that name
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
cd ..
wget http://zlib.net/zlib-1.2.6.tar.gz
tar zxvf zlib-1.2.6.tar.gz
cd zlib-1.2.6
./configure
make
sudo make install
cd ..
# Snort 2.9.2.1 source; download id 1416
wget http://www.snort.org/downloads/1416
tar zxvf 1416
cd snort-2.9.2.1/
./configure --prefix=/usr/local/snort
make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
sudo groupadd snort
# unprivileged system account for Snort to drop to after startup; no login shell (the -r and -s options are additions to the original page's command)
sudo useradd -r -g snort -s /usr/sbin/nologin snort
sudo chown snort:snort /var/log/snort
For the following you will need the MySQL root password you set during the MySQL installation. The schema path is relative to the snort-2.9.2.1 source directory you are still in:
echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'xxxxx'" | mysql -u root -p
Replace 'xxxxx' with a password of your own choosing for the MySQL snort user. Those five privileges on the snort database are all the logging output needs, so do not widen the grant (no GRANT ALL, and never run Snort's logging as the MySQL root user).
cd ..
# The trailing hex string in this URL is the page author's Oinkcode; substitute the one from your own snort.org account
wget http://www.snort.org/sub-rules/snortrules-snapshot-2920.tar.gz/23fe804749726f14ae4fc135e4540ad81f27510d -O snortrules-snapshot-2920.tar.gz
# Unpack the ruleset into the install prefix. The original page omits this step, but the copy below and the snort.conf edited later both come from it: the snapshot provides etc/snort.conf, rules/ and so_rules/
sudo tar zxvf snortrules-snapshot-2920.tar.gz -C /usr/local/snort
sudo mkdir /usr/local/snort/lib/snort_dynamicrules
# Precompiled shared-object rules: pick the subdirectory that matches your distribution, architecture and Snort version
sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.2.0/* /usr/local/snort/lib/snort_dynamicrules
# The reputation preprocessor in snort.conf references both list files and Snort will not start if either is missing, so create both (black_list.rules is an addition to the original page)
sudo touch /usr/local/snort/rules/white_list.rules
sudo touch /usr/local/snort/rules/black_list.rules
Edit the snort configuration:
sudo nano /usr/local/snort/etc/snort.conf
and make sure it contains the following lines (the paths match the --prefix used above; the defaults in the shipped snort.conf point elsewhere):
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules
# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
output unified2: filename snort.u2, limit 128
then save.
Make one copy of the configuration per network interface (sensor) you will monitor, named after the interface, for example for eth0:
sudo cp /usr/local/snort/etc/snort.conf /usr/local/snort/etc/snort-eth0.conf
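Before starting the sensor it is worth confirming that snort-eth0.conf really points at the directories and files created above, because a wrong path only shows up as a startup failure. The script below is an added example, not part of the original page or of the Snort project: it reads the directives edited above out of a snort.conf, checks that every referenced path exists, verifies that both reputation list files are present, and checks that a unified2 output line is configured. The directory tree it builds under mktemp is a constructed stand-in for /usr/local/snort (empty placeholder files, not real libraries) so the script runs anywhere; point check_snort_conf at the real file on the sensor.

```shell
#!/bin/sh
# Pre-flight check for the snort.conf edits above (added example, not from the
# original page). Verifies the directives are present and that what they point at
# exists, so typos surface before "snort -T" is run as root.

# conf_value CONF DIRECTIVE: print the first value of DIRECTIVE in CONF (or nothing).
conf_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]\{1,\}||p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_snort_conf CONF: print one line per problem; return 0 only if none found.
check_snort_conf() {
    conf=$1
    rc=0
    for d in "dynamicpreprocessor directory" "dynamicengine" "dynamicdetection directory"; do
        v=$(conf_value "$conf" "$d")
        if [ -z "$v" ]; then
            echo "missing directive: $d"; rc=1
        elif [ ! -e "$v" ]; then
            echo "$d points at a path that does not exist: $v"; rc=1
        fi
    done
    # The reputation preprocessor loads $WHITE_LIST_PATH/white_list.rules and
    # $BLACK_LIST_PATH/black_list.rules; Snort refuses to start if either is absent.
    for colour in white black; do
        var=$(echo "$colour" | tr a-z A-Z)_LIST_PATH
        dir=$(conf_value "$conf" "var $var")
        if [ -z "$dir" ]; then
            echo "missing directive: var $var"; rc=1
        elif [ ! -f "$dir/${colour}_list.rules" ]; then
            echo "$var is set but $dir/${colour}_list.rules does not exist"; rc=1
        fi
    done
    grep -q '^[[:space:]]*output unified2:' "$conf" \
        || { echo "missing directive: output unified2"; rc=1; }
    return $rc
}

# make_fixture ROOT: constructed stand-in for the /usr/local/snort tree above
# (empty placeholder files, not real libraries) plus a snort.conf that matches it.
make_fixture() {
    root=$1
    mkdir -p "$root/lib/snort_dynamicpreprocessor" "$root/lib/snort_dynamicengine" \
             "$root/lib/snort_dynamicrules" "$root/rules" "$root/etc"
    : > "$root/lib/snort_dynamicengine/libsf_engine.so"
    : > "$root/rules/white_list.rules"
    : > "$root/rules/black_list.rules"
    cat > "$root/etc/snort.conf" <<EOF
var WHITE_LIST_PATH $root/rules
var BLACK_LIST_PATH $root/rules
# path to dynamic preprocessor libraries
dynamicpreprocessor directory $root/lib/snort_dynamicpreprocessor/
# path to base preprocessor engine
dynamicengine $root/lib/snort_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory $root/lib/snort_dynamicrules
output unified2: filename snort.u2, limit 128
EOF
}

# Demo: a complete tree passes; deleting black_list.rules (a common omission) fails.
tmp=$(mktemp -d)
make_fixture "$tmp"
check_snort_conf "$tmp/etc/snort.conf" && echo "OK: $tmp/etc/snort.conf"
rm "$tmp/rules/black_list.rules"
check_snort_conf "$tmp/etc/snort.conf" || echo "problems found, as expected"
rm -rf "$tmp"
```

On the sensor, source the script and run `check_snort_conf /usr/local/snort/etc/snort-eth0.conf`; once it prints nothing, let Snort itself validate the full configuration with `sudo /usr/local/snort/bin/snort -T -c /usr/local/snort/etc/snort-eth0.conf -i eth0` (-T tests the configuration and exits without sniffing).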