Chris edited this page Mar 10, 2012 · 7 revisions

To install Snort, be sure to check the Snort docs for the latest details:

Log in as root (or open a root shell). Everything below is run as root, so the sudo prefixes on some of the commands are redundant there; they are harmless, and they are what you need if you follow along from an unprivileged account instead.

Create a src folder for downloading and installing software (if needed)

cd
mkdir ~/src
cd ~/src

Install DAQ

wget http://www.snort.org/downloads/1408
tar zxvf 1408 
cd daq-0.6.2/
./configure 
make
make install
ldconfig

Install libdnet

cd ..
sudo wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxvf libdnet-1.12.tgz 
cd libdnet-1.12
./configure 
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Install zlib

cd ..
wget http://zlib.net/zlib-1.2.6.tar.gz
tar zxvf zlib-1.2.6.tar.gz 
cd zlib-1.2.6
./configure 
make
make install

Install Snort

cd ..
wget http://www.snort.org/downloads/1416
tar zxvf 1416
cd snort-2.9.2.1/
./configure --prefix=/usr/local/snort
make
make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort

For the following you will need the MySQL root password you set during the MySQL installation:

echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'xxxxx'" | mysql -u root -p

Replace 'xxxxx' with a password of your own for the MySQL snort user and keep it for the configuration of whatever writes alerts into this database. The grant is deliberately limited to snort@localhost and to the snort database; do not widen it to '%' or to all databases.

Install Snort rules

cd ..
wget http://www.snort.org/sub-rules/snortrules-snapshot-2920.tar.gz/<oinkcode> -O snortrules-snapshot-2920.tar.gz
sudo tar zxvf snortrules-snapshot-2920.tar.gz -C /usr/local/snort
sudo mkdir /usr/local/snort/lib/snort_dynamicrules
sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.2.0/* /usr/local/snort/lib/snort_dynamicrules
sudo touch /usr/local/snort/rules/white_list.rules
sudo touch /usr/local/snort/rules/black_list.rules

Replace <oinkcode> with the Oinkcode from your own Snort.org account; it is a per-account credential, so do not paste it into shared documentation or commit it. The snapshot unpacks its etc/, rules/, so_rules/ and preproc_rules/ directories under /usr/local/snort, which is where the copy of the precompiled shared-object rules and the snort.conf edits below expect them. snort.conf references both white_list.rules and black_list.rules for the reputation preprocessor, so both files must exist even if empty.

Edit the snort configuration:

sudo nano /usr/local/snort/etc/snort.conf

ensure the following changes:

var WHITE_LIST_PATH  /usr/local/snort/rules
var BLACK_LIST_PATH  /usr/local/snort/rules

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename snort.u2, limit 128

then save.

Copy the configuration to a per-interface (sensor) file, named after the interface that sensor will monitor:

sudo cp /usr/local/snort/etc/snort.conf  /usr/local/snort/etc/snort-eth0.conf

Please adjust the paths and settings to match your server.
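The following script is an added example and is not part of the original wiki page or of Snort itself. It checks a per-interface snort.conf for the directives the steps above tell you to set, verifies that the white/black list files the conf points at actually exist, and then hands off to Snort's own configuration self-test (snort -T) as the snort user, so permission problems on the dynamic libraries and log directory show up before the sensor is started for real. It assumes the install prefix used above, /usr/local/snort (overridable via SNORT_HOME); the sample conf embedded in it is constructed for the demo and stands in for your real snort-eth0.conf.

```sh
#!/bin/sh
# Added example, not from the original wiki page: pre-flight checks for a
# snort.conf prepared per the steps above. Assumes the page's install prefix.
SNORT_HOME="${SNORT_HOME:-/usr/local/snort}"

# Constructed sample of the directives the page says to set; used only for
# the self-demo at the bottom. Point the script at your real conf otherwise.
sample_conf() {
    cat <<'EOF'
var WHITE_LIST_PATH  /usr/local/snort/rules
var BLACK_LIST_PATH  /usr/local/snort/rules
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
output unified2: filename snort.u2, limit 128
EOF
}

# Return 0 when the conf carries every directive from the page (list paths,
# dynamic engine/preprocessor/rule paths, unified2 output). Each missing
# directive is reported on stderr.
check_snort_conf() {
    conf="$1"
    missing=0
    for pattern in \
        '^var WHITE_LIST_PATH ' \
        '^var BLACK_LIST_PATH ' \
        '^dynamicpreprocessor directory ' \
        '^dynamicengine ' \
        '^dynamicdetection directory ' \
        '^output unified2: filename snort.u2, limit 128'
    do
        if ! grep -q "$pattern" "$conf"; then
            echo "check_snort_conf: no line matching '$pattern' in $conf" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print the value of a "var NAME value" line (empty when NAME is not set).
conf_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { print $3; exit }' "$1"
}

# Return 0 when the reputation preprocessor's list files exist where the conf
# says they are. snort.conf references both files, so an empty black_list.rules
# is needed even though only white_list.rules is usually created by hand.
check_list_files() {
    conf="$1"
    ok=0
    wl=$(conf_var "$conf" WHITE_LIST_PATH)
    bl=$(conf_var "$conf" BLACK_LIST_PATH)
    [ -f "$wl/white_list.rules" ] || { echo "missing $wl/white_list.rules" >&2; ok=1; }
    [ -f "$bl/black_list.rules" ] || { echo "missing $bl/black_list.rules" >&2; ok=1; }
    return $ok
}

# Snort's own self-test: parse the conf and load the dynamic libraries without
# sniffing. Running it as snort:snort exercises the same file permissions the
# sensor will have at runtime (e.g. on /var/log/snort for unified2 output).
snort_config_test() {
    conf="$1"
    iface="${2:-eth0}"
    "$SNORT_HOME/bin/snort" -T -c "$conf" -i "$iface" -u snort -g snort
}

if [ "$#" -ge 1 ]; then
    # Real run: sh check-snort.sh /usr/local/snort/etc/snort-eth0.conf eth0
    check_snort_conf "$1" && check_list_files "$1" && snort_config_test "$1" "${2:-eth0}"
else
    # Demo on the constructed sample: only the directive check is meaningful
    # here, since the list paths refer to the real install.
    tmpconf=$(mktemp)
    sample_conf > "$tmpconf"
    if check_snort_conf "$tmpconf"; then
        echo "sample conf: all expected directives present"
    fi
    rm -f "$tmpconf"
fi
```

Run it with the conf and interface as arguments after the copy step above; a non-zero exit from any of the three stages means the sensor should not be started yet. The directive check is intentionally strict about the exact unified2 line so that a stray edit to the filename or limit is caught before it silently breaks whatever consumes the spool files.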