Tuesday, August 23, 2016

snort install

1: Install all the prerequisites

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev


apt-get install pkg-config
apt-get install luajit*
apt-get install libluajit*
apt-get install libssl-dev

ldconfig

ldconfig -v

2: Install DAQ (2.1.0 failed for me)

wget https://www.snort.org/downloads/snortplus/daq-2.1.0.tar.gz
tar zxvf daq-2.1.0.tar.gz
cd daq-2.1.0/
./configure
make
make install

3: Install Snort

wget https://www.snort.org/downloads/snortdev/snort-2.9.9_beta.tar.gz
tar zxvf snort-2.9.9_beta.tar.gz
cd snort-2.9.9_beta/
apt-get install luajit*
apt-get install libluajit*
ldconfig
pkg-config
apt-get install libssl-dev
ldconfig
./configure --enable-file-inspect --enable-open-appid --enable-sourcefire
make
make install


4: Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is a good policy to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort binary runs. Execute Snort with the -V flag, which causes Snort to show the version number:
/usr/sbin/snort -V
and you should see output similar to the following:
user@snortserver:~$ /usr/sbin/snort -V
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.6 GRE (Build 285)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4
user@snortserver:~$
5: Create the Snort user, directories and configuration files

# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Create the files that store rules and IP lists:
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map

# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules


# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules


# Copy the configuration files and dynamic preprocessors from the source tree:
cd snort-2.9.9_beta/etc
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ../src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

# Comment out every rule include in snort.conf (local.rules is re-enabled further down):
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Edit /etc/snort/snort.conf and set HOME_NET to the network Snort should monitor:
sudo vi /etc/snort/snort.conf
ipvar HOME_NET 10.0.0.0/24

Set the following file paths in snort.conf, beginning at line 104:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists

In order to make testing Snort easy, we want to enable the local.rules file, where we can add rules that
Snort can alert on. Un-comment (remove the hash symbol) from line 545 so it looks like this:
include $RULE_PATH/local.rules

Once the configuration file is ready, we will have Snort verify that it is a valid file and that all the files it references exist. We use the -T flag to test the configuration file, the -c flag to tell Snort which configuration file to use, and -i to specify the interface that Snort will listen on (this is a new requirement for the 2.9.8.x version of Snort). Run the command as shown below and look for the following output (only the last few lines of the output are shown for clarity):
user@snortserver:~$ sudo snort -T -i eth0 -c /etc/snort/snort.conf
(...)
Snort successfully validated the configuration!
Snort exiting
user@snortserver:~$

Paste the following single line into the empty local rules file, /etc/snort/rules/local.rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)