
Snort Install Notes

I have run into too many issues installing from apt-get, so I now just compile all the necessary packages.

Latest version installed: Snort 2.9.2.1 on Ubuntu 10.04

Some required packages:

  • gcc
  • g++
  • bison
  • flex
  • libpcre3
  • libpcre3-dev
  • libdnet (http://code.google.com/p/libdnet/)
  • linux headers for the running kernel: sudo apt-get install linux-headers-$(uname -r)

If snort fails to start because it cannot find libdnet.1 (libdnet installs to /usr/local/lib by default), you may need to copy it to a different directory; running sudo ldconfig after installing libdnet usually avoids the copy:

cp /usr/local/lib/libdnet.1 /usr/lib/

In the new version of the snort.conf file, if you did not use the --enable-ipv6 option with the ./configure command, change ipvar to var. Also, if you built without --enable-normalizer, you may need to comment out all the IP, ICMP, and TCP normalization lines (the preprocessor normalize_* entries).

Compiling and installing. Either a minimal build:

./configure --enable-zlib

or a build with the full feature set:

./configure --enable-ipv6 --enable-gre \
  --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
  --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
  --enable-normalizer --enable-reload --enable-react --enable-flexresp3

then:

make
sudo make install

Only make install needs root; running ./configure and make as root is unnecessary and leaves root-owned files in the source tree.

Configuration options (from ./configure --help; this list comes from an older release and lacks some of the options used above, such as --enable-active-response and --enable-flexresp3, so run ./configure --help on the tarball you are actually building):

  --disable-FEATURE             do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]        include FEATURE [ARG=yes]
  --enable-64bit-gcc            Try to compile 64bit (only tested on Sparc Solaris 9).
  --enable-maintainer-mode      enable make rules and dependencies not useful
                                (and sometimes confusing) to the casual installer
  --disable-dependency-tracking speeds up one-time build
  --enable-dependency-tracking  do not reject slow dependency extractors
  --enable-shared[=PKGS]        build shared libraries [default=yes]
  --enable-static[=PKGS]        build static libraries [default=yes]
  --enable-fast-install[=PKGS]  optimize for fast installation [default=yes]
  --disable-libtool-lock        avoid locking (might break parallel builds)
  --enable-debug                Enable debugging options (bugreports and developers only)
  --enable-profile              Enable profiling options (developers only)
  --enable-pthread              Enable pthread support
  --enable-prelude              Enable Prelude Hybrid IDS support
  --enable-sourcefire           Enable Sourcefire specific build options
  --enable-rulestate            Enable separation of Rule State from Rule definition
  --enable-dynamicplugin        Enable Ability to dynamically load preprocessors, detection engine, and rules lib
  --enable-timestats            Enable TimeStats functionality
  --enable-perfprofiling        Enable preprocessor and rule performance profiling
  --enable-linux-smp-stats      Enable statistics reporting through proc
  --enable-inline               Use the libipq interface for inline snort
  --enable-ipfw                 Enable ipfw Divert mode for use with inline
  --enable-flexresp             Flexible Responses on hostile connection attempts
  --enable-flexresp2            NEW Flexible Responses on hostile connection attempts
  --enable-react                Intercept and terminate offending HTTP accesses

To start snort:

sudo snort -c /etc/snort/snort.conf -i eth0 -D

-D runs Snort as a daemon. On a sensor that stays running, also pass -u <user> -g <group> so Snort drops root once it has opened the interface, and check the configuration first with snort -T -c /etc/snort/snort.conf, which parses it and exits.

Paths to Create

/etc/snort/ Location of Snort configuration files
/etc/snort/pulledpork/ Location of pulledpork scripts and configuration
/etc/snort/rules/ Location of Snort rules
/scripts/ Location of various custom Snort scripts
/var/log/snort/ Snort logging directory

Errors

Segmentation Fault:

  • Check /usr/local/lib/snort_dynamicpreprocessor for a group of outdated preprocessor files left over from an earlier build, and remove them.
  • Delete the rules and re-download them.

Compression Depth

ERROR: c:\snort\etc\snort.conf(240) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..

Open your snort.conf file and look for the line:

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

It is in section 5 of snort.conf (the preprocessor configuration). Set compress_depth and decompress_depth to 65535 each, as shown above; 65535 is the maximum Snort accepts for these, which is what "set to max" in the error refers to.
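The snort.conf edits described in the install notes above (ipvar to var when built without --enable-ipv6, commenting out the normalize_* preprocessors when built without --enable-normalizer) and the compress_depth fix in this section are the kind of thing that gets redone on every upgrade. The script below is an added example, not part of the original notes or of Snort; it applies all three edits in place, keeps a .bak copy, and is safe to re-run. The --keep-ipvar and --keep-normalizer switches are this script's own names, and the sample snort.conf excerpt it writes is constructed for the demo rather than copied from a real install.

```shell
#!/bin/sh
# Added helper (not part of the original notes): apply the snort.conf edits
# described on this page to a file in place, keeping a .bak copy.
#   1. ipvar -> var                          (Snort built without --enable-ipv6)
#   2. comment out preprocessor normalize_*  (built without --enable-normalizer)
#   3. compress_depth / decompress_depth -> 65535 on the http_inspect global line
# The --keep-ipvar and --keep-normalizer switches are this script's own, for
# builds that do have those features. Re-running the script is a no-op.

patch_snort_conf() {
    conf=$1; shift
    keep_ipvar=no; keep_norm=no
    for opt in "$@"; do
        case $opt in
            --keep-ipvar)      keep_ipvar=yes ;;
            --keep-normalizer) keep_norm=yes ;;
            *) echo "patch_snort_conf: unknown option $opt" >&2; return 2 ;;
        esac
    done
    [ -f "$conf" ] || { echo "patch_snort_conf: $conf not found" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1

    # Assemble the sed expressions as positional parameters (POSIX sh has no
    # arrays). Every pattern is anchored at the start of the line, so commented
    # and already-fixed lines are left alone.
    set --
    [ "$keep_ipvar" = yes ] || set -- "$@" -e 's/^ipvar[[:space:]]/var /'
    [ "$keep_norm" = yes ]  || set -- "$@" -e 's/^\(preprocessor[[:space:]]*normalize_\)/# \1/'
    # Only the 'preprocessor http_inspect: global' line is touched. The leading
    # whitespace capture stops 'compress_depth' matching inside 'decompress_depth'.
    hi='/^preprocessor[[:space:]]*http_inspect:[[:space:]]*global/'
    set -- "$@" -e "${hi}s/\\([[:space:]]\\)compress_depth[[:space:]][[:space:]]*[0-9][0-9]*/\\1compress_depth 65535/"
    set -- "$@" -e "${hi}s/\\([[:space:]]\\)decompress_depth[[:space:]][[:space:]]*[0-9][0-9]*/\\1decompress_depth 65535/"

    tmp=$(mktemp) || return 1
    # Write back through cat so the file keeps its owner and mode.
    sed "$@" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed excerpt standing in for a stock snort.conf; not a real file.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
# preprocessor normalize_ip6 (already commented out, must stay as-is)
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 1460 decompress_depth 1460
preprocessor stream5_global: track_tcp yes
EOF
}

# Patch the sample and show the before/after diff.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_conf "$dir/snort.conf"
    patch_snort_conf "$dir/snort.conf"
    diff -u "$dir/snort.conf.bak" "$dir/snort.conf" || :   # diff exits 1 when files differ
    rm -rf "$dir"
}

demo
```

Against a real install, run it as root on /etc/snort/snort.conf after make install, then confirm the result parses with snort -T -c /etc/snort/snort.conf before starting the daemon. If the build does include IPv6 or the normalizer, pass --keep-ipvar or --keep-normalizer and only the compress_depth change is made.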

Rule sources and update tools

  • Emerging Threats
  • oinkmaster
  • Pulledpork
  • Updating guide

– Main.FredPettis - 2011-01-10
