Snort Install Notes

I have run into too many issues installing from apt-get, so I now just compile all the necessary packages.

Latest version installed: 2.9.2.1 on 10.04

Some required packages:

  • gcc
  • g++
  • bison
  • flex
  • libpcre3
  • libpcre3-dev
  • libdnet < http://code.google.com/p/libdnet/ >
  • sudo apt-get install linux-headers-$(uname -r)

You may need to copy libdnet.1 to a different directory:

<file>
cp /usr/local/lib/libdnet.1 /usr/lib/
</file>

In the new version of the snort.conf file, if you did not use the --enable-ipv6 option with the ./configure command, change ipvar to var. Also, you may need to comment out all the IP, ICMP, and TCP normalization.

Compiling and installing:

<file>
sudo ./configure --enable-zlib
<OR>
sudo ./configure --enable-ipv6 --enable-gre \
  --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
  --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
  --enable-normalizer --enable-reload --enable-react --enable-flexresp3
sudo make
sudo make install
</file>

Configuration options:

<file>
--disable-FEATURE             do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG]        include FEATURE [ARG=yes]
--enable-64bit-gcc            Try to compile 64bit (only tested on Sparc Solaris 9).
--enable-maintainer-mode      enable make rules and dependencies not useful
                              (and sometimes confusing) to the casual installer
--disable-dependency-tracking speeds up one-time build
--enable-dependency-tracking  do not reject slow dependency extractors
--enable-shared[=PKGS]        build shared libraries [default=yes]
--enable-static[=PKGS]        build static libraries [default=yes]
--enable-fast-install[=PKGS]  optimize for fast installation [default=yes]
--disable-libtool-lock        avoid locking (might break parallel builds)
--enable-debug                Enable debugging options (bugreports and developers only)
--enable-profile              Enable profiling options (developers only)
--enable-pthread              Enable pthread support
--enable-prelude              Enable Prelude Hybrid IDS support
--enable-sourcefire           Enable Sourcefire specific build options
--enable-rulestate            Enable seperation of Rule State from Rule definition
--enable-dynamicplugin        Enable Ability to dynamically load preprocessors, detection engine, and rules lib
--enable-timestats            Enable TimeStats functionality
--enable-perfprofiling        Enable preprocessor and rule performance profiling
--enable-linux-smp-stats      Enable statistics reporting through proc
--enable-inline               Use the libipq interface for inline snort
--enable-ipfw                 Enable ipfw Divert mode for use with inline
--enable-flexresp             Flexible Responses on hostile connection attempts
--enable-flexresp2            NEW Flexible Responses on hostile connection attempts
--enable-react                Intercept and terminate offending HTTP accesses
</file>

To start snort:

sudo snort -c /etc/snort/snort.conf -i eth0 -D

Paths to Create

/etc/snort/ Location of Snort configuration files
/etc/snort/pulledpork/ Location of pulledpork scripts and configuration
/etc/snort/rules/ Location of Snort rules
/scripts/ Location of various custom Snort scripts
/var/log/snort/ Snort logging directory

Errors

Segmentation Fault:

  • Check /usr/local/lib/snort_dynamicpreprocessor for a group of outdated preprocessor files.
  • Delete the rules and re-download

Compression Depth

ERROR: c:\snort\etc\snort.conf(240) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..

Open your snort.conf file and look for the line:

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

You can find it in section 5 of snort.conf; change the values of compress_depth and decompress_depth to 65535 each, as shown above.
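A check for the two snort.conf pitfalls covered on this page, the ipvar/var note in the install section and the compress_depth/decompress_depth fatal error above, as an added example that is not part of the original notes. It is a POSIX shell script that runs against a constructed snort.conf fragment embedded in the script; the file contents and the 20480 values are made up for the demonstration, while the 65535 target is the one the error message and the http_inspect line above call for.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check and fix a snort.conf
# for two pitfalls -- 'ipvar' lines in a build configured without --enable-ipv6,
# and http_inspect compress_depth/decompress_depth left below the 65535 maximum
# that the "Compression Depth" fatal error complains about.

# Constructed sample snort.conf fragment; the values are made up for the demo.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
EOF

# count_ipvar CONF: number of 'ipvar' lines. Anything above 0 will make a Snort
# built without --enable-ipv6 fail to parse the file.
count_ipvar() {
    grep -c '^[[:space:]]*ipvar[[:space:]]' "$1" || true
}

# http_depth CONF KEY: value of KEY (compress_depth or decompress_depth) on the
# 'preprocessor http_inspect: global' line; prints nothing if the key is absent.
http_depth() {
    awk -v key="$2" '
        /^[[:space:]]*preprocessor[[:space:]]+http_inspect:[[:space:]]+global/ {
            for (i = 1; i <= NF; i++) if ($i == key) { print $(i + 1); exit }
        }' "$1"
}

# depth_ok CONF: succeeds only when both depths are at the 65535 maximum.
depth_ok() {
    [ "$(http_depth "$1" compress_depth)" = 65535 ] &&
    [ "$(http_depth "$1" decompress_depth)" = 65535 ]
}

# fix_conf CONF: rewrite the file so that 'ipvar' becomes 'var' and both depths
# on the http_inspect global line become 65535. Only that global line is touched.
# Writing to a temp file and moving it avoids the GNU/BSD differences of 'sed -i'.
fix_conf() {
    tmp=$(mktemp)
    sed -e 's/^\([[:space:]]*\)ipvar[[:space:]]\{1,\}/\1var /' \
        -e '/^[[:space:]]*preprocessor[[:space:]]\{1,\}http_inspect:[[:space:]]\{1,\}global/s/\([[:space:]]\)compress_depth [0-9]\{1,\}/\1compress_depth 65535/' \
        -e '/^[[:space:]]*preprocessor[[:space:]]\{1,\}http_inspect:[[:space:]]\{1,\}global/s/decompress_depth [0-9]\{1,\}/decompress_depth 65535/' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# report CONF LABEL: one-line summary, used before and after the fix.
report() {
    if depth_ok "$1"; then d=ok; else d=TOO_LOW; fi
    echo "$2: ipvar lines=$(count_ipvar "$1") http_inspect depths=$d"
}

report "$SAMPLE_CONF" before
fix_conf "$SAMPLE_CONF"
report "$SAMPLE_CONF" after
```

Run report against a real snort.conf first to see what would change, and keep a backup before pointing fix_conf at it. The substitutions are anchored to the http_inspect global line, so per-server http_inspect_server settings and any other compress_depth occurrences are left alone.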

Emerging Threats

oinkmaster

Pulledpork

Updating guide

– Main.FredPettis - 2011-01-10

snortnotes.txt · Last modified: 2013/01/28 04:29 by 127.0.0.1