snortnotes
Differences
— | snortnotes [2013/01/28 04:29] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ===== Snort Install Notes ===== | ||
+ | Have ran into too many issues installing from apt-get, so I now just compile all the necessary packages. | ||
+ | Latest version installed: | ||
+ | |||
+ | Some required packages: | ||
+ | * gcc | ||
+ | * g++ | ||
+ | * bison | ||
+ | * flex | ||
+ | * libpcre3 | ||
+ | * libpcre3-dev | ||
+ | * daq <'' | ||
+ | * zlib <'' | ||
+ | * libdnet <'' | ||
+ | * '' | ||
+ | |||
+ | You may need to copy libdnet.1 to a different directory | ||
+ | < | ||
+ | cp / | ||
+ | </ | ||
+ | |||
+ | In the new version of the snort.conf file if you did not use the --enable-ipv6 option with the ./configure command, change ipvar to var. Also, you may need to comment out all the IP, ICMP, and TCP normalization. | ||
+ | |||
+ | Compiling and installing: | ||
+ | < | ||
+ | sudo ./configure --enable-zlib | ||
+ | <OR> | ||
+ | sudo ./configure --enable-ipv6 --enable-gre \ | ||
+ | --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \ | ||
+ | --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \ | ||
+ | --enable-normalizer --enable-reload --enable-react --enable-flexresp3 | ||
+ | |||
+ | sudo make | ||
+ | sudo make install | ||
+ | </ | ||
+ | Configuration options: | ||
+ | < | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | (and sometimes confusing) to the casual installer | ||
+ | | ||
+ | | ||
+ | | ||
+ | build shared libraries [default'' | ||
+ | | ||
+ | build static libraries [default'' | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | To start snort: | ||
+ | < | ||
+ | sudo snort -c / | ||
+ | </ | ||
+ | |||
+ | ===== Paths to Create ===== | ||
+ | | ''/ | ||
+ | | ''/ | ||
+ | | ''/ | ||
+ | | ''/ | ||
+ | | ''/ | ||
+ | |||
+ | ===== Errors ===== | ||
+ | ==== Segmentation Fault: ==== | ||
+ | * Check / | ||
+ | * Delete the rules and re-download | ||
+ | ==== Compression Depth ==== | ||
+ | < | ||
+ | be set to max in the default policy to enable ' | ||
+ | Fatal Error, Quitting.. </ | ||
+ | Open your snort.conf file and look for the line : | ||
+ | < | ||
+ | # HTTP normalization and anomaly detection. | ||
+ | preprocessor http_inspect: | ||
+ | </ | ||
+ | You can find it in section 5 ... then change your values compress_depth and decompress_depth each to 65535 as shown above. | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | -- Main.FredPettis - 2011-01-10 |
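Review bot: In the "Compiling and installing" block, `sudo ./configure` and `sudo make` run the whole build as root, although only `sudo make install` needs elevated privileges. Drop `sudo` from the configure and make lines so the configure script and build steps do not execute as root and the source tree is not left with root-owned files. The "Latest version installed:" line is also empty, and the snort.conf paragraph should say which of the two configure variants the ipvar-to-var change and the commented-out IP, ICMP, and TCP normalization apply to, since the second variant passes --enable-ipv6 and --enable-normalizer.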
snortnotes.txt · Last modified: 2013/01/28 04:29 by 127.0.0.1