snortnotes [2013/01/27 21:29] (current)
===== Snort Install Notes =====
I have run into too many issues installing from apt-get, so I now just compile all the necessary packages.

Latest version installed: 2.9.2.1 on Ubuntu 10.04

Some required packages:
  * gcc
  * g++
  * bison
  * flex
  * libpcre3
  * libpcre3-dev
  * daq <= http://www.snort.org/snort-downloads
  * zlib <= http://www.zlib.net/
  * libdnet <= http://code.google.com/p/libdnet/
  * ''sudo apt-get install linux-headers-$(uname -r)''

If libdnet was built from source it lands in ''/usr/local/lib'', and Snort will fail at startup with a loader error ("cannot open shared object file") if the dynamic linker does not know about it. The quick fix is to copy the library to a directory that is always searched:
<file>
cp /usr/local/lib/libdnet.1 /usr/lib/
</file>
The cleaner fix is ''sudo ldconfig'' after ''make install'' (Ubuntu already lists ''/usr/local/lib'' under ''/etc/ld.so.conf.d/''), which registers the library without leaving a second copy to forget about on the next upgrade.

In the new version of the snort.conf file, if you did not use the ''--enable-ipv6'' option with ''./configure'', change ''ipvar'' to ''var'' (the ''HOME_NET'', ''EXTERNAL_NET'' and server-list definitions near the top of the file). Likewise, if you did not use ''--enable-normalizer'', comment out all the IP, ICMP, and TCP normalization lines (''preprocessor normalize_ip4'', ''normalize_tcp'', ''normalize_icmp4'', ''normalize_ip6'', ''normalize_icmp6''): Snort aborts at startup on a preprocessor it was not built with, rather than skipping it.

Compiling and installing. Build and install daq first, since Snort's ''./configure'' looks for the installed DAQ library. ''./configure'' and ''make'' do not need root and should run as your own user; only ''make install'' writes outside the source tree:
<file>
./configure --enable-zlib
<OR>
./configure --enable-ipv6 --enable-gre \
--enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
--enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
--enable-normalizer --enable-reload --enable-react --enable-flexresp3

make
sudo make install
</file>
Configuration options. Note that this is an excerpt from an older ''./configure --help'': it predates DAQ, so the ''--enable-inline'' and ''--enable-ipfw'' entries no longer apply to 2.9.x, and flags used above such as ''--enable-normalizer'' and ''--enable-flexresp3'' are not listed. Run ''./configure --help'' for the version you are actually building:
<file>
 --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
 --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
 --enable-64bit-gcc        Try to compile 64bit (only tested on Sparc Solaris 9).
 --enable-maintainer-mode  enable make rules and dependencies not useful
                         (and sometimes confusing) to the casual installer
 --disable-dependency-tracking  speeds up one-time build
 --enable-dependency-tracking   do not reject slow dependency extractors
 --enable-shared[=PKGS]
                         build shared libraries [default=yes]
 --enable-static[=PKGS]
                         build static libraries [default=yes]
 --enable-fast-install[=PKGS]
                         optimize for fast installation [default=yes]
 --disable-libtool-lock  avoid locking (might break parallel builds)
 --enable-debug           Enable debugging options (bugreports and developers only)
 --enable-profile         Enable profiling options (developers only)
 --enable-pthread         Enable pthread support
 --enable-prelude         Enable Prelude Hybrid IDS support
 --enable-sourcefire      Enable Sourcefire specific build options
 --enable-rulestate       Enable separation of Rule State from Rule definition
 --enable-dynamicplugin   Enable Ability to dynamically load preprocessors, detection engine, and rules lib
 --enable-timestats       Enable TimeStats functionality
 --enable-perfprofiling   Enable preprocessor and rule performance profiling
 --enable-linux-smp-stats Enable statistics reporting through proc
 --enable-inline          Use the libipq interface for inline snort
 --enable-ipfw            Enable ipfw Divert mode for use with inline
 --enable-flexresp        Flexible Responses on hostile connection attempts
 --enable-flexresp2       NEW Flexible Responses on hostile connection attempts
 --enable-react           Intercept and terminate offending HTTP accesses
</file>

To start snort as a daemon:
<file>
sudo snort -c /etc/snort/snort.conf -i eth0 -D
</file>
Two things are worth adding to that command. Run it once with ''-T'' first: Snort parses the whole configuration and exits non-zero on any error, which a daemonized instance would otherwise only report to syslog after it has already gone into the background. And add ''-u snort -g snort'' so Snort drops root once the capture interface is open, instead of running its rule parser and every preprocessor as root for the life of the process.

===== Paths to Create =====
| ''/etc/snort/'' | Location of Snort configuration files |
| ''/etc/snort/pulledpork/'' | Location of pulledpork scripts and configuration |
| ''/etc/snort/rules/'' | Location of Snort rules |
| ''/scripts/'' | Location of various custom Snort scripts |
| ''/var/log/snort/'' | Snort logging directory |
If Snort is started with ''-u''/''-g'', ''/var/log/snort/'' must be owned (or at least writable) by that user, otherwise alert logging fails after the privilege drop.

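The build, directory layout and start-up steps above, put together as one small POSIX shell script. This is an added example rather than the notes' own script. It assumes the daq and snort tarballs are already unpacked under ''$SRC'' (default ''~/src'', a hypothetical layout), that zlib and libdnet are already installed and registered with ''ldconfig'', that a ''snort'' user and group exist for the privilege drop, and that ''sudo'' is available for the install and start steps.

```shell
#!/bin/sh
# Added example (not from the original notes): build Snort 2.9.x from source,
# create the directories from the "Paths to Create" table, and start it with
# a config test and a privilege drop.  Assumptions: daq-*/ and snort-*/ are
# unpacked under $SRC; zlib and libdnet are already installed; a 'snort'
# user/group exists.  Usage: ./snort-build.sh build | start [iface]
set -eu

SRC="${SRC:-$HOME/src}"          # assumed location of the unpacked sources
PREFIX="${PREFIX:-/usr/local}"

# Full-feature configure flags from the notes, as one string.
snort_configure_flags() {
    printf '%s' "--enable-ipv6 --enable-gre --enable-mpls --enable-targetbased"
    printf '%s' " --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling"
    printf '%s' " --enable-zlib --enable-active-response --enable-normalizer"
    printf '%s\n' " --enable-reload --enable-react --enable-flexresp3"
}

# Print the build tools that are missing from PATH (empty line when all are
# present).  Mirrors the "required packages" list; header packages such as
# libpcre3-dev and linux-headers are not executables and are not checked here.
check_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    printf '%s\n' "${missing# }"
}

# Create the directories from the "Paths to Create" table.  $1 is an optional
# staging root (for dry runs and for the test) used instead of /.
make_snort_dirs() {
    root="${1:-}"
    for d in /etc/snort /etc/snort/pulledpork /etc/snort/rules /scripts /var/log/snort; do
        mkdir -p "$root$d"
    done
    # Snort writes alerts after dropping to snort:snort, so that user must own
    # the log directory; nobody else needs to read it.
    if [ -z "$root" ] && getent group snort >/dev/null 2>&1; then
        chown snort:snort /var/log/snort && chmod 750 /var/log/snort
    fi
}

# configure and make run as the build user; only 'make install' runs as root.
# daq goes first because snort's configure looks for the installed DAQ library.
build_snort() {
    miss=$(check_tools gcc g++ bison flex make)
    [ -z "$miss" ] || { echo "missing build tools: $miss" >&2; return 1; }
    for pkg in daq snort; do
        dir=$(ls -d "$SRC/$pkg"-[0-9]* 2>/dev/null | tail -n 1)   # newest unpacked tree
        if [ -z "$dir" ] || [ ! -d "$dir" ]; then
            echo "no $pkg source under $SRC" >&2
            return 1
        fi
        flags=""
        if [ "$pkg" = snort ]; then
            flags=$(snort_configure_flags)
        fi
        # $flags is intentionally unquoted so it splits into separate options.
        ( cd "$dir" && ./configure --prefix="$PREFIX" $flags && make && sudo make install )
    done
    # Register libdaq/libdnet from /usr/local/lib instead of copying .so files around.
    sudo ldconfig
}

# Validate the config first: -T parses everything and exits non-zero on an
# error that a daemonised snort would only report to syslog.  Then daemonise,
# dropping root to snort:snort once the capture interface is open.  Run via sudo.
start_snort() {
    iface="${1:-eth0}"
    snort -T -c /etc/snort/snort.conf -i "$iface" -u snort -g snort
    snort -c /etc/snort/snort.conf -i "$iface" -u snort -g snort -D
}

case "${1:-}" in
    build) build_snort ;;
    start) start_snort "${2:-eth0}" ;;
    "")    ;;   # run without arguments: only define the functions
    *)     echo "usage: $0 build | start [iface]" >&2 ;;
esac
```

''make_snort_dirs /tmp/stage'' shows the layout it would create without touching the real filesystem; ''sudo ./snort-build.sh start eth0'' refuses to daemonize if the ''-T'' pass fails, which is the behaviour you want from anything started at boot.
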
===== Errors =====
==== Segmentation Fault ====
  * Check ''/usr/local/lib/snort_dynamicpreprocessor/'' for a group of outdated preprocessor files. ''make install'' of a newer Snort does not remove the old ''.so'' files there, and the ''dynamicpreprocessor directory'' line in snort.conf loads everything in that directory, so a stale preprocessor from the previous version gets loaded into the new binary. Remove the old files (or the whole directory) and run ''make install'' again.
  * Delete the rules and re-download them.
==== Compression Depth ====
<file>ERROR: c:\snort\etc\snort.conf(240) => 'compress_depth' and 'decompress_depth' should
be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting.. </file>
This comes from ''unlimited_decompress'' in an ''http_inspect_server'' block while the global ''http_inspect'' line still has the default depths. Open your snort.conf file and look for the line:
<file>
# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
</file>
You can find it in Step #5 (Configure preprocessors); set both ''compress_depth'' and ''decompress_depth'' to their maximum, 65535, as shown above.

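The snort.conf fix-ups from these notes (''ipvar'' to ''var'' and commenting out the normalizers when the matching configure flags were not used, from the install section above, plus pinning the ''http_inspect'' depths for the error just described) as one preflight script that rewrites the file before ''snort -T'' is run. This is an added example, not the notes' own script or anything from the Snort project. It assumes the configure flags are available as one string (''SNORT_CONFIGURE_FLAGS'' is a hypothetical variable name) and uses a constructed sample config for its demo.

```shell
#!/bin/sh
# Added example (not from the original notes): rewrite a snort.conf so that it
# matches how snort was built and so unlimited_decompress is accepted.
#   - ipvar -> var               unless built with --enable-ipv6
#   - comment out normalize_*    unless built with --enable-normalizer
#   - http_inspect global line:  compress_depth/decompress_depth pinned to 65535
# Usage: ./snort-conf-preflight.sh [snort.conf [out.conf]]
# The configure flags are read from SNORT_CONFIGURE_FLAGS (hypothetical name).
set -eu

# Rewrite $1 into $2 according to the configure flag string $3.
fixup_conf() {
    in="$1"; out="$2"; flags="$3"
    ipv6=0; norm=0
    case "$flags" in *--enable-ipv6*) ipv6=1 ;; esac
    case "$flags" in *--enable-normalizer*) norm=1 ;; esac
    awk -v ipv6="$ipv6" -v norm="$norm" '
        # ipvar needs IPv6 support compiled in; plain var works in any build.
        !ipv6 && /^ipvar[ \t]/ { sub(/^ipvar/, "var") }
        # normalize_* preprocessors only exist with --enable-normalizer and
        # snort aborts on an unknown preprocessor, so comment them out.
        !norm && /^preprocessor[ \t]+normalize_/ { $0 = "#" $0 }
        # Global http_inspect line: set both depths to the maximum (65535),
        # adding them if absent, so unlimited_decompress in a server block is legal.
        /^preprocessor[ \t]+http_inspect:[ \t]+global/ {
            seen_c = 0; seen_d = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "compress_depth")   { $(i + 1) = "65535"; seen_c = 1 }
                if ($i == "decompress_depth") { $(i + 1) = "65535"; seen_d = 1 }
            }
            if (!seen_c) $0 = $0 " compress_depth 65535"
            if (!seen_d) $0 = $0 " decompress_depth 65535"
        }
        { print }
    ' "$in" > "$out"
}

# Constructed sample with the relevant kinds of snort.conf lines (not a real config).
sample_conf() {
    cat <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 } unlimited_decompress
EOF
}

if [ $# -eq 0 ]; then
    # Demo: show what changes for a build configured with --enable-zlib only.
    d=$(mktemp -d)
    sample_conf > "$d/snort.conf"
    fixup_conf "$d/snort.conf" "$d/snort.conf.fixed" "--enable-zlib"
    diff "$d/snort.conf" "$d/snort.conf.fixed" || true   # diff exits 1 when files differ
    rm -rf "$d"
else
    fixup_conf "$1" "${2:-$1.fixed}" "${SNORT_CONFIGURE_FLAGS:-}"
fi
```

Pass exactly the flag string you gave ''./configure'': with the full-feature line from the install section the ''ipvar'' and ''normalize_*'' lines are left alone and only the ''http_inspect'' depths change, with ''--enable-zlib'' alone all three rewrites apply. Run ''snort -T'' on the output before replacing the live file.
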
[[http://emergingthreats.net/index.php|Emerging Threats]]

[[http://sourceforge.net/projects/oinkmaster/|oinkmaster]]

[[http://code.google.com/p/pulledpork/|Pulledpork]]

[[http://www.symmetrixtech.com/articles/007-updatingsnortandubuntu.pdf|Updating guide]]

-- Main.FredPettis - 2011-01-10