snortnotes [2013/01/28 04:29] (current) – created - external edit 127.0.0.1
===== Snort Install Notes =====
Have run into too many issues installing from apt-get, so I now just compile all the necessary packages.

Latest version installed: 2.9.2.1 on Ubuntu 10.04

Some required packages:
  * gcc
  * g++
  * bison
  * flex
  * libpcre3
  * libpcre3-dev
  * libpcap-dev (needed to build the pcap module of daq)
  * daq, from http://www.snort.org/snort-downloads (Snort 2.9 reads packets through DAQ, so build and install it before Snort)
  * zlib, from http://www.zlib.net/ (needed for ''--enable-zlib'')
  * libdnet, from http://code.google.com/p/libdnet/
  * kernel headers: ''sudo apt-get install linux-headers-$(uname -r)''

libdnet installs into ''/usr/local/lib'', and ''snort'' will refuse to start with a "cannot open shared object file" error if the runtime linker does not find the library there. The quick fix is to copy it next to the system libraries:
<file>
cp /usr/local/lib/libdnet.1 /usr/lib/
</file>
On Ubuntu ''/usr/local/lib'' is already listed in ''/etc/ld.so.conf.d/libc.conf'', so running ''sudo ldconfig'' after installing libdnet is normally enough and avoids keeping two copies of the library.
In the 2.9 snort.conf the ''ipvar'' keyword is only accepted when Snort was built with IPv6 support, so if you did not pass ''--enable-ipv6'' to ''./configure'', change every ''ipvar'' to ''var''. Likewise the ''preprocessor normalize_ip4'', ''normalize_tcp'' and ''normalize_icmp4'' lines (and their IPv6 counterparts) only parse when Snort was configured with ''--enable-normalizer''; without it, comment them all out.

Compiling and installing. Run ''configure'' and ''make'' as an ordinary user and use ''sudo'' only for the install step; the second configure line enables the features the rest of these notes assume (IPv6 so that ''ipvar'' works, the normalizer, active response):
<file>
./configure --enable-zlib
# or, with the full feature set:
./configure --enable-ipv6 --enable-gre \
--enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
--enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
--enable-normalizer --enable-reload --enable-react --enable-flexresp3

make
sudo make install
</file>
Configuration options, from ''./configure --help''. The list mixes options from several Snort releases; in 2.9.x inline operation is selected at run time through the DAQ module (''--daq nfq'', ''--daq ipfw'', ''--daq afpacket'') rather than with ''--enable-inline'' or ''--enable-ipfw'':
<file>
 --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
 --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
 --enable-64bit-gcc        Try to compile 64bit (only tested on Sparc Solaris 9).
 --enable-maintainer-mode  enable make rules and dependencies not useful
                         (and sometimes confusing) to the casual installer
 --disable-dependency-tracking  speeds up one-time build
 --enable-dependency-tracking   do not reject slow dependency extractors
 --enable-shared[=PKGS]
                         build shared libraries [default=yes]
 --enable-static[=PKGS]
                         build static libraries [default=yes]
 --enable-fast-install[=PKGS]
                         optimize for fast installation [default=yes]
 --disable-libtool-lock  avoid locking (might break parallel builds)
 --enable-debug           Enable debugging options (bugreports and developers only)
 --enable-profile         Enable profiling options (developers only)
 --enable-pthread         Enable pthread support
 --enable-prelude         Enable Prelude Hybrid IDS support
 --enable-sourcefire      Enable Sourcefire specific build options
 --enable-rulestate       Enable seperation of Rule State from Rule definition
 --enable-dynamicplugin   Enable Ability to dynamically load preprocessors, detection engine, and rules lib
 --enable-timestats       Enable TimeStats functionality
 --enable-perfprofiling   Enable preprocessor and rule performance profiling
 --enable-linux-smp-stats Enable statistics reporting through proc
 --enable-inline          Use the libipq interface for inline snort
 --enable-ipfw            Enable ipfw Divert mode for use with inline
 --enable-flexresp        Flexible Responses on hostile connection attempts
 --enable-flexresp2       NEW Flexible Responses on hostile connection attempts
 --enable-react           Intercept and terminate offending HTTP accesses
</file>

To start snort as a daemon:
<file>
sudo snort -c /etc/snort/snort.conf -i eth0 -D
</file>
Root is needed only to open the capture interface. Add ''-u snort -g snort'' (after creating that unprivileged user and giving it write access to ''/var/log/snort/'') so Snort drops privileges once it has initialised, and validate the configuration first by running the same command with ''-T'' in place of ''-D'': in daemon mode parse errors are easy to miss.

===== Paths to Create =====
| ''/etc/snort/'' | Location of Snort configuration files |
| ''/etc/snort/pulledpork/'' | Location of pulledpork scripts and configuration |
| ''/etc/snort/rules/'' | Location of Snort rules |
| ''/scripts/'' | Location of various custom Snort scripts |
| ''/var/log/snort/'' | Snort logging directory |

===== Errors =====
==== Segmentation Fault ====
  * Check ''/usr/local/lib/snort_dynamicpreprocessor/'' for preprocessor libraries left behind by an earlier version; ''make install'' overwrites the ones it ships but does not remove old ones, and loading a stale ''.so'' against the new binary crashes Snort at startup. Clear the directory and re-run ''make install''.
  * Delete the rules and re-download them.
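Two of the failures these notes describe, a libdnet that the runtime linker cannot find and stale preprocessor libraries left in ''snort_dynamicpreprocessor'' by an earlier install, can be caught before Snort is started. The script below is an added example and not part of the original notes; the ''SNORT_BIN'', ''PREPROC_DIR'' and ''CONFIG_STATUS'' defaults and the function names are assumptions made here. It uses the build tree's ''config.status'' (written when ''./configure'' ran) as the time reference: any preprocessor library older than it cannot have come from this build.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-install sanity checks for
# a source-built Snort, covering two failure modes described on this page:
#   1. a shared object (typically libdnet.1) the runtime linker cannot resolve;
#   2. preprocessor libraries in snort_dynamicpreprocessor left behind by an
#      earlier install, which can make the new binary segfault at startup.
# SNORT_BIN, PREPROC_DIR and CONFIG_STATUS are assumed defaults for a
# --prefix=/usr/local build run from the source tree; override via environment.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
PREPROC_DIR=${PREPROC_DIR:-/usr/local/lib/snort_dynamicpreprocessor}
CONFIG_STATUS=${CONFIG_STATUS:-./config.status}

# Print the names of the shared objects that ldd reports as "not found".
# Reads ldd output on stdin, so a saved listing can be checked as well.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print every regular *.so* file under directory $1 that is not newer than
# the reference file $2.  With $2 = the build tree's config.status (written
# when ./configure ran), anything older cannot have come from this build.
stale_preprocessors() {
    [ -d "$1" ] || return 0
    if [ ! -f "$2" ]; then
        echo "reference file $2 not found" >&2
        return 2
    fi
    find "$1" -type f -name '*.so*' ! -newer "$2"
}

# Run both checks against the installed binary; non-zero exit on any finding.
check_install() {
    rc=0
    if [ ! -x "$SNORT_BIN" ]; then
        echo "snort binary not found at $SNORT_BIN" >&2
        return 1
    fi
    missing=$(ldd "$SNORT_BIN" | missing_libs)
    if [ -n "$missing" ]; then
        echo "unresolved shared libraries (run 'sudo ldconfig', or add their directory to /etc/ld.so.conf.d/):" >&2
        echo "$missing" >&2
        rc=1
    fi
    stale=$(stale_preprocessors "$PREPROC_DIR" "$CONFIG_STATUS")
    if [ -n "$stale" ]; then
        echo "preprocessor libraries older than $CONFIG_STATUS (clear $PREPROC_DIR and re-run make install):" >&2
        echo "$stale" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "snort install looks consistent"
    return "$rc"
}

# Only run the checks when invoked as: sh snort_check.sh check
case "${1:-}" in
    check) check_install ;;
esac
```

Run it from the Snort source directory after ''make install'' with ''sh snort_check.sh check''. It exits non-zero and lists the offending files when either check fails; the fix is ''sudo ldconfig'' for the first case, and clearing the preprocessor directory followed by another ''make install'' for the second.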
==== Compression Depth ====
<file>
ERROR: c:\snort\etc\snort.conf(240) => 'compress_depth' and 'decompress_depth' should
be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..
</file>
Open your snort.conf and find the ''http_inspect'' global line (section 5 of the default config):
<file>
# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
</file>
Set ''compress_depth'' and ''decompress_depth'' to 65535 (the maximum) as shown. The error is raised because a server block uses ''unlimited_decompress'' while the global depths are below the maximum, so the fix belongs on the global line even though the message comes from the server configuration.

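The ''ipvar''/''var'' and normalizer adjustments from the build notes above and the depth fix for this error are mechanical edits to snort.conf, so here they are as one script. This is an added example, not part of the original notes: the ''fix_*'' function names, the 0/1 feature-flag arguments and the constructed ''SAMPLE_CONF'' fragment are assumptions made here, and the depth filter assumes the ''http_inspect'' global line is not continued over several lines with a trailing backslash.

```shell
#!/bin/sh
# Added example, not part of the original notes: rewrite a Snort 2.9 snort.conf
# to match the features the binary was built with, and enforce the http_inspect
# depth rule behind the "compress_depth ... unlimited_decompress" fatal error.
# Each fix_* filter reads the config on stdin and writes it to stdout, so they
# can be chained, diffed and tested without touching /etc/snort.
# Function names, the 0/1 feature flags and SAMPLE_CONF are constructed here.

# 'ipvar' is only accepted when Snort has IPv6 support; without it (flag 0)
# every 'ipvar NAME value' becomes 'var NAME value'.
fix_ipvar() {                 # usage: fix_ipvar <have_ipv6: 0|1>
    if [ "$1" = 1 ]; then cat; else sed 's/^ipvar[[:space:]]\{1,\}/var /'; fi
}

# The normalize_* preprocessors only parse when Snort was configured with
# --enable-normalizer; without it (flag 0) comment those lines out.
fix_normalizer() {            # usage: fix_normalizer <have_normalizer: 0|1>
    if [ "$1" = 1 ]; then cat; else sed 's/^\(preprocessor normalize_\)/#\1/'; fi
}

# On the http_inspect global line, force compress_depth and decompress_depth
# to 65535 (the maximum), adding the keywords when they are absent.  The one
# /g substitution also rewrites decompress_depth, since that keyword contains
# the compress_depth pattern.  Server blocks (http_inspect_server) are left alone.
fix_http_depths() {
    sed -e '/^preprocessor http_inspect:[[:space:]]*global/{' \
        -e 's/compress_depth[[:space:]]\{1,\}[0-9]\{1,\}/compress_depth 65535/g' \
        -e '/[[:space:]]compress_depth/!s/$/ compress_depth 65535/' \
        -e '/[[:space:]]decompress_depth/!s/$/ decompress_depth 65535/' \
        -e '}'
}

# Apply all three filters to a file in place, keeping the original as <file>.orig.
fix_snort_conf() {            # usage: fix_snort_conf <snort.conf> <have_ipv6> <have_normalizer>
    conf=$1
    cp "$conf" "$conf.orig" || return 1
    fix_ipvar "${2:-1}" < "$conf.orig" | fix_normalizer "${3:-1}" | fix_http_depths > "$conf"
}

# Constructed fragment of a 2.9 snort.conf used for the demonstration below.
SAMPLE_CONF='ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 1460 decompress_depth 2920
preprocessor stream5_global: track_tcp yes'

# Demonstration: a binary built with the short configure line (no IPv6, no normalizer).
printf '%s\n' "$SAMPLE_CONF" | fix_ipvar 0 | fix_normalizer 0 | fix_http_depths
```

''fix_snort_conf /etc/snort/snort.conf 0 0'' rewrites a config for a binary built with the short configure line, keeps the original as ''snort.conf.orig'', and a ''diff'' of the two files shows exactly what changed; pass ''1 1'' for the full-featured build and only the depth fix is applied.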
Related links:

[[http://emergingthreats.net/index.php|Emerging Threats]] (community rule feed)

[[http://sourceforge.net/projects/oinkmaster/|oinkmaster]] (rule update script)

[[http://code.google.com/p/pulledpork/|Pulledpork]] (rule update script; its files live under ''/etc/snort/pulledpork/'' in the layout above)

[[http://www.symmetrixtech.com/articles/007-updatingsnortandubuntu.pdf|Updating guide]]

-- Main.FredPettis - 2011-01-10