Installing Tools from Source
The installation steps are very straightforward when everything goes right, but bear in mind that it is entirely possible that the Snort compilation will fail at some point, due perhaps to a missing dependency or needed compiler or other program not being installed or referenced properly. If you are starting your process from a bare-bones Linux install, particularly a Linux server instance, you may need to obtain and install additional prerequisite components (again, either through the distribution’s package manager or manually). These instructions are intended (and have been tested) to include everything you need on Ubuntu Linux and comparable distributions, but if a missing dependency does turn up, the usual corrective action is to go back to the package manager and make sure all required packages (including -dev variations where applicable) have been installed.
- Change to the libdnet directory: # cd libdnet-1.12
- Build the library using the standard Linux 3-step series of commands (waiting for each one to finish successfully before starting the next). The prefix specification in the first step makes sure that libdnet ends up in a directory where DAQ and Snort will expect to see it.
- # ./configure –prefix=/usr
- # make
- # make install
- Return to the snorttemp directory with cd .. and change to the DAQ directory: # cd daq-2.0.6
- Build the library using the same 3-step series of commands (waiting for each one to finish successfully before starting the next)
- # ./configure
- # make
- # make install
- Return to the snorttemp directory with cd .. and change to the Snort directory created when you extracted the Snort package: # cd snort-220.127.116.11
- To configure Snort to install, you need to execute the standard source code compilation commands, with a configuration option included that will ensure all of the latest Snort components are installed:
- # ./configure –enable-sourcefire
- # make
- # make install
This process will install Snort by default in the /usr/local/bin directory; if your distribution came with Snort or if you use a package manager to install, the location may actually be different, or you can force it to a different location using the –prefix option with the ./configure command. The easiest way to determine Snort’s location is to use the “whereis” Linux command: # whereis snort
The next step is to set up the configuration directories and move some files from the temporary directory to the new locations. The syntax for move or copy in Linux is to list the source location first, then the destination. Start these steps from within the directory where you have downloaded the Snort packages (e.g., /usr/src/snorttemp).
- # mkdir /etc/snort
- # mkdir /etc/snort/rules
- # mkdir /etc/snort/preproc_rules
- # mkdir /etc/snort/so_rules
- # mkdir /usr/local/lib/snort_dynamicrules
- # mkdir /var/log/snort
- Make sure you are in the temporary directory where you have been working with the Snort installation files: # pwd
- Change to the Snort etc directory created when you extracted the Snort package: # cd snort-18.104.22.168/etc
- Copy the contents of this directory to the Snort subdirectory under the Linux /etc directory: # cp * /etc/snort
- Go back to the temporary directory with cd .. twice, then change to the etc directory created when you extracted the Snort rules package: # cd etc
- Copy the file sid-msg.map to the /etc/snort directory (Snort does not need this file, but Barnyard2 does): # cp sid-msg.map /etc/snort
- Go back to the temporary directory with cd .. twice, then change to the rules directory created when you extracted the Snort rules package: # cd rules
- Copy all files in this directory to /etc/snort/rules: # cp * /etc/snort/rules
- Change to the preprocessor rules directory created when you extracted the Snort package: # cd ../preproc_rules
- Copy all files in this directory to /etc/snort/preproc_rules: # cp * /etc/snort/preproc_rules
- Change to the shared object rules directory created when you extracted the Snort package: # cd ../so_rules
- Unlike the regular VRT rules, shared object rules need to be compiled before they can be used. You have two options here: make and install the shared object rules from source; or execute a Snort routine to perform the installation using the precompiled shared object rules available as part of the Snort rules package. In most cases, using the precompiled rules is the easiest approach. Under the so_rules directory, there is a subdirectory called “precompiled” that contains numerous subdirectories names for different Linux distributions. Find the directory for the most recent version of Ubuntu Linux (there is not a separate set of rules for Ubuntu 14.04, so use the one for 12.04), and then drill down to the right set of rules. In the current release of Snort, there is only one set of precompiled rules for Ubuntu 12.04, so use the rules in the Ubuntu-12-04 directory corresponding to the 22.214.171.124 version of Snort. To get to the precompiled rules you first navigate to the appropriate directory for your processor type (such as i386) and then to the directory for your version of Snort (126.96.36.199).
Note for 64-bit users: if you are running the 64-bit version of Ubuntu Linux, the correct processor type directory should be x86-64 rather than i386.
So now you should be in a subdirectory with a path like: /usr/src/snorttemp/so_rules/precompiled/Ubuntu-12-04/i386/188.8.131.52/. Once you reach this point, copy the rules files in the directory to the snort_dynamicrules directory you created in step 5 above:
- # cp * /usr/local/lib/snort_dynamicrules
- Completing the installation of the shared object rules requires us make some changes to the snort.conf configuration file, and to run Snort with a special option enabled. We’ll finish the shared object rule installation after we edit snort.conf, following the instructions on the page Configuring Snort.
The last thing we need to do is to edit the snort.conf file to make it reflect the environment where your computer is running (see Configuring Snort on Linux instructions). You should make sure that when you edit the file, you are working on the one in /etc/snort and not the one in your temporary source code directory. Also, to be able to use Barnyard2 and BASE effectively, we need to set up MySQL to work with Snort. Installing Barnyard2 requires enough steps to warrant its own set of instructions, which are provided at Setting up Barnyard2.