Any time you are going to be downloading source code, it’s a good idea to settle on a standard place to put it. Many online guides suggest creating a temporary directory under your home directory or even the Linux root folder (something like “/root/temp”), with the assumption that you’ll just delete the downloaded source files once you’re done with them. There’s nothing wrong with this approach, although conventional Unix/Linux wisdom has long held that you should put source files in the /usr/src directory that already exists by default in most Linux distributions. In any case, the first step is to open up a terminal session (also called a “shell”), elevate privileges to root (the steps that follow need administrator privileges), and either create and move to a directory for your downloaded packages or go to the existing src directory.
Now it’s time to get the source files from www.snort.org. There are three things we want to download: the source code for Snort itself, the data acquisition library (DAQ), and the rules files. To get these files, we will use the Linux wget command, which retrieves a file from any location we specify into the current directory. If you prefer, you can instead use the Firefox web browser from the Ubuntu desktop, browse to Snort.org, and download the files using the browser. With this method, the files will be saved to the Desktop directory (/home/<username>/Desktop) or the Downloads directory (/home/<username>/Downloads), and you will need to move them from there to the src directory or whichever location you intend to run the installation commands from. These instructions use the wget approach to bring everything to the working location and to provide a continuous set of instructions using the terminal shell, rather than switching back and forth between the command line and the graphical desktop (if you install Snort on a Linux server instance rather than the desktop version, the command line is the only approach you can use).
Note: If you read over the Snort web site, particularly the Downloads page, you will also find links to various third-party tools that complement Snort, including Barnyard2. Barnyard is a program that receives Snort output in unified2 binary format and writes it to any of a number of target formats and destinations, including a logging database such as MySQL. By taking over the database-writing functions from Snort, Barnyard lets Snort allocate more resources to detection and fewer to logging output, and it is therefore recommended by Sourcefire to maximize Snort performance in terms of processing speed. Separate instructions are provided for installing and setting up Barnyard2.
To know where to tell wget to look, we need to go to Snort.org and find the URLs for the files we want. Please note: two of the three available Snort rulesets (registered and subscriber) require you to be a registered user on Snort.org so you can generate an “oinkcode” to use when downloading and updating rules. There is also a community ruleset that does not require user registration, but it also does not include rules for the most recent vulnerabilities addressed by the Sourcefire team. To generate an oinkcode, log in to Snort.org, click on your username at the top right of the screen, and click on the “Oinkcode” link in the left-hand navigation menu. Bear in mind that an oinkcode is a long string of characters, and that many Linux distributions don’t allow pasting into the command line, so you will want to transcribe it carefully from the web page where it is shown to the command line you are working on.
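As an added example (not from the original guide), the download steps above gathered into one script: it works from /usr/src, reads the oinkcode from a root-only file instead of the command line so the code does not end up in shell history, builds the three download URLs, and compares each tarball against the checksum published beside it on Snort.org before anything is unpacked. The version numbers, checksum values, oinkcode file path and URL patterns are placeholders or assumptions to confirm against the Snort.org Downloads page.

```shell
#!/bin/sh
# Added example, not from the original guide. Fetches the three Snort source
# packages into /usr/src. Version numbers, checksums and the oinkcode file
# path are placeholders/assumptions: copy the current values from Snort.org.
set -eu
SRC_DIR=/usr/src
SNORT_VERSION="2.9.X.Y"            # placeholder, from the Downloads page
DAQ_VERSION="2.0.X"                # placeholder, from the Downloads page
RULES_VERSION="29XY"               # placeholder; snapshot named after the Snort version without dots (assumed)
OINKCODE_FILE=/root/.oinkcode      # assumed: root-only (chmod 600) file holding the oinkcode

# Download URL patterns (assumed; confirm against the links on Snort.org).
snort_url() { echo "https://www.snort.org/downloads/snort/snort-$1.tar.gz"; }
daq_url()   { echo "https://www.snort.org/downloads/snort/daq-$1.tar.gz"; }
rules_url() { echo "https://www.snort.org/rules/snortrules-snapshot-$1.tar.gz?oinkcode=$2"; }
# An oinkcode is a long hex string (40 characters assumed); catch transcription
# errors before the code is sent anywhere.
valid_oinkcode() { printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{40}$'; }

# SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}
# verify_sha256 FILE EXPECTED: true only if the digest matches the published one.
verify_sha256() { [ "$(sha256_of "$1")" = "$2" ]; }

# fetch URL DEST EXPECTED: download, then delete DEST if the digest differs.
fetch() {
    wget -q -O "$2" "$1"
    if ! verify_sha256 "$2" "$3"; then
        rm -f "$2"
        echo "checksum mismatch for $2; file removed" >&2
        return 1
    fi
}

main() {
    cd "$SRC_DIR"
    oinkcode=$(cat "$OINKCODE_FILE")
    valid_oinkcode "$oinkcode" || { echo "oinkcode in $OINKCODE_FILE looks malformed" >&2; exit 1; }
    fetch "$(snort_url "$SNORT_VERSION")" "snort-$SNORT_VERSION.tar.gz" "PLACEHOLDER_SHA256_SNORT"
    fetch "$(daq_url "$DAQ_VERSION")" "daq-$DAQ_VERSION.tar.gz" "PLACEHOLDER_SHA256_DAQ"
    fetch "$(rules_url "$RULES_VERSION" "$oinkcode")" \
          "snortrules-snapshot-$RULES_VERSION.tar.gz" "PLACEHOLDER_SHA256_RULES"
}

# Run main only when invoked as the script itself, so the functions can be sourced.
case "${0##*/}" in fetch_snort_sources.sh) main ;; esac
```

Save it as fetch_snort_sources.sh, fill in the placeholders, and run it as root; a tarball whose digest does not match the published value is deleted rather than left in /usr/src.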
This is all the source code we need to compile Snort and begin configuring it on a Linux system.