Install Snort Rules

Running Snort on Linux

Platform: Intel® PAC, Napatech SmartNIC
Content Type: Application Note
Capture Software Version: Link™ Capture Software 12.7

Before you begin

  • Snort is installed with the prefix /usr/local/snort (see Install Snort).
  • You need root privileges for most of the following steps.

Steps

To install Snort rules, perform the following steps.

Procedure

  1. Expand the Snort rules archive snortrules-snapshot-2990.tar.gz into /usr/local/snort:
    # tar zxvf snortrules-snapshot-2990.tar.gz -C /usr/local/snort
  2. Configure the dynamically loaded libraries. In the /usr/local/snort/etc/snort.conf file, change /usr/local/lib/ to /usr/local/snort/lib/ in all places.
  3. Create the /usr/local/snort/lib/snort_dynamicrules directory and copy the dynamic rules to /usr/local/snort/lib/snort_dynamicrules:
    # cd /usr/local/snort
    # mkdir lib/snort_dynamicrules
    # cp so_rules/precompiled/RHEL-6-0/x86-64/2.9.9.0/* lib/snort_dynamicrules
  4. Create empty /usr/local/snort/rules/white_list.rules and /usr/local/snort/rules/black_list.rules files:
    # touch rules/white_list.rules
    # touch rules/black_list.rules
  5. Test the installation and configuration. You may need to specify an interface in order to run Snort in test mode:
    # /usr/local/snort/bin/snort -T -i eth0 -c /usr/local/snort/etc/snort.conf
    Running in Test mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/usr/local/snort/etc/snort.conf"
    ...
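
Steps 2 through 4 can be scripted so that they are repeatable, with a check to run before the test in step 5. The following is an added example, not part of the original application note; the function names fix_snort_rules and check_snort_rules are illustrative, and the paths default to the ones used above.

```shell
#!/bin/sh
# Added example: steps 2-4 as a function, plus a check to run before step 5.
# Function names are illustrative; paths default to the ones used on this page.

fix_snort_rules() {
    prefix=${1:-/usr/local/snort}
    so_dir=${2:-so_rules/precompiled/RHEL-6-0/x86-64/2.9.9.0}

    # Step 2: repoint the dynamic library paths, keeping snort.conf.bak.
    # Assumes the prefix contains no '|' or '&' (special in this sed expression).
    sed -i.bak "s|/usr/local/lib/|$prefix/lib/|g" "$prefix/etc/snort.conf" || return 1

    # Step 3: copy the precompiled dynamic rules into place.
    mkdir -p "$prefix/lib/snort_dynamicrules" || return 1
    cp "$prefix/$so_dir"/* "$prefix/lib/snort_dynamicrules/" || return 1

    # Step 4: create the empty list files.
    touch "$prefix/rules/white_list.rules" "$prefix/rules/black_list.rules"
}

# Returns the number of problems found (0 means ready for "snort -T").
check_snort_rules() {
    prefix=${1:-/usr/local/snort}
    problems=0
    if grep -q '/usr/local/lib/' "$prefix/etc/snort.conf"; then
        echo "snort.conf still references /usr/local/lib/" >&2
        problems=$((problems + 1))
    fi
    if [ -z "$(ls -A "$prefix/lib/snort_dynamicrules" 2>/dev/null)" ]; then
        echo "no dynamic rules in $prefix/lib/snort_dynamicrules" >&2
        problems=$((problems + 1))
    fi
    for f in white_list.rules black_list.rules; do
        if [ ! -f "$prefix/rules/$f" ]; then
            echo "missing $prefix/rules/$f" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Call fix_snort_rules as root, then check_snort_rules; each problem it finds is printed to standard error and counted in the exit status.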