Before you begin
- Snort is installed with the prefix /usr/local/snort (see Install Snort).
- You need root privileges for most of the following steps.
Steps
To install Snort rules, perform the following steps.
Procedure
- Expand the Snort rules archive snortrules-snapshot-2990.tar.gz into /usr/local/snort:
# tar zxvf snortrules-snapshot-2990.tar.gz -C /usr/local/snort
- Configure dynamically loaded libraries. In the /usr/local/snort/etc/snort.conf file, change every occurrence of /usr/local/lib/ to /usr/local/snort/lib/.
- Create the /usr/local/snort/lib/snort_dynamicrules directory and copy the dynamic rules into it:
# cd /usr/local/snort
# mkdir lib/snort_dynamicrules
# cp so_rules/precompiled/RHEL-6-0/x86-64/2.9.9.0/* lib/snort_dynamicrules
- Create empty /usr/local/snort/rules/white_list.rules and /usr/local/snort/rules/black_list.rules files:
# touch rules/white_list.rules
# touch rules/black_list.rules
- Test the installation and configuration. You may need to specify an interface to run Snort in test mode:
# /usr/local/snort/bin/snort -T -i eth0 -c /usr/local/snort/etc/snort.conf
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/snort/etc/snort.conf"
...
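The procedure above as an added shell script; it is not from this page or the Snort project. It uses the page's paths and commands; SNORT_PREFIX, SNORT_RULES_TARBALL and SNORT_IFACE are hypothetical environment overrides, and check_dynamic_paths is an added verification that the /usr/local/lib/ rewrite left every dynamicengine, dynamicpreprocessor and dynamicdetection line pointing at a path that exists.

```shell
#!/bin/sh
# Added example: the manual steps above as idempotent functions. Paths are the
# page's; SNORT_PREFIX, SNORT_RULES_TARBALL and SNORT_IFACE are assumed knobs.
PREFIX="${SNORT_PREFIX:-/usr/local/snort}"
RULES_TARBALL="${SNORT_RULES_TARBALL:-snortrules-snapshot-2990.tar.gz}"
# Platform-specific: pick the precompiled directory that matches your system.
SO_RULES_SUBDIR="so_rules/precompiled/RHEL-6-0/x86-64/2.9.9.0"

# Count lines in a snort.conf that still reference the old library prefix.
stale_lib_refs() {
    grep -c '/usr/local/lib/' "$1" || true
}

# Step 2: rewrite /usr/local/lib/ to $PREFIX/lib/, keeping a .orig backup.
# Takes the conf path as an argument so it can be exercised on a copy.
fix_lib_paths() {
    cp "$1" "$1.orig"
    sed "s#/usr/local/lib/#$PREFIX/lib/#g" "$1.orig" > "$1"
}

# Sanity check: every dynamicpreprocessor/dynamicengine/dynamicdetection entry
# must resolve to an existing path. Returns the number of missing paths.
check_dynamic_paths() {
    missing=0
    for p in $(awk '$1 ~ /^dynamic(preprocessor|engine|detection)$/ {
                        p = ($2 == "directory") ? $3 : $2; print p }' "$1"); do
        [ -e "$p" ] || { echo "missing: $p" >&2; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Steps 1 and 3 to 5, with the checks the manual procedure leaves implicit.
install_snort_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -f "$RULES_TARBALL" ] || { echo "missing $RULES_TARBALL" >&2; return 1; }
    tar zxvf "$RULES_TARBALL" -C "$PREFIX"
    fix_lib_paths "$PREFIX/etc/snort.conf"
    [ -d "$PREFIX/$SO_RULES_SUBDIR" ] ||
        { echo "no precompiled SO rules at $SO_RULES_SUBDIR" >&2; return 1; }
    mkdir -p "$PREFIX/lib/snort_dynamicrules"
    cp "$PREFIX/$SO_RULES_SUBDIR"/* "$PREFIX/lib/snort_dynamicrules/"
    touch "$PREFIX/rules/white_list.rules" "$PREFIX/rules/black_list.rules"
    check_dynamic_paths "$PREFIX/etc/snort.conf" || return 1
    "$PREFIX/bin/snort" -T -i "${SNORT_IFACE:-eth0}" -c "$PREFIX/etc/snort.conf"
}
# Only touch the live installation when explicitly asked: sh this_script install
if [ "${1:-}" = "install" ]; then
    install_snort_rules
fi
```

Run it as root with the literal argument install; without that argument the file only defines the functions, so it can be sourced to run fix_lib_paths or check_dynamic_paths on a copy of snort.conf first.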