Snort Installation and Configuration

Running Open-Source Libraries and Applications with Napatech SmartNICs

Platform: Napatech SmartNIC
Content Type: Application Note
Capture Software Version: Link™ Capture Software 12.11

Download, install and configure Snort software packages

Before you begin

Make sure that you have completed the following:
  • The Napatech driver and the Napatech libpcap are installed. The default installation directory, /opt/napatech3/, is used in this example. See Before you begin.
  • You have installed the software packages required for building and running libdnet, daq, and Snort, such as pcre and zlib libraries and headers.
  • The snort.conf from the Snort rules package may assume that additional software packages are installed, such as lzma libraries and headers.

About this task

This procedure describes commands to download, install and configure Snort with Napatech support.

Procedure

  1. Download the Snort software packages from https://www.snort.org as shown in the example. You must register and log in to https://www.snort.org to download the registered Snort rules. After that, you have access to the Oinkcode needed to download the registered user rules. See https://www.snort.org/oinkcodes. Replace <oinkcode> in the following command with your code. The -O option saves the rules package under the file name used in step 5, without the query string.
    wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
    wget https://www.snort.org/downloads/snort/snort-2.9.18.tar.gz
    wget -O snortrules-snapshot-29180.tar.gz \
     "https://www.snort.org/rules/snortrules-snapshot-29180.tar.gz?oinkcode=<oinkcode>"
    Note: The version number of the Snort rules package must correspond to the version number of the Snort package.
  2. Install required libraries and development packages as shown in the following command examples.
    yum install -y gcc flex bison zlib pcre libdnet tcpdump
    yum install -y libdnet-devel luajit-devel openssl-devel \
     zlib-devel pcre-devel
  3. To install DAQ, execute the following commands.
    tar zxvf daq-2.0.7.tar.gz
    cd daq-2.0.7
    ./configure --with-libpcap-includes=/opt/napatech3/include/ \
     --with-libpcap-libraries=/opt/napatech3/lib/
    make
    make install
  4. To install Snort with the prefix /usr/local/snort, execute the following commands.
    tar zxvf snort-2.9.18.tar.gz
    cd snort-2.9.18
    ./configure --enable-sourcefire --prefix=/usr/local/snort \
     --with-libpcap-includes=/opt/napatech3/include/ \
     --with-libpcap-libraries=/opt/napatech3/lib/
    make
    make install
    mkdir /var/log/snort
    You can verify the installation with this command.
    /usr/local/snort/bin/snort -V
    
    An output example:
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.18 GRE (Build 169)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.9.0 (with TPACKET_V3)
               Using PCRE version: 8.32 2012-11-30
               Using ZLIB version: 1.2.7
    
  5. Expand the Snort rules package into /usr/local/snort as shown in the following command example.
    tar zxvf snortrules-snapshot-29180.tar.gz -C /usr/local/snort
  6. Configure the dynamically loaded libraries. In the /usr/local/snort/etc/snort.conf file, change /usr/local/lib/ to /usr/local/snort/lib/ in all places.
  7. Create the /usr/local/snort/lib/snort_dynamicrules directory and copy the dynamic rules to /usr/local/snort/lib/snort_dynamicrules.
    cd /usr/local/snort
    mkdir lib/snort_dynamicrules
    cp so_rules/precompiled/RHEL-7/x86-64/2.9.18.0/* \
    lib/snort_dynamicrules/
  8. Create empty /usr/local/snort/rules/white_list.rules and /usr/local/snort/rules/black_list.rules files.
    touch rules/white_list.rules
    touch rules/black_list.rules
  9. Test the installation and configuration. You may need to specify an interface in order to run Snort in test mode.
    /usr/local/snort/bin/snort -T -i eth0 -c \
     /usr/local/snort/etc/snort.conf
    
    An output example:
    Running in Test mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/usr/local/snort/etc/snort.conf"
    ...
            --== Initialization Complete ==--
    
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.18 GRE (Build 169)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
    ...
    Total snort Fixed Memory Cost - MaxRss:793016
    Snort successfully validated the configuration!
    Snort exiting
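
Steps 6 and 8 as a script, with a check of the dynamic library paths that can be run after step 7 and before the test in step 9. This is an added example, not part of the Napatech procedure; the function names, the PREFIX argument and the sample snort.conf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the application note. Function names and the
# PREFIX argument are assumptions; PREFIX is /usr/local/snort in the procedure.

# Step 6: point every /usr/local/lib/ reference in snort.conf at PREFIX/lib/.
# Step 8: create the empty list files. PREFIX must not contain '|' or '&'.
fix_snort_conf() {
    conf="$1/etc/snort.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"   # keep the original
    sed "s|/usr/local/lib/|$1/lib/|g" "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp" || return 2
    mkdir -p "$1/rules" &&
        touch "$1/rules/white_list.rules" "$1/rules/black_list.rules"
}

# Report every dynamic* path in snort.conf that is missing or world-writable.
# Snort loads shared objects from these paths, so both conditions matter.
# Returns 0 when all paths pass, 1 otherwise.
check_dynamic_paths() {
    status=0
    for p in $(awk '$1 ~ /^dynamic(preprocessor|engine|detection)$/ {print $NF}' \
               "$1/etc/snort.conf"); do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; status=1
        elif [ -n "$(find "$p" -prune -perm -0002)" ]; then
            echo "WORLD-WRITABLE $p"; status=1
        fi
    done
    return "$status"
}

# Constructed sample: dynamic* directives modelled on a Snort 2.9 snort.conf,
# plus the library tree that step 4 would have installed under PREFIX.
make_sample() {
    mkdir -p "$1/etc" "$1/lib/snort_dynamicpreprocessor" "$1/lib/snort_dynamicengine"
    : > "$1/lib/snort_dynamicengine/libsf_engine.so"
    cat > "$1/etc/snort.conf" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
EOF
}

# Usage: sh this_script.sh /usr/local/snort
if [ "$#" -gt 0 ]; then fix_snort_conf "$1" && check_dynamic_paths "$1"; fi
```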