Download, install and configure Snort software packages
Before you begin
Make sure that you have completed the following:
- The Napatech driver and the Napatech libpcap are installed. The default installation
directory, /opt/napatech3/ is used in this example. See Before you begin.
- You have installed the software packages required for building and running libdnet, daq,
and Snort, such as pcre and zlib libraries and headers.
- The snort.conf from the Snort rules package may assume that
additional software packages are installed, such as lzma libraries and headers.
About this task
This procedure describes commands to download, install and configure Snort with Napatech
support.
Procedure
- Download the Snort software packages from https://www.snort.org as shown in the following example. You must register
and log in to https://www.snort.org to download the registered Snort rules. After that, you have
access to the Oink code to download the registered user rules. See https://www.snort.org/oinkcodes. Replace <oinkcode> in
the following command with your code. The rules URL is quoted and the saved file is named with -O so that
the query string does not become part of the file name.
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.18.tar.gz
wget -O snortrules-snapshot-29180.tar.gz \
"https://www.snort.org/rules/snortrules-snapshot-29180.tar.gz?oinkcode=<oinkcode>"
Note: The version number of the Snort rules package must correspond to the version number
of the Snort package.
- Install the required libraries and development packages as shown in the following command
examples.
yum install -y gcc flex bison zlib pcre libdnet tcpdump
yum install -y libdnet-devel luajit-devel openssl-devel \
zlib-devel pcre-devel
- To install DAQ, execute the following commands.
tar zxvf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure --with-libpcap-includes=/opt/napatech3/include/ \
--with-libpcap-libraries=/opt/napatech3/lib/
make
make install
- To install Snort with the prefix /usr/local/snort, execute the following commands. The
tarball name must match the file downloaded in the first step.
tar zxvf snort-2.9.18.tar.gz
cd snort-2.9.18
./configure --enable-sourcefire --prefix=/usr/local/snort \
--with-libpcap-includes=/opt/napatech3/include/ \
--with-libpcap-libraries=/opt/napatech3/lib/
make
make install
mkdir /var/log/snort
You can verify the installation with this command.
/usr/local/snort/bin/snort -V
An output example:
,,_ -*> Snort! <*-
o" )~ Version 2.9.18 GRE (Build 169)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.0 (with TPACKET_V3)
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
- Expand the Snort rules package into /usr/local/snort as shown in the following command
example.
tar zxvf snortrules-snapshot-29180.tar.gz -C /usr/local/snort
- Configure the dynamically loaded libraries. In the /usr/local/snort/etc/snort.conf file,
change /usr/local/lib/ to /usr/local/snort/lib/ in all places.
- Create the /usr/local/snort/lib/snort_dynamicrules directory and copy the dynamic rules to
/usr/local/snort/lib/snort_dynamicrules.
cd /usr/local/snort
mkdir lib/snort_dynamicrules
cp so_rules/precompiled/RHEL-7/x86-64/2.9.18.0/* \
lib/snort_dynamicrules/
- Create empty /usr/local/snort/rules/white_list.rules and
/usr/local/snort/rules/black_list.rules files.
touch rules/white_list.rules
touch rules/black_list.rules
- Test the installation and configuration. You may need to specify an interface (eth0 in this
example) to run Snort in test mode.
/usr/local/snort/bin/snort -T -i eth0 -c \
/usr/local/snort/etc/snort.conf
An output example:
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/snort/etc/snort.conf"
...
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.18 GRE (Build 169)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
...
Total snort Fixed Memory Cost - MaxRss:793016
Snort successfully validated the configuration!
Snort exiting
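As an added example (shell code written for this page, not from the Napatech or Snort documentation), the following POSIX shell helpers automate and check the configuration steps above: reading the version from the snort -V banner, checking that the rules snapshot number corresponds to that version, rewriting the library paths in snort.conf, and creating the empty list files. The prefix defaults to /usr/local/snort; the snapshot numbering rule (drop the dots, pad a three-component version with a trailing 0, so 2.9.18 becomes 29180) is an assumption generalised from the single release shown on this page; the snort.conf lines used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Napatech or Snort documentation.
# Helpers that automate and verify the post-install configuration steps.
# Assumptions: prefix defaults to /usr/local/snort; snapshot numbering
# follows the 2.9.18 -> 29180 pattern shown in the procedure.
set -eu

# Print the Snort version (e.g. 2.9.18) from `snort -V` output read on stdin.
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Map a Snort version to the rules snapshot number: a three-component
# version gets a trailing 0 (2.9.18 -> 29180), four components are used
# as-is (2.9.18.1 -> 29181).  Assumed naming rule, see lead-in.
snapshot_version() {
    ver=$1
    digits=$(printf '%s' "$ver" | tr -d '.')
    dots=$(printf '%s' "$ver" | tr -cd '.' | wc -c)
    if [ "$dots" -eq 2 ]; then
        printf '%s0\n' "$digits"
    else
        printf '%s\n' "$digits"
    fi
}

# Succeed only if the rules tarball name corresponds to the Snort version
# (the note in the download step: the two version numbers must match).
rules_match_snort() {
    ver=$1; tarball=$2
    expected="snortrules-snapshot-$(snapshot_version "$ver").tar.gz"
    [ "$(basename "$tarball")" = "$expected" ]
}

# Rewrite /usr/local/lib/ to <prefix>/lib/ everywhere in snort.conf, keep a
# .bak copy, and fail if any old path survives.  Safe to run repeatedly.
# The prefix must not contain '#' or '&' (sed delimiter / replacement chars).
fix_dynamic_paths() {
    conf=$1; prefix=${2:-/usr/local/snort}
    cp "$conf" "$conf.bak" &&
    sed "s#/usr/local/lib/#$prefix/lib/#g" "$conf.bak" > "$conf" &&
    ! grep -q '/usr/local/lib/' "$conf"
}

# Create the empty white/black list files that snort.conf references.
ensure_list_files() {
    prefix=${1:-/usr/local/snort}
    mkdir -p "$prefix/rules" &&
    touch "$prefix/rules/white_list.rules" "$prefix/rules/black_list.rules"
}

# Demo on a constructed snort.conf in a scratch directory (no real install).
demo() {
    work=$(mktemp -d)
    # Constructed sample lines in the shape of the stock snort.conf.
    printf '%s\n' \
        'dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/' \
        'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so' \
        'dynamicdetection directory /usr/local/lib/snort_dynamicrules' \
        > "$work/snort.conf"
    fix_dynamic_paths "$work/snort.conf" "$work"
    ensure_list_files "$work"
    ver=$(printf 'Version 2.9.18 GRE (Build 169)\n' | snort_version_from_banner)
    if rules_match_snort "$ver" snortrules-snapshot-29180.tar.gz; then
        echo "rules snapshot matches Snort $ver"
    fi
    cat "$work/snort.conf"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see the rewritten configuration lines; on a real host, point fix_dynamic_paths at /usr/local/snort/etc/snort.conf and pipe the output of /usr/local/snort/bin/snort -V into snort_version_from_banner before checking the rules tarball. Because the rewrite keeps a .bak copy and refuses to report success while an old path remains, a failed or partial edit is visible instead of surfacing later as a missing dynamic engine at Snort start-up.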