Before you begin
- Snort is installed with the prefix /usr/local/snort (see Install Snort).
- You need root privileges for most of the following steps.
To install Snort rules, perform the following steps.
Expand the Snort rules archive snortrules-snapshot-2990.tar.gz into /usr/local/snort:
# tar zxvf snortrules-snapshot-2990.tar.gz -C /usr/local/snort
Configure the dynamically loaded libraries. In the /usr/local/snort/etc/snort.conf file, change /usr/local/lib/ to /usr/local/snort/lib/ everywhere it occurs.
Create the /usr/local/snort/lib/snort_dynamicrules directory and copy the dynamic rules to /usr/local/snort/lib/snort_dynamicrules:
# cd /usr/local/snort
# mkdir lib/snort_dynamicrules
# cp so_rules/precompiled/RHEL-6-0/x86-64/22.214.171.124/* lib/snort_dynamicrules
Create empty /usr/local/snort/rules/white_list.rules and /usr/local/snort/rules/black_list.rules files:
# touch rules/white_list.rules
# touch rules/black_list.rules
Test the installation and configuration. You may need to specify an interface in order to run Snort in test mode:
# /usr/local/snort/bin/snort -T -i eth0 -c /usr/local/snort/etc/snort.conf
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/snort/etc/snort.conf"
...
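The library-path change and the dynamic rules directory from the steps above can be applied and checked before running Snort in test mode. The script below is an added example, not part of the Snort documentation; the function names are hypothetical, and it assumes the stock dynamicpreprocessor, dynamicengine and dynamicdetection directives of a Snort 2.9 snort.conf.

```shell
#!/bin/sh
# Added example, not from the Snort documentation. Assumes the stock Snort 2.9
# snort.conf directives dynamicpreprocessor, dynamicengine and dynamicdetection.

# Rewrite /usr/local/lib/ to <prefix>/lib/ in a snort.conf, keeping the
# original as <conf>.orig. Prints the number of lines that needed the change.
fix_lib_paths() {
    conf=$1; prefix=${2:-/usr/local/snort}
    n=$(grep -c '/usr/local/lib/' "$conf" || true)
    if [ "$n" -gt 0 ]; then
        cp -p "$conf" "$conf.orig" || return 1
        sed "s|/usr/local/lib/|$prefix/lib/|g" "$conf.orig" > "$conf" || return 1
    fi
    echo "$n"
}

# Print every path named by a dynamic* directive that is missing on disk.
# Returns 0 when all paths exist, 1 otherwise. Commented-out lines are ignored.
missing_dynamic_paths() {
    rc=0
    for p in $(awk '/^[ \t]*dynamic(preprocessor|engine|detection)[ \t]/ {print $NF}' "$1"); do
        [ -e "$p" ] || { echo "$p"; rc=1; }
    done
    return $rc
}

# Constructed sample: a throwaway prefix with a three-line snort.conf.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/lib/snort_dynamicpreprocessor" || return 1
    cat > "$d/etc/snort.conf" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
EOF
    echo "$d"
}

# Run with the argument "demo" to exercise both functions on the sample.
if [ "${1:-}" = demo ]; then
    d=$(make_sample)
    echo "lines rewritten: $(fix_lib_paths "$d/etc/snort.conf" "$d")"
    missing_dynamic_paths "$d/etc/snort.conf" || echo "^ create these before snort -T"
    rm -rf "$d"
fi
```

On a real installation, call fix_lib_paths /usr/local/snort/etc/snort.conf as root and then missing_dynamic_paths on the same file; any path it prints is one that the snort -T test run would fail to load.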