Problem
You want to install Snort from source on a Unix-type operating system.
Solution
To install from source, download it from the Snort web site (http://www.snort.org). Uncompress, unpack, compile, and install by using the following commands:
tar xzf snort-2.2.0.tar.gz
cd snort-2.2.0
./configure
make
And then as root:
make install
Discussion
Installing from source is nearly as easy as installing from precompiled packages, and it works across all Unix platforms. There is also a lot more flexibility in the options you can choose. First of all, you need to download the latest source tar file from snort.org. At this point, if possible, you should ensure that the source has not been meddled with; you can do this by comparing the checksum published on the site against the one your MD5 utility computes for the file you downloaded:
[simon@frodo downloads]$ md5sum snort-2.2.x.tar.gz
6194278217e4e3f733b046256a31f0e6 *snort-2.2.x.tar.gz
The source is a tarred gzip file; to extract it, enter the following at a command prompt:
[simon@frodo downloads]$ gunzip snort-2.2.x.tar.gz
[simon@frodo downloads]$ tar -xvf snort-2.2.x.tar
You'll then see the entire list of filenames scroll past as they are decompressed and extracted. This creates a directory structure under the current directory; in this case, the base directory is ./snort-2.2.0/. Change into this directory. At this point, if you wish to perform an ordinary installation, type the following:
[simon@frodo snort-2.2.x]$ ./configure
This will create the makefile optimized for your architecture. There are a number of options that you can specify to configure. These are listed in Table 1-1. They include options for specifying switches for the compilers as well as for turning on support for certain features.
| Switch | Action |
|---|---|
| --enable-debug | Turn on the debugging options. |
| --with-snmp | Enable SNMP alerting code. |
| --enable-smbalerts | Enable SMB alerting code. |
| --enable-flexresp | Enable the "Flexible Response" code. |
| --with-mysql=DIR | Turn on support for MySQL. |
| --with-odbc=DIR | Turn on support for ODBC databases. |
| --with-postgresql=DIR | Turn on support for PostgreSQL. |
| --with-oracle=DIR | Turn on support for Oracle. |
| --with-openssl=DIR | Turn on support for OpenSSL. |
| --with-libpq-includes=DIR | Set the include directories for PostgreSQL. |
| --with-libpq-libraries=DIR | Set the library directories for PostgreSQL. |
| --with-libpcap-include=DIR | Point the configure script in the right direction for the libpcap include files. |
| --with-libpcap-libraries=DIR | Point the configure script in the right direction for the libpcap library files. |
| --prefix=PATH | Set the install directory to PATH rather than /usr/local. |
| --exec-prefix=PATH | Set the install directory for the executables and libraries to PATH; install all other files in the usual place. |
| --help | Print out all the available options. |
For further information on these switches, you should read through the INSTALL file included in the /doc directory. Also in this file are some of the known issues and fixes for compilation on different Unix operating systems. The configure script may warn you of missing dependencies (other applications or utilities that are required by Snort). Download and install the required files from their respective web sites and rerun the configure command. In the many installations we've done, we can only recall coming across two missing prerequisites. These were libpcap, the library for performing packet capture on Linux systems, available for download from http://www.tcpdump.org, and Perl Compatible Regular Expressions (PCRE), available for download from http://www.pcre.org/.
Then you need to compile it using the make command:
[simon@frodo snort-2.2.0]$ make
Now go and get the hot beverage of your choice. This can take some time, even on a pretty fast machine. There are no test cases to run, so at this point, you need to run the install as root:
[root@frodo snort-2.2.0]# make install
Provided at this point you see no error messages, your installation is complete.
Also ensure that the directory to which Snort writes logfiles exists and is writable by the user that Snort runs as. If Snort can't write its logfiles, it will fail during any attempt to run it.
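The two checks this recipe relies on, the checksum comparison before unpacking and the writable log directory before the first run, as an added example script that is not part of the Snort Cookbook or of Snort itself. The function names, the build_snort wrapper and the MD5 values used in the comments are assumptions of this example; the expected checksum is the one you read from the snort.org download page.

```shell
#!/bin/sh
# Added example, not from the cookbook or the Snort project: guard the
# install steps with the checks the recipe describes.

# md5_of FILE: print the MD5 digest using whichever tool the platform has.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# verify_md5 FILE EXPECTED: 0 if the digest matches EXPECTED, 1 otherwise,
# 2 if no digest tool is available. EXPECTED comes from the download page,
# not from a file sitting next to the tarball on the same mirror.
verify_md5() {
    actual=$(md5_of "$1") || return 2
    [ "$actual" = "$2" ]
}

# check_logdir DIR: 0 if DIR exists and the current user can write to it.
# Run it as the user Snort will run as; Snort fails at startup otherwise.
check_logdir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# build_snort TARBALL EXPECTED_MD5 [PREFIX]: the recipe's unpack, configure
# and make steps, performed only after the checksum passes. The subshell
# keeps the cd local; 'make install' is still run separately as root.
build_snort() {
    tarball=$1; expected=$2; prefix=${3:-/usr/local}
    verify_md5 "$tarball" "$expected" || {
        echo "checksum mismatch or no digest tool: $tarball" >&2
        return 1
    }
    (
        srcdir=$(basename "$tarball" .tar.gz)   # snort-2.2.0.tar.gz -> snort-2.2.0
        tar xzf "$tarball" && cd "$srcdir" && ./configure --prefix="$prefix" && make
    )
}

# Usage (hypothetical values):
#   build_snort snort-2.2.0.tar.gz <md5-from-snort.org> /opt/snort
#   check_logdir /var/log/snort || echo "log directory missing or not writable"
```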
See Also
Recipe 1.6
Recipe 1.2
Recipe 1.3
The INSTALL document in the /doc directory of Snort
http://www.tcpdump.org
http://www.pcre.org/