# snort 2.3.2
# ===========
# Prerequisites:
# gawk
# libpcap
# pcre
# OpenSSL (for the XML output plugin)
# libxml (for the XML output plugin)
# MySQL (for --with-mysql - if you want to use ACID with MySQL)
# PostgreSQL (for --with-postgresql - if you want to use ACID with PostgreSQL)
# Oracle (for --with-oracle - if you want to use ACID with Oracle)
# libnet (for --enable-flexresp)
# Be aware that you may need to re-write your rules if you're upgrading from
# a previous version. See RELEASE.NOTES and doc/* in the source directory
# for changes between versions.
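# Get the 2.3.2 source tarball (re-using the copy saved by a previous run of
# these notes if there is one) and verify it BEFORE anything is unpacked.
cd
rm -f installed/snort-*.tar.*
test -f installed/snort/snort-2.3.2.tar.gz &&
mv installed/snort/snort-2.3.2.tar.gz .
# The download is plain HTTP, so the digest check below is the only thing
# between a tampered mirror/proxy and "make install" as root.
test ! -f snort-2.3.2.tar.gz &&
wget http://www.snort.org/dl/current/snort-2.3.2.tar.gz
# Verify tarball w/ sha1sum:
# (this digest came from my gpg-verified tarball; if snort.org publishes a
# detached signature for the release, checking it with gpg yourself is the
# stronger test -- a digest copied off a web page is only as good as the page)
# NOTE: sha1sum -c wants TWO spaces (or " *") between the digest and the
# file name; with a single space older coreutils report
# "no properly formatted ... checksum lines found" -- that looks like a
# failed check but is really a check that never ran.
# Stop here on a mismatch: nothing after this line should run against an
# unverified tarball.
echo "0171d47eb398e5fffa15f36e4d4787ad55808342  snort-2.3.2.tar.gz" | \
sha1sum -c || { echo "snort-2.3.2.tar.gz: SHA-1 mismatch, aborting" >&2; exit 1; }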
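# Unpack, build and install. The tree is unpacked as root, and GNU tar run
# as root keeps whatever owner/mode the archive carries -- hence the chown.
# Each cd is guarded: "rm -r" and "chown -R ." in the wrong directory would
# be destructive.
cd /usr/local/src || exit 1
# Remove any old snort source tree(s). -maxdepth must come before -type
# (GNU find warns otherwise) and the start directory is given explicitly.
find . -maxdepth 1 -type d -name 'snort-*' -exec rm -r -- {} +
tar xzvf ~/snort-2.3.2.tar.gz
cd snort-2.3.2 || exit 1
chown -R root:root .
# For my own cutting and pasting convenience:
# ./configure --with-mysql=/usr/local/mysql
# Chained so a failed configure or make never reaches "make install".
./configure && make && make install || exit 1
# Keep the verified tarball in a root-only directory so the next run of
# these notes can reuse it instead of downloading again.
cd
mkdir -p -m 0700 installed/snort
rm -f installed/snort/snort-*.tar.*
mv snort-2.3.2.tar.gz installed/snort/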
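# Create the logging directory (root-only: alerts and packet logs are
# sensitive):
mkdir -p -m 0700 /var/log/snort
# Back up your existing ~/.snortrc and /etc/snort.conf (if you have either).
# The file backups are made root-only like the tarball backup below --
# snort.conf may carry output-plugin credentials (e.g. a database password).
# The date stamp is computed once so all three backups share a name even if
# this runs across midnight.
stamp=$(date +%Y%m%d)
test -f ~/.snortrc &&
( mkdir -p -m 0700 ~/backup/snort
cp -p ~/.snortrc ~/backup/snort/snortrc."$stamp"
chmod 600 ~/backup/snort/snortrc."$stamp" )
test -f /etc/snort.conf &&
( mkdir -p -m 0700 ~/backup/snort
cp -p /etc/snort.conf ~/backup/snort/snort.conf."$stamp"
chmod 600 ~/backup/snort/snort.conf."$stamp" )
# Back up your existing /usr/local/etc/snort (if you have one):
test -d /usr/local/etc/snort &&
( mkdir -p -m 0700 ~/backup/snort
tar cjvf ~/backup/snort/snort-"$stamp".tar.bz2 /usr/local/etc/snort
chmod 600 ~/backup/snort/snort-"$stamp".tar.bz2 )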
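# If you don't already have a custom configuration and rules this will
# install the sample configuration and rules that come in the tarball. You
# can also get other rules if you register on snort.org; see below if you
# do that. NOTE: This will wipe out any existing /etc/snort.conf and rules
# (that are in /usr/local/etc/snort).
cd /usr/local/src/snort-2.3.2 || exit 1
mkdir -p /usr/local/etc/snort/rules
# Rewrite the sample config's relative paths to the installed locations.
# The dots are escaped so each pattern matches only the literal file name
# ("../rules" unescaped would match any two characters before "/rules").
# /etc/snort.conf is created with the current umask; the lock-down step
# further down makes it root-only.
sed \
-e 's%\.\./rules%/usr/local/etc/snort/rules%' \
-e 's%classification\.config%/usr/local/etc/snort/classification.config%' \
-e 's%reference\.config%/usr/local/etc/snort/reference.config%' \
-e 's% unicode\.map % /usr/local/etc/snort/unicode.map %' \
etc/snort.conf > /etc/snort.conf
cp -pr rules /usr/local/etc/snort/
cp etc/classification.config etc/reference.config etc/unicode.map \
/usr/local/etc/snort/
# Drop build leftovers from the rules directory. "&&" rather than ";" so a
# failed cd cannot run the rm in the source tree instead.
( cd /usr/local/etc/snort/rules && rm -f Makefile* logsnorter-* )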
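# If you register at https://www.snort.org/pub-bin/register.cgi you can
# sign up to be notified of new "official" rules. You can also subscribe
# to get them five days sooner than everyone else.
#
# If you have the "VRT Certified Rules for Snort v2.3" put the tarball in
# ~ and run this to "install" those rules with the config files that are
# included in it (instead of from the files in the snort tarball).
# NOTE: This will wipe out any existing /etc/snort.conf and rules
# (that are in /usr/local/etc/snort).
# NOTE(review): only the digest check is shown here -- the unpack/install
# commands for the snapshot are not on this page. Follow the README in the
# snapshot (or mirror the Community-rules steps below) after the check
# passes, not before.
cd
# Verify that the tarball is OK. Skipped if the file isn't there (this step
# is optional); a mismatch aborts rather than going on to install it.
# md5sum -c needs two spaces between digest and file name. MD5 is
# collision-prone and a digest copied off a web page only tells you the
# file is the one the page author saw, not where it came from -- treat it
# as a corruption/"file changed" check, not proof of origin.
test -f snortrules-snapshot-2.3.tar.gz && {
echo "3971a94334555ea141ed378903e8f642  snortrules-snapshot-2.3.tar.gz" | \
md5sum -c || { echo "snortrules-snapshot-2.3.tar.gz: MD5 mismatch, aborting" >&2; exit 1; }
}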
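# Grab the "Community" rules. They're not "VRT Certified", so if you can't
# risk false positives and such, don't install these. To use these, uncomment
# the appropriate line(s) from the sample /etc/snort.conf
cd
# Re-use the copy saved by a previous run if there is one. The saved file
# is named Community-Rules.tar.gz (capital R -- see the mv at the end), so
# the test must use the same spelling or it never matches.
test -f installed/snort/Community-Rules.tar.gz &&
mv installed/snort/Community-Rules.tar.gz .
# Plain HTTP again; -N only re-downloads when the server copy is newer.
wget -N http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
# This md5sum may not match up if you're using this to install a version
# of snort other than 2.3. A mismatch aborts instead of unpacking an
# unknown archive as root (two spaces between digest and file name).
# MD5 is collision-prone and the digest is copied off a web page, so this
# is a corruption/"file changed" check, not proof of origin.
echo "39d8250f47a33aaec4712e29c0dcd1d0  Community-Rules.tar.gz" | md5sum -c ||
{ echo "Community-Rules.tar.gz: MD5 mismatch, aborting" >&2; exit 1; }
# Append a commented-out "include" for every .rules file in the archive.
# A non-verbose listing is one path per line, so there is no awk column to
# guess (the verbose listing's field count depends on the tar build/locale).
printf '\n# Community rules:\n' >> /etc/snort.conf
tar tzf Community-Rules.tar.gz | grep '\.rules$' |
sed 's%^rules/%#include $RULE_PATH/%' >> /etc/snort.conf
# Unpack into the config tree. GNU tar strips a leading "/" from member
# names, but this still runs as root, so it is worth running
# "tar tzf Community-Rules.tar.gz" first and looking for anything outside
# rules/ and docs/.
cd /usr/local/etc/snort || exit 1
tar xzvf ~/Community-Rules.tar.gz
chown -R root:root docs rules
mkdir -p -m 0700 ~/installed/snort
mv -f ~/Community-Rules.tar.gz ~/installed/snort/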
# Optional lock-down: make snort's binary, man page, config, rules and logs
# readable/writable by root only. Everything here only changes ownership
# and mode bits. NOTE(review): if you later start snort with its -u/-g
# options to drop privileges after initialization (check "snort -?" for
# your build), that user will need write access to /var/log/snort -- adjust
# the group ownership/mode of the log directory to match.
chown -R root:root \
/etc/snort.conf /usr/local/bin/snort /usr/local/man/man8/snort.8 \
/usr/local/etc/snort /var/log/snort
# rw for root only on the config and man page; rwx for root only on the
# binary; strip every group/other bit from the config and log trees.
chmod 600 /etc/snort.conf /usr/local/man/man8/snort.8
chmod 700 /usr/local/bin/snort
chmod -R go-rwx /usr/local/etc/snort /var/log/snort
# At the very least, in /etc/snort.conf you'll want to change HOME_NET,
# DNS_SERVERS, SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, etc. with values
# that fit your network:
# var HOME_NET [192.168.0.0/24,192.168.1.0/24]
# var DNS_SERVERS [192.168.0.1,192.168.0.3]
# var SMTP_SERVERS 192.168.0.5
# Usage examples:
#
# To run it in daemon mode as a NIDS (network intrusion detection system):
# /usr/local/bin/snort -D -c /etc/snort.conf
# (logs will go to syslog, alerts will be in /var/log/snort/alert)
# Started this way snort stays root for its whole lifetime while parsing
# untrusted traffic. Snort 2.x has -u <user> and -g <group> to drop
# privileges after initialization (check "snort -?" / the manual for your
# build); if you use them, that user needs write access to /var/log/snort.
#
# To run it like a packet sniffer dumping packet headers:
# snort -v
#
# To run it like a packet sniffer dumping headers and packet payloads:
# snort -dv
#
# Display packet headers only to/from 192.168.1.1, setting the home network to
# 192.168.1.0/24 so the -> arrow will point to it for readability:
# snort -h 192.168.1.0/24 -v host 192.168.1.1
#
# Log packet headers and payloads for the whole 192.168.1.0/24 network except
# for 192.168.1.1:
# snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1
#
# To log packets to the /var/log/foo directory:
# snort -l /var/log/foo
#
# After messing with your rules, run this to make sure it'll start up OK in
# daemon mode as a NIDS. It will test (-T) everything, log the results (to
# syslog unless otherwise set), then it will exit.
# /usr/local/bin/snort -T -D -c /etc/snort.conf
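# If you ever need to uninstall snort, back up your files first if you want
# to keep them, then run this. The cd's are guarded because the find/rm
# that follow are destructive in the wrong directory.
cd /usr/local/src/snort-2.3.2 || exit 1
make uninstall
cd .. || exit 1
# -maxdepth before -type (GNU find warns otherwise), explicit start dir.
find . -maxdepth 1 -type d -name 'snort-*' -exec rm -r -- {} +
# Remove the saved tarball(s) and the config. The install steps above park
# the tarball in ~/installed/snort/, so that location is covered as well as
# the flat ~/installed/ one.
rm -f ~/installed/snort-*.tar.* ~/installed/snort/snort-*.tar.* /etc/snort.conf
test -d /usr/local/etc/snort && rm -r /usr/local/etc/snort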