snort - Open source network intrusion detection system ChangeLog


# snort 2.3.2
# ===========
# Prerequisites:
# gawk
# libpcap
# pcre
# OpenSSL (for the XML output plugin)
# libxml (for the XML output plugin)
# MySQL (for --with-mysql - if you want to use ACID with MySQL)
# PostgreSQL (for --with-postgresql - if you want to use ACID with PostgreSQL)
# Oracle (for --with-oracle - if you want to use ACID with Oracle)
# libnet (for --enable-flexresp)

# Be aware that you may need to re-write your rules if you're upgrading from
# a previous version.  See RELEASE.NOTES and doc/* in the source directory
# for changes between versions.

rm -f installed/snort-*.tar.*
test -f installed/snort/snort-2.3.2.tar.gz &&
mv installed/snort/snort-2.3.2.tar.gz .
test ! -f snort-2.3.2.tar.gz &&

# Verify tarball w/ md5sum:
echo "692602827ce9d1a611630149f8e50ec8  snort-2.3.2.tar.gz" | md5sum -c

# Verify tarball w/ sha1sum:
# (this one came from my gpg-verified tarball)
echo "0171d47eb398e5fffa15f36e4d4787ad55808342  snort-2.3.2.tar.gz" | \
sha1sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 1946E4A1 > /dev/null 2>&1 || gpg --recv-keys 1946E4A1 ) &&
wget -nc &&
gpg --verify snort-2.3.2.tar.gz.asc && rm snort-2.3.2.tar.gz.asc

cd /usr/local/src
find -type d -maxdepth 1 -name "snort-*" -exec rm -r {} \;
tar xzvf ~/snort-2.3.2.tar.gz
cd snort-2.3.2
chown -R root:root .

# For my own cutting and pasting convenience:
# ./configure --with-mysql=/usr/local/mysql

make install
mkdir -p -m 0700 installed/snort
rm -f installed/snort/snort-*.tar.*
mv snort-2.3.2.tar.gz installed/snort/

# Create the logging directory:
mkdir -p -m 0700 /var/log/snort

# Back up your existing ~/.snortrc and /etc/snort.conf (if you have either):
test -f .snortrc &&
( mkdir -p -m 0700 ~/backup/snort
   cp .snortrc backup/snort/snortrc.`date +%Y%m%d` )
test -f /etc/snort.conf &&
( mkdir -p -m 0700 ~/backup/snort
   cp /etc/snort.conf backup/snort/snort.conf.`date +%Y%m%d` )

# Back up your existing /usr/local/etc/snort (if you have one):
test -d /usr/local/etc/snort &&
( mkdir -p -m 0700 ~/backup/snort
   tar cjvf ~/backup/snort/snort-`date +%Y%m%d`.tar.bz2 /usr/local/etc/snort
   chmod 600 ~/backup/snort/snort-`date +%Y%m%d`.tar.bz2 )

# If you don't already have a custom configuration and rules this will
# install the sample configuration and rules that come in the tarball.  You
# can also get other rules if you register on  See below if you
# do that.  NOTE: This will wipe out any existing /etc/snort.conf and rules
# (that are in /usr/local/etc/snort).
cd /usr/local/src/snort-2.3.2
mkdir -p /usr/local/etc/snort/rules
cat etc/snort.conf | \
sed \
-e 's%../rules%/usr/local/etc/snort/rules%' \
-e 's%classification.config%/usr/local/etc/snort/classification.config%' \
-e 's%reference.config%/usr/local/etc/snort/reference.config%' \
-e 's% % /usr/local/etc/snort/ %' \
> /etc/snort.conf
cp -pr rules /usr/local/etc/snort/
cp etc/classification.config etc/reference.config etc/ \
( cd /usr/local/etc/snort/rules ; rm -f Makefile* logsnorter-* )

# If you register at you can
# sign up to be notified of new "official" rules.  You can also subscribe
# to get them five days sooner than everyone else.
# If you have the "VRT Certified Rules for Snort v2.3" put the tarball in
# ~ and run this to "install" those rules with the config files that are
# included in it (instead of from the files in the snort tarball).
# NOTE: This will wipe out any existing /etc/snort.conf and rules
# (that are in /usr/local/etc/snort).


# Verify that the tarball is OK:
echo "3971a94334555ea141ed378903e8f642  snortrules-snapshot-2.3.tar.gz" | \
md5sum -c

mkdir -p /usr/local/etc/snort
cd /usr/local/etc/snort
tar xzvf ~/snortrules-snapshot-2.3.tar.gz
mv rules/*.config rules/ .
cat rules/snort.conf | \
sed \
-e 's%../rules%/usr/local/etc/snort/rules%' \
-e 's%classification.config%/usr/local/etc/snort/classification.config%' \
-e 's%reference.config%/usr/local/etc/snort/reference.config%' \
-e 's% % /usr/local/etc/snort/ %' \
> /etc/snort.conf
chown -R root:root .
rm -f ~/installed/snort/snortrules-snapshot-*.tar.*
mv ~/snortrules-snapshot-2.3.tar.gz ~/installed/snort/

# Grab the "Community" rules.  They're not "VRT Certified", so if you can't
# risk false positives and such, don't install these.  To use these, uncomment
# the appropriate line(s) from the sample /etc/snort.conf

test -f installed/snort/Community-rules.tar.gz &&
mv installed/snort/Community-rules.tar.gz .
wget -N\

# This md5sum may not match up if you're using this to install a version
# of snort other than 2.3
echo "39d8250f47a33aaec4712e29c0dcd1d0  Community-Rules.tar.gz" | md5sum -c

echo -e "\n# Community rules:" >> /etc/snort.conf
tar tzvf Community-Rules.tar.gz | egrep "\.rules$" | awk '{ print $6 }' |
sed 's%^rules/%#include \$RULE_PATH/%' >> /etc/snort.conf
cd /usr/local/etc/snort
tar xzvf ~/Community-Rules.tar.gz
chown -R root:root docs rules
mkdir -p -m 0700 ~/installed/snort
mv -f ~/Community-Rules.tar.gz ~/installed/snort/

# If you want to prevent anyone but root from reading/writing snort's binary,
# man page, rc file, rules files, and logs, run this:
chown root:root /etc/snort.conf /usr/local/bin/snort \
chown -R root:root /usr/local/etc/snort /var/log/snort
chmod 600 /etc/snort.conf /usr/local/man/man8/snort.8
chmod 700 /usr/local/bin/snort
chmod -R go-rwx /usr/local/etc/snort /var/log/snort

# At the very least, in /etc/snort.conf you'll want to change HOME_NET,
# that fit your network:
# var HOME_NET [,]
# var DNS_SERVERS [,]

# Usage examples:
# To run it in daemon mode as a NIDS (network intrusion detection system):
# /usr/local/bin/snort -D -c /etc/snort.conf
# (logs will go to syslog, alerts will be in /var/log/snort/alert)
# To run it like a packet sniffer dumping packet headers:
# snort -v
# To run it like a packet sniffer dumping headers and packet payloads:
# snort -dv
# Display packet headers only to/from, setting the home network to
# so the -> arrow will point to it for readability:
# snort -h -v host
# Log packet headers and payloads for the whole network except
# for
# snort -h -d -v net 192.168.1 and not host
# To log packets to the /var/log/foo directory:
# snort -l /var/log/foo
# After messing with your rules, run this to make sure it'll start up OK in
# daemon mode as a NIDS.  It will test (-T) everything, log the results (to
# syslog unless otherwise set), then it will exit.
# /usr/local/bin/snort -T -D -c /etc/snort.conf

# If you ever need to uninstall snort, back up your files first if you want
# to keep them, then run this:
cd /usr/local/src/snort-2.3.2
make uninstall
cd ..
find -type d -maxdepth 1 -name "snort-*" -exec rm -r {} \;
rm -f ~/installed/snort-*.tar.* /etc/snort.conf
test -d /usr/local/etc/snort && rm -r /usr/local/etc/snort

List of HOWTOs

Web page itself last updated: 2023-12-20 8:06pm (EST -0500)
HOWTO last updated: 2005-04-06 2:41pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.