Compiling snort 2.9.0
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger, or a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released; in this version some things about compiling have slightly changed: libdnet and the Data AcQuisition library (DAQ) must now be compiled separately. In this post I’m only going to illustrate how to compile and install Snort 2.9.0 from the source code.
Installation tested on Ubuntu Server 10.04 32-bit
Data AcQuisition library
apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev
wget --no-check-certificate http://www.snort.org/downloads/263
tar xvfz 263
cd daq-0.2/
./configure
make
checkinstall
dpkg -i daq_0.2-1_i386.deb
Libdnet
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Snort
apt-get install libpcre3-dev libmysqlclient15-dev
wget --no-check-certificate http://www.snort.org/downloads/269
tar xvfz 269
cd snort-2.9.0
./configure --with-mysql --enable-build-dynamic-examples --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib
make
checkinstall
dpkg -i snort_2.9.0-1_i386.deb
ldconfig
At this point you need to configure the snort.conf file according to your environment.
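A pre-flight check for the DAQ step, added here as an example that is not part of the original post (the function names are mine): it reproduces the kind of libpcap >= 1.0.0 test that DAQ's ./configure performs by linking against pcap_lib_version(), so you learn which libpcap is really installed instead of guessing from the Debian package name, which tracks the library soname (libpcap0.8) rather than the upstream release.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the installed libpcap
# satisfies the ">= 1.0.0" requirement DAQ's ./configure enforces, before
# building daq-0.2. version_ge and pcap_version_from_banner work offline;
# check_installed_pcap additionally needs a C compiler and the libpcap headers.

# Return 0 when dotted version $1 is >= dotted version $2. Fields are compared
# numerically; a non-numeric suffix such as "-PRE-GIT" is ignored.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        [ -z "$fa" ] && fa=0
        [ -z "$fb" ] && fb=0
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Pull the dotted version out of the string pcap_lib_version() returns,
# e.g. "libpcap version 1.1.1" -> "1.1.1" (the string DAQ's configure parses).
pcap_version_from_banner() {
    v=${1#*version }
    printf '%s\n' "${v%% *}"
}

# Compile a one-line probe against the installed libpcap and report whether
# DAQ will accept it. Exit status 1 means ./configure in daq-0.2/ would fail too.
check_installed_pcap() {
    tmp=${TMPDIR:-/tmp}/pcapver.$$
    printf '#include <pcap.h>\n#include <stdio.h>\nint main(void){puts(pcap_lib_version());return 0;}\n' > "$tmp.c"
    if ! cc "$tmp.c" -o "$tmp" -lpcap 2>/dev/null; then
        echo "no usable libpcap headers/library: install a libpcap dev package first"
        rm -f "$tmp.c"; return 1
    fi
    banner=$("$tmp"); rm -f "$tmp" "$tmp.c"
    ver=$(pcap_version_from_banner "$banner")
    if version_ge "$ver" 1.0.0; then
        echo "libpcap $ver found: OK for DAQ/Snort 2.9.0"
    else
        echo "libpcap $ver found: too old, Snort 2.9.0 needs >= 1.0.0"; return 1
    fi
}
```

Source the file and run check_installed_pcap before ./configure in daq-0.2/; a non-zero exit tells you to fix libpcap first rather than chasing the "Libpcap library version >= 1.0.0 not found" error afterwards.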
Main features introduced in 2.9.0:
* Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
* Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.
* Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
* A new rule option ‘byte_extract’ that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
* Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
* Ability to “test” drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
* Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
* Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
* Added a new pattern matcher that supports Intel’s Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort’s integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.
* Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.
07/10/2010 at 7:30 pm
Trying to follow your directions, in compiling the DAQ:
checking for pcap_lib_version… checking for pcap_lib_version in -lpcap… no
ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org
How is it possible that you installed using the libpcap0.8?
07/10/2010 at 8:48 pm
Hi, I have been trying to get Snort installed with no luck.
Whenever I run the ./configure command, I end up with an error stating “dnet library not found”.
I have followed your instructions above but still no luck.
Can you help with this?
08/10/2010 at 8:07 am
@Debian
@Philip
Are you compiling on Ubuntu server 10.04 ?
13/10/2010 at 2:51 pm
I don’t know if this is a dumb question or not… but… how do I get the /etc/snort folder to appear? Whenever I compile from source this folder is absent. It is put there when I install from the Ubuntu software repositories though. Just wondering how to get the snort.conf file and all of the other map files and such. Thanks
14/10/2010 at 3:21 am
@pbailey
I am compiling on 10.04 via your instructions and am getting: ERROR! dnet library not found, go get it from http://…
Any thoughts?
14/10/2010 at 11:21 am
@Nick
Hello,
When you decompress the snort archive, inside the snort-2.9.0 folder you can find the /etc folder, and you can use all the config files located in it.
Bye.
04/11/2010 at 4:24 am
Hi Philip,
Note: I’m trying to install Snort 2.9.0.1 on CentOS 2.6.18-128.el5
1) After executing ./configure, I got this error message:
‘Error! “dnet header not found.”’
2) So I downloaded libdnet_1.12 and ran ./configure && make. However, the following error message appeared:
configure: error: C++ preprocessor “lib/cpp” fails on sanity check
Pls advise
Thanx
27/11/2010 at 11:22 am
try
apt-get install gcc
and compile libdnet once again.
BR
10/03/2011 at 8:20 pm
Hi,
please, I need help.
I would like to install snort.
I found a problem in the installation of “daq”; the message is:
checking for libpcap version >= “1.0.0″… no
ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org
I installed version 1.0.0 of libpcap,
but I get the same problem.
Please help me.
thanks
26/07/2011 at 8:19 pm
After installing Snort-2.9.0.5 on CentOS 5.6, I got an error:
“pcap DAQ configured to passive”
Acquiring network traffic from “eth0”
Segmentation fault
Any help will be appreciated, as I spent all week installing Snort (new to Snort and Linux).
Thanks,
Sarbhika
09/11/2011 at 5:35 am
Hi everybody,
I am having the same problem as jawhar.
Any solution for this?