
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full blown network intrusion detection/prevention system.

A few days ago a new version of Snort was released. In this version some things about compiling have slightly changed: libdnet and the Data AcQuisition library (DAQ) must now be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0.3 with inline mode capabilities. Tested on Ubuntu Server 10.04 32bit.
Release Notes:
2010-12-20 – Snort 2.9.0.3
[*] Improvements
* Fixed an issue where “uricontent” didn’t behave correctly with
“depth”, “offset”, “distance”, and “within” modifiers.
* Fixed overlapping flags in the Shared Object rule API.
* Improved error checking for invalid combinations of “depth”, “offset”,
“distance”, and “within” modifiers in rules. Rules that mix relative
and non-relative options on the same content will now cause errors.
* Updated the documentation to fix some inconsistencies.
Install the build dependencies first. libnetfilter-queue-dev and iptables-dev are the ones the NFQ and IPQ DAQ modules need; if they are missing, the DAQ configure script simply leaves those modules out, and inline mode with iptables will not be available:
apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev
Build and install libdnet, using checkinstall to produce a .deb so the package manager keeps track of the files:
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Next, build and install the DAQ library:
wget http://www.snort.org/downloads/630
tar xvfz 630
cd daq-0.5/
./configure
The summary at the end of the configure output should show every DAQ module being built. NFQ and IPQ are the ones inline mode uses with iptables, and they only show "yes" when libnetfilter-queue-dev and iptables-dev were installed beforehand:
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
make
checkinstall
dpkg -i /root/daq-0.5/daq_0.5-1_i386.deb
Finally, build and install Snort itself:
wget http://www.snort.org/downloads/637
tar xvfz 637
cd snort-2.9.0.3/
./configure --with-mysql --enable-build-dynamic-examples --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib --enable-active-response --enable-react --enable-flexresp3
make
checkinstall
dpkg -i /root/snort-2.9.0.3/snort_2.9.0.3-1_i386.deb
Run ldconfig so the newly installed shared libraries are found, then verify the installed version:
ldconfig
snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.3 GRE (Build 98)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3.3
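As an added example that is not part of the original post, here is a small POSIX shell script that checks the result of the build above: it parses the DAQ configure summary to confirm the NFQ module was built, and parses the `snort -V` banner to confirm the expected version. It assumes the DAQ configure output was saved with `./configure | tee daq-configure.log` in the daq-0.5 directory (that tee is an assumption of this script, not a step from the post). The sample summary and banner text embedded in it are constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a Snort 2.9.0.3
# build intended for inline mode. The parsing functions take their input text
# as an argument so they can run on the constructed samples below; check_build
# applies them to a real install.

# daq_inline_ready SUMMARY_TEXT
# Succeeds if the DAQ ./configure summary reports the NFQ module being built.
# NFQ is the module inline mode uses with iptables NFQUEUE; configure only
# enables it when libnetfilter-queue-dev was present.
daq_inline_ready() {
    printf '%s\n' "$1" | grep -q '^Build NFQ DAQ module[. ]*: yes$'
}

# daq_missing_modules SUMMARY_TEXT
# Prints the name of every DAQ module that configure decided not to build.
daq_missing_modules() {
    printf '%s\n' "$1" | sed -n 's/^Build \(.*\) DAQ module[. ]*: no$/\1/p'
}

# snort_version_of VERSION_OUTPUT
# Extracts the version number from `snort -V` output (the "Version x.y.z.w"
# line); prints nothing if no such line is present.
snort_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_build CONFIGURE_LOG
# Real check against an installed system. CONFIGURE_LOG is assumed to hold the
# output of `./configure | tee daq-configure.log` run in daq-0.5/ (that tee is
# an assumption of this script, not a step from the post).
check_build() {
    summary=$(cat "$1") || return 1
    if ! daq_inline_ready "$summary"; then
        echo "DAQ was built without NFQ; inline mode via NFQUEUE will not work." >&2
        echo "DAQ modules not built: $(daq_missing_modules "$summary" | tr '\n' ' ')" >&2
        return 1
    fi
    got=$(snort_version_of "$(snort -V 2>&1)")
    if [ "$got" != "2.9.0.3" ]; then
        echo "unexpected snort version: '$got'" >&2
        return 1
    fi
    echo "OK: snort $got installed, NFQ DAQ module built"
}

# Constructed samples (not captured from a real run) in the format of the
# configure summary and the `snort -V` banner shown in the post.
SAMPLE_DAQ_SUMMARY_GOOD='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes'

# What you get when libnetfilter-queue-dev was missing at configure time.
SAMPLE_DAQ_SUMMARY_BAD='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes'

SAMPLE_SNORT_V='Version 2.9.0.3 GRE (Build 98)
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.0.0'

# Run the real check only when a configure log is given, so the file can be
# sourced for its functions without side effects.
if [ $# -ge 1 ]; then
    check_build "$1"
fi
```

Run it as `sh check-snort-build.sh daq-0.5/daq-configure.log` once the install is done; without an argument it only defines the functions. The NFQ check is the one that matters for this build: Snort 2.9 runs inline with `snort -Q --daq nfq ...`, which is only possible when that DAQ module was compiled in, and a missing -dev package at configure time is the usual reason it is not.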