Compiling snort 2.9.0.3 on Ubuntu

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released, and in this version some things about compiling have slightly changed: libdnet and the Data AcQuisition library (DAQ) must now be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0.3 with inline-mode capabilities. Tested on Ubuntu Server 10.04 32bit.
Release Notes:
2010-12-20 – Snort 2.9.0.3
[*] Improvements
* Fixed an issue where “uricontent” didn’t behave correctly with
“depth”, “offset”, “distance”, and “within” modifiers.
* Fixed overlapping flags in the Shared Object rule API.
* Improved error checking for invalid combinations of “depth”, “offset”,
“distance”, and “within” modifiers in rules. Rules that mix relative
and non-relative options on the same content will now cause errors.
* Updated the documentation to fix some inconsistencies.
apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
wget http://www.snort.org/downloads/630
tar xvfz 630
cd daq-0.5/
./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
make
checkinstall
dpkg -i /root/daq-0.5/daq_0.5-1_i386.deb
wget http://www.snort.org/downloads/637
tar xvfz 637
cd snort-2.9.0.3/
./configure --with-mysql --enable-build-dynamic-examples --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib --enable-active-response --enable-react --enable-flexresp3
make
checkinstall
dpkg -i /root/snort-2.9.0.3/snort_2.9.0.3-1_i386.deb
ldconfig
snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.3 GRE (Build 98)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3.3
21/12/2010 at 5:51 pm Permalink
Hi,
When I ran ./configure (snort) I got the following:
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
I’m using Ubuntu 10.10 64bit. I’m not sure what caused this. (I followed the exact steps described)
Thanks
29/12/2010 at 8:58 am Permalink
Same here on Obi-Wanti 10.10 32-Bit … figured this has to do with libs not being there
From : http://hpux.connect.org.uk/hppd/hpux/Networking/Misc/daq-0.2/readme.html
(untested so far however, please let me know when you do)
Also, libdnet is required for IPQ and NFQ DAQs. If you get a relocation error
trying to build those DAQs, you may need to reinstall libdnet and configure it
with something like this:
./configure "CFLAGS=-fPIC -g -O2"
30/12/2010 at 5:57 pm Permalink
I’m having a segfault when I pass the snort.conf file…
Tested on debian squeeze.
snort[1912]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
snort[1912]: alert_fragments: INACTIVE
snort[1912]: alert_large_fragments: INACTIVE
snort[1912]: alert_incomplete: INACTIVE
snort[1912]: alert_multiple_requests: INACTIVE
kernel: [ 758.457112] snort_inline[1912]: segfault at 76ea0d00 ip 08cd300e sp bfdb1690 error 4
12/01/2011 at 8:41 pm Permalink
Building the DAQ Library and DAQ Modules
========================================
The DAQ is bundled with Snort but must be built first using these steps:
./configure
make
sudo make install
This will build and install both static and dynamic DAQ modules.
Note that pcap >= 1.0.0 is required. pcap 1.1.1 is available at the time
of this writing and is recommended.
Also, libdnet is required for IPQ and NFQ DAQs. If you get a relocation error
trying to build those DAQs, you may need to reinstall libdnet and configure it
with something like this:
./configure "CFLAGS=-fPIC -g -O2"
09/05/2011 at 9:49 pm Permalink
To get NFQ to show as yes, apt-get install libnetfilter-queue-dev
Greg
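The DAQ ./configure summary shown in the post and in the comments above decides whether the inline-capable modules (IPQ and NFQ) are available, and the DAQ README excerpt quoted above states the pcap >= 1.0.0 requirement that the `snort -V` banner lets you verify. The script below is an added example, not part of the original post or of the Snort/DAQ projects: it parses a constructed copy of that configure summary and of the `snort -V` banner, reports which modules failed to build together with the dependency this page names for each, and checks the reported libpcap version against the README's minimum. The function names and the module-to-package hint table are my own; the hints only repeat what the post's apt-get line and the comments say.

```shell
#!/bin/sh
# Added example (not from the post or the Snort/DAQ projects): check the
# DAQ ./configure summary and the `snort -V` banner for the things this
# page says must be right before inline mode works.

# Constructed sample of the summary that daq-0.5's ./configure prints.
SAMPLE_CONFIGURE_OUTPUT='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes'

# Constructed sample of the relevant `snort -V` banner line.
SAMPLE_SNORT_BANNER='Using libpcap version 1.0.0'

# Read configure output on stdin; print the names of modules marked "no",
# one per line. Keys only on the module name and the trailing yes/no, so
# the varying number of dots does not matter.
daq_missing_modules() {
    sed -n 's/^Build \([A-Za-z]*\) DAQ module[. ]*: *no$/\1/p'
}

# Dependency this page names for each module (hint table is my own).
daq_hint() {
    case "$1" in
        NFQ) echo "libnetfilter-queue-dev, and libdnet rebuilt with CFLAGS=-fPIC" ;;
        IPQ) echo "iptables-dev (from the post's apt-get line), and libdnet rebuilt with CFLAGS=-fPIC" ;;
        PCAP|AFPacket|Dump) echo "libpcap0.8-dev (pcap >= 1.0.0)" ;;
        *)   echo "no hint recorded on this page" ;;
    esac
}

# Read configure output on stdin; report every missing module and return
# 1 if either inline-capable module (IPQ or NFQ) did not build, so a build
# script can stop before compiling Snort without inline support.
check_inline_daq() {
    status=0
    for m in $(daq_missing_modules); do
        echo "DAQ module $m did not build: install $(daq_hint "$m") and re-run ./configure"
        case "$m" in IPQ|NFQ) status=1 ;; esac
    done
    return $status
}

# Return 0 if dotted version $1 is >= dotted version $2 (POSIX sh, no sort -V).
version_ge() {
    have=$1; want=$2
    oldifs=$IFS; IFS=.
    set -- $have 0 0; h1=$1; h2=$2; h3=$3
    set -- $want 0 0; w1=$1; w2=$2; w3=$3
    IFS=$oldifs
    if [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ]; return; fi
    if [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ]; return; fi
    [ "$h3" -ge "$w3" ]
}

# Read `snort -V` output on stdin; print the libpcap version it reports.
snort_libpcap_version() {
    sed -n 's/^Using libpcap version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the libpcap Snort was built against meets the DAQ README's
# pcap >= 1.0.0 requirement, 1 if the banner is missing or too old.
pcap_ok() {
    v=$(snort_libpcap_version)
    [ -n "$v" ] && version_ge "$v" 1.0.0
}

# Usage on a real build (snort prints its banner on stderr):
#   ./configure 2>&1 | tee configure.log | check_inline_daq
#   snort -V 2>&1 | pcap_ok
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONFIGURE_OUTPUT" | check_inline_daq
    printf '%s\n' "$SAMPLE_SNORT_BANNER" | pcap_ok && echo "libpcap version satisfies >= 1.0.0"
fi
```

Run it with `--demo` to see the report for the constructed sample, which reproduces the "no" results from the first comment; on a real box, pipe the actual configure output and `snort -V` banner in as shown in the usage comment.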
24/05/2011 at 7:50 am Permalink
hi,
I got this error:
snort-2.9.0.3# checkinstall
…
ranlib: could not create temporary file whilst writing archive: No more archived files
…
make[1]: Leaving directory `/usr/src/snort-2.9.0.3/src'
make: *** [install-recursive] Error 1
You can fix this issue with ‘make install’ before a checkinstall.
Best regards!
25/10/2011 at 5:58 am Permalink
hi S4a,
I had a same problem as you do. But I fixed it.
I think you should use "sudo checkinstall" instead of "checkinstall".
I hope it helps.