How to compile and install Snort from source code on Ubuntu


    http://www.tuicool.com/articles/v6j2Ab



    Snort is by far the most popular open-source network intrusion detection and prevention system (IDS/IPS) for Linux. Snort can conduct detailed traffic analysis, including protocol analysis, packet content searching and matching, all in real-time. The latest Snort rule sets are available for download either for free or with a paid subscription.

    You can install Snort from its source code or from binary rpm/deb packages on Linux. There are several reasons why you might want to build Snort from source rather than install it from Linux packages. For example, you may want the latest version of Snort, which may not yet be available in your distro's repositories. You may also want to customize the Snort binary (e.g., plug in a custom DAQ module, or link against a particular version of the libpcap library).

    In this tutorial, I will describe how to compile and install Snort from source code.

    Compile and Install Snort and Its Dependencies

    First, install prerequisites for compiling Snort.
    $ sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

    Next, build and install libdnet from its source code. The "-fPIC" C flag is necessary if you compile it on a 64-bit platform.
    $ wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
    $ tar xvfz libdnet-1.12.tgz
    $ cd libdnet-1.12
    $ ./configure "CFLAGS=-fPIC"
    $ make
    $ sudo checkinstall

    The checkinstall command above builds a .deb package and, while doing so, asks you several questions. You can accept the default values.

    Install the .deb package, and create a symbolic link where Snort looks for libdnet.
    $ sudo dpkg -i libdnet_1.12-1_amd64.deb
    $ sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

    Next, build and install the DAQ (Data Acquisition) library. DAQ is an abstraction layer for packet I/O that lets you plug different DAQ modules into Snort, supporting different hardware/software packet I/O interfaces without changing Snort itself. DAQ source code is available from here.
    $ tar xvfz daq-2.0.0.tar.gz
    $ cd daq-2.0.0
    $ ./configure
    $ make
    $ sudo checkinstall
    $ sudo dpkg -i daq_2.0.0-1_amd64.deb

    Next, compile and install Snort itself. Snort source code is available here.
    $ tar xvfz snort-2.9.5.tar.gz
    $ cd snort-2.9.5
    $ ./configure
    $ make
    $ sudo checkinstall
    $ sudo dpkg -i snort_2.9.5-1_amd64.deb
    $ sudo ln -s /usr/local/bin/snort /usr/sbin/snort

    Finally, run the ldconfig command so that the dynamic linker's run-time bindings for the libdnet and DAQ libraries are set up properly.
    $ sudo ldconfig -v

    After this, verify that Snort is installed successfully.
    $ snort -V

    ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.5 GRE (Build 103)
       ''''    By Martin Roesch & The Snort Team:
    http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.3.0
               Using PCRE version: 8.31 2012-07-06
               Using ZLIB version: 1.2.7

    Configure Snort and Download Snort Rule Sets

    After installation, go ahead and configure Snort as follows.

    For security reasons, it is recommended to create a separate Linux user that Snort will run as.
    $ sudo groupadd snort
    $ sudo useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort

    Create a log directory for Snort.
    $ sudo mkdir /var/log/snort
    $ sudo chown snort:snort /var/log/snort

    Download the Snort rule sets. A registered-user release can be downloaded for free. After downloading, install and configure the Snort rules as follows.
    $ sudo mkdir /etc/snort
    $ sudo tar xvfz snortrules-snapshot-2950.tar.gz -C /etc/snort
    $ sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
    $ sudo mkdir /usr/local/lib/snort_dynamicrules
    $ sudo chown -R snort:snort /etc/snort/*
    $ sudo mv /etc/snort/etc/* /etc/snort

    Edit the default Snort configuration file so that it points to the correct rule set directories. Also define HOME_NET, which is the network that Snort protects.
    $ sudo vi /etc/snort/snort.conf

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules
    ipvar HOME_NET 192.168.1.0/24
    ipvar EXTERNAL_NET !$HOME_NET
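    As an added example (not part of the original tutorial), the POSIX shell script below reads the var/ipvar settings above from a snort.conf and checks, before you run the self-test, that every *_PATH directory exists, that HOME_NET is a concrete network rather than "any", and that EXTERNAL_NET is !$HOME_NET. The directory tree and configuration it builds with make_demo_conf are constructed demo data; pass /etc/snort/snort.conf as the argument to check a real installation.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check a snort.conf's
# var/ipvar settings before "snort -T"; the demo tree is constructed data.

# Print the value of "var NAME value" / "ipvar NAME value" for NAME=$2 in file $1.
snort_var() {
    awk -v n="$2" '($1 == "var" || $1 == "ipvar") && $2 == n { print $3; exit }' "$1"
}

# Return 0 when every *_PATH is an existing directory, HOME_NET is a concrete
# network (not "any"/unset) and EXTERNAL_NET is !$HOME_NET; else report and return 1.
check_snort_conf() {
    rc=0
    for name in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH; do
        dir=$(snort_var "$1" "$name")
        if [ -z "$dir" ]; then
            echo "missing: $name"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "not a directory: $name=$dir"; rc=1
        fi
    done
    home=$(snort_var "$1" HOME_NET)
    case "$home" in
        ""|any) echo "HOME_NET must be a concrete network, got '${home:-unset}'"; rc=1 ;;
    esac
    ext=$(snort_var "$1" EXTERNAL_NET)
    [ "$ext" = '!$HOME_NET' ] || { echo "EXTERNAL_NET should be !\$HOME_NET, got '$ext'"; rc=1; }
    return $rc
}

# Build a throw-away tree shaped like /etc/snort whose conf uses $1 as HOME_NET
# (constructed demo data); print the path of that conf.
make_demo_conf() {
    base=$(mktemp -d)
    mkdir -p "$base/rules" "$base/so_rules" "$base/preproc_rules"
    cat > "$base/snort.conf" <<EOF
var RULE_PATH $base/rules
var SO_RULE_PATH $base/so_rules
var PREPROC_RULE_PATH $base/preproc_rules
var WHITE_LIST_PATH $base/rules
var BLACK_LIST_PATH $base/rules
ipvar HOME_NET $1
ipvar EXTERNAL_NET !\$HOME_NET
EOF
    echo "$base/snort.conf"
}

# Stand-alone run: check the conf given as argument (e.g. /etc/snort/snort.conf), else the demo.
target=${1:-$(make_demo_conf 192.168.1.0/24)}
check_snort_conf "$target" && echo "OK: $target"
```

    Relative paths such as the stock "../rules" are reported as missing directories unless you run the script from the matching working directory, which is the same condition under which Snort itself would fail to find them.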

    Run Snort in Self-Test Mode

    After configuration is done, you can test Snort with the following command. It launches Snort in self-test mode and checks that the rules load successfully. I assume that eth0 is the network interface Snort listens on.
    $ sudo snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

    If Snort passes all the tests successfully, you should see the following messages:

    Snort successfully validated the configuration!
    Snort exiting

    Original post: https://www.cnblogs.com/tangxiaosheng/p/4930304.html