Lots of instructions on how to install Snort are out on the internet, but most of them are
outdated. There are several books you can buy on the subject, but I've found that they too are
severely outdated. I've gathered instructions from a variety of sites and books to complete this
how-to, enabling Snort to be installed on a modern version of Ubuntu. If anyone finds any
trouble with these instructions please leave a comment!
The following instructions have been verified on Ubuntu Server 10.04.3 32-bit with the ubuntu-desktop package sets installed. Other required package versions:
Snort 2.9.1.2
MySQL 5.1
libdnet 1.12
daq 0.6.2
You will also need a machine with two NIC cards unless you intend to do all administration via a local terminal and web sessions.
You can install Snort from the package repository; however, the version in the repository is really, really old. As a result we're going to do this all from scratch by downloading and compiling the required source code.
1. Drop to your terminal window. Type sudo apt-get update and press enter.
2. Type sudo apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev mysql-client-5.1 mysql-server-5.1 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev and press enter.
3. Enter your superuser password when prompted. Get some coffee, this may take a while.
4. MySQL will require you to create a root password. This password is used just for MySQL. Enter your password twice and be sure to document the MySQL root password. I'm going to use mysqlpassword for our example.
5. You may receive a warning about libphp-adodb, click OK.
6. When you return to the command prompt visit http://code.google.com/p/libdnet/downloads/list.
7. Download libdnet-1.12.tgz.
8. Open your terminal and type cd ~/Downloads then press enter.
9. Type tar -xvzf libdnet-1.12.tgz and press enter.
10. Type cd libdnet-1.12 and press enter.
11. Type ./configure and press enter.
12. Type make and press enter.
1 of 6 06/27/2013 09:24 PM
Chris P. O'Connell's Outlook Outbox: Snort Installation: Step-b... http://outlookoutbox.blogspot.com/2011/11/snort-installation-...
50. If all looks good then you're in business. Type exit and press enter.
51. OK, it's time to create the snort user in Linux.
52. Type sudo adduser snort and press enter.
53. Enter the superuser password when prompted.
54. Enter in a new password for the snort user and press enter. For our example I am using
snortpassword.
55. Confirm the password and press enter.
56. Press enter 5 times through all the fields and confirm by pressing Y.
57. Type sudo chsh snort and press enter.
58. Type /bin/true and press enter.
59. Now lock the snort user account by typing sudo passwd snort -l and pressing
enter.
60. Type sudo mkdir -p /etc/snort/rules /var/log/snort and press enter.
61. Type sudo chown -R root.snort /var/log/snort and press enter.
62. Type sudo chmod -R 770 /var/log/snort and press enter.
63. Type sudo ldconfig and press enter.
64. Let's test to make sure Snort is working. Type snort --version. Hopefully you'll see
this:
65. Let's get the rules extracted and in place. To do so type cd ~/Downloads and press
enter.
66. Type sudo tar xvzf snortrules-snapshot-2912.tar.gz -C /etc/snort
and press enter.
67. The following changes need to be made to the /etc/snort/etc/snort.conf file:
    1. Find the line that reads dynamicdetection directory /usr/local/lib/snort_dynamicrules and remark it (comment it out) by adding a # in front. Set the following lines:
    2. var RULE_PATH /etc/snort/rules
    3. var SO_RULE_PATH /etc/snort/so_rules
    4. var PREPROC_RULE_PATH /etc/snort/preproc_rules
    5. Remark the entire preprocessor reputation section.
    6. Search for dynamic library rules. Unremark all of the dynamic rules.
68. Next, from the command line you need to test your snort configuration. Type snort -c /etc/snort/etc/snort.conf and press enter. If you don't see any errors you're in good shape. Don't worry about the warnings you may see.
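The step 67 edits, as an added shell example that is not part of the original post: a sed filter that makes the four snort.conf changes on a copy of the file, so you can diff and check the result before installing it over the original. The sample configuration lines inside it are constructed to mimic the stock 2.9.x file, not the real one, and the filter assumes continuation lines end in a bare backslash.

```shell
#!/bin/sh
# Added example, not from the original post: the step 67 snort.conf edits as a
# stdin->stdout filter, so the result can be diffed before it replaces
# /etc/snort/etc/snort.conf. Assumes continuation lines end in a bare backslash.
patch_snort_conf() {
    sed \
        -e 's|^dynamicdetection directory|# &|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e '/^preprocessor reputation:/,/[^\\]$/ s|^|# |' \
        -e 's|^# *\(include \$SO_RULE_PATH/\)|\1|'
}

# Constructed sample in the shape of the stock 2.9.x snort.conf (not the real file),
# with one line of each kind the filter must touch or leave alone.
sample_conf() {
    cat <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor reputation: \
   memcap 500, \
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
EOF
}

# Check an edited file for every expected change; non-zero exit if one is missing.
verify_patched() {
    grep -q '^# dynamicdetection directory' "$1" &&
    grep -q '^var RULE_PATH /etc/snort/rules$' "$1" &&
    grep -q '^var SO_RULE_PATH /etc/snort/so_rules$' "$1" &&
    grep -q '^var PREPROC_RULE_PATH /etc/snort/preproc_rules$' "$1" &&
    ! grep -qE '^(preprocessor reputation| *memcap| *blacklist)' "$1" &&
    grep -q '^include \$RULE_PATH/local.rules$' "$1" &&
    ! grep -q '^# *include \$SO_RULE_PATH/' "$1"
}

# Usage on the real file (not run here):
#   patch_snort_conf < /etc/snort/etc/snort.conf > /tmp/snort.conf.new
#   diff -u /etc/snort/etc/snort.conf /tmp/snort.conf.new
#   verify_patched /tmp/snort.conf.new && sudo cp /tmp/snort.conf.new /etc/snort/etc/snort.conf
```

After copying the edited file into place, rerun the step 68 test so Snort itself confirms the configuration parses.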
12. If you click continue on this screen you can configure the database via web-interface. I don't recommend this. The last step errors out. Instead, use the
13. Close your web browser.
14. Open /var/www/base_conf.php.dist. Ensure the following lines read as follows:
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snort_password';
22. Click Create AG. If all goes well you should see the following:
23. Now when you visit http://localhost/base you should see the Base screen:
24. Drop to the command line and type mysqldump -u root -p snort >snort.db
and press enter.
25. Enter mysqlpassword when prompted.
26. Type mysql -u root -p snort_archive < snort.db and press enter.
27. Enter mysqlpassword when prompted.
28. Type mysql -u root -p and press enter.
29. Type use snort_archive; and press enter.
30. Type grant all privileges on snort_archive.* to
'snort'@'localhost' identified by 'snort_password'; and press enter.
31. Type exit and press enter.
32. Now, refresh your base page and you should see Use Alert Database on the right hand
side. Click Use Alert Database to ensure the page loads.
Testing... finally!
Getting to this point took a long time, no questions about it! Now that you're done we can test
some of the fun stuff. Let's start by getting the IP address of your NIC card:
1. Type ifconfig and press enter. Hopefully you have two NICs installed. Note the IP
address of eth1.
2. Type snort -c /etc/snort/etc/snort.conf -v and press enter.
3. Start pinging and port scanning the IP addresses that your Snort box is using, then
refresh the BASE home page. You should start seeing tons of alerts!
Good luck!
Cited sources:
1. http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10
2. http://ubuntuforums.org/showthread.php?t=145641
3. http://ubuntuforums.org/showthread.php?t=919472
4. http://bailey.st/blog/2010/10/06/compiling-snort-2-9-0/
5. http://www.thegeekstuff.com/2010/08/snort-tutorial/
6. http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
7. http://ubuntuforums.org/showpost.php?p=5786356&postcount=4
8. https://forums.snort.org/forums/third-party-tools/topics/configuring-base-with-snort
9. http://blog.csmonkey.com/2009/03/how-to-duplicate-mysql-database.html
2 comments:
Sir,
I have followed your tutorial, but at the last step I am getting the following error
ERROR: /etc/snort/etc/snort.conf(328) => Length of the http request method shoould not exceed the max request method length of '7'.
Kindly help me
I am also getting errors when pear install is given, they say unknown package. And apache2:
Syntax error on line 236 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/sites-enabled/dequeue: No such file or directory
...fail!
Kindly help me