Snort Installation Guide - Linux

This guide will help you install the latest Snort on a Linux server.


The first step is to download the latest release from the Snort web site:

Snort Download


For this guide we are using snort-2.1.3.tar.gz


Next, if you haven't already done so, you will also need to download PCRE, which can be found Here


For this guide we are using pcre-4.3.tar.gz


Install PCRE

Extract PCRE via:

#tar -zxvf pcre-4.3.tar.gz

Next browse into the extracted pcre folder, configure and build it, then install:

#./configure

#make

#make install


Creating the user and group “snort”

groupadd snort

useradd -g snort snort


Install Snort

Extract the file using:

#tar -zxvf snort-2.1.3.tar.gz

#cd snort-2.1.3

#./configure --with-mysql

#make

#make install


Creating the rules directory

#mkdir /etc/snort


Creating the Log directory

#mkdir /var/log/snort


Installing the rules and conf file:

(From the Snort Installation directory)

#cd rules

#cp * /etc/snort

#cd ../etc

#cp snort.conf /etc/snort

#cp *.config /etc/snort

#cp /etc/snort (I found I needed to do this to get around an error starting snort)

Modifying the snort.conf file

The snort.conf is located in /etc/snort

Make the following changes to the file:

Set HOME_NET to the IP address or range you want to monitor, or leave it as any.

Do the same for EXTERNAL_NET; the simplest choice is to set it to any.

Next change the rule path variable (RULE_PATH) so it points to /etc/snort/

Next we will enable database logging.

You will need to uncomment the output database section shown in the above screenshot (the "output database: log, mysql, ..." line). Modify the user, password, dbname and host to match your setup.
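The snort.conf edits described above, as an added example that is not part of the original guide: a small POSIX shell script that sets HOME_NET, EXTERNAL_NET and RULE_PATH, uncomments and fills in the MySQL output line, and then restricts the file's permissions because it now contains a database password. The sample config fragment is constructed, and the subnet, paths and credentials are assumptions (the password is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the snort.conf edits the
# guide describes (HOME_NET, EXTERNAL_NET, RULE_PATH, MySQL output) with sed so
# they are repeatable, then restrict the file's permissions because it now holds
# a database password. The sample config is constructed; the subnet, paths and
# credentials are assumptions (the password is a placeholder to replace).
set -eu

# write_sample_conf FILE: constructed fragment in snort 2.x syntax, showing the
# lines this guide tells you to change as they look before editing.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/local.rules
EOF
}

# set_var FILE NAME VALUE: replace the value on the "var NAME ..." line.
# VALUE must not contain '|' (used as the sed delimiter) or '&'.
set_var() {
    sed "s|^var $2 .*|var $2 $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_var FILE NAME: print the current value of "var NAME ..." (for checking).
get_var() {
    sed -n "s|^var $2 ||p" "$1"
}

# enable_mysql_output FILE USER PASS DB HOST: uncomment the MySQL output line
# (whether or not it is still commented) and fill in the connection details.
enable_mysql_output() {
    sed "s|^#* *output database: *log, *mysql.*|output database: log, mysql, user=$2 password=$3 dbname=$4 host=$5|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# configure_snort FILE: the edits from the guide, with assumed values.
configure_snort() {
    set_var "$1" HOME_NET "192.168.1.0/24"   # assumption: the subnet to monitor
    set_var "$1" EXTERNAL_NET "any"          # as the guide recommends
    set_var "$1" RULE_PATH "/etc/snort"
    enable_mysql_output "$1" snort "CHANGE_ME" snort localhost   # placeholder password
    chmod 600 "$1"   # only root needs to read it, and it now holds the DB password
}
```

Run `write_sample_conf /tmp/snort.conf && configure_snort /tmp/snort.conf` to see the result on the constructed fragment; on a real install point configure_snort at /etc/snort/snort.conf instead.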


Test snort installation

To test Snort:

#cd /usr/local/bin

#snort -c /etc/snort/snort.conf -l /var/log/snort

If there are no errors, the installation was successful. Press Ctrl-C to stop Snort.

Set Snort to start automatically

Use the script located in the contrib directory, S99snort. Copy it to /etc/init.d and call it snort (cp contrib/S99snort /etc/init.d/snort). Change the following lines:





Change directory to /etc/init.d and type:

chmod 755 snort (the file you just edited, or copied from the contrib folder and modified)

cd /etc/rc3.d

ln -s ../init.d/snort S99snort

ln -s ../init.d/snort K99snort

cd /etc/rc5.d

ln -s ../init.d/snort S99snort

ln -s ../init.d/snort K99snort


Import Snort database tables

This guide assumes you already have a working MySQL database and a database called snort. You now need to import the tables into your MySQL database:


You can use the command line or phpMyAdmin. We describe the command line method, as the phpMyAdmin method is easy and does not need explaining.


#/usr/local/mysql/bin/mysql -u root -p snort < ./contrib/create_mysql

Enter password: (enter password for the root user)


Now check that the snort DB was created correctly:

#/usr/local/mysql/bin/mysql -p

Enter password:

(You should see the following)

mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)

mysql> use snort
Database changed

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

mysql> quit
Bye


This shows that the database snort exists and lists its tables.


To start Snort, cd into /etc/rc.d/init.d/ and run the script like this:

#./snort start