
Snort Installation Guide - Linux

This guide will help you install the latest Snort on a Linux server.

 

The first step is to download the latest Snort release from the Snort.org web site:

Snort Download

For this guide we are using snort-2.1.3.tar.gz

Next, if you haven't already done so, you will also need to download PCRE, which can be found Here

 

For this guide we are using pcre-4.3.tar.gz

Install PCRE

Extract pcre via:

#tar -zxvf pcre-4.3.tar.gz

Next browse into the extracted pcre folder and run:

#./configure

#make

#make install

 

Creating the user and group “snort”

groupadd snort

useradd -g snort snort

Install Snort

Extract the file using:

#tar -zxvf snort-2.1.3.tar.gz

#cd snort-2.1.3

#./configure --with-mysql

#make

#make install

 

Creating the rules directory

#mkdir /etc/snort

Creating the Log directory

#mkdir /var/log/snort

Installing the rules and Conf file:

(From the Snort Installation directory)

#cd rules

#cp * /etc/snort

#cd ../etc

#cp snort.conf /etc/snort

#cp *.config /etc/snort

#cp unicode.map /etc/snort

(I found I needed to do this to get around an error starting snort.)

Modifying the snort.conf file

The snort.conf file is located in /etc/snort. Make the following changes to it:

Edit HOME_NET to the IP address range you would like to monitor, or leave it set to any.

Do the same for EXTERNAL_NET; it is best to set it to any.

Next, change the rule path variable (RULE_PATH) to /etc/snort/.

Next we will enable database logging. Uncomment the database output section shown in the screenshot above and modify the user, password, dbname and host values to match your setup.
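As an added example (not part of the original guide), the following shell script applies the snort.conf edits described above with sed and then verifies them. The sample config it builds is constructed to mimic the relevant default lines of a Snort 2.1.x snort.conf, and the database user, password, name and host it takes are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the original guide: applies the snort.conf edits the
# guide describes with sed and then verifies them. The sample config below is
# constructed to mimic the relevant default lines of a Snort 2.1.x snort.conf;
# the database user, password, name and host are placeholders you replace.

# Write a constructed snort.conf fragment to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/local.rules
EOF
    echo "$f"
}

# set_snort_conf FILE HOME_NET DB_USER DB_PASS DB_NAME DB_HOST
# Sets HOME_NET, forces EXTERNAL_NET to any, points RULE_PATH at /etc/snort/
# and uncomments/rewrites the MySQL output line, as the guide asks.
set_snort_conf() {
    f=$1
    sed -e "s|^var HOME_NET .*|var HOME_NET $2|" \
        -e "s|^var EXTERNAL_NET .*|var EXTERNAL_NET any|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH /etc/snort/|" \
        -e "s|^# *output database: log, mysql.*|output database: log, mysql, user=$3 password=$4 dbname=$5 host=$6|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
    # The file now holds the database password: readable by root and the
    # snort group only (mode chosen for this example, not stated by the guide).
    chmod 640 "$f"
}

# check_snort_conf FILE: succeeds only when every setting above is in place
# and the database output line is no longer commented out.
check_snort_conf() {
    grep -q '^var HOME_NET [^ ]' "$1" &&
    grep -q '^var EXTERNAL_NET any$' "$1" &&
    grep -q '^var RULE_PATH /etc/snort/$' "$1" &&
    grep -q '^output database: log, mysql, user=' "$1" &&
    ! grep -q '^# *output database:' "$1"
}

# Usage on the constructed sample (on a real host, use /etc/snort/snort.conf):
# f=$(make_sample_conf)
# set_snort_conf "$f" 192.168.1.0/24 snort 'REPLACE_ME' snort localhost
# check_snort_conf "$f" && echo "snort.conf ready"
```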

 

Test snort installation

To test Snort:

#cd /usr/local/bin

#snort -c /etc/snort/snort.conf -l /var/log/snort

If there are no errors, the installation was successful. Press Ctrl-C to stop Snort.

Set Snort to start automatically

Use the script located in the contrib directory, S99snort. Copy it to /etc/init.d and call it snort:

cp contrib/S99snort /etc/init.d/snort

Change the following lines in the copied script:

CONFIG=/etc/snort/snort.conf

SNORT_GID=snort

Next, change directory to /etc/init.d and make the script executable (the file you just edited, or copied from the contrib folder and modified):

chmod 755 snort

Then create the run-level links:

cd /etc/rc3.d

ln -s ../init.d/snort S99snort

ln -s ../init.d/snort K99snort

cd /etc/rc5.d

ln -s ../init.d/snort S99snort

ln -s ../init.d/snort K99snort

 

Import Snort database tables

This guide assumes you already have a working MySQL database and a database called snort. You will need to now import the tables into your MySQL database:

 

You can use the command line or phpMyAdmin. We will describe the command line method, as the phpMyAdmin method is easy and does not need explaining.

#/usr/local/mysql/bin/mysql -u root -p snort < ./contrib/create_mysql

Enter password: (enter the password for the root user)

Now check and make sure that the snort database was created correctly:

/usr/local/mysql/bin/mysql -p

Enter password:

mysql> SHOW DATABASES;

(You should see the following)

+------------+
| Database   |
+------------+
| mysql      |
| snort      |
| test       |
+------------+
3 rows in set (0.00 sec)

mysql> use snort
Database changed

mysql> SHOW TABLES;

+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

mysql> quit
Bye

 

This shows that the database snort exists and lists the available tables.

To start Snort, cd into /etc/rc.d/init.d/ and run:

#./snort start