Wednesday, May 9, 2012

Installing SNORT as IPS, building from Source

Install the libraries listed below from source, in the order given, by running "./configure", "make" and "make install" for each one.
At the time of writing, the listed tar/zip files were the latest versions available.

By default most packages install under /usr/local, so we force them into /usr instead. For example, if you install libpcap-1.2.1 with a plain ./configure and then check which version is in use, it may still report libpcap-0.9.4, because the older system copy in /usr is found first. To avoid this we build with the following arguments:
./configure --enable-ipv6 --prefix=/usr

--enable-ipv6              enables sniffing of IPv6 packets

When the DAQ (Data Acquisition) module is configured successfully, it prints the summary below.
DAQ output after ./configure --enable-ipv6 --prefix=/etc

Build AFPacket DAQ module : yes
Build Dump DAQ module     : yes
Build IPFW DAQ module     : yes
Build IPQ DAQ module      : no
Build NFQ DAQ module      : yes
Build PCAP DAQ module     : yes

IPQ is obsolete, so it was not installed.

Snort configuration command
./configure --libdir=/usr/lib --includedir=/usr/include --enable-ipv6 --enable-gre --enable-targetbased --enable-ipfw --enable-dynamicplugin --enable-decoder-preprocessor-rules --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-zlib

For developing preprocessor plugins you can add

Additionally you might need dpx-1.4.tar.gz.

Errors seen while starting Snort:
For the "snort_dynamicrules not found" error, create /usr/local/lib/snort_dynamicrules and copy the .so files there.
For the errors about the missing white_listing.rules and black_listing.rules files, create those files and comment out the reputation preprocessor in snort.conf.
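The following helper script is an added example, not part of the original post. It serves the two checks above: it parses the DAQ ./configure summary to confirm that the modules usable for inline mode on Linux (AFPacket and NFQ) were actually built, reads the libpcap version out of the "snort -V" banner so you can confirm Snort linked the library you built rather than an older system copy, and pre-creates the snort_dynamicrules directory and the two reputation list files whose absence makes Snort fail at start-up. The sample outputs embedded in it are constructed copies of what the post shows, and the /etc/snort/rules location is an assumption.

```shell
#!/bin/sh
# Added helper script, not from the original post. Checks the DAQ configure
# summary, the libpcap version Snort linked, and prepares the files whose
# absence the post says makes Snort fail at start-up.
# The sample outputs and the /etc/snort/rules path are constructed/assumed.

# Constructed copy of the DAQ configure summary shown in the post.
SAMPLE_DAQ_SUMMARY='Build AFPacket DAQ module.. : yes
Build Dump DAQ module........ : yes
Build IPFW DAQ module......... : yes
Build IPQ DAQ module............ : no
Build NFQ DAQ module........... : yes
Build PCAP DAQ module......... : yes'

# Constructed copy of the "snort -V" banner lines that matter here.
SAMPLE_SNORT_BANNER='Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3'

# daq_module_status SUMMARY NAME: prints "yes" or "no" for the named DAQ module;
# returns non-zero if the summary does not mention that module at all.
daq_module_status() {
    printf '%s\n' "$1" \
        | sed -n "s/^Build $2 DAQ module[. ]*: *\([a-z]*\).*/\1/p" \
        | head -n 1 | grep .
}

# inline_daqs_ready SUMMARY: succeeds only if the DAQ modules usable for inline
# (-Q) mode on Linux, AFPacket and NFQ, were both built.
inline_daqs_ready() {
    for m in AFPacket NFQ; do
        [ "$(daq_module_status "$1" "$m")" = "yes" ] || return 1
    done
}

# snort_libpcap_version BANNER: prints the libpcap version Snort actually
# linked, to compare against the one you built (the post's 0.9.4 vs 1.2.1 case).
snort_libpcap_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Using libpcap version[: ]*\([0-9.]*\).*/\1/p' \
        | head -n 1 | grep .
}

# libpcap_matches BANNER EXPECTED: succeeds if the linked libpcap is EXPECTED.
libpcap_matches() {
    [ "$(snort_libpcap_version "$1")" = "$2" ]
}

# prepare_snort_files ROOT: creates the dynamicrules directory and the two
# reputation list files named in the post under ROOT (use "" for the live
# system; a scratch directory gives a dry run). Existing files are left alone.
prepare_snort_files() {
    root="$1"
    rules_dir="$root/etc/snort/rules"              # assumed rules location
    dyn_dir="$root/usr/local/lib/snort_dynamicrules" # path from the post
    mkdir -p "$dyn_dir" "$rules_dir" || return 1
    for f in white_listing.rules black_listing.rules; do
        [ -e "$rules_dir/$f" ] || : > "$rules_dir/$f" || return 1
    done
    [ -d "$dyn_dir" ] && [ -f "$rules_dir/black_listing.rules" ]
}

# Demo run against the constructed data and a scratch root: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    inline_daqs_ready "$SAMPLE_DAQ_SUMMARY" && echo "inline DAQ modules: ok"
    echo "IPQ DAQ module built: $(daq_module_status "$SAMPLE_DAQ_SUMMARY" IPQ)"
    libpcap_matches "$SAMPLE_SNORT_BANNER" 1.2.1 && echo "libpcap 1.2.1 linked: ok"
    scratch=$(mktemp -d) && prepare_snort_files "$scratch" && find "$scratch" -type f
fi
```

To use it on a real build, pipe the tail of the DAQ ./configure output into a variable and pass it to inline_daqs_ready, and pass "$(snort -V 2>&1)" to libpcap_matches with the version you installed; a mismatch there is exactly the --prefix problem described earlier in the post.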

#/home/praveen/snort- -V
,,_ -*> Snort! <*-
o" )~ Version IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team:
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3

Starting Snort with the -Q option makes it run inline, as an IPS.

You can refer to a similar article at

For Snort preprocessors, refer to the link below

For sending Snort alerts to a syslog server

For a detailed description of the various concepts, refer to the Snort Users Manual.
