Http://www.tuicool.com/articles/v6j2Ab
Snort is by far the most popular open-source network intrusion detection and prevention system (IDS/IPS) for Linux. Snort can conduct detailed traffic analysis, including protocol analysis and packet content searching and matching, all in real time. The latest Snort rule sets are available for download either for free or with a paid subscription.
You can install Snort from its source code or from binary RPM/DEB packages on Linux. There are several reasons why you might want to build Snort from source rather than installing it from distro packages. For example, you may want to use the latest version of Snort, which may not yet be available in your distro's repositories. You may also want to customize the Snort binary in some way (e.g., plug in a custom DAQ module, link against a particular version of the libpcap library, etc.).
In this tutorial, I'll describe how to compile and install Snort from source code.
Compile and Install Snort and its Dependencies
First, install prerequisites for compiling Snort.
$ sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev
Next, build and install libdnet from its source code. The "-fPIC" C flag is necessary if you compile it on a 64-bit platform.
$ wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
$ tar xvfz libdnet-1.12.tgz
$ cd libdnet-1.12
$ ./configure "CFLAGS=-fPIC"
$ make
$ sudo checkinstall
The checkinstall command above builds a .deb package and, while doing so, asks you several questions. You can accept the default values.
Install the .deb package, and create a symbolic link where Snort looks for libdnet.
$ sudo dpkg -i libdnet_1.12-1_amd64.deb
$ sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Next, build and install the DAQ (Data Acquisition) library. DAQ is an abstraction layer for packet I/O, which allows you to plug different DAQ modules into Snort to support different hardware/software interfaces for packet I/O, without changing Snort itself. DAQ source code is available for download from snort.org.
$ tar xvfz daq-2.0.0.tar.gz
$ cd daq-2.0.0
$ ./configure
$ make
$ sudo checkinstall
$ sudo dpkg -i daq_2.0.0-1_amd64.deb
Next, compile and install Snort itself. Snort source code is available for download from snort.org.
$ tar xvfz snort-2.9.5.tar.gz
$ cd snort-2.9.5
$ ./configure
$ make
$ sudo checkinstall
$ sudo dpkg -i snort_2.9.5-1_amd64.deb
$ sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Finally, run the ldconfig command so that the dynamic linker's run-time bindings for the libdnet and DAQ libraries are properly set up.
$ sudo ldconfig -v
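The libdnet, DAQ and Snort builds above repeat the same configure/make/checkinstall/dpkg sequence. The script below is an added example and is not part of the original article: it wraps that sequence in one function that refuses to build a tarball whose SHA-256 digest does not match the digest you supply (the digests in main() are placeholders to be replaced with the values published upstream), and it runs checkinstall non-interactively with an explicit package name and version so the resulting .deb file names match the ones used in the article. The function names and the assumption that each tarball unpacks into a directory named name-version are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): checksum-gated, non-interactive
# build of the libdnet / DAQ / Snort tarballs with checkinstall.
set -eu

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 digest matches, 1 otherwise, so a
# tampered or truncated download is never configured, built or installed.
verify_tarball() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# pkg_fields TARBALL -> prints "name version", e.g. "libdnet 1.12" for
# libdnet-1.12.tgz; this is the name/version checkinstall is told to use.
pkg_fields() {
    base=$(basename "$1")
    base=${base%.tar.gz}
    base=${base%.tgz}
    printf '%s %s\n' "${base%-*}" "${base##*-}"
}

# deb_path TARBALL ARCH -> the .deb filename checkinstall produces with
# release 1, e.g. snort_2.9.5-1_amd64.deb (matches the article's names).
deb_path() {
    set -- $(pkg_fields "$1") "$2"
    printf '%s_%s-1_%s.deb\n' "$1" "$2" "$3"
}

# build_package TARBALL SHA256 [CONFIGURE_ARGS...]
# Verifies the digest, unpacks, configures, builds, packages and installs.
build_package() {
    tarball=$1
    digest=$2
    shift 2
    if ! verify_tarball "$tarball" "$digest"; then
        echo "checksum mismatch for $tarball; refusing to build" >&2
        return 1
    fi
    name=$(pkg_fields "$tarball" | cut -d' ' -f1)
    version=$(pkg_fields "$tarball" | cut -d' ' -f2)
    tar xzf "$tarball"
    (
        cd "$name-$version"          # assumption: tarball unpacks to name-version
        ./configure "$@"
        make
        # -D builds a Debian package; --default accepts checkinstall's prompts,
        # replacing the interactive questions the article lets you answer.
        sudo checkinstall -D --default --pkgname="$name" \
            --pkgversion="$version" --pkgrelease=1
    )
    # Same step as the article's dpkg -i: (re)installs the .deb checkinstall wrote
    # into the source directory and records it in dpkg's database.
    sudo dpkg -i "$name-$version/$(deb_path "$tarball" "$(dpkg --print-architecture)")"
}

# The three builds from the article; replace the placeholder digests with the
# SHA-256 values published by each project before running with --build.
main() {
    build_package libdnet-1.12.tgz   "<sha256-of-libdnet-1.12.tgz>" "CFLAGS=-fPIC"
    build_package daq-2.0.0.tar.gz   "<sha256-of-daq-2.0.0.tar.gz>"
    build_package snort-2.9.5.tar.gz "<sha256-of-snort-2.9.5.tar.gz>"
    sudo ldconfig
}

if [ "${1:-}" = "--build" ]; then
    main
fi
```

Run it as `sh build-snort.sh --build` from the directory holding the three tarballs; without `--build` it only defines the functions, so it can be sourced and the helpers used one at a time.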
After this, verify that Snort is installed successfully.
$ snort -V
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5 GRE (Build 103)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7
Configure Snort and Download Snort Rule Sets
After installation, go ahead and configure Snort as follows.
For security reasons, it is recommended to create a separate Linux user that Snort will run as.
$ sudo groupadd snort
$ sudo useradd snort -d /var/log/snort -s /sbin/nologin -c snort_ids -g snort
Create a log directory for Snort.
$ sudo mkdir /var/log/snort
$ sudo chown snort:snort /var/log/snort
Download the Snort rule sets. You can download the registered-user release for free. After downloading, install and configure the Snort rules as follows.
$ sudo mkdir /etc/snort
$ sudo tar xvfz snortrules-snapshot-2950.tar.gz -C /etc/snort
$ sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
$ sudo mkdir /usr/local/lib/snort_dynamicrules
$ sudo chown -R snort:snort /etc/snort/*
$ sudo mv /etc/snort/etc/* /etc/snort
Edit the default Snort configuration to correct the ruleset directories. Also define HOME_NET, which is the network to protect with Snort.
$ sudo vi /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
Run Snort in Self-Test Mode
After the configuration is done, you can test Snort with the following command. It launches Snort in self-test mode and checks whether the rules are loaded successfully. I assume that eth0 is the network interface Snort will listen on.
$ sudo snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
If Snort passes all the tests successfully, you should see the following messages:
Snort successfully validated the configuration!
Snort exiting
How to compile and install Snort from source code on Ubuntu