Ubuntu under snort from compile, install to debug the whole process

From: https://www.newbyter.net/?p=1403
First, compile

The compilation was done under Ubuntu 11.04 (32bit), and Ubuntu was installed by default.

Snort itself uses some third-party libraries, which are not installed by default in Ubuntu, so we need to install them manually. These include: libdnet-1.12, libpcap-1.0.0, pcre-8.12, zlib-1.2.5, etc., in addition to the installation of build-essential, Flex and bison packages.

The compilation and installation of these third-party libraries is relatively straightforward, and typically requires only the following three commands to be executed:

./configure
Make
sudo make install

After you have installed the packages and libraries that you depend on, you can compile and install snort.

Snort source code can be obtained from www.snort.org, this article uses the Snort source version is 2.9.0.5, after the download of the compressed package named snort-2.9.0.5.tar.gz. In addition, you should download the DAQ source code, because snort needs to use the library at compile time. DAQ also provides direct source download at Snort's official site. This article uses a DAQ version of 0.5, and the downloaded zip package is named daq-0.5.tar.gz. Finally, we need to download the rules library for snort, because we need snort to work in IDs mode, which requires a corresponding intrusion detection rule library. Fortunately, snort official also provides the rules library download, but is divided into the pay version and the free version. Just sign up for a free account to download the free version of the rules library. The version library that this article uses is downloaded with the zip package named snortrules-snapshot-2905.tar.gz. The rules library is not required at compile time and is not used by the runtime.

The next step is Snort's compilation process, directly./configure is possible, but some of the features of the snort that have been compiled are not enabled and do not meet our needs, so you must use some configuration options, as follows:

./configure–enable-ipv6–enable-gre–enable-mpls–enable-targetbased–enable-decoder-preprocessor-rules–enable-ppm –enable-perfprofiling–enable-zlib–enable-active-response–enable-normalizer–enable-reload–enable-react– Enable-flexresp3

When finished, use the make command to compile, and after editing, use sudo make install to complete the installation.

The following is the compilation process:

"Figure 1" in snort compilation

"Figure 2" snort compilation complete

Second, installation and operation

After the build snort succeeds, execute the sudo make install and install it successfully. Snort will be installed in the/usr/local directory.

The next step is to get snort up and running. Now you need to extract the Snort Rule Library compression package that you just downloaded, assuming the extracted folder name is called snort-rules-2905, There is a snort.conf file under the ETC directory in this folder, which provides some default configuration, which is enough for this article, but to run it, there is one more detail that needs to be changed:

Find Compress_depth 20480 decompress_depth 20480 and replace two of these 20480 with 65535

Remember to save it after you modify it. You will then need to copy the snort-rules-2905/so_rules/precompiled/ubuntu-10-4/i386/2.9.0.5 folder to/usr/local/lib and rename it to Snort_ Dynamicrules.
Once you've completed the steps above, you're ready to start running snort.

Open the console, switch to the/usr/local/bin directory, and execute:

sudo./snort-dev-l/home/jian/tmp/log-h 192.168.1.0/24-c/home/jian/soft/snort-rules-2905/etc/snort.conf

Where the-l parameter indicates where the log file is stored, the-h parameter indicates the detected network segment, and the-c parameter indicates the location of the configuration file.

If it runs successfully, a screen similar to the following will appear:

"Figure 3" successfully running snort

Third, commissioning

A convenient debugging and development environment is important to facilitate the analysis of Snort's source code and subsequent development. This article chooses to use Eclipse IDE for C + + developers (hereinafter referred to as Eclipse) as the debugging and development environment.

First turn on eclipse, but you need to open it with administrator privileges, because snort requires administrator privileges when running in IDs mode, and if you open it, Eclipse runs under normal user rights, but running snort will fail if it compiles. There are several ways to solve this problem, but running eclipse directly with administrator privileges is a straightforward solution.

Specifically: Switch to the directory where Eclipse is located and execute sudo./eclipse.

After you open Eclipse, select Menu File→new→project, and then in the dialog box that pops up, select Makefile Project with Existing Code under the C + + category, such as:

Figure 4 Selecting the project type

Then click Next to proceed to the next step. This step requires telling eclipse where our snort source is and choosing the compiler type. Compiler type We select Linux GCC as shown in:

Figure 5 Locating the snort source location and selecting the compiler type

After the click Finish,eclipse will immediately start compiling snort source code.

The eclipse compiled source code is compiled directly based on the makefile file generated by the./configure (with corresponding parameters) that we previously switched to the Snort source directory under the console, so we need to make sure that we have manually called the eclipse before compiling it. Configure (with corresponding parameters) has generated the correct makefile file.

By the end of this, the difference is one step away from the final success:

Open the Debug configurations and switch to the Arguments tab and enter:

-dev-l/home/jian/tmp/log-h 192.168.1.0/24-c/home/jian/soft/snort-rules-2905/etc/snort.conf

Figure 6 Configuring the Debug configurations

OK, click the Apply button, then close.

Similarly, you should configure run configurations, which is not mentioned here.

Through the above configuration, we can start debugging snort source. It is also possible to modify the source code in snort at will and recompile it for various experiments.

Ubuntu under snort from compile, install to debug the whole process