Comprehensive Guide to Using CPPFLAGS for Nonstandard Directory Configurations and Snort Installation

Near the end of its `--help` output, `configure` lists the environment variables that influence the build. The entries that matter for headers and libraries in nonstandard directories read:

              ... if you have libraries in a nonstandard directory
  CPPFLAGS    C/C++ preprocessor flags, e.g. -I if you have headers in a
              nonstandard directory
  CPP         C preprocessor

Use these variables to override choices determined by `configure`, or to assist it in locating libraries and programs that have unconventional names or are located in unusual directories.
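As an added example (not from the book), the following POSIX shell helper checks that a nonstandard include directory and library directory really contain the header and library you intend to build against, and only then prints the `configure` line with `CPPFLAGS` and `LDFLAGS` set. The temporary paths, the `libnet.h`/`libnet` names and the `--enable-flexresp` option in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a ./configure command line that points the C
# preprocessor (-I) and the linker (-L) at a nonstandard install, after
# checking that the header and library are actually there. Paths used in
# the demo are constructed in a temp directory, not taken from the book.

# check_nonstd_dir INCLUDE_DIR LIB_DIR HEADER LIBNAME
# Returns 0 only if INCLUDE_DIR/HEADER exists and LIB_DIR holds a static or
# shared libLIBNAME. Reports each missing piece on stderr.
check_nonstd_dir() {
    inc="$1"; lib="$2"; hdr="$3"; name="$4"; ok=0
    if [ ! -f "$inc/$hdr" ]; then
        echo "missing header: $inc/$hdr" >&2; ok=1
    fi
    if [ ! -f "$lib/lib$name.a" ] && [ ! -f "$lib/lib$name.so" ]; then
        echo "missing library: $lib/lib$name.a or .so" >&2; ok=1
    fi
    return $ok
}

# configure_cmd PREFIX INCLUDE_DIR LIB_DIR [configure options...]
# Prints the invocation; it does not run it, so you can review it first.
configure_cmd() {
    prefix="$1"; inc="$2"; lib="$3"; shift 3
    printf 'CPPFLAGS="-I%s" LDFLAGS="-L%s" ./configure --prefix=%s' \
        "$inc" "$lib" "$prefix"
    for opt in "$@"; do printf ' %s' "$opt"; done
    printf '\n'
}

# Demo with a constructed tree (stand-in for a libnet install).
tmp=$(mktemp -d)
mkdir -p "$tmp/include" "$tmp/lib"
: > "$tmp/include/libnet.h"
: > "$tmp/lib/libnet.a"
if check_nonstd_dir "$tmp/include" "$tmp/lib" libnet.h net; then
    configure_cmd /opt/snort "$tmp/include" "$tmp/lib" --enable-flexresp
fi
rm -rf "$tmp"
```

The check matters because a wrong `-I` or `-L` does not necessarily fail: `configure` may quietly pick up a different copy of the header or library from a system path, so the binary you install is not built against the version you tested.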

Values in square brackets indicate the default value used if the option is not explicitly set. For example, the `--prefix` option shown below indicates that if `--prefix` is not set, the installation defaults to `/usr/local`. PREFIX refers to the directory where Snort files will be installed when you execute the `make install` command.


--prefix=PREFIX         Install architecture-independent files into PREFIX
                          [/usr/local]

A typical session running the configure script is shown below. For brevity, output information has been truncated. Pay close attention to the enabled options in the command line:


[root@conformix snort-1.9.0]# ./configure --prefix=/opt/snort \
--enable-smbalerts --enable-flexresp --with-mysql --with-snmp \
--with-openssl


loading cache ./config.cache
checking for a BSD-compatible install (cached) /usr/bin/install -c
checking whether the build environment is sane yes
checking whether make sets ${MAKE} (cached) yes
checking for working aclocal found
checking for working autoconf found
checking for working automake found
checking for working autoheader found
checking for working makeinfo found
checking for gcc (cached) gcc
checking whether the C compiler (gcc) works yes
checking whether the C compiler (gcc) is a cross-compiler no
checking whether we are using GNU C (cached) yes
checking whether gcc accepts -g (cached) yes
checking for gcc option to accept ANSI C (cached) none needed
checking for ranlib (cached) ranlib

The output has been truncated because the `configure` command generates a large amount of information. The `--prefix` option specifies the final installation location for the program. The other options enable the following Snort components:

- Support for MySQL databases
- Support for SNMP trap messages
- Support for SMB alerts, which send pop-up alerts to Windows systems.
- Support for FlexResp, which terminates network sessions in real time. FlexResp requires that `libnet` be installed on your system. You can download `libnet` from [SecurityFocus](http://www.securityfocus.net). For this installation, version 1.0.2a was used.

After completing the configuration script, you can compile and install Snort using the following commands:


make
make install

These commands may take some time to complete depending on your computer’s performance. After the second command finishes, the files will be installed in their appropriate directories. Since the `--prefix=/opt/snort` option was used when running the `configure` script, the `make install` command will install Snort’s binary files under the `/opt/snort` directory.

Table 2-1: Parameters for the configure Script

| Parameter               | Description                                              |
|-------------------------|----------------------------------------------------------|
| `--with-mysql`          | Adds support for MySQL in Snort                          |
| `--with-snmp`           | Adds support for SNMP (requires `--with-openssl`)        |
| `--with-openssl`        | Adds support for OpenSSL. Mandatory when `--with-snmp` is selected. |
| `--with-oracle`         | Adds support for Oracle databases                        |
| `--with-odbc`           | Adds support for ODBC                                    |
| `--enable-flexresp`     | Enables FlexResp, allowing Snort to terminate malicious connections. Currently experimental (see the `README.FLEXRESP` file). |
| `--enable-smbalerts`    | Sends SMB alerts. Note: each alert occupies client user space. |
| `--prefix=DIR`          | Specifies the directory where Snort files will be installed. |

Before running the `make install` command, you may also execute the `make check` command to verify that Snort was built properly.

After installation, test Snort to ensure that the executable file is functional. Upon completing the previous steps, Snort’s binary files should be located in the `/opt/snort/bin` directory. Run the following command to display basic help information and command-line options for the newly installed Snort:


[root@conformix snort]# /opt/snort/bin/snort -?

Tasks After Installation

Once you have successfully installed Snort’s binary files, there are a few additional steps you need to complete:

1. Create the `/var/log/snort` directory to store log files.
2. Create a directory for configuration files. For this example, the directory `/opt/snort/etc` is used, but you are free to choose a different path.
3. Create or copy configuration files into the `/opt/snort/etc` directory.
4. Create the `/opt/snort/rules` directory and copy the default rule files into it. This directory will be referenced in the `snort.conf` file. You may choose a different directory name if desired.

# Creating the Required Directories and Copying Files

Start by creating the `/var/log/snort` directory for Snort to store log files. While it is possible to use a different directory, `/var/log/snort` is the conventionally used location. If you opt for another directory, you will need to use the `-l` option when starting Snort to specify the path.

Next, prepare the Snort configuration file. When Snort starts, it attempts to read the `snort.conf` file from the current directory or the `.snortrc` file from the user’s home directory. If the file resides elsewhere, specify its path using the `-c` option when running Snort.

Initially, you can copy the provided `snort.conf` file from the Snort source code directory into the created `/opt/snort/etc` directory. Also, ensure that you copy `classification.config` and `reference.config` into the same directory, as these files are referenced by `snort.conf`. Additionally, copy all files from the `rules` directory in the Snort source code to the `/opt/snort/rules` directory. Use the following commands to accomplish this:


mkdir /opt/snort/etc
cp /opt/snort-1.9.0/etc/snort.conf /opt/snort/etc
cp /opt/snort-1.9.0/etc/classification.config /opt/snort/etc
cp /opt/snort-1.9.0/etc/reference.config /opt/snort/etc
mkdir /opt/snort/rules
cp /opt/snort-1.9.0/rules/* /opt/snort/rules

Files in the `rules` directory with the `.rules` extension contain various detection rules and are referenced in the `snort.conf` file. The location of these `.rules` files is determined by the `RULE_PATH` variable in the `snort.conf` file, which is typically defined as:


var RULE_PATH ../rules

This means the `.rules` files live in a directory named `rules` that sits one level up from the directory containing `snort.conf`, beside it rather than inside it. For example:

- If `snort.conf` is located in `/opt/snort/etc`, then `.rules` files must be in `/opt/snort/rules`.
- If `snort.conf` is in `/var/snort`, then `.rules` files must be in `/var/rules`.

Alternatively, you can place `snort.conf` in the same directory as the `.rules` files and update the `RULE_PATH` variable in `snort.conf` to point to the current directory:


var RULE_PATH ./
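As an added example covering both the post-installation steps above (creating `/var/log/snort`, `/opt/snort/etc` and `/opt/snort/rules` and copying the files) and the `RULE_PATH` convention, the following POSIX shell script is not the book's own commands. It builds the layout from a source tree given as a parameter, reads `var RULE_PATH` from the copied `snort.conf`, resolves it relative to the directory holding `snort.conf` as the text describes (an assumption about how Snort interprets it), and then verifies that every file `snort.conf` depends on is present. The demo runs against a constructed stand-in for the `snort-1.9.0` tree in a temporary directory, so the file contents are placeholders, not real Snort configuration.

```shell
#!/bin/sh
# Added example, not the book's own commands: prepare the Snort runtime layout
# (PREFIX/etc, PREFIX/rules, a log directory) and verify it before the first
# "snort -c" run. RULE_PATH is resolved relative to the directory containing
# snort.conf, following the book's description (assumption).

# prepare_snort_layout SRC PREFIX LOGDIR
# SRC is the unpacked source tree (the book uses /opt/snort-1.9.0).
prepare_snort_layout() {
    src="$1"; prefix="$2"; logdir="$3"
    mkdir -p "$prefix/etc" "$prefix/rules" "$logdir" || return 1
    # alert logs can carry packet payloads: keep the directory non-world-readable
    chmod 0750 "$logdir" || return 1
    for f in snort.conf classification.config reference.config; do
        cp "$src/etc/$f" "$prefix/etc/" || return 1
    done
    cp "$src/rules/"*.rules "$prefix/rules/" || return 1
}

# rule_path_of CONF: print the value of the last "var RULE_PATH" line.
rule_path_of() {
    awk '$1 == "var" && $2 == "RULE_PATH" { p = $3 } END { print p }' "$1"
}

# resolve_rule_dir CONF: print the absolute rules directory, or fail.
resolve_rule_dir() {
    conf="$1"
    rp=$(rule_path_of "$conf")
    if [ -z "$rp" ]; then echo "no RULE_PATH in $conf" >&2; return 1; fi
    case "$rp" in
        /*) dir="$rp" ;;
        *)  dir="$(dirname "$conf")/$rp" ;;   # ../rules or ./ relative to etc/
    esac
    # cd + pwd -P canonicalises etc/../rules to the real path
    if ! abs=$(cd "$dir" 2>/dev/null && pwd -P); then
        echo "RULE_PATH $rp -> $dir does not exist" >&2; return 1
    fi
    echo "$abs"
}

# verify_snort_layout PREFIX LOGDIR: 0 only if every dependency is in place.
verify_snort_layout() {
    prefix="$1"; logdir="$2"; rc=0
    for f in snort.conf classification.config reference.config; do
        if [ ! -f "$prefix/etc/$f" ]; then echo "missing $prefix/etc/$f" >&2; rc=1; fi
    done
    if rules=$(resolve_rule_dir "$prefix/etc/snort.conf"); then
        n=0
        for r in "$rules"/*.rules; do
            if [ -f "$r" ]; then n=$((n + 1)); fi
        done
        if [ "$n" -eq 0 ]; then echo "no .rules files in $rules" >&2; rc=1; fi
    else
        rc=1
    fi
    if [ ! -d "$logdir" ] || [ ! -w "$logdir" ]; then
        echo "log directory $logdir missing or not writable" >&2; rc=1
    fi
    return $rc
}

# make_fake_source DIR: constructed stand-in for the snort-1.9.0 tree, with
# placeholder contents; not real Snort files.
make_fake_source() {
    mkdir -p "$1/etc" "$1/rules"
    printf 'var RULE_PATH ../rules\ninclude $RULE_PATH/local.rules\n' > "$1/etc/snort.conf"
    : > "$1/etc/classification.config"
    : > "$1/etc/reference.config"
    printf '# constructed placeholder rule file\n' > "$1/rules/local.rules"
}

# Demo in a temporary directory so it is safe to run anywhere.
tmp=$(mktemp -d)
make_fake_source "$tmp/src"
prepare_snort_layout "$tmp/src" "$tmp/opt/snort" "$tmp/var/log/snort"
echo "RULE_PATH resolves to: $(resolve_rule_dir "$tmp/opt/snort/etc/snort.conf")"
if verify_snort_layout "$tmp/opt/snort" "$tmp/var/log/snort"; then
    echo "layout OK"
fi
rm -rf "$tmp"
```

To use it on a real host, replace the demo tail with `prepare_snort_layout /opt/snort-1.9.0 /opt/snort /var/log/snort` followed by `verify_snort_layout /opt/snort /var/log/snort`; a non-zero exit with a message on stderr tells you which file or directory the first `snort -c /opt/snort/etc/snort.conf` run would fail on.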

In the next chapter, you will learn more about Snort rules, including how to define your own detection rules. Additionally, the `classification.config` file includes detailed categorization information for Snort rules, which will also be explored further in the next chapter.

For this book’s examples, Snort’s source files are in `/opt/snort-1.9.0`. If you are using a different Snort version, directory paths may vary accordingly.

The `reference.config` file lists URLs for references related to alert types. These references will be cited in Snort rules. You will learn more about this in the next chapter. A typical `reference.config` file looks as follows: