Introduction
Installing Snort can be quite challenging. After multiple attempts on four different systems, I finally succeeded in getting it to run on a cloud server with Ubuntu 18, following a proper software repository update.
Main Reasons for Installation Failures
- Unstable network connection (this is a major cause of many subsequent issues);
- Incomplete installation of dependencies;
Main Reasons for Configuration Failures
- Version mismatch between Snort and its rule library;
- Improper modifications to configuration files, leading to file-not-found errors;
Snort Installation and Configuration
Always update your package index first. This is a common oversight among beginners, who then wonder why their software won't install, especially on a poor network connection. Note the command is `apt-get update`, not `apt-get install update` (there is no package called "update"):
sudo apt-get update
Dependencies to Install Before DAQ
sudo apt-get install flex -y
sudo apt-get install bison -y
sudo apt-get install aptitude -y
sudo aptitude install libpcap-dev -y
Installing DAQ
This step can be found on the official homepage. Make sure to download the version specified on the current official website. As of 2021.11.28, the DAQ package version is daq-2.0.7.tar.gz.
# 1. Download the DAQ package
sudo wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
# 2. Extract
sudo tar xvfz daq-2.0.7.tar.gz
# 3. Change directory
cd daq-2.0.7
# 4. Configure, compile, and install
./configure && sudo make && sudo make install
# 5. Return to the parent directory (Many beginners get confused about which directory to execute commands in)
cd ..
Dependencies Required Before Installing Snort
sudo aptitude install libpcre3-dev -y
sudo aptitude install libdumbnet-dev -y
sudo aptitude install zlib1g-dev -y
sudo apt-get install openssl -y
sudo apt-get install libssl-dev -y
# LuaJIT library (I'm not entirely sure what this is for, but not installing it results in errors)
sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install && cd ..
Installing Snort
Important
As with DAQ, ensure you download the current version from the official homepage. As of 2021.11.28, the Snort package version is snort-2.9.18.1.tar.gz. Otherwise, you may not be able to download it from the official website.
sudo wget https://www.snort.org/downloads/snort/snort-2.9.18.1.tar.gz
sudo tar xvfz snort-2.9.18.1.tar.gz
cd snort-2.9.18.1
./configure --enable-sourcefire && make && sudo make install
Encountering a Minor Error
The error indicates that the <rpc/rpc.h> header file is missing.
Solution
First, run:
sudo apt install libntirpc-dev
Check if the issue is resolved. However, in my case, it wasn't, so I continued troubleshooting.
apt-file search rpc/rpc.h
I found that the header file exists in the ntirpc directory. My solution was to copy all files from the ntirpc directory to /usr/include/, which resolved the issue:
sudo cp /usr/include/ntirpc/* /usr/include/ -r
Configuration
Creating Directories
# Snort installation directories
sudo mkdir -p /etc/snort/rules/iplists
sudo mkdir -p /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Files for storing filtering rules and server black/whitelists
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/so_rules
# Log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/rules/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
Copying Files
sudo cp /home/kali/snort-2.9.18.1/etc/*.conf* /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.map /etc/snort
sudo cp /home/kali/snort-2.9.18.1/etc/*.dtd /etc/snort
sudo cp /home/kali/snort-2.9.18.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
Modifying Configuration Files
# Open the configuration file
sudo vim /etc/snort/snort.conf
# Modify paths as needed
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists/
var BLACK_LIST_PATH /etc/snort/rules/iplists/
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
Downloading Rules Matching Snort Version
# 1. Download
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29181.tar.gz
# 2. Extract
sudo tar zxvf snortrules-snapshot-29181.tar.gz -C /etc/snort
# 3. Copy the precompiled shared-object rules. Pick the folder that matches your system (RHEL should correspond to Kali) and your installed version (2.9.18.1; usually there is only one folder)
sudo cp /etc/snort/so_rules/precompiled/RHEL-8/x86-64/2.9.18.1/* /usr/local/lib/snort_dynamicrules/
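The following pre-flight script is an added example and is not part of the original post. It targets the two configuration failures listed at the top of the page: a rules snapshot that does not match the installed Snort version, and snort.conf paths that point at files or directories that were never created. The function names `snapshot_name_for` and `check_conf_paths` are chosen for this example; the miniature snort.conf and the `snort -V` banner line it runs on are constructed inline, so it runs without a Snort install. It goes beyond the `include`/`whitelist`/`blacklist` edits shown above by also checking `dynamicpreprocessor directory`, `dynamicdetection directory` and `dynamicengine` lines, which use the same path syntax in snort.conf.

```shell
#!/bin/sh
# Pre-flight checks before `snort -T` (added example, not part of the original post).
# snapshot_name_for: derive the rules tarball name that matches the installed Snort
#   from the banner printed by `snort -V` (2.9.18.1 -> snortrules-snapshot-29181.tar.gz).
# check_conf_paths: expand the `var NAME VALUE` definitions in a snort.conf and list
#   every include / whitelist / blacklist / dynamic* path that does not exist on disk.
# Paths are assumed to contain no whitespace, which holds for the layout used in the post.

snapshot_name_for() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "snapshot_name_for: no 'Version x.y.z' line found" >&2; return 1; }
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$ver" | tr -d '.')"
}

# Prints "MISSING: <path>" for each unresolved path; returns 1 if any is missing, else 0.
check_conf_paths() {
    missing=0
    for p in $(awk '
        # pass 1 (FNR == NR): remember every `var NAME VALUE`
        FNR == NR { if ($1 == "var") vars[$2] = $3; next }
        # pass 2: pick out directives that name a file or directory
        {
            path = ""
            if ($1 == "include" || $1 == "dynamicengine") path = $2
            else if (($1 == "dynamicpreprocessor" || $1 == "dynamicdetection") && $2 == "directory") path = $3
            else if ($1 == "whitelist" || $1 == "blacklist") { path = $2; sub(/,$/, "", path) }
            if (path == "") next
            # substitute each $NAME with the value recorded in pass 1 (undefined names become empty)
            while (match(path, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(path, RSTART + 1, RLENGTH - 1)
                val = (name in vars) ? vars[name] : ""
                path = substr(path, 1, RSTART - 1) val substr(path, RSTART + RLENGTH)
            }
            print path
        }' "$1" "$1"); do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"
            missing=1
        fi
    done
    return "$missing"
}

# --- stand-alone demonstration on constructed input (no Snort install required) ---
SAMPLE_VERSION_LINE='  o"  )~   Version 2.9.18.1 GRE'   # constructed `snort -V` banner line

# Lays out a constructed miniature snort.conf under $1 and prints its path.
# default.blacklist and local.rules are deliberately left out so the report has something to show.
make_demo_conf() {
    base=$1
    mkdir -p "$base/etc/snort/rules/iplists" "$base/usr/local/lib/snort_dynamicpreprocessor"
    : > "$base/etc/snort/rules/iplists/default.whitelist"
    cat > "$base/etc/snort/snort.conf" <<EOF
# constructed excerpt, not a full snort.conf
ipvar HOME_NET any
var RULE_PATH $base/etc/snort/rules
var WHITE_LIST_PATH $base/etc/snort/rules/iplists
var BLACK_LIST_PATH $base/etc/snort/rules/iplists
dynamicpreprocessor directory $base/usr/local/lib/snort_dynamicpreprocessor/
preprocessor reputation: \\
   whitelist \$WHITE_LIST_PATH/default.whitelist, \\
   blacklist \$BLACK_LIST_PATH/default.blacklist
include \$RULE_PATH/local.rules
EOF
    printf '%s\n' "$base/etc/snort/snort.conf"
}

demo_dir=$(mktemp -d)
echo "rules tarball for this build: $(snapshot_name_for "$SAMPLE_VERSION_LINE")"
demo_conf=$(make_demo_conf "$demo_dir")
check_conf_paths "$demo_conf" || echo "create the files above before running: snort -T -c $demo_conf"
rm -rf "$demo_dir"
```

On a real install, `snapshot_name_for "$(snort -V 2>&1)"` gives the tarball name to request from snort.org, and `check_conf_paths /etc/snort/snort.conf` run before `snort -T` names the exact path behind a file-not-found error instead of leaving you to read it out of Snort's startup output.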
Testing
The results appear normal.
sudo snort -T -c /etc/snort/snort.conf
