Saturday, January 24, 2009

Installing Snort 3.0 (SnortSP) on Ubuntu in 3 Steps

Here's a really quick recipe for installing the Snort 3.0 Architecture on Ubuntu 8.04. Note that the Snort 3.0 Architecture consists of two pieces: the SnortSP framework and the Snort 2.8.2 Detection Engine, which ships inside the same tarball and is built separately from its src/analysis/snort/ subdirectory against the installed SnortSP headers and libraries. You should be able to open a terminal and then copy/paste each of the three blocks of commands. Two caveats before you start: this is a prerelease (beta 2) build, so treat it as a lab install rather than a production sensor, and the recipe runs every step as root and fetches the tarball over plain HTTP with no integrity check, so if snort.org publishes a checksum for the release, compare it against the download before running make install.

Step 1: Get root privileges
##########################
sudo -i
##########################
Step 2: Install dependencies
##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################
Step 3: Download, compile, and install the Snort 3.0 Architecture
##########################
cd /usr/local/src/
# The URL is one argument; it is split with a trailing backslash only so
# that it survives line-wrapping when pasted into bash
wget http://www.snort.org/dl/prerelease\
/3.0.0-b2/snortsp-3.0.0b2.tar.gz
tar zxvf snortsp-3.0.0b2.tar.gz
cd snortsp-3.0.0b2/
# Build and install the SnortSP framework itself (headers go to
# /usr/local/include/snortsp, libraries to /usr/local/lib)
./configure
make
make install
mkdir /etc/SnortSP/
cp etc/* /etc/SnortSP/
# Build the Snort 2.8.2 Detection Engine, which lives inside the same
# tarball, against the SnortSP headers and libraries just installed
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include/snortsp \
--with-platform-libraries=/usr/local/lib
make
make install
# Refresh the shared-library cache so the new libraries are found at runtime
ldconfig
##########################
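
The same three steps as a fail-fast script, added here as an example rather than taken from the post. It keeps the recipe's commands but refuses to build unless the host reports Ubuntu 8.04 in /etc/lsb-release (the comments below report failures on 8.10), every dependency package actually ended up installed, and the downloaded tarball matches a SHA-256 digest you supply in the SNORTSP_SHA256 environment variable, since the original fetches over plain HTTP with no integrity check. The variable names, the release check, the digest check, and the SNORTSP_RUN_INSTALL guard are this example's own assumptions, not part of the SnortSP release or the original recipe; the digest itself has to come from somewhere you trust more than the download path, or the check proves nothing.

```shell
#!/bin/sh
# Added example, not from the original post: the three-step SnortSP recipe
# wrapped so that it fails fast and checks the platform, the packages and the
# tarball before anything is compiled or installed as root.
#
# Assumptions not in the original post:
#   - SNORTSP_SHA256 holds the SHA-256 digest of snortsp-3.0.0b2.tar.gz,
#     obtained from a source more trustworthy than the plain-HTTP download;
#   - the host is Ubuntu 8.04 (DISTRIB_RELEASE in /etc/lsb-release);
#   - SNORTSP_RUN_INSTALL=1 must be set before the script touches the system.
set -eu

SNORTSP_VERSION="3.0.0b2"
SNORTSP_TARBALL="snortsp-${SNORTSP_VERSION}.tar.gz"
SNORTSP_URL="http://www.snort.org/dl/prerelease/3.0.0-b2/${SNORTSP_TARBALL}"
SRC_DIR="/usr/local/src"
CONF_DIR="/etc/SnortSP"
DEPS="build-essential libdumbnet1 libdumbnet-dev uuid uuid-dev
      libncurses5 libncurses5-dev libreadline5 libreadline5-dev
      libpcap0.8 libpcap0.8-dev libpcre3 libpcre3-dev
      liblua5.1-0 liblua5.1-0-dev flex bison"

# require_release FILE WANTED: succeed only if FILE (lsb-release format)
# declares DISTRIB_RELEASE=WANTED.
require_release() {
    local file="$1" wanted="$2" found
    found=$(sed -n 's/^DISTRIB_RELEASE=//p' "$file")
    [ "$found" = "$wanted" ]
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
# A mismatch means the download is not the file the digest was taken from,
# whether through corruption or tampering on the HTTP path.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# missing_packages PKG...: print each package dpkg does not report as installed.
missing_packages() {
    local pkg
    for pkg in "$@"; do
        dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null \
            | grep -q '^install ok installed$' || echo "$pkg"
    done
}

install_snortsp() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo -i)" >&2; return 1; }
    require_release /etc/lsb-release 8.04 || { echo "expected Ubuntu 8.04" >&2; return 1; }
    [ -n "${SNORTSP_SHA256:-}" ] || { echo "set SNORTSP_SHA256 first" >&2; return 1; }

    aptitude update
    aptitude -y install $DEPS            # DEPS is intentionally word-split
    local still_missing
    still_missing=$(missing_packages $DEPS)
    [ -z "$still_missing" ] || { echo "not installed: $still_missing" >&2; return 1; }

    mkdir -p "$SRC_DIR" && cd "$SRC_DIR"
    [ -f "$SNORTSP_TARBALL" ] || wget -O "$SNORTSP_TARBALL" "$SNORTSP_URL"
    verify_sha256 "$SNORTSP_TARBALL" "$SNORTSP_SHA256" \
        || { echo "digest mismatch, refusing to build" >&2; return 1; }

    tar zxf "$SNORTSP_TARBALL"
    cd "snortsp-${SNORTSP_VERSION}"
    ./configure && make && make install  # SnortSP framework
    mkdir -p "$CONF_DIR" && cp etc/* "$CONF_DIR"/
    cd src/analysis/snort
    ./configure \
        --with-platform-includes=/usr/local/include/snortsp \
        --with-platform-libraries=/usr/local/lib
    make && make install                 # Snort 2.8.2 Detection Engine
    ldconfig
}

# Only perform the installation when explicitly asked, so the checks above
# can be exercised on a machine you do not want to touch.
if [ "${SNORTSP_RUN_INSTALL:-0}" = "1" ]; then
    install_snortsp
fi
```

Run it as root with SNORTSP_SHA256 set to the digest and SNORTSP_RUN_INSTALL=1; without the guard variable the script only defines its functions, which is what lets the release and digest checks be tried out in isolation.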


Future posts will cover where to go from here.

12 comments:

Steve Ballantyne said...

This is a really helpful and straightforward how-to! For anyone who might be following this tutorial verbatim, you will need to change the wget line as Snort has moved things around a bit.

Under step #3, change the third line to:
wget http://www.snort.org/dl/prerelease/3.0.0-b2/snortsp-3.0.0b2.tar.gz

Doug Burks said...

Hi Steve,

Thanks for trying the tutorial and for your feedback.

I compared your URL to the URL in the tutorial and they appear to be identical. My guess is that line-wrapping is to blame. I've manually broken that line into two pieces and included a backslash at the end of the first line to allow copy/pasting into a bash terminal. If you get a chance, please try it again and let me know whether or not that works for you.

Also, have you tried my follow-on tutorials? I would appreciate any and all feedback.

Thanks,
Doug Burks
http://securityonion.blogspot.com

Steve Ballantyne said...

Hey Doug,

I think that was a case of a user (me) not following directions correctly. :-) Later, I ran through this routine using a line by line copy off your posting as a shell script. Naturally, it ran fine. Nothing has been moved around. Now I don't know what I was doing to *not* get the file. Anyway - please disregard.

A problem I did run into was trying to run this same process on Ubuntu 8.10 (Intrepid). I failed miserably. After much Googling I didn't find any solutions, but rather I found a handful of people in the same boat as me who were seeing the same error messages. I was able to compile Snort 3.0.0 just fine, but the analysis piece kept crashing out.

So I started over last evening with a clean installation of 8.04 server. Everything went off without a hitch. I just now (as in 10 minutes ago) ran through part II of this project to get the inline bridging mode enabled. It *seems* to work. However, I don't know where to look for a log file now. It looks like I have some reading to do. :-)

Thanks again for posting these how-to's. They are very, very helpful.

Doug Burks said...

Steve,

Thanks again for the feedback. I'm glad you're finding the tutorials helpful.

As far as the inline bridging mode, if you can see the packets displayed in your terminal, then it is working. SnortSP doesn't create a log file currently. If you enable the Snort 2.8.2 Detection Engine, then it can log in unified2 format (which can be read with barnyard2). Please take a look at my SnortSP/Sguil tutorial for further information.

Thanks,
Doug Burks
http://securityonion.blogspot.com

JTB said...

Thank you for this, I am going to try it. I have installed Ubuntu 8.04 on a desktop machine. Does this work with that OS? Do I need to update to the latest?

Doug Burks said...

JTB,

Yes, these steps will work on Ubuntu 8.04. And yes, please make sure that all updates have been applied.

Please let me know if you have any further questions or problems.

Thanks,
Doug Burks
http://securityonion.blogspot.com

JTB said...

Thank you for your prompt reply. Did you mean install the latest version 9 of Ubuntu, or just the latest security and patch updates? Oh, the other thing was with 3.0: where is it? I cannot find it on Snort's website.

Doug Burks said...

JTB,

Sorry for the confusion. You don't have to upgrade to Ubuntu 9.04. Just make sure that all patches have been applied to Ubuntu 8.04.

Snort 3.0 Beta 3 can be downloaded from the following page on snort.org:
http://snort.org/dl/snortsp/

Also, make sure you are using the latest version of my HOWTO, which can be found here:
http://securityonion.blogspot.com/2009/04/installing-snort-30-snortsp-beta-3-on.html

JTB said...

Thank you for that! One more question: I have seen guides around and I have tried them with failure. Some of the guides install MySQL, BASE, Apache and OSSEC; are these really needed? I do, though, want to log the packets that are sniffed to MySQL, and also, does Snort have a GUI or web interface?

Doug Burks said...

JTB,

NSMnow is the answer to all your questions. It will automatically install and configure Snort, Barnyard2, MySQL, Sguil, Sancp, and everything else necessary to give you a database backend and a highly-functional GUI frontend.

You can find NSMnow at:
http://www.securixlive.com/nsmnow/index.php

Read more about using NSMnow with Snort 3.0 Beta 3 here:
http://securityonion.blogspot.com/2009/04/integrating-snort-30-beta-3-and-sguil.html

tamara said...

Doug, with NSMnow should I just follow the manual to install, step by step? Thanks

Doug Burks said...

Tamara,

I usually execute NSMnow like this:
./NSMnow -i -y

This puts NSMnow on "autopilot", accepting all defaults and doing a fairly automated installation. The only thing you should have to do is enter a password for MySQL when prompted.

Please let me know if you have any further questions or problems.

Thanks,
Doug