Saturday, April 4, 2009

Installing Snort 3.0 (SnortSP) Beta 3 on Ubuntu 8.04 in 3 Steps

Snort 3.0 Beta 3 was released on April 1. You can read an overview of the changes in Snort 3.0 Beta 3 in the mailing list announcement. For more details on the underlying architectural changes in Beta 3, see Marty Roesch's blog. Thanks to Marty and the rest of the Snort 3 Development Team for their hard work in this release!

Installing Snort 3.0 Beta 3 on Ubuntu 8.04 is almost identical to installing Snort 3.0 Beta 2 on Ubuntu 8.04. However, I did have an issue with the Snort 2.8 Detection Engine not compiling correctly. This turned out to be libtool failing because /bin/sh was symlinked to /bin/dash (Ubuntu's default) instead of /bin/bash. The one-line fix, which repoints /bin/sh at bash, was:
rm /bin/sh && ln -s /bin/bash /bin/sh
(Special thanks to Russ Combs of the SnortSP development team for his assistance with this issue.)

Here's the complete install recipe that worked for me:

Step 1: Get root privileges
##########################
sudo -i
##########################
Step 2: Install dependencies
##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################
Step 3: Download, compile, and install Snort 3.0 Beta 3
##########################
rm /bin/sh && ln -s /bin/bash /bin/sh
cd /usr/local/src/
wget http://dl.snort.org/snortsp/\
snortsp-3.0.0b3.tar.gz
tar zxvf snortsp-3.0.0b3.tar.gz
cd snortsp-3.0.0b3/
./configure
make
make install
mkdir /etc/snortsp/
cp etc/* /etc/snortsp/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################
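A pre-flight helper to go with the recipe above (an added example, not code from the original post or from SnortSP): it reports which shell an sh symlink finally resolves to, the condition that broke the Snort 2.8 engine build, and composes the Step 3 configure line for src/analysis/snort. When sh is not bash it prefixes CONFIG_SHELL=/bin/bash, autoconf's variable for the shell configure runs under, rather than replacing /bin/sh; that this alone is enough for the Beta 3 libtool problem is an assumption (the post's own fix is the symlink swap), and the path argument exists only so the functions can be checked against test symlinks.

```shell
#!/bin/bash
# Added helper for the recipe above; not code from the original post or from SnortSP.

# Print the basename of the shell that an sh symlink finally resolves to.
# Return codes: 0 = bash, 1 = dash (the case that broke the build),
# 2 = path missing or dangling link, 3 = some other shell.
sh_target() {
    local sh_path="${1:-/bin/sh}" target name
    [ -e "$sh_path" ] || return 2
    target="$(readlink -f -- "$sh_path")" || return 2
    name="$(basename -- "$target")"
    printf '%s\n' "$name"
    case "$name" in
        bash) return 0 ;;
        dash) return 1 ;;
        *)    return 3 ;;
    esac
}

# Compose the Step 3 configure line for src/analysis/snort. If the given sh is
# not bash, prefix CONFIG_SHELL=/bin/bash (autoconf's variable for the shell
# configure and its generated libtool script run under) instead of repointing
# /bin/sh. Assumption: CONFIG_SHELL is sufficient here; the post swapped the link.
engine_configure_cmd() {
    local sh_path="${1:-/bin/sh}" rc=0 prefix=""
    sh_target "$sh_path" >/dev/null || rc=$?
    [ "$rc" -eq 0 ] || prefix="CONFIG_SHELL=/bin/bash "
    printf '%s./configure --with-platform-includes=/usr/local/include --with-platform-libraries=/usr/local/lib\n' "$prefix"
}

# Stand-alone use: report what /bin/sh resolves to and print the command to run
# from inside snortsp-3.0.0b3/src/analysis/snort.
name="$(sh_target /bin/sh)" || true
echo "/bin/sh resolves to: ${name:-unknown}"
engine_configure_cmd /bin/sh
```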

8 comments:

-Andy said...

Thank you for posting the /bin/sh --> /bin/dash symlink fix. I thought I was going crazy just trying to make simple rules work. Much appreciated!

dolphin said...

Thank you for the detailed procedure. Steps 1 and 2 worked for me but step 3 doesn't work for me. I'm running Ubuntu Karmic Koala 9.1.

I've tried Snort 3 (b2) and Snort 3 beta (b3) but neither worked. Can you help me?

Doug Burks said...

Hi Dolphin,

It looks like the download link for Snort 3.0 Beta 3 changed. Here's the new link:
http://dl.snort.org/snortsp/snortsp-3.0.0b3.tar.gz

I've updated the procedure to reflect the new link.

Thanks,
Doug Burks

dolphin said...

Thank you for the reply, Doug!

When I run the wget command, this is the reply:

root@dolphin-laptop:/usr/local/src# wget http://dl.snort.org/snortsp/\
> snortsp-3.0.0b3.tar.gz
--2010-02-28 15:54:36-- http://dl.snort.org/snortsp/snortsp-3.0.0b3.tar.gz
Resolving dl.snort.org... 68.177.102.34
Connecting to dl.snort.org|68.177.102.34|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-02-28 15:54:36 ERROR 403: Forbidden.

I'm not sure why the forbidden error arises, I'm executing the commands in root mode!

dolphin said...

I've tried doing that but it didn't work for me. Instead I tried continuing in the downloads folder itself!

Looks like I messed it up entirely. I couldn't run from the 'mkdir /etc/snortsp/' step.

Do I need to roll back?

Thanks,
dolphin

Doug Burks said...

Hello again Dolphin,

The "Forbidden" error is not coming from your local system; it is an HTTP 403 Forbidden error coming from snort.org. The most likely cause is that you exceeded the download limit for snort.org. If you put the address in a browser, you would probably see the full HTTP 403 Forbidden error like the following:

403 Forbidden
You may download this file again in 15 minutes.
Please try your download again today and see if you're successful.

Thanks,
Doug Burks

dolphin said...

Thanks for the concern!

I tried today and managed to get to the penultimate step, but it replies that no such file or directory exists. Also, mkdir /etc/snortsp didn't work directly and I had to use the -p option to create the directory.

root@dolphin-laptop:/usr/local/src/snortsp-3.0.0b3/src/analysis/snort# ./configure\
> --with-platform-includes=/usr/local/include\
> --with-platform-libraries=/usr/local/lib
-bash: ./configure--with-platform-includes=/usr/local/include--with-platform-libraries=/usr/local/lib: No such file or directory

Doug Burks said...

Hello again Dolphin,

I'm not sure why "mkdir -p /etc/snortsp" would work when "mkdir /etc/snortsp" wouldn't. You should've already had a /etc directory so the "-p" option should not have been necessary.

The problem with your ./configure command is that you missed the spaces before the backslashes.

Is there some reason in particular you're choosing to compile the unsupported beta version of SnortSP (Snort 3.0) instead of the supported version of Snort 2.8 (currently 2.8.5.3)?

Regards,
Doug Burks