##########################
Step 1: Get root privileges
##########################
sudo -i

##########################
Step 2: Install dependencies
##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison

##########################
Step 3: Download, compile, and install the Snort 3.0 Architecture
##########################
cd /usr/local/src/
wget http://www.snort.org/dl/prerelease\
/3.0.0-b2/snortsp-3.0.0b2.tar.gz
tar zxvf snortsp-3.0.0b2.tar.gz
cd snortsp-3.0.0b2/
./configure
make
make install
mkdir /etc/SnortSP/
cp etc/* /etc/SnortSP/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include/snortsp \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################
Future posts will cover where to go from here.
This is a really helpful and straightforward how-to! For anyone who might be following this tutorial verbatim, you will need to change the wget line as Snort has moved things around a bit.
Under step #3, change the third line to:
wget http://www.snort.org/dl/prerelease/3.0.0-b2/snortsp-3.0.0b2.tar.gz
Hi Steve,
Thanks for trying the tutorial and for your feedback.
I compared your URL to the URL in the tutorial and they appear to be identical. My guess is that line-wrapping is to blame. I've manually broken that line into two pieces and included a backslash at the end of the first line to allow copy/pasting into a bash terminal. If you get a chance, please try it again and let me know whether or not that works for you.
Also, have you tried my follow-on tutorials? I would appreciate any and all feedback.
Thanks,
Doug Burks
http://securityonion.blogspot.com
Hey Doug,
I think that was a case of a user (me) not following directions correctly. :-) Later, I ran through this routine using a line by line copy off your posting as a shell script. Naturally, it ran fine. Nothing has been moved around. Now I don't know what I was doing to *not* get the file. Anyway - please disregard.
A problem I did run into was trying to run this same process on Ubuntu 8.10 (Intrepid). I failed miserably. After much Googling I didn't find any solutions, but rather I found a handful of people in the same boat as me who were seeing the same error messages. I was able to compile Snort 3.0.0 just fine, but the analysis piece kept crashing out.
So I started over last evening with a clean installation of 8.04 server. Everything went off without a hitch. I just now (as in 10 minutes ago) ran through part II of this project to get the inline bridging mode enabled. It *seems* to work. However, I don't know where to look for a log file now. It looks like I have some reading to do. :-)
Thanks again for posting these how-to's. They are very, very helpful.
Steve,
Thanks again for the feedback. I'm glad you're finding the tutorials helpful.
As far as the inline bridging mode, if you can see the packets displayed in your terminal, then it is working. SnortSP doesn't create a log file currently. If you enable the Snort 2.8.2 Detection Engine, then it can log in unified2 format (which can be read with barnyard2). Please take a look at my SnortSP/Sguil tutorial for further information.
Thanks,
Doug Burks
http://securityonion.blogspot.com
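The unified2 output Doug describes above is a binary format rather than a text log, so "where to look" means reading records the way barnyard2 does. The following is an added example, not code from the post or from the Snort/barnyard2 projects: a small Python reader that walks a unified2 stream, decodes the legacy IPv4 IDS event (type 7) and packet (type 2) records, pairs packets with their event by sensor id, event id and event second, and refuses truncated records instead of returning partial ones. The record layouts follow the unified2 structs shipped with Snort; the `correlate` and `format_alert` helpers, the function names and the sample alert values are my own construction.

```python
"""Reader for Snort unified2 records (added example; not code from the post).

SnortSP writes no log of its own; with the Snort 2.8.2 detection engine
enabled it emits unified2, the binary format barnyard2 consumes. A stream
is a sequence of records, each a big-endian header (uint32 type, uint32
length) followed by `length` payload bytes. Decoded here: type 7
(UNIFIED2_IDS_EVENT, legacy IPv4 event, 52 bytes) and type 2
(UNIFIED2_PACKET, 28-byte header plus raw packet bytes); other types are
kept undecoded so the stream stays walkable.
"""
import socket
import struct

RECORD_HEADER = struct.Struct("!II")
# Field order of the legacy IPv4 IDS event struct (Unified2IDSEvent_legacy).
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
    "blocked",
)
IDS_EVENT = struct.Struct("!11I2H4B")          # 52 bytes
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
PACKET = struct.Struct("!7I")                  # 28 bytes, then packet_data

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7


def parse_unified2(data):
    """Return a list of (record_type, fields) tuples.

    Raises ValueError on a truncated header or body rather than returning a
    partial record (a file Snort is still writing can end mid-record).
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % offset)
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        body = data[offset:offset + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % offset)
        offset += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
            # Addresses are stored as network-order uint32; render dotted quad.
            rec["ip_source"] = socket.inet_ntoa(struct.pack("!I", rec["ip_source"]))
            rec["ip_destination"] = socket.inet_ntoa(struct.pack("!I", rec["ip_destination"]))
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET.size:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            pkt = body[PACKET.size:PACKET.size + rec["packet_length"]]
            if len(pkt) != rec["packet_length"]:
                raise ValueError("packet_length exceeds record body")
            rec["packet_data"] = pkt
        else:
            rec = {"raw": body}            # unknown type: carried through
        records.append((rtype, rec))
    return records


def correlate(records):
    """Attach packet records to their event by (sensor_id, event_id, event_second)."""
    alerts = {}
    for rtype, rec in records:
        if rtype == UNIFIED2_IDS_EVENT:
            key = (rec["sensor_id"], rec["event_id"], rec["event_second"])
            alerts[key] = dict(rec, packets=[])
    for rtype, rec in records:
        if rtype == UNIFIED2_PACKET:
            key = (rec["sensor_id"], rec["event_id"], rec["event_second"])
            if key in alerts:              # packets without an event are dropped
                alerts[key]["packets"].append(rec["packet_data"])
    return [alerts[k] for k in sorted(alerts)]


def format_alert(a):
    """One-line summary in the [gid:sid:rev] style Snort uses in its own alerts."""
    return "[%d:%d:%d] %s:%d -> %s:%d proto=%d prio=%d packets=%d" % (
        a["generator_id"], a["signature_id"], a["signature_revision"],
        a["ip_source"], a["sport_itype"], a["ip_destination"],
        a["dport_icode"], a["protocol"], a["priority_id"], len(a["packets"]))


def build_sample():
    """Constructed two-record stream (sample values, not a real capture)."""
    src = struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.0.2.20"))[0]
    # Hypothetical event: GID 1, SID 1000001 rev 1, TCP 192.0.2.10:44321 -> :80.
    event = IDS_EVENT.pack(1, 7, 1240000000, 123456, 1000001, 1, 1,
                           3, 2, src, dst, 44321, 80, 6, 0, 0, 0)
    # packet_data is normally a full link-layer frame; a bare HTTP request
    # line stands in for it here so the sample stays short.
    pkt = b"GET / HTTP/1.0\r\n\r\n"
    packet = PACKET.pack(1, 7, 1240000000, 1240000000, 123456, 1, len(pkt)) + pkt
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    for alert in correlate(parse_unified2(build_sample())):
        print(format_alert(alert))
```

To read a real spool, replace `build_sample()` with the bytes of a `snort.log.*` or `merged.log.*` file; the truncation check is what lets a reader safely tail a file that Snort is still appending to, retrying from the last complete record.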
Thank you for this, I am going to try it. I have installed Ubuntu 8.04 on a desktop machine. Does this work with that OS? Do I need to update to the latest?
JTB,
Yes, these steps will work on Ubuntu 8.04. And yes, please make sure that all updates have been applied.
Please let me know if you have any further questions or problems.
Thanks,
Doug Burks
http://securityonion.blogspot.com
Thank you for your prompt reply. Did you mean install the latest version 9 of Ubuntu, or just the latest security and patch updates? Oh, the other thing was with 3.0: where is it? I cannot find it on Snort's website.
JTB,
Sorry for the confusion. You don't have to upgrade to Ubuntu 9.04. Just make sure that all patches have been applied to Ubuntu 8.04.
Snort 3.0 Beta 3 can be downloaded from the following page on snort.org:
http://snort.org/dl/snortsp/
Also, make sure you are using the latest version of my HOWTO, which can be found here:
http://securityonion.blogspot.com/2009/04/installing-snort-30-snortsp-beta-3-on.html
Thank you for that! One more question: I have seen guides around and I have tried them with failure. Some of the guides install MySQL, BASE, Apache and OSSEC; are these really needed? I do, though, want to log the packets that are sniffed to MySQL, and also, does Snort have a GUI or web interface?
JTB,
NSMnow is the answer to all your questions. It will automatically install and configure Snort, Barnyard2, MySQL, Sguil, Sancp, and everything else necessary to give you a database backend and a highly-functional GUI frontend.
You can find NSMnow at:
http://www.securixlive.com/nsmnow/index.php
Read more about using NSMnow with Snort 3.0 Beta 3 here:
http://securityonion.blogspot.com/2009/04/integrating-snort-30-beta-3-and-sguil.html
Doug, with NSMnow should I just follow the manual to install, step by step? Thanks
Tamara,
I usually execute NSMnow like this:
./NSMnow -i -y
This puts NSMnow on "autopilot", accepting all defaults and doing a fairly automated installation. The only thing you should have to do is enter a password for MySQL when prompted.
Please let me know if you have any further questions or problems.
Thanks,
Doug