Security Onion: Installing Snort 3.0 (SnortSP) Beta 3 on Ubuntu 8.04 in 3 Steps

Saturday, April 4, 2009

Installing Snort 3.0 (SnortSP) Beta 3 on Ubuntu 8.04 in 3 Steps

Snort 3.0 Beta 3 was released on April 1. You can read an overview of the changes in Snort 3.0 Beta 3 in the mailing list announcement. For more details on the underlying architectural changes in Beta 3, see Marty Roesch's blog. Thanks to Marty and the rest of the Snort 3 Development Team for their hard work in this release!

Installing Snort 3.0 Beta 3 on Ubuntu 8.04 is almost identical to installing Snort 3.0 Beta 2 on Ubuntu 8.04. However, I did have an issue with the Snort 2.8 Detection Engine not compiling correctly. This turned out to be libtool not liking the fact that /bin/sh was symlinked to /bin/dash instead of /bin/bash. The one-line fix was:

rm /bin/sh && ln -s /bin/bash /bin/sh

(Special thanks to Russ Combs of the SnortSP development team for his assistance with this issue.)

Here's the complete install recipe that worked for me:

Step 1: Get root privileges

##########################
sudo -i
##########################

Step 2: Install dependencies

##########################
aptitude update
aptitude -y install build-essential \
libdumbnet1 libdumbnet-dev \
uuid uuid-dev \
libncurses5 libncurses5-dev \
libreadline5 libreadline5-dev \
libpcap0.8 libpcap0.8-dev \
libpcre3 libpcre3-dev \
liblua5.1-0 liblua5.1-0-dev \
flex bison
##########################

Step 3: Download, compile, and install Snort 3.0 Beta 3

##########################
rm /bin/sh && ln -s /bin/bash /bin/sh
cd /usr/local/src/
wget http://dl.snort.org/snortsp/\
snortsp-3.0.0b3.tar.gz
tar zxvf snortsp-3.0.0b3.tar.gz
cd snortsp-3.0.0b3/
./configure
make
make install
mkdir /etc/snortsp/
cp etc/* /etc/snortsp/
cd src/analysis/snort/
./configure \
--with-platform-includes=/usr/local/include \
--with-platform-libraries=/usr/local/lib
make
make install
ldconfig
##########################

8 comments:

-Andy said...: Thank you for posting the /bin/sh --> /bin/dash symlink fix. I thought I was going crazy just trying to make simple rules to work. Much appreciated!; May 30, 2009 at 12:35 PM
author_number_2 said...: thank you for the detailed procedure. steps 1 and 2 worked for me but step 3 doesn't work for me. im running ubuntu karmic koala 9.1

ive tried snort 3 (b2)and snort 3 beta (b3) but both didn't work. can you help me?; February 28, 2010 at 3:53 AM
Doug Burks said...: Hi Dolphin,

It looks like the download link for Snort 3.0 Beta 3 changed. Here's the new link:
http://dl.snort.org/snortsp/snortsp-3.0.0b3.tar.gz

I've updated the procedure to reflect the new link.

Thanks,
Doug Burks; February 28, 2010 at 4:06 PM
author_number_2 said...: thank you for the reply doug!

when i run the wget command,this is the reply

root@dolphin-laptop:/usr/local/src# wget http://dl.snort.org/snortsp/\
> snortsp-3.0.0b3.tar.gz
--2010-02-28 15:54:36-- http://dl.snort.org/snortsp/snortsp-3.0.0b3.tar.gz
Resolving dl.snort.org... 68.177.102.34
Connecting to dl.snort.org|68.177.102.34|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-02-28 15:54:36 ERROR 403: Forbidden.

I'm not sure why the forbidden error arises, I'm executing the commands in root mode!; February 28, 2010 at 4:57 PM
author_number_2 said...: I've tried doing that but didn't work for me. instead i tried continuing in the downloads folder itself!

looks like i messed it up entirely. i couldn't run from 'mkdir /etc/snortsp/' step.

do i need to roll back?

thanks,
dolphin; February 28, 2010 at 5:14 PM
Doug Burks said...: Hello again Dolphin,

The "Forbidden" error is not coming from your local system; it is an HTTP 403 Forbidden error coming from snort.org. The most likely cause is that you exceeded the download limit for snort.org. If you put the address in a browser, you would probably see the full HTTP 403 Forbidden error like the following:

403 Forbidden
You may download this file again in 15 minutes.

Please try your download again today and see if you're successful.

Thanks,
Doug Burks; March 1, 2010 at 6:17 AM
author_number_2 said...: thanks for the concern!

i tried today and managed to get till the penultimate step but it replies that no such file or directory exists. also, mkdir /etc/snortsp didn't work directly and I had to use -p option to create the directory.

root@dolphin-laptop:/usr/local/src/snortsp-3.0.0b3/src/analysis/snort# ./configure\
> --with-platform-includes=/usr/local/include\
> --with-platform-libraries=/usr/local/lib
-bash: ./configure--with-platform-includes=/usr/local/include--with-platform-libraries=/usr/local/lib: No such file or directory; March 1, 2010 at 12:24 PM
Doug Burks said...: Hello again Dolphin,

I'm not sure why "mkdir -p /etc/snortsp" would work when "mkdir /etc/snortsp" wouldn't. You should've already had a /etc directory so the "-p" option should not have been necessary.

The problem with your ./configure command is that you missed the spaces before the backslashes.

Is there some reason in particular you're choosing to compile the unsupported beta version of SnortSP (Snort 3.0) instead of the supported version of Snort 2.8 (currently 2.8.5.3)?

Regards,
Doug Burks; March 1, 2010 at 6:58 PM

Security Onion

Saturday, April 4, 2009

Installing Snort 3.0 (SnortSP) Beta 3 on Ubuntu 8.04 in 3 Steps

8 comments:

Search This Blog

Featured Post

Did You Know Security Onion Scales to the Enterprise?

Popular Posts

Blog Archive