Aug 25, 2011


Here are the steps to install Snort:
  1. yum clean all
  2. yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel
  3. yum install pcre pcre-devel php php-common php-gd gd php-cli php-mysql flex bison php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server glib2-devel
  4. Make sure libpcap (version 1.0.0) is installed. If a version lower than 1.0.0 is installed, it won’t work. If you need to, you can download and build it using the following commands:
    1. wget
    2. tar -xzf libpcap-1.0.0.tar.gz
    3. cd libpcap-1.0.0
    4. ./configure --prefix=/usr
    5. make
    6. make install
  5. wget
  6. Download libnet-1.0.2a.tar.gz (not .tgz file and not a later version) from
  7. Download the latest Snort binary from
  8. Download the latest daq from
  9. Download base-1.4.5.tar.gz from
    Command: wget
  10. Download ADOdb from
  11. Download Barnyard2:
  12. Install libdnet:
    1. cd libdnet-1.12
    2. ./configure
    3. make
    4. make install
  13. Install daq:
    1. tar -xf daq-0.5.tar
    2. cd daq-0.5
    3. ./configure         <-- Make sure you installed libpcap 1.0.0 (as mentioned above), otherwise this will fail
    4. make
    5. make install
  14. Install barnyard2
    1. tar -xzf barnyard2-1.9.tar.gz
    2. cd barnyard2-1.9
    3. ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
    4. make
    5. make install
  15. Install snort:
    1. tar -xf snort-
    2. cd snort-
    3. ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin
    4. make
    5. make install
    6. groupadd snort
    7. useradd -g snort snort -s /sbin/nologin
    8. mkdir /etc/snort
    9. mkdir /etc/snort/rules
    10. mkdir /etc/snort/so_rules
    11. mkdir /var/log/snort
    12. chown snort:snort /var/log/snort
    13. cd /root/Snort/snort-
    14. cp * /etc/snort/
    15. Download latest Snort rules file from and install:
      1. Register an account at to get your Oinkcode
      2. wget -O snortrules-snapshot-2902.tar.gz
        NOTE: To get the right version for that URL, look at what is available on the site under VRT Releases
      3. mkdir snortrules ; tar -xzf snortrules-snapshot-2902.tar.gz -C snortrules ; cd snortrules
      4. cp rules/* /etc/snort/rules
  16. Install ADOdb and base:
    1. cd /var/www/html
    2. cp ADODB4991.tar /var/www/html/
    3. cp base-1.4.5.tar.gz /var/www/html/
    4. tar -xf ADODB4991.tar
    5. tar -xzf base-1.4.5.tar.gz
    6. chown -R root:root base-1.4.5
    7. chmod 777 base-1.4.5
    8. vim /etc/php.ini and set the following line to be: error_reporting  =  E_ALL & ~E_NOTICE
    9. service httpd restart
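Steps 4 and 13 above both hinge on the installed libpcap being at least 1.0.0, and steps 12 to 15 repeat the same configure/make/make install sequence, where a failed configure silently leaves a broken tree if the commands are typed one after another. The following helper script is an added example, not from the original post: it compares dotted version strings, reads the libpcap version from the installed shared-library name (an assumption: the library is installed as libpcap.so.<version>, e.g. libpcap.so.1.0.0 in /usr/lib64 or /usr/lib), and wraps the build steps so they stop at the first failure. The source directory /root/Snort is taken from step 15 of the post; the tarball directory names match the versions used above.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the Snort build steps above.
# Assumes the sources were already extracted under $SRC (default /root/Snort, as in step 15).

SRC="${SRC:-/root/Snort}"

# version_ge A B: succeed (exit 0) when dotted version A is >= dotted version B,
# e.g. version_ge 1.4.0 1.0.0 succeeds, version_ge 0.9.8 1.0.0 fails.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"        # leading numeric component of each
    ai="${ai:-0}"; bi="${bi:-0}"        # missing trailing components count as 0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac   # drop the compared component
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# detect_libpcap: print the highest libpcap version found on disk.
# Assumption: the library file is named libpcap.so.<version> (e.g. libpcap.so.1.0.0).
detect_libpcap() {
  for f in /usr/lib64/libpcap.so.* /usr/lib/libpcap.so.*; do
    [ -e "$f" ] || continue
    echo "${f##*libpcap.so.}"
  done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# libpcap_ok [version]: check the given version (or the detected one) against the
# 1.0.0 minimum the post calls out; daq's configure fails below that.
libpcap_ok() {
  v="${1:-$(detect_libpcap)}"
  [ -n "$v" ] || { echo "libpcap not found under /usr/lib64 or /usr/lib" >&2; return 1; }
  version_ge "$v" 1.0.0
}

# build_install DIR [configure args...]: the configure/make/make install sequence from
# steps 12-14, run in a subshell so a failure at any stage aborts that package's build.
build_install() {
  dir="$1"; shift
  ( cd "$SRC/$dir" && ./configure "$@" && make && make install )
}

# Usage: sh snort-build.sh install   (runs nothing unless asked, so the helpers can be sourced)
if [ "${1:-}" = install ]; then
  libpcap_ok || { echo "install libpcap 1.0.0 first (step 4); daq will not build" >&2; exit 1; }
  build_install libdnet-1.12 || exit 1
  build_install daq-0.5 || exit 1
  build_install barnyard2-1.9 --with-mysql --with-mysql-libraries=/usr/lib64/mysql/ || exit 1
fi
```

The version check is deliberately separate from the build wrapper so it can be run on its own before downloading anything; the detected version comes only from the library file name, so a libpcap built with a different install prefix than /usr has to be passed to libpcap_ok explicitly.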
Installation References:
Snort can run in one of 3 modes:
  1. Sniffer Mode: Captures packets on the wire and dumps them to your screen (console)
    1. Command (shows only TCP and IP headers): ./snort -v
    2. Command (shows data as well): ./snort -vd
    3. Command (shows data link layer headers as well): ./snort -vde
  2. Packet Logger Mode: Captures packets and logs them to a disk file
    1. Command: ./snort -dev -l /var/log/snort/
    2. Command (log in binary mode – faster): ./snort -dev -l /var/log/snort -b
    3. Command (to replay saved data): ./snort -dvr /var/log/snort/packet.log
      1. NOTE: You can also use something like tcpdump or Ethereal to replay saved file
  3. Network Intrusion Detection System (NIDS) Mode:
Additional Notes:
I tried these steps to install Snort via yum; it worked fine, but I had issues with the rules after that (since the version provided by yum and the version of the rules don’t match):
  1. Verify requirements are met:
    1. libpcap installed
    2. PCRE installed
    3. libnet installed
    4. Barnyard installed
  2. wget
  3. rpm -ivh
  4. yum clean all
  5. yum install snort
