Compiling and installing
In case you want to rebuild them, the process is now almost trouble-free. In the following text I'll assume that you started with a minimal CentOS installation with the following packages installed (and their dependencies, of course): gcc, make, bison, flex, autoconf, automake, rpm-build.
First, download the daq source RPM. Before rebuilding it, install pcap-devel; rpmbuild itself will warn you that it is required. Once that is installed, rebuild daq:

rpmbuild --rebuild daq-2.0.2-1.src.rpm

Then install it:

yum localinstall ~/rpmbuild/RPMS/x86_64/daq-2.0.2-1.x86_64.rpm

Next, Snort needs the libdnet library, which is in EPEL. So, first install EPEL:

yum install http://mirrors.neterra.net/epel/6/i386/epel-release-6-8.noarch.rpm

Then install the necessary packages:

yum install libdnet-devel zlib-devel

Those two aren't listed as dependencies in Snort's SRPM, so without them you'll get a cryptic error message. Now download Snort's SRPM and rebuild it:

rpmbuild --rebuild snort-2.9.6.0-1.src.rpm

Finally, install it:

yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.x86_64.rpm

That's all there is to the installation.
Configuring and running
I'll assume that you are installing a fresh instance, i.e. with no previous configuration. If there is a previous installation, be careful not to overwrite its configuration. To configure Snort you'll have to download the snortrules archive. Then unpack it:

mkdir ~/snort
tar xzf snortrules-snapshot-2960.tar.gz -C ~/snort
chown root.root ~/snort

Next you have to move the files into place. First, move the basic configuration files:

mv -f snort/etc/* /etc/snort/

Note that I'm using the force option of the move command to overwrite existing files. Next, move the rules into place:

mv -i snort/rules snort/preproc_rules snort/so_rules /etc/snort/

Now, if you are using SELinux, you should change the context of the files you moved to the /etc/snort directory. Do it using the following commands:

chcon -R system_u:object_r:snort_etc_t:s0 /etc/snort
chcon -R system_u:object_r:lib_t:s0 /etc/snort/so_rules/precompiled/RHEL-6-0/
You should now modify the configuration file. Here is a diff of the changes I made:
--- snort.conf.orig 2014-03-13 11:25:53.889609831 +0100
+++ snort.conf 2014-03-13 11:37:32.419292894 +0100
@@ -42,16 +42,16 @@
###################################################
# Setup the network addresses you are protecting
-ipvar HOME_NET any
+ipvar HOME_NET 192.168.1.0/24
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# List of DNS servers on your network
-ipvar DNS_SERVERS $HOME_NET
+ipvar DNS_SERVERS 192.168.1.8,192.168.1.9
# List of SMTP servers on your network
-ipvar SMTP_SERVERS $HOME_NET
+ipvar SMTP_SERVERS 192.168.1.20
# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET
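Review bot: DNS_SERVERS and SMTP_SERVERS are narrowed from $HOME_NET to three specific hosts (192.168.1.8, 192.168.1.9, 192.168.1.20), so any rule keyed on those variables stops inspecting DNS or SMTP traffic involving other hosts in 192.168.1.0/24; the lists need to be complete for the site, or left at $HOME_NET where the server inventory is uncertain. Leaving EXTERNAL_NET as any is consistent with the comment in the hunk and works fine alongside a concrete HOME_NET.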
@@ -101,13 +101,13 @@
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
-var RULE_PATH ../rules
-var SO_RULE_PATH ../so_rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH rules
+var SO_RULE_PATH so_rules
+var PREPROC_RULE_PATH preproc_rules
# If you are using reputation preprocessor set these
-var WHITE_LIST_PATH ../rules
-var BLACK_LIST_PATH ../rules
+var WHITE_LIST_PATH rules
+var BLACK_LIST_PATH rules
###################################################
# Step #2: Configure the decoder. For more information, see README.decode
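Review bot: the hunk replaces `../rules` with the bare `rules` (and likewise for SO_RULE_PATH, PREPROC_RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH); Snort tries a relative include path as given and then relative to the directory holding snort.conf, so this only works because the file lives in /etc/snort next to the moved rules directories. The comment three lines above already recommends absolute paths for Windows, and the same advice applies here, e.g. `var RULE_PATH /etc/snort/rules`, which also survives starting snort from another working directory.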
@@ -240,13 +240,13 @@
###################################################
# path to dynamic preprocessor libraries
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+dynamicpreprocessor directory /usr/lib64/snort-2.9.6.0_dynamicpreprocessor/
# path to base preprocessor engine
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+dynamicengine /usr/lib64/snort-2.9.6.0_dynamicengine/libsf_engine.so.0
# path to dynamic rules libraries
-dynamicdetection directory /usr/local/lib/snort_dynamicrules
+dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0/
###################################################
# Step #5: Configure preprocessors
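Review bot: all three new paths encode the exact Snort version (snort-2.9.6.0_dynamicpreprocessor, snort-2.9.6.0_dynamicengine and .../x86-64/2.9.6.0/), and the dynamicdetection line points into the precompiled tree of the rules snapshot, so an RPM upgrade or a new snortrules snapshot silently invalidates them; the post should say so, and a configuration test (`snort -T -c /etc/snort/snort.conf`) before the init script is used will catch it. Note also that the chcon to lib_t earlier in the post must cover exactly this so_rules path for SELinux to allow the shared objects to load.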
And you can download the complete snort.conf file that worked for me. Be careful: you need to change the IP addresses in the configuration file to match your environment.
Finally, create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules.
Now you should be able to start Snort:
# /etc/init.d/snortd start
Starting snort: Spawning daemon child...
My daemon child 1904 lives...
Daemon parent exiting (0) [ OK ]
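Before starting the daemon it is worth checking that every path the edited snort.conf refers to actually exists. The following POSIX shell script is an added example, not part of the original post or of Snort: it resolves each path directive against the directory holding snort.conf (the fallback Snort uses for relative includes; the script assumes the same for the dynamic* directives, which the post sets as absolute paths anyway), checks that white_list.rules and black_list.rules exist, and exercises itself on a constructed temporary layout mirroring /etc/snort. The names snort_conf_preflight, resolve_conf_path and make_demo_layout are assumed.

```shell
# Added example, not Snort's own tooling: snort_conf_preflight, resolve_conf_path
# and make_demo_layout are assumed names. Relative paths are resolved against the
# directory holding snort.conf, the fallback Snort uses for relative includes.

# Resolve one config path: absolute stays as-is, relative hangs off confdir ($1).
resolve_conf_path() {
    case "$2" in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

# Return 0 when every path directive exists and both reputation list files are
# present; each missing item is reported on stderr.
snort_conf_preflight() {
    conf="$1"
    confdir=$(cd "$(dirname "$conf")" && pwd) || return 2
    missing=0
    # The path is the token after "var X_PATH", "dynamicpreprocessor directory",
    # "dynamicengine" or "dynamicdetection directory".
    for p in $(sed -n -E 's/^(var [A-Z_]+_PATH|dynamicpreprocessor directory|dynamicengine|dynamicdetection directory)[[:space:]]+([^[:space:]]+).*/\2/p' "$conf"); do
        abs=$(resolve_conf_path "$confdir" "$p")
        [ -e "$abs" ] || { echo "missing: $p -> $abs" >&2; missing=$((missing + 1)); }
    done
    # The reputation preprocessor wants these files even when they are empty.
    for v in WHITE_LIST_PATH:white_list.rules BLACK_LIST_PATH:black_list.rules; do
        dir=$(sed -n -E "s/^var ${v%%:*}[[:space:]]+([^[:space:]]+).*/\1/p" "$conf")
        f=$(resolve_conf_path "$confdir" "$dir")/${v##*:}
        [ -f "$f" ] || { echo "missing: $f" >&2; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# Constructed temporary layout mirroring the post's /etc/snort after the diff;
# prints the path of the generated snort.conf.
make_demo_layout() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/rules" "$d/so_rules" "$d/preproc_rules" "$d/dynpp" "$d/dyneng"
    touch "$d/rules/white_list.rules" "$d/rules/black_list.rules" "$d/dyneng/libsf_engine.so.0"
    printf '%s\n' 'ipvar HOME_NET 192.168.1.0/24' 'var RULE_PATH rules' \
        'var SO_RULE_PATH so_rules' 'var PREPROC_RULE_PATH preproc_rules' \
        'var WHITE_LIST_PATH rules' 'var BLACK_LIST_PATH rules' \
        'dynamicpreprocessor directory dynpp' 'dynamicengine dyneng/libsf_engine.so.0' \
        "dynamicdetection directory $d/so_rules" > "$d/snort.conf"
    echo "$d/snort.conf"
}

# Stand-alone demo: the full layout passes, then a missing black list fails.
demo_conf=$(make_demo_layout)
snort_conf_preflight "$demo_conf" && echo "preflight OK"
rm "$(dirname "$demo_conf")/rules/black_list.rules"
snort_conf_preflight "$demo_conf" || echo "preflight failed as expected"
rm -rf "$(dirname "$demo_conf")"
```

Run it against the real file with `snort_conf_preflight /etc/snort/snort.conf` after sourcing the script; it complements, rather than replaces, Snort's own configuration test.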
8 comments:
I am still getting this error after I install epel-release-6-8.noarch.rpm and then run rpmbuild --rebuild snort-2.9.6.0-1.src.rpm.
Any idea how I can get past this?
Error: Package: 1:snort-2.9.6.0-1.x86_64 (/snort-2.9.6.0-1.x86_64)
Requires: libdnet.1()(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Also, you have a typo; the install should be:
yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.x86_64.rpm
not:
yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.src.rpm
That's strange, as if you are trying to install the RPM package from Snort's download page, not the one you compiled?
Maybe you compiled it on one machine and then are trying to install it on another on which you didn't configure the EPEL repository?
And thanks for the typo, I corrected it.
I am making the RPM from source as you have defined above.
I can compile and install snort-2.9.4.6 from source just fine. After testing that it worked, I did "make uninstall" from the snort-2.9.4.6 source directory.
The problem is when I rebuild snort-2.9.6.0-1.src.rpm and try to install the new RPM; that is when I keep getting the error:
Error: Package: 1:snort-2.9.6.0-1.x86_64 (/snort-2.9.6.0-1.x86_64)
Requires: libdnet.1()(64bit)
I am on a clean, updated OS build of CentOS 6.5.
That's strange. Have you managed to solve that? Have you checked that you have libdnet installed on the system? It might be installed, but not recorded in the RPM database.
Check whether the snort binary depends on libdnet using ldd (either unpack the RPM using rpm2cpio, or stop the build process before packaging using the -bb option to rpmbuild).
Also, you can try the rpm tool with the --nodeps option, and then see if it works.
If you want, I can put my RPM package on the Internet so that you can try to install it?
Hello guys,
maybe you should try to downgrade libdnet to version 1.11.
You could download the libdnet package from this URL: http://pkgs.org/centos-6/repoforge-x86_64/libdnet-1.11-1.2.el6.rf.x86_64.rpm.html
I still cannot explain this, but it works for me. My Snort is running well.
Here are the details of my env:
- CentOS release 6.5 (Final)
- kernel 2.6.32-431.el6.x86_64
- snort-2.9.6.0-1.x86_64
- libdnet-1.11-1.2.el6.rf.x86_64
- daq-2.0.2-1.x86_64
Hope this is helpful.
I found a workaround.
If you have @epel AND @rpmforge in your repository configuration,
you can do yum downgrade libdnet.
It will remove the @epel 1.2 version and install the @rpmforge 1.1 version.
Installation with the CentOS 6 64-bit prebuilt RPM works after that.
Hi, I have trouble with the installation. I get this error when running rpmbuild --rebuild snort-2.9.6.0-1.src.rpm:
checking for pcre_compile in -lpcre... no
ERROR! Libpcre library not found.
Get it from http://www.pcre.org
error: Bad exit status from /var/tmp/rpm-tmp.jzQ6zv (%build)
Do you have any idea? I installed the pcre package from that website but the problem is still the same.
Thank you
When installing something, avoid "manual installation" and use yum/rpm as much as possible. In this particular case, try:
yum install pcre-devel