Monthly Archives: November 2015

Installing Snort++ in Ubuntu 12 (Version 3.0 Alpha 2)

The instructions below show how to install Snort 3 alpha 2 build 177 on Ubuntu. This install has been tested on the x64 version of Ubuntu 12. There is a bug that prevents the x86 version from working.

If you have the choice, I recommend installing Snort++ on Ubuntu 14 (my instructions are here) rather than on Ubuntu 12, because several of the software prerequisites have to be installed from source: the versions available in the Ubuntu 12 repositories are out of date.

The Snort blog post announcing this release is here.
Generic build instructions are available in the online manual here, under the “building” section.

If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.7.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.7.x on Ubuntu.

So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config

Install the DAQ pre-requisites:

sudo apt-get install -y bison flex

Install the optional (recommended) software:

sudo apt-get install -y liblzma-dev openssl libssl-dev

If you want to build the documentation as well (not really needed, unless you want it):

sudo apt-get install -y asciidoc dblatex source-highlight

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

Install cpputest from source:

sudo apt-get install -y autoconf libtool
cd ~/snort_src
wget https://github.com/cpputest/cpputest/releases/download/3.7.2/cpputest-3.7.2.tar.gz
tar -xvzf cpputest-3.7.2.tar.gz
cd cpputest-3.7.2
./autogen.sh
./configure
make
make check
sudo make install

Hyperscan needs a newer version of CMake than the Ubuntu 12 repositories provide. Remove the packaged version and build CMake 3.3.2 from source. Note that the wget command below passes --no-check-certificate, which disables TLS certificate verification for this download, so compare the tarball against the checksum CMake publishes for the release before you build it:

sudo apt-get remove -y cmake
cd ~/snort_src
wget https://cmake.org/files/v3.3/cmake-3.3.2.tar.gz --no-check-certificate
tar -xvzf cmake-3.3.2.tar.gz
cd cmake-3.3.2/
./bootstrap
make
sudo make install
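With --no-check-certificate the transport proves nothing about the bytes you received, so the only thing tying the tarball you build to the one the project released is its checksum. The shell functions below are an added example, not part of the original post: verify_sha256 checks a downloaded file against a SHA-256 digest, and the fetch_verify_extract wrapper (this example's own name) refuses to extract a tarball whose digest does not match. The digest is a parameter; take it from the checksum list CMake publishes alongside the release (the post does not quote one), never from the same untrusted download.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to build a tarball
# whose SHA-256 digest does not match the value the project published.
# Needed whenever TLS verification is disabled (wget --no-check-certificate)
# or the download is plain http, because then the transport proves nothing
# about the bytes you received.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# EXPECTED_HEX is compared case-insensitively; it must come from the
# project's published checksum list, not from this page (none is given here).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_sha256: no such file: $file" >&2
        return 1
    fi
    # coreutils sha256sum on Linux, shasum fallback elsewhere
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_sha256: digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_verify_extract URL EXPECTED_HEX -> download, verify, then extract.
# Hypothetical wrapper for the wget/tar pairs used throughout this guide:
# a mismatching file is deleted so a later step cannot pick it up by accident.
fetch_verify_extract() {
    url=$1
    expected=$2
    file=${url##*/}
    wget --no-check-certificate -O "$file" "$url" || return 1
    if ! verify_sha256 "$file" "$expected"; then
        rm -f "$file"
        return 1
    fi
    tar -xzf "$file"
}

# Usage (digest is a placeholder; substitute the published value):
# fetch_verify_extract https://cmake.org/files/v3.3/cmake-3.3.2.tar.gz <published-sha256>
```

Run verify_sha256 cmake-3.3.2.tar.gz <digest> right after the wget above, or use fetch_verify_extract in place of the wget and tar pair. The same check is worth applying to every tarball fetched in this guide, in particular Ragel and Boost, which are downloaded over plain http.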

One of the Snort recommended prerequisites is Hyperscan 4.0.1. From the project's web page: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost 1.59.0 header libraries (the download below is boost_1_59_0).

Install Ragel 6.9 from source:

cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.9.tar.gz
tar -xzvf ragel-6.9.tar.gz
cd ragel-6.9
./configure
make
sudo make install

Download and unpack the Boost 1.59.0 sources, but do not build or install them; Hyperscan only needs the headers and is pointed at this directory with BOOST_ROOT below:

cd ~/snort_src
wget http://sourceforge.net/projects/boost/files/boost/1.59.0/boost_1_59_0.tar.gz/download -O boost_1_59_0.tar.gz
tar -xvzf boost_1_59_0.tar.gz

Hyperscan also requires a newer version of gcc than Ubuntu 12 ships. Rather than compiling gcc from source, add the Ubuntu toolchain PPA and install gcc 4.8 from it:

sudo apt-get install -y python-software-properties
sudo add-apt-repository -y ppa:ubuntu-toolchain-r/test

sudo apt-get update
sudo apt-get install -y gcc-4.8 g++-4.8

Now make gcc 4.8 and g++ 4.8 the default. update-alternatives selects the highest-priority alternative in automatic mode, so the 4.8 entries get priority 20 and the stock 4.6 entries priority 10:

sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.6 10

sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.8 20
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.6 10

Install Hyperscan 4.0.1 from source, referencing the location of the Boost source directory:

cd ~/snort_src
wget https://github.com/01org/hyperscan/archive/v4.0.1.tar.gz
tar -xvzf v4.0.1.tar.gz
mkdir ~/snort_src/hyperscan-4.0.1-build
cd hyperscan-4.0.1-build/

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_59_0/ ../hyperscan-4.0.1

make
sudo make install

If you want to test that Hyperscan works, from the build directory, run:

cd ~/snort_src/hyperscan-4.0.1-build/
./bin/unit-hyperscan

The unit tests will run (this takes a few minutes).

Download and install the Data AcQuisition library (DAQ) from the Snort website:

cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

Run ldconfig so the dynamic linker picks up the newly installed DAQ and Hyperscan libraries:

sudo ldconfig

Now we are ready to install Snort from source. The commands below download and build the 3.0.0 Alpha 2, build 177 version of Snort. If a newer version is available from the Snort website, adjust the file and directory names accordingly. Here we install the entire Snort directory structure under a single folder, /opt/snort; if you would rather use the standard /usr/local prefix, see the section at the bottom of this post titled Changing the install location of Snort:

cd ~/snort_src
wget https://snort.org/downloads/snortplus/snort-3.0.0-a2-177-auto.tar.gz
tar -xvzf snort-3.0.0-a2-177-auto.tar.gz
cd snort-3.0.0-a2
./configure --prefix=/opt/snort
make
sudo make install

Since the installation places the Snort binary at /opt/snort/bin/snort, which is not on the default PATH, it is common to create a symlink to /usr/sbin/snort:

sudo ln -s /opt/snort/bin/snort /usr/sbin/snort

Snort 3 requires two environment variables. Export them in the current session so we can continue working, and append them to /etc/environment so they are set at every login. In LUA_PATH, the ? is Lua's placeholder for the module name and the trailing ;; appends Lua's default search path; the backslashes keep the shell from treating ? and ; specially:

export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort

sudo sh -c "echo 'LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> /etc/environment"
sudo sh -c "echo 'SNORT_LUA_PATH=/opt/snort/etc/snort' >> /etc/environment"

To make sure these two environment variables survive sudo, which resets the environment by default, add them to the env_keep list in /etc/sudoers. Always edit that file through visudo, which checks the syntax before installing it:

sudo visudo

In the editor, add the following line to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

Press Ctrl-X to exit, answer y when prompted to save, then press Enter to accept the file name /etc/sudoers.tmp (visudo checks the file and copies it to /etc/sudoers automatically).

The last step of our Snort installation is to test that the Snort binary runs. Execute Snort with the -V flag, which prints the version and the library versions it was built against. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a2 (Build 177) from 2.9.7-177
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using LuaJIT version 2.0.0-beta9
           Using PCRE version 8.12 2011-01-15
           Using ZLIB version 1.2.3.4
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.0.1 14 Mar 2012

user@snort3:~$

Now test Snort with the default configuration file (-c) and the sample ruleset (-R). Snort loads the configuration and rules, prints the summary below, reports that the configuration validated, and exits:

user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~   Snort++ 3.0.0-a2-177
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
	file_id
	ftp_data
	ftp_server
	http_inspect
	telnet
	ssl
	perf_monitor
	sip
	rpc_decode
	port_scan
	back_orifice
	ssh
	smtp
	pop
	classifications
	stream_user
	arp_spoof
	stream_file
	stream_tcp
	stream_icmp
	stream_ip
	stream
	gtp_inspect
	ftp_client
	references
	stream_udp
	wizard
	dns
	imap
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 3974
               text rules: 3974
            option chains: 3974
            chain headers: 187
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     119      31      29      26
     src    1685       4       0       0
     dst    1927     232       0       0
    both       0       1       0       0
    slow       1       0       1       0
   total    3732     268      30      26
--------------------------------------------------
flowbits
                  defined: 124
              not checked: 9
                  not set: 2
--------------------------------------------------
service rule counts - tcp    to-srv  to-cli
                   dcerpc:        3       0
                     drda:        3       0
                      ftp:        8       2
                     http:     1161    1553
                    ident:        1       0
                     imap:       29    1044
                     ircd:        1       1
                     ldap:        5       0
                    mysql:       29       1
               netbios-ns:        4       0
              netbios-ssn:       25       7
                     pop3:       12    1043
                     rtsp:        2       0
                     smtp:      550       3
                      ssl:        5       1
                   sunrpc:        9       0
                   telnet:        5       1
               vnc-server:        1       3
                    total:     1853    3659
--------------------------------------------------
service rule counts - udp    to-srv  to-cli
                   dcerpc:        2       0
                      dns:      170       2
                 kerberos:        4       4
              netbios-dgm:        7       7
               netbios-ns:        1       1
              netbios-ssn:        1       1
                      ntp:        1       0
                     snmp:        1       1
                     ssdp:        8       0
                   sunrpc:        7       3
                     tftp:        1       0
                    total:      203      19
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:       27     125       4
                      key:       23     107       1
                   header:       23     107       1
                     body:        0       2       0
                     file:       23     107       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       29      17
                      key:        3       0
                   header:        1       3
                     body:        1       0
                     file:        1       4
--------------------------------------------------
search engine
                instances: 566
                 patterns: 24676
            pattern chars: 512201
               num states: 407216
         num match states: 24009
             memory scale: MB
             total memory: 10.7795
           pattern memory: 1.42925
        match list memory: 3.948
        transition memory: 5.182
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration.
o")~   Snort exiting
user@snort3:~$ 

If you have output similar to the above, then Snort 3.0.0 Alpha 2 is installed and works.

A note on install locations:

When you install snort to /opt/snort, you get the following folder structure:

user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── sample.rules
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── detection
│       ├── events
│       ├── filters
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── protocols
│       ├── search_engines
│       ├── sfip
│       ├── sfrt
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort

The /opt/snort/bin folder contains the following Snort binaries:

  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.7.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /opt/snort/bin : Binaries for Snort and supporting software.
  • /opt/snort/etc/snort : The configuration files for Snort.
  • /opt/snort/include/snort : All include files for Snort.
  • /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /opt/snort/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders installed to the more conventional location /usr/local, pass --prefix=/usr/local to the ./configure command when preparing to build Snort. All of the folders above will then be created under that prefix. You also need to adjust the other paths used above (the symlink, LUA_PATH and SNORT_LUA_PATH), so if you install in that manner, follow the install instructions in the Snort blog.

Where to go from here

If you want to learn more about how to run the 2.9.8.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Installing Snort++ in Ubuntu 14 (Version 3.0 Alpha 2)

The instructions below show how to install Snort 3 alpha 2 build 177 on Ubuntu. This install has been tested on the x64 version of Ubuntu 14. There is a bug that prevents the x86 version from working. For the Ubuntu 12 version of these instructions, please go here.

The Snort blog post announcing this release is here.
Generic build instructions are available in the online manual here, under the “building” section.

If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.7.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.7.x on Ubuntu.

So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config

Install the DAQ pre-requisites:

sudo apt-get install -y bison flex

Install the optional (recommended) software:

sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest cmake

If you want to build the documentation as well (not really needed, unless you want it):

sudo apt-get install -y asciidoc dblatex source-highlight

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

One of the Snort recommended prerequisites is Hyperscan 4.0.1. From the project's web page: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost 1.59.0 header libraries (the download below is boost_1_59_0).

Install Ragel 6.9 from source:

cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.9.tar.gz
tar -xzvf ragel-6.9.tar.gz
cd ragel-6.9
./configure
make
sudo make install

Download and unpack the Boost 1.59.0 sources, but do not build or install them; Hyperscan only needs the headers and is pointed at this directory with BOOST_ROOT below:

cd ~/snort_src
wget http://sourceforge.net/projects/boost/files/boost/1.59.0/boost_1_59_0.tar.gz/download -O boost_1_59_0.tar.gz
tar -xvzf boost_1_59_0.tar.gz

Install Hyperscan 4.0.1 from source, referencing the location of the Boost source directory:

cd ~/snort_src
wget https://github.com/01org/hyperscan/archive/v4.0.1.tar.gz
tar -xvzf v4.0.1.tar.gz
mkdir ~/snort_src/hyperscan-4.0.1-build
cd hyperscan-4.0.1-build/

cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_59_0/ ../hyperscan-4.0.1

make
sudo make install

If you want to test that Hyperscan works, from the build directory, run:

cd ~/snort_src/hyperscan-4.0.1-build/
./bin/unit-hyperscan

The unit tests will run (this takes a few minutes).

Download and install the Data AcQuisition library (DAQ) from the Snort website:

cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

Run ldconfig so the dynamic linker picks up the newly installed DAQ and Hyperscan libraries:

sudo ldconfig

Now we are ready to install Snort from source. The commands below download and build the 3.0.0 Alpha 2, build 177 version of Snort. If a newer version is available from the Snort website, adjust the file and directory names accordingly. Here we install the entire Snort directory structure under a single folder, /opt/snort; if you would rather use the standard /usr/local prefix, see the section at the bottom of this post titled Changing the install location of Snort:

cd ~/snort_src
wget https://snort.org/downloads/snortplus/snort-3.0.0-a2-177-auto.tar.gz
tar -xvzf snort-3.0.0-a2-177-auto.tar.gz
cd snort-3.0.0-a2
./configure --prefix=/opt/snort
make
sudo make install

Since the installation places the Snort binary at /opt/snort/bin/snort, which is not on the default PATH, it is common to create a symlink to /usr/sbin/snort:

sudo ln -s /opt/snort/bin/snort /usr/sbin/snort

Snort 3 requires two environment variables. Export them in the current session so we can continue working, and append them to /etc/environment so they are set at every login. In LUA_PATH, the ? is Lua's placeholder for the module name and the trailing ;; appends Lua's default search path; the backslashes keep the shell from treating ? and ; specially:

export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort

sudo sh -c "echo 'LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> /etc/environment"
sudo sh -c "echo 'SNORT_LUA_PATH=/opt/snort/etc/snort' >> /etc/environment"

To make sure these two environment variables survive sudo, which resets the environment by default, add them to the env_keep list in /etc/sudoers. Always edit that file through visudo, which checks the syntax before installing it:

sudo visudo

In the editor, add the following line to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

Press Ctrl-X to exit, answer y when prompted to save, then press Enter to accept the file name /etc/sudoers.tmp (visudo checks the file and copies it to /etc/sudoers automatically).
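The /etc/environment and sudoers steps above (the same steps appear in the Ubuntu 12 post earlier on this page) append with >>, so running the guide a second time leaves duplicate lines, and editing /etc/sudoers by hand bypasses the /etc/sudoers.d drop-in directory that Ubuntu's default sudoers already includes. The shell functions below are an added example, not part of the original post: they set each variable exactly once, expose what actually landed in the file so it can be checked, and write the env_keep rule as a 0440 drop-in under /etc/sudoers.d. The file and directory arguments exist so the functions can be exercised on scratch copies before running them as root; the function names are this example's own. pam_env reads /etc/environment as plain KEY=VALUE lines without shell-style unescaping, so the values are written literally, without the backslashes the interactive export lines need.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent setup of the two
# environment variables Snort 3 needs, plus the sudo env_keep rule.
# FILE/DIR parameters let you try this on scratch copies before running it
# as root against /etc/environment and /etc/sudoers.d.

# set_env_line FILE KEY VALUE -> replace any existing KEY= line, else append.
# /etc/environment is read by pam_env as plain KEY=VALUE lines, so VALUE is
# written literally (no shell-style backslash escaping of ? or ;).
set_env_line() {
    file=$1
    key=$2
    value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # keep every line that is not an assignment to KEY ...
    grep -v "^${key}=" "$file" > "$tmp" || true
    # ... then add the single assignment we want
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_env_line FILE KEY -> prints the value of KEY, empty if not set.
get_env_line() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# count_env_lines FILE KEY -> how many KEY= lines exist (0 or 1 after setup).
count_env_lines() {
    grep -c "^$2=" "$1" || true
}

# snort_env_setup [FILE] -> the two variables for the /opt/snort prefix used
# in these posts. Default target is /etc/environment (needs root).
snort_env_setup() {
    envfile=${1:-/etc/environment}
    set_env_line "$envfile" LUA_PATH '/opt/snort/include/snort/lua/?.lua;;'
    set_env_line "$envfile" SNORT_LUA_PATH '/opt/snort/etc/snort'
}

# write_sudoers_dropin [DIR] -> DIR/snort holding the env_keep rule, mode 0440
# as sudo requires. Syntax-checked with visudo when running as root (visudo
# also verifies root ownership); the drop-in is removed if the check fails.
write_sudoers_dropin() {
    dir=${1:-/etc/sudoers.d}
    dropin="$dir/snort"
    printf 'Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"\n' > "$dropin"
    chmod 0440 "$dropin"
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -f "$dropin" >/dev/null; then
            rm -f "$dropin"
            return 1
        fi
    fi
}

# sudoers_dropin_rule FILE -> prints the env_keep rule found in FILE (for checks).
sudoers_dropin_rule() {
    grep '^Defaults env_keep' "$1"
}
```

As root, snort_env_setup and write_sudoers_dropin with no arguments target /etc/environment and /etc/sudoers.d/snort. After a fresh login, get_env_line /etc/environment LUA_PATH and sudo env | grep LUA_PATH show whether the variables are really present in both a plain and a sudo environment.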

The last step of our Snort installation is to test that the Snort binary runs. Execute Snort with the -V flag, which prints the version and the library versions it was built against. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a2 (Build 177) from 2.9.7-177
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using LuaJIT version 2.0.0-beta9
           Using PCRE version 8.12 2011-01-15
           Using ZLIB version 1.2.3.4
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.0.1 14 Mar 2012

user@snort3:~$

Now test Snort with the default configuration file (-c) and the sample ruleset (-R). Snort loads the configuration and rules, prints the summary below, reports that the configuration validated, and exits:

user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~   Snort++ 3.0.0-a2-177
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
	file_id
	ftp_data
	ftp_server
	http_inspect
	telnet
	ssl
	perf_monitor
	sip
	rpc_decode
	port_scan
	back_orifice
	ssh
	smtp
	pop
	classifications
	stream_user
	arp_spoof
	stream_file
	stream_tcp
	stream_icmp
	stream_ip
	stream
	gtp_inspect
	ftp_client
	references
	stream_udp
	wizard
	dns
	imap
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 3974
               text rules: 3974
            option chains: 3974
            chain headers: 187
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     119      31      29      26
     src    1685       4       0       0
     dst    1927     232       0       0
    both       0       1       0       0
    slow       1       0       1       0
   total    3732     268      30      26
--------------------------------------------------
flowbits
                  defined: 124
              not checked: 9
                  not set: 2
--------------------------------------------------
service rule counts - tcp    to-srv  to-cli
                   dcerpc:        3       0
                     drda:        3       0
                      ftp:        8       2
                     http:     1161    1553
                    ident:        1       0
                     imap:       29    1044
                     ircd:        1       1
                     ldap:        5       0
                    mysql:       29       1
               netbios-ns:        4       0
              netbios-ssn:       25       7
                     pop3:       12    1043
                     rtsp:        2       0
                     smtp:      550       3
                      ssl:        5       1
                   sunrpc:        9       0
                   telnet:        5       1
               vnc-server:        1       3
                    total:     1853    3659
--------------------------------------------------
service rule counts - udp    to-srv  to-cli
                   dcerpc:        2       0
                      dns:      170       2
                 kerberos:        4       4
              netbios-dgm:        7       7
               netbios-ns:        1       1
              netbios-ssn:        1       1
                      ntp:        1       0
                     snmp:        1       1
                     ssdp:        8       0
                   sunrpc:        7       3
                     tftp:        1       0
                    total:      203      19
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:       27     125       4
                      key:       23     107       1
                   header:       23     107       1
                     body:        0       2       0
                     file:       23     107       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       29      17
                      key:        3       0
                   header:        1       3
                     body:        1       0
                     file:        1       4
--------------------------------------------------
search engine
                instances: 566
                 patterns: 24676
            pattern chars: 512201
               num states: 407216
         num match states: 24009
             memory scale: MB
             total memory: 10.7795
           pattern memory: 1.42925
        match list memory: 3.948
        transition memory: 5.182
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration.
o")~   Snort exiting
user@snort3:~$ 

If you have output similar to the above, then Snort 3.0.0 Alpha 2 is installed and works.

A note on install locations:

When you install snort to /opt/snort, you get the following folder structure:

user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── sample.rules
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── detection
│       ├── events
│       ├── filters
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── protocols
│       ├── search_engines
│       ├── sfip
│       ├── sfrt
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort

The /opt/snort/bin folder contains the following Snort binaries:

  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.7.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /opt/snort/bin : Binaries for Snort and supporting software.
  • /opt/snort/etc/snort : The configuration files for Snort.
  • /opt/snort/include/snort : All include files for Snort.
  • /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /opt/snort/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders installed to the more conventional location /usr/local, pass --prefix=/usr/local to the ./configure command when preparing to build Snort. All of the folders above will then be created under that prefix. You also need to adjust the other paths used above (the symlink, LUA_PATH and SNORT_LUA_PATH), so if you install in that manner, follow the install instructions in the Snort blog.

Where to go from here

If you want to learn more about how to run the 2.9.8.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.