Snort 2.9.7.x on Ubuntu
UPDATE: Snort 2.9.9.x has been released. Please see the updated version my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire.
The instructions below show how to install Snort 2.9.7.x and 2.9.6.x on both the x86 and x64 architectures for Ubuntu 12, 13, 14, and 15. If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort on Ubuntu. If you want to test the new alpha version of Snort, please see my articles: Installing Snort 3 Alpha in Ubuntu 14, or Ubuntu 12.
So let’s get started. First we need to install all the pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev
Disable LRO and GRO for all interfaces. This requires the ethtool program: (notes on this in the The Snort Manual):
sudo apt-get install -y ethtool
Use a text editor with sudo to edit the /etc/network/interfaces file and add the following two lines for each interface Snort will listen on:
spost-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
for example, my /etc/network/interfaces file looks like this:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Reboot the system and verify that LRO and GRO are off:
user@snortserver:~$ ethtool -k eth0 | grep receive-offload generic-receive-offload: off large-receive-offload: off user@snortserver:~$
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Download and install Data AcQuisition library (DAQ) from the Snort website:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source:
cd ~/snort_src wget https://www.snort.org/downloads/snort/snort-184.108.40.206.tar.gz tar -xvzf snort-220.127.116.11.tar.gz cd snort-18.104.22.168 ./configure --enable-sourcefire make sudo make install
Run the following command to update shared libraries:
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snortserver:~$ snort -V ,,_ -*> Snort! <*- o" )~ Version 22.214.171.124 GRE (Build 285) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.1.1 Using PCRE version: 8.12 2011-01-15 Using ZLIB version: 126.96.36.199 user@snortserver:~$
If you have output similar to the above, then Snort is installed and works. If you want to learn more about how to run Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.