Installing Snort 3 Alpha in Ubuntu

NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 237) in Ubuntu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The instructions below show how to install Snort 3 alpha build 144 on Ubuntu. This install has been tested on the x64 version of Ubuntu 14 (but will probably also work on the x86 version, as well as Ubuntu 12 and 13, although I haven’t tested those systems and architectures yet). If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality for the 2.9.7.x version of Snort, see my series on installing Snort 2.9.7.x on Ubuntu.

So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

Install the Snort pre-requisites that are new for the 3.0 version of Snort:

sudo apt-get install -y libluajit-5.1-dev pkg-config

Disable LRO and GRO for the network interface that Snort will listen on (see the notes on this in The Snort Manual):

sudo ethtool -K eth0 gro off
sudo ethtool -K eth0 lro off

Next we will create a directory to save the downloaded tarball files:

mkdir ~/snort_src
cd ~/snort_src

Download and install the Data AcQuisition library (DAQ) from the Snort website:

cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
tar -xvzf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make
sudo make install

Run the following command to update shared libraries:

sudo ldconfig

Now we are ready to install Snort from source. This command downloads and installs the 3.0.0 Alpha 1, build 144 version of Snort. If a newer version is available from the Snort website, make the necessary changes. If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. To install as normal:

cd ~/snort_src
wget https://www.snort.org/downloads/snortplus/snort-3.0.0-a1-144-auto.tar.gz
tar -xvzf snort-3.0.0-a1-144-auto.tar.gz
cd snort-3.0.0-a1
./configure
make -j 8
sudo make install

Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Snort 3 requires a few environment variables. We set them temporarily in the current session so we can continue working, and save them permanently in the /etc/environment file:

export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/usr/local/etc/snort

sudo sh -c "echo 'LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> /etc/environment"
sudo sh -c "echo 'SNORT_LUA_PATH=/usr/local/etc/snort' >> /etc/environment"

To ensure that these two environment variables are available when using sudo, we need to add them to the /etc/sudoers file:

sudo visudo

In the editor, add the following to the bottom of the file:

Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"

Use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).

The last step of our Snort installation is to test that the Snort binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:

user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a1 (Build 144) from 2.9.6-9
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using LuaJIT version 2.0.2
           Using PCRE version 8.31 2012-07-06
           Using ZLIB version 1.2.8


user@snort3:~$

Now let’s test snort with the default configuration file and ruleset:

user@snort3:~$ /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/sample.rules
--------------------------------------------------
o")~   Snort++ 3.0.0-a1-144
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
	back_orifice
	ssh
	classifications
	ftp_data
	ftp_server
	stream_tcp
	http_inspect
	telnet
	rpc_decode
	port_scan
	perf_monitor
	arp_spoof
	stream_icmp
	stream_ip
	stream
	ftp_client
	references
	stream_udp
	wizard
	dns
Finished /usr/local/etc/snort/snort.lua.
Loading rules:
Loading /usr/local/etc/snort/sample.rules:
Finished /usr/local/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 3974
               text rules: 3974
            option chains: 3974
            chain headers: 187
--------------------------------------------------
rule port counts
             tcp     udp    icmp      ip
     src    1685       4       0       0
     dst    1927     232       0       0
     any     118      30      28      26
      nc       1       0       1       0
     s+d       0       1       0       0
--------------------------------------------------
flowbits
                available: 1024
                     used: 124
              not checked: 9
                  not set: 2
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration.
o")~   Snort exiting
user@snort3:~$ 

If you have output similar to the above, then Snort 3.0.0 Alpha is installed and works.
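As an added example (not part of the original article), the script below bundles the checks a practitioner would want after finishing the steps above: it writes the two environment variables without duplicating them on a re-run (the echo >> approach above appends a fresh copy every time), confirms from ethtool -k output that GRO and LRO really are off, and repeats the version and configuration validation runs. The paths are the ones the article installs to; the function names, the --run switch and the assumption that ethtool -k prints "generic-receive-offload:" and "large-receive-offload:" lines are mine.

```shell
#!/bin/sh
# Post-install checks for the Snort 3 alpha build installed above (added
# example; paths default to the article's and can be overridden).
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort/snort.lua}

# Append NAME=VALUE to an environment file only if NAME is not already
# there. printf '%s' keeps the backslashes in LUA_PATH intact, which
# dash's echo may not. Returns 0 when added, 1 when NAME was present.
add_env_line() {
    file=$1; name=$2; value=$3
    grep -q "^${name}=" "$file" 2>/dev/null && return 1
    printf '%s=%s\n' "$name" "$value" >> "$file"
}

# Take the text of `ethtool -k IFACE` and return 0 only when both
# generic (GRO) and large (LRO) receive offload report "off".
offload_disabled() {
    printf '%s\n' "$1" | awk '
        /^generic-receive-offload:/ { gro = $2 }
        /^large-receive-offload:/   { lro = $2 }
        END { exit !(gro == "off" && lro == "off") }'
}

# Extract the version string (e.g. 3.0.0-a1) from `snort -V` output.
snort_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([^ ]*\).*/\1/p'
}

# Live checks: need the snort binary and ethtool on this host.
run_checks() {
    iface=${1:-eth0}
    out=$("$SNORT_BIN" -V 2>&1) || { echo "snort -V failed"; return 1; }
    echo "snort version: $(snort_version "$out")"
    if offload_disabled "$(ethtool -k "$iface")"; then
        echo "GRO and LRO are off on $iface"
    else
        echo "WARNING: GRO or LRO still enabled on $iface"
    fi
    # Same validation run as in the article: -c alone parses and exits.
    if "$SNORT_BIN" -c "$SNORT_CONF" >/dev/null 2>&1; then
        echo "configuration validated"
    else
        echo "WARNING: $SNORT_CONF failed validation"
    fi
}
# Run the live checks only when asked: sh snort3-check.sh --run eth0
if [ "${1:-}" = "--run" ]; then run_checks "$2"; fi
```

To seed /etc/environment idempotently, call add_env_line /etc/environment LUA_PATH '/usr/local/include/snort/lua/\?.lua\;\;' (and likewise for SNORT_LUA_PATH) under sudo instead of the echo lines above.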

A note on install locations:

When Snort is installed as above, a few binaries are installed to /usr/local/bin:

  • snort : The Snort binary.
  • snort2lua : Tool to convert a Snort 2.9.7.x configuration file into a 3.x configuration file. More notes here.
  • u2boat : U2boat is a tool for converting unified2 files into different formats.
  • u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.

Additionally, the following folders are created / used:

  • /usr/local/bin : Binaries for Snort and supporting software.
  • /usr/local/etc/snort : The configuration files for Snort.
  • /usr/local/include/snort : All include files for Snort.
  • /usr/local/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
  • /usr/local/share/doc/snort : The documentation for the installed version of Snort.

Changing the install location of Snort

If you would rather have all these folders under one folder, add --prefix=/usr/local/bin/snort to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.

Where to go from here

If you want to learn more about how to run the 2.9.7.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.

I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.
