NOTE: this article is seriously out of date. If you’re trying to install Snort++ on Ubuntu, I highly recommend you use Ubuntu 16. Most of the software below is out of date, and won’t install with newer versions of the Snort Codebase. The latest instructions are here: Installing Snort++ (Snort 3 Alpha 4 build 237) in Ubuntu.
The instructions below show how to install Snort 3 alpha 2 build 177 on Ubuntu. This install has been tested on the x64 version of Ubuntu 12. There is a bug that prevents the x86 version from working.
If you have the choice, I recommend installing Snort++ on Ubuntu 14 (my instructions are here) rather than on Ubuntu 12. I recommend this because some of the software prerequisites have to be installed from source, as the versions available in the Ubuntu 12 repositories are out of date.
The Snort blog post announcing this release is here.
Generic build instructions are available in the online manual here, under the “building” section.
If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.7.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.7.x on Ubuntu.
So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config
Install the DAQ pre-requisites:
sudo apt-get install -y bison flex
Install the optional (recommended) software:
sudo apt-get install -y liblzma-dev openssl libssl-dev
If you want to build the documentation as well (not really needed, unless you want it):
sudo apt-get install -y asciidoc dblatex source-highlight
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src
cd ~/snort_src
Install cpputest from source:
cd ~/snort_src
sudo apt-get install -y autoconf libtool
wget https://github.com/cpputest/cpputest/releases/download/3.7.2/cpputest-3.7.2.tar.gz
tar -xvzf cpputest-3.7.2.tar.gz
cd cpputest-3.7.2
./autogen.sh
./configure
make
make check
sudo make install
We need to install a newer version of cmake to install hyperscan. Remove the old version and install the newer version from source:
sudo apt-get remove -y cmake
cd ~/snort_src
wget https://cmake.org/files/v3.3/cmake-3.3.2.tar.gz --no-check-certificate
tar -xvzf cmake-3.3.2.tar.gz
cd cmake-3.3.2/
./bootstrap
make
sudo make install
One of the Snort recommended prerequisites is Hyperscan 4.0.1. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost 1.59.0 header libraries.
Install Ragel 6.9 from source:
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.9.tar.gz
tar -xzvf ragel-6.9.tar.gz
cd ragel-6.9
./configure
make
sudo make install
Download the Boost 1.59.0 libraries, but do not install them (Hyperscan only needs the headers):
cd ~/snort_src
wget http://sourceforge.net/projects/boost/files/boost/1.59.0/boost_1_59_0.tar.gz/download -O boost_1_59_0.tar.gz
tar -xvzf boost_1_59_0.tar.gz
Hyperscan also requires a newer version of gcc. Rather than compiling gcc from source, we add an Ubuntu ppa repository and install:
sudo apt-get install -y python-software-properties
sudo add-apt-repository -y ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt-get install -y gcc-4.8 g++-4.8
Now make the new versions of gcc and g++ the default:
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.6 10
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.8 20
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.6 10
Install Hyperscan 4.0.1 from source, referencing the location of the Boost source directory:
cd ~/snort_src
wget https://github.com/01org/hyperscan/archive/v4.0.1.tar.gz
tar -xvzf v4.0.1.tar.gz
mkdir ~/snort_src/hyperscan-4.0.1-build
cd hyperscan-4.0.1-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_59_0/ ../hyperscan-4.0.1
make
sudo make install
If you want to test that Hyperscan works, from the build directory, run:
cd ~/snort_src/hyperscan-4.0.1-build/
./bin/unit-hyperscan
The unit tests will run (this takes a few minutes).
Download and install Data AcQuisition library (DAQ) from the Snort website:
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Now we are ready to install Snort from source. This command downloads and installs the 3.0.0 Alpha 2, build 177 version of Snort. If a newer version is available from the Snort website, make the necessary changes. If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:
cd ~/snort_src
wget https://snort.org/downloads/snortplus/snort-3.0.0-a2-177-auto.tar.gz
tar -xvzf snort-3.0.0-a2-177-auto.tar.gz
cd snort-3.0.0-a2
./configure --prefix=/opt/snort
make
sudo make install
Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /opt/snort/bin/snort /usr/sbin/snort
Snort 3 requires two environment variables. We set them in the current session so we can keep working, and save them permanently in the /etc/environment file:
export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort
sudo sh -c "echo 'LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> /etc/environment"
sudo sh -c "echo 'SNORT_LUA_PATH=/opt/snort/etc/snort' >> /etc/environment"
To ensure that these two environment variables are preserved when using sudo, we need to add them to the /etc/sudoers file:
sudo visudo
In the editor, add the following to the bottom of the file:
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
Use ctrl-x to exit, press y when prompted to save, then press enter to write the file to /etc/sudoers.tmp (which visudo copies to /etc/sudoers automatically after checking its syntax).
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a2 (Build 177) from 2.9.7-177
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using LuaJIT version 2.0.0-beta9
           Using PCRE version 8.12 2011-01-15
           Using ZLIB version 1.2.3.4
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.0.1 14 Mar 2012

user@snort3:~$
Now let’s test snort with the default configuration file and ruleset:
user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~   Snort++ 3.0.0-a2-177
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
        file_id
        ftp_data
        ftp_server
        http_inspect
        telnet
        ssl
        perf_monitor
        sip
        rpc_decode
        port_scan
        back_orifice
        ssh
        smtp
        pop
        classifications
        stream_user
        arp_spoof
        stream_file
        stream_tcp
        stream_icmp
        stream_ip
        stream
        gtp_inspect
        ftp_client
        references
        stream_udp
        wizard
        dns
        imap
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 3974
               text rules: 3974
            option chains: 3974
            chain headers: 187
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     119      31      29      26
     src    1685       4       0       0
     dst    1927     232       0       0
    both       0       1       0       0
    slow       1       0       1       0
   total    3732     268      30      26
--------------------------------------------------
flowbits
                  defined: 124
              not checked: 9
                  not set: 2
--------------------------------------------------
service rule counts - tcp     to-srv  to-cli
                     dcerpc:       3       0
                       drda:       3       0
                        ftp:       8       2
                       http:    1161    1553
                      ident:       1       0
                       imap:      29    1044
                       ircd:       1       1
                       ldap:       5       0
                      mysql:      29       1
                 netbios-ns:       4       0
                netbios-ssn:      25       7
                       pop3:      12    1043
                       rtsp:       2       0
                       smtp:     550       3
                        ssl:       5       1
                     sunrpc:       9       0
                     telnet:       5       1
                 vnc-server:       1       3
                      total:    1853    3659
--------------------------------------------------
service rule counts - udp     to-srv  to-cli
                     dcerpc:       2       0
                        dns:     170       2
                   kerberos:       4       4
                netbios-dgm:       7       7
                 netbios-ns:       1       1
                netbios-ssn:       1       1
                        ntp:       1       0
                       snmp:       1       1
                       ssdp:       8       0
                     sunrpc:       7       3
                       tftp:       1       0
                      total:     203      19
--------------------------------------------------
fast pattern port groups        src     dst     any
                     packet:     27     125       4
                        key:     23     107       1
                     header:     23     107       1
                       body:      0       2       0
                       file:     23     107       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                     packet:     29      17
                        key:      3       0
                     header:      1       3
                       body:      1       0
                       file:      1       4
--------------------------------------------------
search engine
                instances: 566
                 patterns: 24676
            pattern chars: 512201
               num states: 407216
         num match states: 24009
             memory scale: MB
             total memory: 10.7795
           pattern memory: 1.42925
        match list memory: 3.948
        transition memory: 5.182
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration.
o")~   Snort exiting
user@snort3:~$
If you have output similar to the above, then Snort 3.0.0 Alpha 2 is installed and works.
When you install snort to /opt/snort, you get the following folder structure:
user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── sample.rules
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── detection
│       ├── events
│       ├── filters
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── protocols
│       ├── search_engines
│       ├── sfip
│       ├── sfrt
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort
The /opt/snort/bin folder contains the following Snort binaries:
Additionally, the following folders are created / used:
If you would rather have all these folders installed to a more conventional location (/usr/local), add --prefix=/usr/local/ to the ./configure command when preparing to build Snort. This installs all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, follow the install instructions in the Snort blog.
If you want to learn more about how to run the 2.9.8.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.
NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 237) in Ubuntu.
The instructions below show how to install Snort 3 alpha 2 build 177 on Ubuntu. This install has been tested on the x64 version of Ubuntu 14. There is a bug that prevents the x86 version from working. For the Ubuntu 12 version of these instructions, please go here.
The Snort blog post announcing this release is here.
Generic build instructions are available in the online manual here, under the “building” section.
If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.7.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.7.x on Ubuntu.
So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config
Install the DAQ pre-requisites:
sudo apt-get install -y bison flex
Install the optional (recommended) software:
sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest cmake
If you want to build the documentation as well (not really needed, unless you want it):
sudo apt-get install -y asciidoc dblatex source-highlight
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src
cd ~/snort_src
One of the Snort recommended prerequisites is Hyperscan 4.0.1. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost 1.59.0 header libraries.
Install Ragel 6.9 from source:
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.9.tar.gz
tar -xzvf ragel-6.9.tar.gz
cd ragel-6.9
./configure
make
sudo make install
Download the Boost 1.59.0 libraries, but do not install them (Hyperscan only needs the headers):
cd ~/snort_src
wget http://sourceforge.net/projects/boost/files/boost/1.59.0/boost_1_59_0.tar.gz/download -O boost_1_59_0.tar.gz
tar -xvzf boost_1_59_0.tar.gz
Install Hyperscan 4.0.1 from source, referencing the location of the Boost source directory:
cd ~/snort_src
wget https://github.com/01org/hyperscan/archive/v4.0.1.tar.gz
tar -xvzf v4.0.1.tar.gz
mkdir ~/snort_src/hyperscan-4.0.1-build
cd hyperscan-4.0.1-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_59_0/ ../hyperscan-4.0.1
make
sudo make install
If you want to test that Hyperscan works, from the build directory, run:
cd ~/snort_src/hyperscan-4.0.1-build/
./bin/unit-hyperscan
The unit tests will run (this takes a few minutes).
Download and install Data AcQuisition library (DAQ) from the Snort website:
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Now we are ready to install Snort from source. This command downloads and installs the 3.0.0 Alpha 2, build 177 version of Snort. If a newer version is available from the Snort website, make the necessary changes. If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:
cd ~/snort_src
wget https://snort.org/downloads/snortplus/snort-3.0.0-a2-177-auto.tar.gz
tar -xvzf snort-3.0.0-a2-177-auto.tar.gz
cd snort-3.0.0-a2
./configure --prefix=/opt/snort
make
sudo make install
Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /opt/snort/bin/snort /usr/sbin/snort
Snort 3 requires two environment variables. We set them in the current session so we can keep working, and save them permanently in the /etc/environment file:
export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=/opt/snort/etc/snort
sudo sh -c "echo 'LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> /etc/environment"
sudo sh -c "echo 'SNORT_LUA_PATH=/opt/snort/etc/snort' >> /etc/environment"
To ensure that these two environment variables are preserved when using sudo, we need to add them to the /etc/sudoers file:
sudo visudo
In the editor, add the following to the bottom of the file:
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
Use ctrl-x to exit, press y when prompted to save, then press enter to write the file to /etc/sudoers.tmp (which visudo copies to /etc/sudoers automatically after checking its syntax).
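The two echo >> /etc/environment lines above (in both the Ubuntu 12 and Ubuntu 14 sections) append a fresh copy of each variable every time they are run, so a repeated install leaves duplicate entries behind. The following shell script is an added example, not part of the original guide: it writes each variable exactly once and checks whether a sudoers file already carries the env_keep entry. It assumes the target file is passed as an argument (so it can be tried against a scratch file without root) and that /etc/environment should hold the unescaped values (?.lua;;), since pam_env rather than a shell reads that file.

```shell
#!/bin/sh
# Added example, not from the original guide. Persists the two Snort 3
# environment variables without creating duplicate lines on re-runs, and
# checks a sudoers file for the env_keep entry. Assumptions: the target file
# is passed as an argument (use a scratch file to try it without root), and
# the values are stored unescaped because pam_env, not a shell, reads them.

LUA_PATH_VALUE='/opt/snort/include/snort/lua/?.lua;;'
SNORT_LUA_PATH_VALUE='/opt/snort/etc/snort'

# persist_var NAME VALUE FILE: replace an existing NAME= line or append one.
persist_var() {
    name=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        tmp=$(mktemp)                       # sed -i is not POSIX; use a temp file
        grep -v "^${name}=" "$file" > "$tmp" || true
        printf '%s=%s\n' "$name" "$value" >> "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner/mode
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# persist_snort_env FILE: write both variables the guide needs, one line each.
persist_snort_env() {
    persist_var LUA_PATH "$LUA_PATH_VALUE" "$1"
    persist_var SNORT_LUA_PATH "$SNORT_LUA_PATH_VALUE" "$1"
}

# count_var NAME FILE: how many NAME= lines FILE holds (1 after persisting).
count_var() {
    grep -c "^$1=" "$2" || true
}

# value_of NAME FILE: the stored value, or empty when absent.
value_of() {
    grep "^$1=" "$2" | tail -n 1 | cut -d= -f2-
}

# sudoers_keeps_snort_env FILE: true when FILE already carries the
# 'Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"' line from the guide.
sudoers_keeps_snort_env() {
    grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"[^"]*LUA_PATH[^"]*SNORT_LUA_PATH' "$1"
}

# On a real host (as root): persist_snort_env /etc/environment, then
# sudoers_keeps_snort_env /etc/sudoers || visudo
```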
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snort3:~$ snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a2 (Build 177) from 2.9.7-177
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using LuaJIT version 2.0.0-beta9
           Using PCRE version 8.12 2011-01-15
           Using ZLIB version 1.2.3.4
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.0.1 14 Mar 2012

user@snort3:~$
Now let’s test snort with the default configuration file and ruleset:
user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~   Snort++ 3.0.0-a2-177
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
        file_id
        ftp_data
        ftp_server
        http_inspect
        telnet
        ssl
        perf_monitor
        sip
        rpc_decode
        port_scan
        back_orifice
        ssh
        smtp
        pop
        classifications
        stream_user
        arp_spoof
        stream_file
        stream_tcp
        stream_icmp
        stream_ip
        stream
        gtp_inspect
        ftp_client
        references
        stream_udp
        wizard
        dns
        imap
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 3974
               text rules: 3974
            option chains: 3974
            chain headers: 187
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     119      31      29      26
     src    1685       4       0       0
     dst    1927     232       0       0
    both       0       1       0       0
    slow       1       0       1       0
   total    3732     268      30      26
--------------------------------------------------
flowbits
                  defined: 124
              not checked: 9
                  not set: 2
--------------------------------------------------
service rule counts - tcp     to-srv  to-cli
                     dcerpc:       3       0
                       drda:       3       0
                        ftp:       8       2
                       http:    1161    1553
                      ident:       1       0
                       imap:      29    1044
                       ircd:       1       1
                       ldap:       5       0
                      mysql:      29       1
                 netbios-ns:       4       0
                netbios-ssn:      25       7
                       pop3:      12    1043
                       rtsp:       2       0
                       smtp:     550       3
                        ssl:       5       1
                     sunrpc:       9       0
                     telnet:       5       1
                 vnc-server:       1       3
                      total:    1853    3659
--------------------------------------------------
service rule counts - udp     to-srv  to-cli
                     dcerpc:       2       0
                        dns:     170       2
                   kerberos:       4       4
                netbios-dgm:       7       7
                 netbios-ns:       1       1
                netbios-ssn:       1       1
                        ntp:       1       0
                       snmp:       1       1
                       ssdp:       8       0
                     sunrpc:       7       3
                       tftp:       1       0
                      total:     203      19
--------------------------------------------------
fast pattern port groups        src     dst     any
                     packet:     27     125       4
                        key:     23     107       1
                     header:     23     107       1
                       body:      0       2       0
                       file:     23     107       1
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                     packet:     29      17
                        key:      3       0
                     header:      1       3
                       body:      1       0
                       file:      1       4
--------------------------------------------------
search engine
                instances: 566
                 patterns: 24676
            pattern chars: 512201
               num states: 407216
         num match states: 24009
             memory scale: MB
             total memory: 10.7795
           pattern memory: 1.42925
        match list memory: 3.948
        transition memory: 5.182
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration.
o")~   Snort exiting
user@snort3:~$
If you have output similar to the above, then Snort 3.0.0 Alpha 2 is installed and works.
When you install snort to /opt/snort, you get the following folder structure:
user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│   ├── snort
│   ├── snort2lua
│   ├── u2boat
│   └── u2spewfoo
├── etc
│   └── snort
│       ├── file_magic.lua
│       ├── sample.rules
│       ├── snort_defaults.lua
│       └── snort.lua
├── include
│   └── snort
│       ├── actions
│       ├── codecs
│       ├── daqs
│       ├── detection
│       ├── events
│       ├── filters
│       ├── flow
│       ├── framework
│       ├── hash
│       ├── log
│       ├── lua
│       ├── main
│       ├── protocols
│       ├── search_engines
│       ├── sfip
│       ├── sfrt
│       ├── stream
│       ├── time
│       └── utils
├── lib
│   ├── pkgconfig
│   │   └── snort.pc
│   └── snort
│       └── daqs
└── share
    └── doc
        └── snort
The /opt/snort/bin folder contains the following Snort binaries:
Additionally, the following folders are created / used:
If you would rather have all these folders installed to a more conventional location (/usr/local), add --prefix=/usr/local/ to the ./configure command when preparing to build Snort. This installs all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, follow the install instructions in the Snort blog.
If you want to learn more about how to run the 2.9.8.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.