Installing Snort++ in Ubuntu (Version 3.0 Alpha 4 build 237)
NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 240) in Ubuntu
The instructions below show how to install Snort 3 alpha 4 build 237 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).
Snort 3 Alpha 4 Build 237 was released on July 13, 2017, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.
If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.
So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake
Install the optional (recommended) software:
sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest cmake libsqlite3-dev
Install tools required for compiling the source from github:
sudo apt-get install -y libtool git autoconf
Install the DAQ pre-requisites:
sudo apt-get install -y bison flex
If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):
sudo apt-get install -y asciidoc dblatex source-highlight
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):
cd ~/snort_src wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz tar -xzvf libsafec-10052013.tar.gz cd libsafec-10052013 ./configure make sudo make install
One of the Snort recommended prerequisites is Hyperscan 4.4.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.
Install Ragel 6.10 from source:
cd ~/snort_src wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz tar -xzvf ragel-6.10.tar.gz cd ragel-6.10 ./configure make sudo make install
Download the Boost 1.64 libraries, but do not install:
cd ~/snort_src wget https://dl.bintray.com/boostorg/release/1.64.0/source/boost_1_64_0.tar.gz tar -xvzf boost_1_64_0.tar.gz
Install Hyperscan 4.5.1 from source, referencing the location of the Boost source directory:
cd ~/snort_src wget https://github.com/01org/hyperscan/archive/v4.5.1.tar.gz tar -xvzf v4.5.1.tar.gz mkdir ~/snort_src/hyperscan-4.5.1-build cd hyperscan-4.5.1-build/ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_64_0/ ../hyperscan-4.5.1 make sudo make install
If you want to test that Hyperscan works, from the build directory, run:
cd ~/snort_src/hyperscan-4.5.1-build/ ./bin/unit-hyperscan
The unit tests will run (this takes a few minutes).
Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):
cd ~/snort_src wget https://www.snort.org/downloads/snortplus/daq-2.2.1.tar.gz tar -xvzf daq-2.2.1.tar.gz cd daq-2.2.1 ./configure make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 237, but as the codebase is updated, you’ll get a newer version). If you want to specifically download the version used in this guide, use this URL instead with wget below: https://github.com/snortadmin/snort3/archive/3376324350b3ef6228c4e30799a22779413789c2.tar.gz.
If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:
cd ~/snort_src wget https://github.com/snortadmin/snort3/archive/master.tar.gz tar -xvzf master.tar.gz cd snort3-master/ autoreconf -isvf ./configure --prefix=/opt/snort make sudo make install
Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /opt/snort/bin/snort /usr/sbin/snort
Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):
export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=/opt/snort/etc/snort sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc" sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"
to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:
sudo visudo
in the editor, add the following to to the bottom of the file:
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snort3:~$ snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.0.0-a4 (Build 237) from 2.9.8-383
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 2.2.1
Using libpcap version 1.7.4
Using LuaJIT version 2.0.4
Using PCRE version 8.38 2015-11-23
Using ZLIB version 1.2.8
Using LZMA version 5.1.0alpha
Using OpenSSL 1.0.2g 1 Mar 2016
Using Hyperscan version 4.5.1 2017-07-18
user@snort3:~$
Now let’s test snort with the default configuration file and ruleset:
user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~ Snort++ 3.0.0-a4-237
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
ssh
pop
stream_tcp
gtp_inspect
stream_icmp
ftp_server
stream_udp
ips
http_inspect
wizard
file_id
ftp_data
smtp
back_orifice
port_scan
telnet
ssl
sip
rpc_decode
reputation
classifications
arp_spoof
appid
stream_user
stream_ip
stream
dnp3
ftp_client
references
dns
imap
stream_file
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
total rules loaded: 3974
text rules: 3974
option chains: 3974
chain headers: 187
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 119 31 29 26
src 1685 4 0 0
dst 1927 232 0 0
both 0 1 0 0
total 3731 268 29 26
--------------------------------------------------
flowbits
defined: 124
not checked: 9
not set: 2
--------------------------------------------------
service rule counts - tcp to-srv to-cli
dcerpc: 3 0
drda: 3 0
ftp: 8 2
http: 1161 1553
ident: 1 0
imap: 29 1044
ircd: 1 1
ldap: 5 0
mysql: 29 1
netbios-ns: 4 0
netbios-ssn: 25 7
pop3: 12 1043
rtsp: 2 0
smtp: 550 3
ssl: 5 1
sunrpc: 9 0
telnet: 5 1
vnc-server: 1 3
total: 1853 3659
--------------------------------------------------
service rule counts - udp to-srv to-cli
dcerpc: 2 0
dns: 170 2
kerberos: 4 4
netbios-dgm: 7 7
netbios-ns: 1 1
netbios-ssn: 1 1
ntp: 1 0
snmp: 1 1
ssdp: 8 0
sunrpc: 7 3
tftp: 1 0
total: 203 19
--------------------------------------------------
fast pattern port groups src dst any
packet: 27 125 4
key: 23 107 1
header: 23 107 1
body: 0 2 0
file: 23 107 1
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 29 17
key: 3 0
header: 1 3
body: 1 0
file: 1 4
--------------------------------------------------
search engine
instances: 565
patterns: 24659
pattern chars: 515569
num states: 409078
num match states: 23799
memory scale: MB
total memory: 10.6222
pattern memory: 1.43181
match list memory: 3.91914
transition memory: 5.20227
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration.
o")~ Snort exiting
user@snort3:~$
If you have output similar to the above, then Snort 3.0.0 Alpha 4 is installed and works.
A note on install locations:
When you install snort to /opt/snort, you get the following folder structure:
user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│ ├── snort
│ ├── snort2lua
│ ├── u2boat
│ └── u2spewfoo
├── etc
│ └── snort
│ ├── file_magic.lua
│ ├── sample.rules
│ ├── snort_defaults.lua
│ └── snort.lua
├── include
│ └── snort
│ ├── actions
│ ├── codecs
│ ├── daqs
│ ├── decompress
│ ├── detection
│ ├── events
│ ├── file_api
│ ├── flow
│ ├── framework
│ ├── hash
│ ├── log
│ ├── lua
│ ├── main
│ ├── managers
│ ├── mime
│ ├── packet_io
│ ├── profiler
│ ├── protocols
│ ├── search_engines
│ ├── sfip
│ ├── stream
│ ├── time
│ └── utils
├── lib
│ ├── pkgconfig
│ │ └── snort.pc
│ └── snort
│ └── daqs
└── share
└── doc
└── snort
35 directories, 9 files
The /opt/snort/bin folder contains the following Snort binaries:
- snort : The Snort binary.
- snort2lua : Tool to convert a Snort 2.9.8.x configuration file into a 3.x configuration file. More notes here.
- u2boat : U2boat is a tool for converting unified2 files into different formats.
- u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.
Additionally, the following folders are created / used:
- /opt/snort/bin : Binaries for Snort and supporting software.
- /opt/snort/etc/snort : The configuration files for Snort.
- /opt/snort/include/snort : All include files for Snort.
- /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
- /opt/snort/share/doc/snort : The documentation for the installed version of Snort.
Changing the install location of Snort
If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.
Where to go from here
If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to work with protocol (layer 7) detection, please see my article on OpenAppID.
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.
Comments are Disabled