In this post I will be going over the steps required to set up Snort on an openSUSE 13.2 server. I found that there was very little documentation for openSUSE apart from this very useful PDF. I decided to write a post going over the steps mentioned in that document so that I have it for my own reference and so that it may help people who stumble across this post via a search engine.
1. Installing Dependencies
You will need to install all the required development packages so that we can compile Snort and DAQ.
Install the Base Development pattern (this will pull in make, gcc, and more), followed by the libpcap and libdnet headers:
zypper install -t pattern devel_basis
zypper in libpcap-devel
zypper in libdnet-devel
2. Download and untar:
Visit https://snort.org/#get-started to find the links to the source tarballs for Snort and DAQ. Once you have them, follow the steps below:
mkdir snort-files
cd snort-files
wget https://snort.org/downloads/snort/daq-[version].tar.gz
wget https://snort.org/downloads/snort/snort-[version].tar.gz
tar zxf daq-[version].tar.gz
tar zxf snort-[version].tar.gz
We will now build DAQ. Note that you need to have installed libpcap-devel in step 1, as DAQ cannot build without it. Another thing to note is that when running make we can use the -j flag to “set the number of jobs (commands) to run simultaneously”. This means we can drastically increase our compile speed simply by setting this number higher than 1.
It is recommended that you set this to n+1, where n is the number of CPU cores in your system. Beware that if you set this too high you will become bottlenecked and actually see slower builds than with a lower value, say “-j 25 versus -j 2”. This is mostly because, while the CPU is a bottleneck when compiling, it is not the only one, and you will be throttled by your disk I/O speed. In the commands below I have left it as “x”, so you will have to replace it for your system:
cd daq-[version]
./configure && make -j x && su -c "make install -j x"
ldconfig -v /usr/local/lib
ldconfig -v /usr/local/lib64
cd ../snort-[version]/
./configure --enable-sourcefire && make -j x && su -c "make install -j x"
ldconfig -v /usr/local/lib
ldconfig -v /usr/local/lib64
Now we just need to copy all the Snort configuration files into our system's /etc directory.
cp -R /path/to/snort-files/snort-[version]/etc/ /etc/snort/
cd /etc/snort
3. Getting Snort Rules
Now we will need to download the latest Snort rules from the Snort website. Visit https://snort.org/ and create an account (it's free). Once you have confirmed your email, log in, click your email address in the top right and then select “Oinkcode” in the menu.
Now you just need to supply your oinkcode when downloading the rules. Note that the version in the rules URL is the Snort version with the dots removed: if, for example, you used Snort version 2.9.7.6, then it is set as 2976 in the rules URL.
wget "https://snort.org/rules/snortrules-snapshot-[version].tar.gz?oinkcode=[oinkcode]" -O snortrules.tar.gz
tar zxf snortrules.tar.gz
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
Once that is done, we want to make sure that Snort will only run as a non-privileged user who is unable to log in to a shell. We can do this with the following commands (the group is created first so that the snort user gets it as its primary group):
groupadd snort
useradd snort -g snort -d /var/log/snort -s /bin/false -c SNORT_IDS
cd /etc/snort && chown -R snort:snort *
On 32-bit installs the library files are installed in /usr/local/lib, so remember to use lib rather than lib64 wherever libraries are referenced in the config files, or you will get errors about missing libraries!
4. Finishing The File Configuration
In the next steps we will change the file permissions so that only snort and root can access these files. Note that on a 32-bit system you will need to replace lib64 with lib.
mkdir /var/log/snort; chmod 700 /var/log/snort; chown snort:snort /var/log/snort
chown -R snort:snort /usr/local/lib64/snort*
mkdir /usr/local/lib64/snort_dynamicrules
chown -R snort:snort /usr/local/lib64/snort_*
chown -R snort:snort /usr/local/lib64/pkgconfig
chmod -R 700 /usr/local/lib64/snort*
chmod -R 700 /usr/local/lib64/pkgconfig
chown -R snort:snort /usr/local/bin/daq-modules-config
chown -R snort:snort /usr/local/bin/u2*
chmod 700 /usr/local/bin/u2*
chown -R snort:snort /etc/snort
chmod -R 700 /etc/snort
If you are on a 64-bit system, open /etc/snort/snort.conf and change “lib” to “lib64” in the following lines:
...
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
...
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
...
dynamicdetection directory /usr/local/lib/snort_dynamicrules
Now that we have finished configuring Snort, it's time to test it! Run the following command to start Snort in test mode; it will tell you whether the configuration is correct:
/usr/local/bin/snort -T -i [INTERFACE] -u snort -g snort -c /etc/snort/snort.conf
You should see the following output:
...
Snort successfully validated the configuration!
Snort exiting
If you run into an error like “Could not stat dynamic module path..”, use the locate command to find where the library actually is; often you just need to change lib to lib64 (or vice versa) in /etc/snort/snort.conf.
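As an added check (not part of the original post), the script below scans a snort.conf for its dynamicpreprocessor, dynamicengine and dynamicdetection lines and reports any path that does not exist, pointing out when the lib/lib64 counterpart is where the files really are. It assumes the line layout shown above and takes the config path as its only argument.

```sh
#!/bin/sh
# Added example (not from the original post): find the "Could not stat dynamic
# module path" cause before running snort -T. Exit status: 0 if every dynamic
# path exists, 1 if any is missing, 2 if the config file cannot be read.

check_dynamic_paths() {
    conf="$1"
    missing=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Read the file directly (no pipe) so $missing survives the loop.
    while read -r keyword rest; do
        case "$keyword" in
            dynamicpreprocessor|dynamicengine|dynamicdetection) ;;
            *) continue ;;      # comments, blank lines, other directives
        esac
        path="${rest##* }"      # last field: the path (after optional "directory")
        if [ -e "$path" ]; then
            echo "OK       $keyword $path"
            continue
        fi
        # Build the lib <-> lib64 counterpart, the usual cause of the error.
        case "$path" in
            */lib64/*) alt=$(printf '%s\n' "$path" | sed 's#/lib64/#/lib/#') ;;
            */lib/*)   alt=$(printf '%s\n' "$path" | sed 's#/lib/#/lib64/#') ;;
            *)         alt="" ;;
        esac
        if [ -n "$alt" ] && [ -e "$alt" ]; then
            echo "MISSING  $keyword $path (exists at $alt: swap lib/lib64 in $conf)"
        else
            echo "MISSING  $keyword $path"
        fi
        missing=1
    done < "$conf"
    return "$missing"
}

# Run against the file given on the command line, e.g. /etc/snort/snort.conf.
if [ -n "${1:-}" ]; then
    check_dynamic_paths "$1"
fi
```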
With that we have confirmed that Snort is able to run without issues.