Install Snort 3.0/Snort++

You will need dnet, daq, hwloc, pcap and libpcre, otherwise cmake stops with a "CMake Error".

$ git clone https://github.com/snortadmin/snort3.git
$ cd snort3
$ sudo apt-get install libdaq-dev libdnet-dev cmake libhwloc5
$ sudo apt-get install libdumbnet-dev libhwloc-dev luajit lua5.1 libpcap-dev libluajit-5.1-dev libpcre3-dev libpcre3
$ ./configure_cmake.sh --prefix=/home/rayx/snort3/
$ cd build
$ make -j4

(Note: cmake 3.4 or higher is required.)

Still, when I tried to make I got an error:

/home/ubuntu/snort3/src/packet_io/sfdaq.h:68:51: error: 'DAQ_QueryFlow_t' has not been declared

The GitHub page says:

You must use LibDAQ 2.2.2 from the Snort 3.0 section on https://snort.org/downloads.

Get it from the following URL on snort.org... daq-2.2.2.tar

To build daq 2.2.2 (it uses autotools, so unpack it and run ./configure before make; ldconfig afterwards makes the new libdaq visible to the linker):

$ sudo apt-get install bison flex
$ tar -xvf daq-2.2.2.tar
$ cd daq-2.2.2
$ ./configure
$ make -j4
$ sudo make install && sudo ldconfig
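The error above comes from a libdaq whose daq_common.h predates DAQ_QueryFlow_t, so it is worth confirming, before rebuilding snort3, that the libdaq the compiler will see is the new one and that cmake meets the 3.4 requirement. The script below is an added pre-flight check, not part of the original post or of the Snort project; it assumes the default header locations /usr/local/include (where "make install" of daq 2.2.2 puts it) and /usr/include (where the distribution's libdaq-dev package puts its older copy), and flags a stale copy of the header in either place.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original post). Verifies the two things the
# build depends on: cmake >= 3.4 and a daq_common.h that declares DAQ_QueryFlow_t,
# the symbol the compiler reported as undeclared.

# Return 0 when a "MAJOR.MINOR[.PATCH]" string is at least 3.4.
cmake_version_ok() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac   # empty or non-numeric fails
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }
}

# Return 0 when the given daq_common.h declares DAQ_QueryFlow_t.
daq_header_ok() {
    grep -q 'DAQ_QueryFlow_t' "$1" 2>/dev/null
}

# Report every daq_common.h passed in. Returns 0 only when at least one header
# declares the type and no stale copy exists that the compiler could pick first.
check_daq_headers() {
    found=0 stale=0
    for h in "$@"; do
        [ -f "$h" ] || continue
        if daq_header_ok "$h"; then
            echo "ok    $h declares DAQ_QueryFlow_t"; found=1
        else
            echo "stale $h lacks DAQ_QueryFlow_t (old libdaq-dev package?)"; stale=1
        fi
    done
    [ "$found" -eq 1 ] && [ "$stale" -eq 0 ]
}

# Stand-alone use against the real system; the two header paths are assumptions
# matching the default install prefixes of "make install" and of the apt package.
preflight() {
    cmake_ver=$(cmake --version 2>/dev/null | sed -n '1s/^cmake version //p')
    if cmake_version_ok "$cmake_ver"; then
        echo "ok    cmake $cmake_ver"
    else
        echo "fail  cmake ${cmake_ver:-not found} (need 3.4 or higher)"
    fi
    check_daq_headers /usr/local/include/daq_common.h /usr/include/daq_common.h
}

# Only run the system check when invoked as "sh preflight.sh run".
case "${1:-}" in run) preflight ;; esac
```

Run it as "sh preflight.sh run" after "make install" of daq 2.2.2; a "stale" line for /usr/include/daq_common.h means the apt libdaq-dev headers are still installed and may shadow the new ones, so remove that package (or clear the cmake cache and point it at /usr/local) before rebuilding.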

After that rebuild snort3 from the snort3 source directory. Remove the old build directory first so the cmake cache does not keep pointing at the previous libdaq:

$ rm -rf build
$ ./configure_cmake.sh --prefix=/home/rayx/snort3/
$ cd build
$ make -j4
$ make install

This installs snort3 into /home/rayx/snort3.

Get the community rules (snort3-community-rules.tar.gz) and the AppID package (snort-openappid.tar.gz) from snort.org.

I installed snort to /home/rayx/snort3, so:

$ wget https://snort.org/downloads/community/snort3-community-rules.tar.gz
$ mkdir -p /home/rayx/snort3/etc/snort/rules
$ tar -xvzf snort3-community-rules.tar.gz -C /home/rayx/snort3/etc/snort/rules

The tarball unpacks into a snort3-community-rules/ subdirectory, so the rules file ends up at /home/rayx/snort3/etc/snort/rules/snort3-community-rules/snort3-community.rules.

Set up the environment variables (both point into the install prefix):

export SNORT_LUA_PATH=/home/rayx/snort3/etc/snort
export LUA_PATH=/home/rayx/snort3/include/snort/lua/\?.lua\;\;

Now we can try to start snort from the install prefix (sudo -E keeps the exported variables):

$ cd /home/rayx/snort3
$ sudo -E ./bin/snort \
-c ./etc/snort/snort.lua \
-R ./etc/snort/rules/snort3-community-rules/snort3-community.rules \
--plugin-path ./lib \
-i eth0 \
-A json -y -q > alerts.json

Finally, import alerts.json with Logstash/Filebeat.
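Before shipping alerts.json to Logstash/Filebeat it pays to confirm the file really is one JSON object per line (a partial write at shutdown or an alert split across lines breaks line-based ingestion) and to see which rules are firing. The script below is an added example, not code from the original post or from the Snort project; it assumes the default alert_json field set, in which every line carries a "rule" field of the form "gid:sid:rev", and the sample alerts it writes are constructed values in that layout.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check alerts.json before handing
# it to Logstash/Filebeat. Assumes the default alert_json output, one JSON object per
# line with a "rule" field holding "gid:sid:rev".

# Print (with line numbers) every line that is not a single complete JSON object.
alerts_bad_lines() {
    grep -vn '^{.*}$' "$1" || true
}

# Number of well-formed alert lines.
alert_line_count() {
    grep -c '^{.*}$' "$1"
}

# Tally alerts per rule (gid:sid:rev), most frequent first, as "<count> <rule>".
alert_rule_counts() {
    sed -n 's/.*"rule" *: *"\([^"]*\)".*/\1/p' "$1" | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Constructed sample in the default alert_json layout (addresses and sids made up).
write_sample_alerts() {
    cat > "$1" <<'EOF'
{ "timestamp" : "07/01-10:15:01.000001", "pkt_num" : 1, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_ap" : "192.0.2.10:51234", "dst_ap" : "198.51.100.5:80", "rule" : "1:1000001:1", "action" : "allow" }
{ "timestamp" : "07/01-10:15:02.000002", "pkt_num" : 2, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_ap" : "192.0.2.10:51235", "dst_ap" : "198.51.100.5:80", "rule" : "1:1000001:1", "action" : "allow" }
{ "timestamp" : "07/01-10:15:03.000003", "pkt_num" : 3, "proto" : "UDP", "pkt_gen" : "raw", "pkt_len" : 90, "dir" : "C2S", "src_ap" : "192.0.2.11:40000", "dst_ap" : "198.51.100.53:53", "rule" : "1:2000002:3", "action" : "allow" }
EOF
}

# Usage: sh check_alerts.sh alerts.json   (no argument: define functions only)
case "${1:-}" in
    "") ;;
    *)  echo "well-formed alert lines: $(alert_line_count "$1")"
        echo "malformed lines:"; alerts_bad_lines "$1"
        echo "alerts by rule:"; alert_rule_counts "$1" ;;
esac
```

The "rule" extraction is a deliberately loose sed pattern rather than a JSON parser so it works on a box that has only busybox-style tools; if you changed the alert_json fields in snort.lua, adjust the pattern to whichever key you kept.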
