Previous Section  < Day Day Up >  Next Section

3.2 Installing Snort

Not much needs to be said about installing Snort. It downloads and installs on nearly all platforms. The commands for configuring Snort are much the same as for other source code or RPM builds. The source is freely available for download in the event users wish to stay current with the latest releases. I strongly recommend downloading and compiling the Snort source code rather than installing a binary release; you are assured pristine code that has not been modified by any third party. You may also configure Snort with additional options, such as MySQL support. The most recent Snort release appears as source code before it comes out in RPM format. For the most up-to-date code, use the source.

The latest version of Snort as of this writing is snort-2.1.x. The developers attempt to keep abreast of the latest developments, patch submissions, and vulnerabilities, while also incorporating new features into their releases. Unlike the Linux kernel numbering scheme, the Snort minor number is not indicative of a stable or developmental release. Stables releases use odd as well as even release numbers.

3.2.1 Source Code Installation

Building Snort is fairly easy. There are a lot of options that you can request; the most important configure Snort to use various databases for storage. However, at this point, I'll show you how to do a quick and dirty build for some simple experimentation. In Chapter 6, when I talk about deploying a full-blown network IDS, I'll get into issues like database support.

Once you've downloaded and uncompressed the source distribution from, building it is easy. I create a directory in /usr/local/src called snort. I move the downloaded gzipped tarball to that directory and perform the following commands:

$ tar xvft snort-2.1.x.tar.gz

$ cd snort-2.1.x

$ ./configure

$ make

# make install

The last command must be run as root. It installs the Snort binary in /usr/local/bin. Any user can run it, although you need to be root to place network interfaces in promiscuous mode.

If that works, fine. If it doesn't work, the configure command will tell you what's missing. The problem is almost certainly that one of two libraries is missing: libpcap (discussed in the previous chapter; it's available from or PCRE. PCRE stands for "Perl-Compatible Regular Expressions," and it's available from Download the library (or libraries) you need, uncompress the file, and build it using ./configure, make, and make install. Build-time options

If you want to see all the build-time options, use the command ./configure --help. One option worth noting is flexible response or session sniping. This option gives Snort the ability to terminate connections that appear malicious. Session sniping is enabled by adding --enable-flexresp to the configure command. In Chapter 8, as we cover advanced uses for Snort, we'll see that nondefault configuration details such as --enable-flexresp can be used with the react option, which blocks access to certain URLs or warns users. This is a feature added in Snort release 2.0.

You may also want to enable support for one of several databases, allowing your Snort sensor to log alerts to a database. This will allow other programs to use the data (like the console application ACID, discussed in Chapter 10). For example, you can use --with-mysql to enable Snort to log to a MySQL database.

Additional libraries may be required as you enable more options. For example, libnet is needed when compiling Snort with the flexresp option. libnet is available from If you plan on using the flexible response features, download the source and install the libnet packet assembly library prior to compiling Snort. libnet is a high-level API toolkit that allows the application programmer to construct and inject network packets. Discussion of libnet could take up an entire chapter—it provides a portable and simplified interface for low-level network packet shaping, handling and injection. It also features portable packet creation interfaces at the IP layer and link layer. libnet can help you whip up quick and simple packet assembly applications.

3.2.2 Windows Installations

If you want to run Snort on Windows, download and install the WinPcap library for Windows from Once WinPcap is installed, grab the binary version of Snort (snort.exe). The Win32 version is available at Snort is run under Windows from a command prompt.

Another version of Snort configured for Windows users is available at This is an offshoot of the regular Snort code and is supported exclusively by Michael E. Steele. It, too, is free, although the author does require users to register in order to download the files. This version of Snort for Windows operates well with the Microsoft SQL server and has a wizard-driven installation that makes things easier. There are also several documents that explain how to configure this Snort release under a variety of platforms and using several different databases, all on a Windows server.

There has been a great deal of discussion about which operating system provides the best performance. There was quite a stir a short while ago when someone on the Snort user's mailing list revealed some benchmarks that showed that the Windows version was actually faster than the Linux or BSD. There were some flaws in the benchmark, so the results were tainted.

The general wisdom is that FreeBSD has blazing fast networking components, newer versions of the Linux kernel provide very efficient use of threads and memory management, and Windows makes up ground with how it uses the filesystem. Choose the operating system you are most familiar with. The performance levels of any of the modern operating systems should be adequate from most applications. When you are trying to use an NIDS in a very high-demand environment, visit Chapter 13.

3.2.3 Staying Current

While support for the Windows-based version of Snort is rather limited, you can always download the cutting-edge (if not bleeding-edge) version of Snort on your Linux machine. To stay current with the most recent build, download the Snort source code from This can give you the access to the very latest features and bug fixes. The only problem is there may be some stability or performance issues—not uncommon when riding the bleeding edge.

Though the instructions presented here are fairly complete, the Snort web page remains the most comprehensive site and source of information. There are various README documents and man pages, instructions for writing Snort Rules, and a Snort mailing list. Sign up for the mailing list at Also, consult the Snort newsgroup at dfi.lists.snort-users, a Usenet posting of this same mailing list, or use the archives posted within the newsgroups hosted by Google, The newsgroup name is mailing.unix.snort. The direct link to the Snort mailing list on the Google newsgroup site is

Exercise proper list etiquette before posting to the mailing list. Remember to check the mailing list archives, "lurk" or monitor other posts (chances are someone has posted or will post a similar query), and, of course, read the manpages, FAQ, or documentation pages, also known as RTFM, before posting questions already answered elsewhere.

    Previous Section  < Day Day Up >  Next Section