snort installation from source

genmaicha · 07-17-2009, 04:44 AM

So I've downloaded snort-2.8.4.1.tar.gz snortrules-snapshot-2.8.tar.gz (the 'registered user' rules). I extracted snort-2.8.4.1.tar.gz. There's no INSTALL or README or any form of installation instruction in this archive (or the main snort.org website), but a ./configure && make && make install seems to install fine. What do I do with snortrules-snapshot-2.8.tar.gz? Do I extract directly to /usr/local (the ./configure prefix)? And how do I build the rules for my distro?

unSpawn · 07-17-2009, 05:12 AM

Quote:

Originally Posted by genmaicha

There's no INSTALL or README or any form of installation instruction in this archive (or the main snort.org website),

If the tarball doesn't contain a doc/ dir and if snort.org didn't contain a docs/ dir that statement would be true.

Quote:

Originally Posted by genmaicha

but a ./configure && make && make install seems to install fine.

Running './configure --help' gets you a listing of the available options. No need to come back later to say it doesn't work if you didn't bother to read and compile needed options.

Quote:

Originally Posted by genmaicha

What do I do with snortrules-snapshot-2.8.tar.gz? Do I extract directly to /usr/local (the ./configure prefix)?

That depends on your snort.conf settings but usually rules go in /etc/snort/rules.

Quote:

Originally Posted by genmaicha

And how do I build the rules for my distro?

You didn't list any: fill in your details in your control panel.

genmaicha · 07-17-2009, 01:54 PM

Okay, sorry, I should have looked closer. I've got snort installed on my slackware box and it runs fine the the packet sniffer mode. I copied the rules/ directory in the snortrules archive to /etc/snort/rules, edited the snort.conf file to reflect my changes, and it seems to be working (I see alerts in /var/log/snort). However, I'm still wondering what the so_rules directory is-- it contains precompiled libraries for other distros, but cannot figure out how to compile them or where to install them.

unSpawn · 07-18-2009, 06:11 AM

http://vrt-sourcefire.blogspot.com/2...ect-rules.html ?