Running Snort on Multiple Network Interfaces

56 Chapter 2 • Installing Snort and Getting Started

There are many other options which are less frequently used. These options will be discussed in related sections later on. The functionality of some command line options can be achieved through the snort.conf file as well.

2.5 Step-By-Step Procedure to Compile and Install Snort From Source Code

Installing Snort from the RPM package is very easy since you have to use only one command, "rpm --install snort_file_name.rpm". However, as you have seen, installing from the source code requires much more work. To summarize the process of installing from the source code, here is a step-by-step procedure:

• Download the source code file from http://www.snort.org.
• Unpack the tar file using the "tar zxvf filename.tar.gz" command.
• Run the configure script. A typical command line is something like "./configure --prefix=/opt/snort --with-mysql --with-snmp --with-openssl".
• Run the make command.
• Run the "make install" command.
• Create a directory /var/log/snort.
• Create a directory /opt/snort/etc.
• Create a directory /opt/snort/rules.
• Copy snort.conf to the /opt/snort/etc directory.
• Copy the classification.config file to the /opt/snort/etc directory.
• Copy the reference.config file to the /opt/snort/etc directory.
• Copy all rule files to the /opt/snort/rules directory.
• Create the startup script snortd and copy it to the /etc/init.d directory. Create its links in the /etc/rcX.d directories, where X is a run level number, so that Snort starts at boot time.
• If you are using MySQL with Snort, it should be started before starting Snort.
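The steps that follow "make install" in the list above, scripted so that a missing file is noticed before Snort is started. This is an added example and not code from the book: it assumes the unpacked source tree keeps snort.conf, classification.config and reference.config in an etc/ subdirectory and the rule files in rules/ (as the Snort tarballs of that era did), and it uses /opt/snort and /var/log/snort only as the defaults taken from the book's examples.

```shell
#!/bin/sh
# Added example, not code from the book: scripts the post-build steps of
# section 2.5. Assumes the unpacked source tree holds snort.conf,
# classification.config and reference.config in etc/ and the rule files in
# rules/ (true of Snort source tarballs of that era).
set -e

# Create the layout Snort expects: PREFIX/etc, PREFIX/rules and the log
# directory, which Snort will not create for itself.
snort_make_layout() {
    prefix=$1; logdir=$2
    mkdir -p "$prefix/etc" "$prefix/rules" "$logdir"
    chmod 700 "$logdir"   # logs carry packet payloads; keep them private
}

# Copy the three configuration files and every *.rules file from the source
# tree into the layout. Returns non-zero if a required file is absent, so a
# half-finished install is caught before Snort is started.
snort_install_configs() {
    src=$1; prefix=$2
    for f in snort.conf classification.config reference.config; do
        if [ ! -f "$src/etc/$f" ]; then
            echo "missing $src/etc/$f" >&2
            return 1
        fi
        cp "$src/etc/$f" "$prefix/etc/"
    done
    cp "$src/rules/"*.rules "$prefix/rules/"
}

# Number of rule files that ended up under PREFIX/rules.
snort_count_rules() {
    ls "$1/rules"/*.rules 2>/dev/null | wc -l | tr -d ' '
}

# The build itself, as in the book's list. Not run here: it needs the
# tarball, a compiler and the MySQL, SNMP and OpenSSL development headers.
snort_build() {
    tarball=$1; prefix=$2
    tar zxvf "$tarball"
    cd "$(basename "$tarball" .tar.gz)"
    ./configure --prefix="$prefix" --with-mysql --with-snmp --with-openssl
    make
    make install
}

# Typical use (paths are the book's example defaults; snort-x.y.z stands for
# the unpacked source directory):
#   snort_make_layout /opt/snort /var/log/snort
#   snort_install_configs ./snort-x.y.z /opt/snort
```

The functions take the prefix and log directory as arguments rather than hard-coding them, so the same script serves a test install under a scratch directory and the real one under /opt/snort.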

2.6 Location of Snort Files

Snort files can be categorized as follows:

• The Snort binary file, which is the actual executable.
• The Snort configuration file, which is typically snort.conf.
• Other Snort configuration files like classification.config and reference.config.
• Rule files.
• Log files.

If you install Snort from the RPM package, the Snort binary file is usually installed in the /usr/sbin directory. If you compile Snort yourself, the location of this file can be controlled using the --prefix option of the configure script.

The main configuration file snort.conf is installed in the /etc/snort directory when you use the Snort RPM. However, you can save this file in any directory because you have to specify the path to this file on the command line when starting Snort. In the examples used in this book, the file is stored under the /opt/snort/etc directory. Other configuration files like classification.config and reference.config are usually stored in the same location as the snort.conf file. The path to the location of these files is found in the snort.conf file. By changing that path, you can control the location of these files.

Rule files are referenced in the snort.conf file. If you install Snort from the RPM package, rule files are also installed in the /etc/snort directory. In the examples in this book, when you compile Snort yourself, you install these rule files under the /opt/snort/rules directory. By modifying the snort.conf file, you can select a different location for the rule files.

The location of Snort log files can be set with the help of the snort.conf file or using command line options. Typically the log files are stored in the /var/log/snort directory. If the log directory does not exist, you have to create it manually. When Snort is logging data from different hosts, it can create a directory for each host under /var/log/snort for the log files.
For example, to modify the default location of log files to /snort/log, use the following line in the snort.conf file:

config logdir: /snort/log

You can also change the location of log files using the -l command line option when starting Snort. Chapter 3 contains a more detailed discussion of the snort.conf configuration file.
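A preflight check for the file locations this section describes, added here as an example and not the book's own code. It resolves the log directory in the precedence the text gives (the -l option wins over "config logdir:", which wins over the /var/log/snort default) and then follows the include lines of snort.conf to confirm that the classification, reference and rule files are where the configuration says they are. It assumes the standard "var NAME value" and "include path" syntax of snort.conf and, as a simplification, that relative include paths are resolved against the directory holding snort.conf.

```shell
#!/bin/sh
# Added example, not code from the book: checks that the files section 2.6
# locates are actually present before Snort is started. Assumes the standard
# "var NAME value" and "include path" syntax of snort.conf, and (a
# simplification) that relative include paths are resolved against the
# directory that holds snort.conf.
set -e

# Log directory, in the precedence the text describes: the -l command line
# value, else "config logdir:" from snort.conf, else /var/log/snort.
snort_logdir() {
    conf=$1; cli=${2:-}
    if [ -n "$cli" ]; then
        echo "$cli"
        return 0
    fi
    d=$(sed -n 's/^[[:space:]]*config[[:space:]]*logdir:[[:space:]]*//p' "$conf" \
        | sed 's/[[:space:]]*$//' | tail -n 1)
    echo "${d:-/var/log/snort}"
}

# Files pulled in by "include" lines, with $NAME expanded from earlier
# "var NAME value" lines. Relies on no variable name being a prefix of
# another, which holds for the stock file (RULE_PATH, HOME_NET, ...).
snort_includes() {
    conf=$1
    awk -v dir="$(dirname "$conf")" '
        $1 == "var"     { vars[$2] = $3; next }
        $1 == "include" {
            p = $2
            for (v in vars) gsub("\\$" v, vars[v], p)
            if (p !~ /^\//) p = dir "/" p
            print p
        }' "$conf"
}

# Report every missing piece; exit status is non-zero if anything is absent.
# Snort does not create the log directory, so its absence is the usual cause
# of a failed start.
snort_preflight() {
    conf=$1; cli=${2:-}
    rc=0
    if [ ! -f "$conf" ]; then
        echo "snort.conf not found: $conf" >&2
        return 1
    fi
    ld=$(snort_logdir "$conf" "$cli")
    if [ ! -d "$ld" ]; then
        echo "log directory missing: $ld (create it by hand)" >&2
        rc=1
    fi
    for f in $(snort_includes "$conf"); do
        if [ ! -f "$f" ]; then
            echo "included file missing: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use, with the book's example location:
#   snort_preflight /opt/snort/etc/snort.conf
# or, when -l will be given on the Snort command line:
#   snort_preflight /opt/snort/etc/snort.conf /var/log/snort
```

Running the check from the same startup script that launches Snort turns a silent failure to start (or a sensor that runs without its rule files) into an explicit error message naming the path that is missing.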