56 Chapter 2 • Installing Snort and Getting Started
There are many other options which are less frequently used. These options will be discussed in related sections later on. The functionality of some command line options can be achieved through the snort.conf file as well.
2.5 Step-By-Step Procedure to Compile and Install Snort From Source Code
Installing Snort from the RPM package is very easy since you have to use only one command, "rpm -i snort_file_name.rpm". However, as you have seen, installing from the source code requires much more work. To summarize the process of installing from the source code, here is a step-by-step procedure:
• Download the source code file from http://www.snort.org.
• Unpack the tar file using the "tar zxvf filename.tar.gz" command.
• Run the configure script. A typical command line is something like "./configure --prefix=/opt/snort --with-mysql --with-snmp --with-openssl". Each --with-* option builds in support for the corresponding library, which must already be installed on the system or the configure script fails.
• Run the make command.
• Run the "make install" command.
• Create the directory /var/log/snort.
• Create the directory /opt/snort/etc.
• Create the directory /opt/snort/rules.
• Copy snort.conf to the /opt/snort/etc directory.
• Copy the classification.config file to the /opt/snort/etc directory.
• Copy the reference.config file to the /opt/snort/etc directory.
• Copy all rule files to the /opt/snort/rules directory.
• Create the startup script snortd and copy it to the /etc/init.d directory. Create its links in the /etc/rcX.d directories (/etc/rc.d/rcX.d on Red Hat style systems), where X is a run level number, so that Snort starts at boot time.
• If you are using MySQL with Snort, it should be started before starting Snort.
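The procedure above as a script, added here as an example; it is not code from the book or from the Snort project. It assumes the tarball unpacks into a single top-level directory that carries etc/snort.conf, etc/classification.config, etc/reference.config and rules/*.rules, that the administrator has written a snortd init script (passed in SNORTD_SCRIPT), and that run levels 3 and 5 with an S99 link are the right boot hook; the build step only runs when SNORT_TARBALL is set, so the layout and check functions can be exercised without a compiler or root.

```shell
#!/bin/sh
# Added example, not code from the book or the Snort project: the
# source-install procedure as a script. Assumptions: the tarball unpacks
# into one top-level directory holding etc/snort.conf,
# etc/classification.config, etc/reference.config and rules/*.rules;
# SNORTD_SCRIPT names an administrator-written snortd init script.
set -eu

PREFIX=${PREFIX:-/opt/snort}
LOGDIR=${LOGDIR:-/var/log/snort}

# configure / make / make install inside the unpacked source tree
# (needs a compiler and, for a prefix under /opt, root privileges).
build_snort() {
    ( cd "$1" &&
      ./configure --prefix="$PREFIX" --with-mysql --with-snmp --with-openssl &&
      make && make install )
}

# The manual steps after 'make install': directory layout plus the
# configuration and rule files Snort will be pointed at.
install_snort_tree() {
    srcdir=$1; prefix=$2; logdir=$3
    mkdir -p "$logdir" "$prefix/etc" "$prefix/rules"
    for f in snort.conf classification.config reference.config; do
        cp "$srcdir/etc/$f" "$prefix/etc/"
    done
    cp "$srcdir/rules/"*.rules "$prefix/rules/"
}

# Check before the first start: each config file must exist, the rules
# directory must hold at least one *.rules file, and the log directory
# must exist because Snort does not create it.
check_snort_tree() {
    prefix=$1; logdir=$2
    for p in "$logdir" "$prefix/etc/snort.conf" \
             "$prefix/etc/classification.config" "$prefix/etc/reference.config"; do
        if [ ! -e "$p" ]; then echo "missing: $p" >&2; return 1; fi
    done
    set -- "$prefix/rules"/*.rules
    if [ ! -e "$1" ]; then echo "no rule files in $prefix/rules" >&2; return 1; fi
    return 0
}

# SysV boot integration: /etc/init.d/snortd plus S-links in the run-level
# directories. Run levels 3 and 5 and the S99 prefix are assumptions;
# Red Hat style systems keep these directories under /etc/rc.d.
install_startup_script() {
    cp "$1" /etc/init.d/snortd
    chmod 755 /etc/init.d/snortd
    for lvl in 3 5; do
        ln -sf ../init.d/snortd "/etc/rc$lvl.d/S99snortd"
    done
}

# The whole procedure. It only runs when SNORT_TARBALL is set, so the
# functions above can be sourced and tested without a tarball.
if [ -n "${SNORT_TARBALL:-}" ]; then
    srcdir=$(tar tzf "$SNORT_TARBALL" | head -n 1 | cut -d/ -f1)
    tar zxf "$SNORT_TARBALL"
    build_snort "$srcdir"
    install_snort_tree "$srcdir" "$PREFIX" "$LOGDIR"
    check_snort_tree "$PREFIX" "$LOGDIR"
    if [ -n "${SNORTD_SCRIPT:-}" ]; then
        install_startup_script "$SNORTD_SCRIPT"
    fi
    # With MySQL output configured in snort.conf, start MySQL before snortd.
fi
```

Run it as "SNORT_TARBALL=snort-x.y.z.tar.gz SNORTD_SCRIPT=./snortd sh install-snort.sh" from the directory holding the tarball; check_snort_tree is also useful on its own after a manual install, since a missing /var/log/snort or an empty rules directory is the usual reason the first start fails.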
2.6 Location of Snort Files
Snort files can be categorized as follows:
• The Snort binary file, which is the actual executable.
• The Snort configuration file, which is typically snort.conf.
• Other Snort configuration files like classification.config and reference.config.
• Rule files.
• Log files.
If you install Snort from the RPM package, the Snort binary file is usually installed in the /usr/sbin directory. If you compile Snort yourself, the location of this file is controlled by the --prefix option given to the configure script; with --prefix=/opt/snort the binary is installed as /opt/snort/bin/snort. The main configuration file snort.conf is installed in the /etc/snort directory when you use the Snort RPM. However, you can keep this file in any directory because you have to specify the path to it on the command line when starting Snort. In the examples used in this book, the file is stored under the /opt/snort/etc directory.
Other configuration files like classification.config and reference.config are usually stored in the same location as the snort.conf file. The paths to these files are given in the snort.conf file, so by changing those paths you can control where they are kept.
Rule files are referenced in the snort.conf file. If you install Snort from the RPM package, rule files are also installed in the /etc/snort directory. In the examples in this book, when you compile Snort yourself, the rule files are installed under the /opt/snort/rules directory. By modifying the snort.conf file, you can select a different location for the rule files.
The location of Snort log files can be set with the help of the snort.conf file or using command line options. Typically the log files are stored in the /var/log/snort directory. If the log directory does not exist, you have to create it manually; Snort does not create it. When Snort is logging data from different hosts, it can create a directory for each host under /var/log/snort for the log files.
For example, to change the default location of log files to /snort/log, use the following line in the snort.conf file:
config logdir: /snort/log
You can also change the location of log files using the -l command line option when starting Snort. Chapter 3 contains a more detailed discussion of the snort.conf configuration file.
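Because snort.conf is what ties the file locations together (the other *.config files, the rules directory and the log directory are all named in it), a useful check before starting Snort is to walk the file and confirm every path it refers to exists. The script below is an added example and not code from the book or from Snort; it assumes the snort.conf directives var NAME value, include path and config logdir: path, with $NAME references expanded from earlier var lines, and builds a constructed sample layout under a temporary directory that mirrors the /opt/snort/etc, /opt/snort/rules and /var/log/snort arrangement used in this book.

```shell
#!/bin/sh
# Added example, not code from the book or from Snort: verify that every
# path a snort.conf refers to exists before Snort is started. Assumes the
# directives 'var NAME value', 'include path' and 'config logdir: path';
# $NAME references are expanded from the 'var' lines seen earlier.
set -eu

# Expand $NAME references in $1 with the sed substitutions accumulated in $2.
expand_vars() {
    printf '%s\n' "$1" | sed "$2"
}

# check_snort_paths CONF: report each missing file or directory on stderr
# and return 1 if anything is missing, 0 when every referenced path exists.
# Relative 'include' paths are resolved against the directory holding CONF,
# which is where classification.config and reference.config normally sit.
check_snort_paths() {
    conf=$1
    confdir=$(dirname "$conf")
    subs='s/^//'        # sed script: one 's|\$NAME|value|g' per 'var' line
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        [ $# -ge 2 ] || continue
        case "$1" in
            var)
                [ $# -ge 3 ] || continue
                subs="$subs;s|\\\$$2|$(expand_vars "$3" "$subs")|g" ;;
            include)
                path=$(expand_vars "$2" "$subs")
                case "$path" in /*) ;; *) path="$confdir/$path" ;; esac
                if [ ! -f "$path" ]; then
                    echo "missing include: $path" >&2; rc=1
                fi ;;
            config)
                if [ "$2" = "logdir:" ] && [ $# -ge 3 ]; then
                    path=$(expand_vars "$3" "$subs")
                    if [ ! -d "$path" ]; then
                        echo "missing logdir: $path" >&2; rc=1
                    fi
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed sample layout under DIR mirroring the book's arrangement:
# /opt/snort/etc for the config files, /opt/snort/rules, /var/log/snort.
write_sample_layout() {
    dir=$1
    mkdir -p "$dir/opt/snort/etc" "$dir/opt/snort/rules" "$dir/var/log/snort"
    : > "$dir/opt/snort/etc/classification.config"
    : > "$dir/opt/snort/etc/reference.config"
    : > "$dir/opt/snort/rules/local.rules"
    cat > "$dir/opt/snort/etc/snort.conf" <<EOF
# constructed snort.conf fragment: only the location directives
var RULE_PATH $dir/opt/snort/rules
config logdir: $dir/var/log/snort
include classification.config
include reference.config
include \$RULE_PATH/local.rules
EOF
}

sample=$(mktemp -d)
write_sample_layout "$sample"
if check_snort_paths "$sample/opt/snort/etc/snort.conf"; then
    echo "all paths referenced by snort.conf are present"
fi
```

On a real installation call check_snort_paths with the path you pass to Snort's -c option, for example /opt/snort/etc/snort.conf; a non-zero exit with a "missing include" or "missing logdir" line names the file or directory that still has to be created or copied.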