Multiple Snort Sensors with Centralized Database

28 Chapter 2 • Installing Snort and Getting Started

this directory. In this chapter, you will learn how to install Snort as a standalone product. Later chapters will focus on other components. Snort is available in both source code and binary forms. Pre-compiled binary packages are fine for most installations. As mentioned earlier, if you want to add or remove certain features of Snort, you need to download the source code version and then compile it yourself. For example, one administrator may be interested in SMB alerts while another may consider them insecure. If you want to build Snort without support for SMB alerts, you will need to build it yourself. The same is true of other features such as SNMP traps, MySQL support and so on. Another reason to compile the source code yourself is when a new version has been released but binaries are not yet available. You will also need to compile the Snort package yourself if you take a snapshot of the code under development. This chapter provides a step-by-step guide to installing Snort. The basic installation procedure is simple because Snort ships with plenty of predefined rules that cover most of the known intrusion signatures. However, customizing your installation may require a lot of work. Version 1.9.0 is used in this chapter, but the installation procedure is similar for other versions of the software. After installation, basic information for getting started with Snort is also provided, including basic Snort concepts, logging and alerting, and some information about Snort modes of operation.

2.2 Installing Snort

In this section you will learn how to install a precompiled version of Snort as well as how to compile and install it yourself. Installation of the pre-compiled RPM package is very easy and requires only a few steps. However, if you get Snort in source code format, the installation process takes more time and requires some understanding of the build.

2.2.1 Installing Snort from the RPM Package

The installation procedure of Snort from the RPM package involves the following steps.

2.2.1.1 Download

Download the latest version from the Snort web site http://www.snort.org. At the time of writing this book, the latest binary file is snort-1.9.0-1snort.i386.rpm.

2.2.1.2 Install

Run the following command to install the Snort binaries:

rpm --install snort-1.9.0-1snort.i386.rpm

This command performs the following actions:

• Creates the directory /etc/snort, where all Snort rule files and configuration files are stored.
• Creates the directory /var/log/snort, where Snort log files will be stored.
• Creates the directory /usr/share/doc/snort-1.9.0 and stores the Snort documentation files in it. You will see files like FAQ (Frequently Asked Questions), README and others in this directory.
• Creates the file snort-plain in the /usr/sbin directory. This is the Snort daemon.
• Creates the file /etc/rc.d/init.d/snortd, which is the startup and shutdown script. On RedHat Linux, this is equivalent to /etc/init.d/snortd.

Basic installation is complete at this point and you can start using Snort. The version of Snort installed this way is not compiled with database support, so you can use it only for logging to files in the /var/log/snort directory.

2.2.1.3 Starting, Stopping and Restarting Snort

To run Snort manually, use the following command:

/etc/init.d/snortd start

This command starts Snort, and you can verify that the Snort daemon is running with the "ps -ef" command. You should see a line like the following in the output of this command:

root 15999 1 0 18:31 ? 00:00:01 /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf

Note that you have to start Snort manually each time you reboot the machine. You can automate this process by creating links to this file, which will be explained later in this chapter. To stop Snort, use the following command:

/etc/init.d/snortd stop

To restart Snort, use this command:

/etc/init.d/snortd restart
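As an added example (not from the book), the following POSIX shell functions let a sensor administrator confirm that an RPM-installed sensor matches the layout described above and that the daemon seen in "ps -ef" runs with the expected options (-D, -l /var/log/snort, -c /etc/snort/snort.conf). The ROOT prefix and the sample ps line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: sanity checks for a Snort 1.9.0 RPM sensor.
# check_snort_rpm_layout verifies the files and directories the RPM is said to
# create; ROOT (constructed prefix, default empty = the real filesystem) lets
# it run against a staged tree. check_snort_cmdline parses one `ps -ef` line
# and confirms the daemon runs with -D, logs to /var/log/snort and uses
# /etc/snort/snort.conf.

check_snort_rpm_layout() {
    root="${1:-}"
    missing=0
    for d in /etc/snort /var/log/snort /usr/share/doc/snort-1.9.0; do
        [ -d "$root$d" ] || { echo "missing directory: $d" >&2; missing=1; }
    done
    for f in /usr/sbin/snort-plain /etc/init.d/snortd; do
        [ -e "$root$f" ] || { echo "missing file: $f" >&2; missing=1; }
    done
    return "$missing"
}

check_snort_cmdline() {
    line="$1"
    case "$line" in
        *'/usr/sbin/snort '*) ;;
        *) echo "no /usr/sbin/snort process in ps output" >&2; return 1 ;;
    esac
    # Positional parameters become the daemon's arguments (word splitting intended, globbing off).
    set -f
    set -- ${line#*/usr/sbin/snort }
    set +f
    daemon=0 logdir='' conf='' iface=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -D) daemon=1 ;;
            -l) logdir="$2"; shift ;;
            -c) conf="$2"; shift ;;
            -i) iface="$2"; shift ;;
        esac
        shift
    done
    [ "$daemon" -eq 1 ] || { echo "snort is not running as a daemon (-D)" >&2; return 1; }
    [ "$logdir" = /var/log/snort ] || { echo "unexpected log directory: $logdir" >&2; return 1; }
    [ "$conf" = /etc/snort/snort.conf ] || { echo "unexpected config file: $conf" >&2; return 1; }
    echo "snort daemon OK on interface ${iface:-default}"
}

# Constructed sample line, matching the ps -ef output shown above.
SAMPLE_PS_LINE='root 15999 1 0 18:31 ? 00:00:01 /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'
check_snort_cmdline "$SAMPLE_PS_LINE"
```

Run the layout check as `check_snort_rpm_layout` with no argument on the sensor itself; a non-zero exit and the messages on stderr name whatever the RPM install did not leave in place.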

2.2.2 Installing Snort from Source Code

To install Snort from the source code, you have to build it first. You can build the executable snort file using the procedure explained in this section. First, download