30 Chapter 2 • Installing Snort and Getting Started
the latest version of Snort from its web site http://www.snort.org. Just look for the “download” link and grab the latest version of the software. At the time of writing this book, the latest version was 1.9.0. The downloadable file name is snort-1.9.0.tar.gz, which can be saved in the /opt directory on the Linux box. Note that the installation method is the same for other versions which may be available by the time you read this book; only the version number in the file and directory names changes.
NOTE: You must have libpcap installed on your UNIX machine, or WinPcap if you are using Microsoft Windows. You can get WinPcap from http://winpcap.polito.it. Libpcap is available from http://www-nrg.ee.lbl.gov.
2.2.2.1 Unpacking
The first step after downloading is unpacking the source code. Use the following command to unpack it:

    tar zxvf snort-1.9.0.tar.gz

This will create a directory /opt/snort-1.9.0, assuming that you have downloaded the file into the /opt directory and have run the tar command in this directory. In case of other versions of Snort, the directory name will be different and will reflect the version number. After unpacking you can see the directory tree created by the tar command using the tree command. The following is a snapshot of the directories present under the /opt/snort-1.9.0 directory.
    [root@conformix opt]# tree -d snort-1.9.0
    snort-1.9.0
    |-- contrib
    |-- doc
    |-- etc
    |-- rules
    |-- src
    |   |-- detection-plugins
    |   |-- output-plugins
    |   |-- preprocessors
    |   `-- win32
    |       |-- WIN32-Code
    |       |-- WIN32-Includes
    |       |   |-- NET
    |       |   |-- NETINET
    |       |   |-- libnet
    |       |   |-- mysql
    |       |   `-- rpc
    |       |-- WIN32-Libraries
    |       |   |-- libnet
    |       |   `-- mysql
    |       `-- WIN32-Prj
    `-- templates

    21 directories
    [root@conformix opt]#
A brief description of these directories follows:

• The contrib directory contains utilities which are not strictly part of Snort itself. These utilities include ACID, MySQL database creation scripts and other things.
• The doc directory contains documentation files, as is evident from the name of the directory.
• The etc directory contains configuration files.
• The rules directory contains predefined rule files.
• All source code is present under the src directory.
• The templates directory is useful only for people who want to write their own plug-ins. It has no significance for general Snort users.
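The unpacking step above assumes that everything in the tarball lands under a single directory, /opt/snort-1.9.0. The following is an added example, not part of the book's text, that confirms this before extracting: it lists the archive members with tar, rejects any member with an absolute path or a ".." component that could write outside /opt, requires exactly one top-level directory, and only then extracts. The function names (tarball_topdir, safe_unpack) are this example's own.

```sh
#!/bin/sh
# Added example: inspect a gzip-compressed source tarball before extracting it.
# tarball_topdir prints the single top-level directory name (e.g. snort-1.9.0)
# and returns non-zero if any member could escape the extraction directory or
# if the archive does not have exactly one top-level entry.
tarball_topdir() {
    archive=$1
    tar tzf "$archive" | awk '
        # a leading slash would extract relative to the filesystem root
        /^\// { print "absolute path: " $0 > "/dev/stderr"; bad = 1; next }
        # a ".." component (at the start or after a slash) climbs out of the target
        $0 ~ /^\.\.(\/|$)/ || $0 ~ /\/\.\.(\/|$)/ {
            print "parent reference: " $0 > "/dev/stderr"; bad = 1; next
        }
        # remember the first path component of every member
        { split($0, parts, "/"); tops[parts[1]] = 1 }
        END {
            n = 0
            for (t in tops) { n++; top = t }
            if (bad) exit 1
            if (n != 1) {
                print "expected one top-level directory, found " n > "/dev/stderr"
                exit 1
            }
            print top
        }'
}

# safe_unpack extracts $1 into directory $2 only after tarball_topdir accepts it,
# and refuses to overwrite an existing tree of the same name. Prints the
# resulting directory path, e.g. /opt/snort-1.9.0.
safe_unpack() {
    archive=$1
    dest=$2
    top=$(tarball_topdir "$archive") || return 1
    if [ -e "$dest/$top" ]; then
        echo "$dest/$top already exists" >&2
        return 1
    fi
    tar xzf "$archive" -C "$dest" && echo "$dest/$top"
}
```

Usage for the book's scenario is `safe_unpack /opt/snort-1.9.0.tar.gz /opt`, which prints /opt/snort-1.9.0 on success. The check costs one extra pass over the archive listing and is most useful when the tarball was fetched from a mirror rather than directly from the project site.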
2.2.2.2 Compiling and Installation
The compilation and installation process consists of three steps as listed below:

1. Running the configure script.
2. Running the make command.
3. Running the make install command.

To start the compilation process of Snort, go to the /opt/snort-1.9.0 directory and run the configure script. If you are new to GNU style software, the configure script is a common utility with open source packages. It is used to set some parameters, create makefiles, and detect development tools and libraries available on your system. Many command line options can be used with the configure script. These options determine which Snort components will be compiled into Snort. For example, using these options you can build support for SNMP, MySQL or SMB alerts, in addition to many other things. You can also determine the directory in which the final Snort files will be installed. Available command line options for the configure script can be listed using the “./configure --help” command as shown below: