So after quite a few hours of screwing around, I got a simple install of Snort running with BASE on Ubuntu Server 9.1.  So here’s what I used …

  1. This is 98% of what you need …
  2. You’ll need to download a current copy of the VRT rules .. … decompress and install into /etc/snort/rules
  3. To avoid this error …snort: error while loading shared libraries: cannot open shared object file: No such file or directoryAfter you compiling and installing the newest libpcre you’ll need to do this …

    cp /usr/local/lib/ /usr/lib

    (found that here  ..

  4. To configure auto updating of the VRT rules you’ll need to get your own Oinkcode … … with your code in hand do this …apt-get install oinkmaster

    Edit /etc/oinkmaster.conf and replace the default Oinkcode with your Oinkcode. Then run …

    oinkmaster -o /etc/snort/rules

    Create a cronjob to run the above command as often as you’d like, once every 24 hours?

  5. Don’t forget to do this for BASE …pear install Mail
    pear install Mail_Mime
  6. Lastly, you’ll probably want a startup script for Snort, so look here …

I hope this helps somebody out there.

  1. enhanced says:


    Snort is fairly simple to install and often a simple google search will provide a ton of resources that describe (in step-by-step detail) exactly how to install snort with snorby, BASE, sguil or a number of different event viewing tools!

    Also, it’s typically best to install everything from source, tends to be more up-to-date, as the individuals maintaining the repo’s tend to be ridiculously behind .

    try pulledpork for rule management, more features!


  2. peet says:

    Yeah, if you notice, that’s what I detailed here, but those step-by-step instructions are not exactly always complete. Hence my nasty hodgepodge of info that aparently works pretty well.

    Thanks taking the time to reply,

