Nov 14

So after quite a few hours of screwing around, I got a simple install of Snort running with BASE on Ubuntu Server 9.1.  So here’s what I used …

  1. This is 98% of what you need … http://www.howtoforge.com/intrusion_detection_base_snort_p4
  2. You’ll need to download a current copy of the VRT rules .. http://www.snort.org/snort-rules/?#rules … decompress and install into /etc/snort/rules
  3. To avoid this error …

    snort: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory

    … after compiling and installing the newest libpcre you’ll need to do this …

    cp /usr/local/lib/libpcre.so.0 /usr/lib

    (found that here .. http://ubuntuforums.org/archive/index.php/t-107197.html). The copy works, but the tidier fix is to make the dynamic linker aware of /usr/local/lib and run ldconfig, so that later library updates are picked up without another copy.

  4. To configure auto updating of the VRT rules you’ll need to get your own Oinkcode … http://www.snort.org/account/oinkcode … with your code in hand do this …

    apt-get install oinkmaster

    Edit /etc/oinkmaster.conf and replace the default Oinkcode with your Oinkcode. Then run …

    oinkmaster -o /etc/snort/rules

    Create a cron job to run the above command as often as you’d like (once every 24 hours is a reasonable default).

  5. Don’t forget to do this for BASE …

    pear install Mail
    pear install Mail_Mime

  6. Lastly, you’ll probably want a startup script for Snort, so look here … http://vrt-sourcefire.blogspot.com/2008/09/snort-startup-script-for-ubuntu.html
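The rule-update step above is where an unattended sensor most often breaks: a bad or half-downloaded ruleset makes Snort refuse to start at its next restart, and nobody notices until the alerts stop. The script below is an added example, not code from the post, of a wrapper for that cron job: it copies the current rules aside, runs the same oinkmaster command as step 4, parse-checks the result with snort -T, and puts the old rules back if the check fails. The script name, the backup directory, the PID file path and the use of SIGHUP to make Snort re-read its configuration are assumptions; adjust them to match your init script.

```shell
#!/bin/sh
# update-snort-rules.sh (hypothetical name): safe wrapper around the post's
# "oinkmaster -o /etc/snort/rules" step, meant to run from cron.
# Paths below are assumptions; the Oinkcode itself lives in /etc/oinkmaster.conf.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/snort-rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
PIDFILE="${PIDFILE:-/var/run/snort_eth0.pid}"   # assumption: matches your startup script

# Fetch and install the VRT rules exactly as step 4 does.
fetch_rules() {
    oinkmaster -o "$RULES_DIR"
}

# Parse-check the whole Snort config, including the freshly installed rules,
# without sniffing any traffic.
check_config() {
    snort -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# SIGHUP tells a running Snort to re-read its configuration and rules.
reload_snort() {
    [ -r "$PIDFILE" ] && kill -HUP "$(cat "$PIDFILE")"
}

# Copy the current rules into a timestamped directory; prints its path.
backup_rules() {
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$BACKUP_DIR/rules-$stamp"
    mkdir -p "$dest" && cp -a "$RULES_DIR"/. "$dest"/ && echo "$dest"
}

# Replace the current rules with the contents of a backup directory.
restore_rules() {
    src="$1"
    rm -rf "$RULES_DIR"/* && cp -a "$src"/. "$RULES_DIR"/
}

# Exit status: 0 = new rules are live, 1 = update rolled back to the old
# rules, 2 = something is wrong even with the old rules (needs a human).
update_rules_safely() {
    backup=$(backup_rules) || return 2
    fetch_rules || { echo "oinkmaster failed, keeping current rules" >&2; return 1; }
    if check_config; then
        reload_snort || echo "rules installed; Snort not running, no reload sent" >&2
        return 0
    fi
    echo "snort -T rejected the new rules, restoring $backup" >&2
    restore_rules "$backup"
    check_config || return 2
    return 1
}

# Only act when invoked with --run, so the functions can also be sourced/tested.
if [ "${1:-}" = "--run" ]; then
    update_rules_safely
fi
```

Save it as /usr/local/sbin/update-snort-rules.sh and point the cron entry from step 4 at it, e.g. `0 4 * * * root /usr/local/sbin/update-snort-rules.sh --run`; a non-zero exit in the cron mail tells you the update was rolled back rather than silently leaving a dead sensor.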

I hope this helps somebody out there.

2 Responses to “Snort still kind of sucks to install, but its running.”

  1. enhanced says:

    srsly?

    Snort is fairly simple to install and often a simple google search will provide a ton of resources that describe (in step-by-step detail) exactly how to install snort with snorby, BASE, sguil or a number of different event viewing tools!

    Also, it’s typically best to install everything from source; it tends to be more up-to-date, as the individuals maintaining the repos tend to be ridiculously behind.

    try pulledpork for rule management, more features! http://code.google.com/p/pulledpork

    E

  2. peet says:

    Yeah, if you notice, that’s what I detailed here, but those step-by-step instructions are not exactly always complete. Hence my nasty hodgepodge of info that apparently works pretty well.

    Thanks for taking the time to reply,
    peet
