Snort 3 Installation
The very first thing to do is make sure all necessary dependencies are installed. The following is a list of required packages:
- cmake to build from source
- The Snort 3 libdaq for packet IO
- dnet for network utility functions
- g++ >= 5 or other C++14 compiler
- hwloc for CPU affinity management
- LuaJIT for configuration and scripting
- OpenSSL for SHA and MD5 file signatures, the protected_content rule option, and SSL service detection
- pcap for tcpdump style logging
- pcre for regular expression pattern matching
- pkgconfig to locate build dependencies
- zlib for decompression
Information on where to download each of these required packages can be found here: https://github.com/snort3/snort3/blob/master/doc/user/tutorial.txt#L6.
There are also a few optional packages that can be installed to take advantage of some of Snort's optional features. These include:
- asciidoc to build the HTML manual
- cpputest to run additional unit tests with make check
- dblatex to build the PDF manual included with Snort 3 installs
- flatbuffers for enabling the flatbuffers serialization format
- hyperscan >= 4.4.0 to build the new regex and sd_pattern rule options and hyperscan search engine
- iconv for converting UTF16-LE filenames to UTF8 (usually included in glibc)
- libunwind to attempt to dump a somewhat readable backtrace when a fatal signal is received
- lzma >= 5.1.2 for decompression of SWF and PDF files
- safec >= 3.5 for runtime bounds checks on certain legacy C-library calls
- source-highlight to generate the dev guide
- w3m to build the plain text manual
- uuid from uuid-dev package for unique identifiers
Information on where to download each of these optional packages can be found here: https://github.com/snort3/snort3/blob/master/doc/user/tutorial.txt#L36.
We now need to install the Snort 3 LibDAQ, which provides an abstraction layer for communicating with a data source (such as a network interface).
If you have LibDAQ already installed for Snort 2 and want to install a DAQ just for Snort 3, or if you want to install LibDAQ in a custom location, you can change the DAQ install location with the --prefix option when configuring.
To show this in action, first clone the LibDAQ repository from GitHub:
$ git clone https://github.com/snort3/libdaq.git
Then, run the following commands to generate the configure script, configure with a specified prefix, build, and lastly install:
$ cd libdaq
$ ./bootstrap
$ ./configure --prefix=/usr/local/lib/daq_s3
$ make install
After installing libdaq, you must then run ldconfig to configure your system's dynamic linker run-time bindings. However, if you have installed the DAQ in a nonstandard location, you'll first need to tell your system where to find the new shared libraries. One common solution is to create a file in the /etc/ld.so.conf.d/ directory that points to where those libraries are located:
$ cat /etc/ld.so.conf.d/libdaq3.conf
/usr/local/lib/daq_s3/lib/
Once ready, you may proceed with the ldconfig command to configure the run-time bindings:
$ sudo ldconfig
After all dependencies have been installed, it is time to build Snort.
To do this, first clone the Snort 3 repository:
$ git clone https://github.com/snort3/snort3.git
You can install Snort in the system-default directories, or you can install it in some other directory with the --prefix=<path> command line argument.
$ export my_path=/path/to/snorty
$ mkdir -p $my_path
$ cd snort3
$ ./configure_cmake.sh --prefix=$my_path
Additionally, if LibDAQ has been installed in a non-standard or custom location, then you must include the --with-daq-includes and --with-daq-libraries arguments and set them accordingly.
$ ./configure_cmake.sh --prefix=$my_path \
    --with-daq-includes=/usr/local/lib/daq_s3/include/ \
    --with-daq-libraries=/usr/local/lib/daq_s3/lib/
There are many more CMake configuration options to choose from (like enabling debug mode, for example), and the full list of options can be seen by running the following command:
$ ./configure_cmake.sh --help
Once you've configured CMake to your liking and the build files are ready to go, it's time to compile and install Snort. To do this, cd to the newly-created build directory, and then compile and install:
$ cd build
$ make -j $(nproc)
$ make install
If all goes well, run snort -V at the command line to verify successful installation.
$ $my_path/bin/snort -V
   ,,_     -*> Snort++ <*-
  o"  )~   Version 220.127.116.11
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.6
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1q  5 Jul 2022
           Using libpcap version 1.10.1 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.2.12
           Using LZMA version 5.2.6
Lastly, verify that your installation has the appropriate DAQs available to it:
$ $my_path/bin/snort --daq-list
Available DAQ modules:
afpacket(v7): live inline multi unpriv
 Variables:
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
  debug - Enable debugging output to stdout
  fanout_type <arg> - Fanout loadbalancing method
  fanout_flag <arg> - Fanout loadbalancing option
  use_tx_ring - Use memory-mapped TX ring
…
If, however, you get "No available DAQ modules (try adding directories with --daq-dir).", then you will need to specify --daq-dir as the error points out:
$ $my_path/bin/snort --daq-dir /usr/local/lib/daq_s3/lib/daq --daq-list
If that's the case, you can create an "alias" for your Snort command so that you don't have to specify --daq-dir each time you want to invoke Snort:
alias snort='/path/to/bin/snort --daq-dir /usr/local/lib/daq_s3/lib/daq'
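A sensor that starts without the DAQ it needs cannot inspect traffic in the mode you intended, so it is worth scripting the checks above. The following is an added example, not part of the Snort documentation: it confirms the custom DAQ library directory is registered with the dynamic linker and parses --daq-list output for a module and capability. The function names, the script name, the pcap sample line and the choice of afpacket/inline as the required DAQ are assumptions.

```shell
#!/bin/sh
# Added example: post-install checks for the DAQ steps described on this page.
# Succeed if a *.conf file in CONF_DIR (default /etc/ld.so.conf.d) lists DIR.
ld_conf_has_dir() {
    want=${1%/}
    conf_dir=${2:-/etc/ld.so.conf.d}
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments, surrounding blanks and trailing slashes before comparing.
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's:/*$::' "$f" | grep -Fxq -- "$want" && return 0
    done
    return 1
}

# Read `snort --daq-list` output on stdin; print "name capabilities..." per module.
daq_modules() {
    sed -n 's/^\([A-Za-z0-9_][A-Za-z0-9_]*\)(v[0-9][0-9]*): *\(.*\)$/\1 \2/p'
}

# daq_supports MODULE CAPABILITY: succeed if the module lists that capability.
daq_supports() {
    daq_modules | awk -v m="$1" -v c="$2" '
        $1 == m { for (i = 2; i <= NF; i++) if ($i == c) found = 1 }
        END { exit !found }'
}

# Constructed sample; the afpacket line is from the page, the pcap line is made up.
SAMPLE_DAQ_LIST='Available DAQ modules:
afpacket(v7): live inline multi unpriv
 Variables:
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
pcap(v4): readback live multi unpriv'

# Run as: sh check_daq.sh /path/to/snorty /usr/local/lib/daq_s3  (script name assumed)
if [ "$#" -eq 2 ]; then
    snort=$1/bin/snort; daq=$2
    ld_conf_has_dir "$daq/lib" || echo "WARN: $daq/lib not in /etc/ld.so.conf.d"
    out=$("$snort" --daq-list 2>&1) || true
    case $out in
        *"No available DAQ modules"*)
            out=$("$snort" --daq-dir "$daq/lib/daq" --daq-list 2>&1) || true ;;
    esac
    if printf '%s\n' "$out" | daq_supports afpacket inline; then
        echo "afpacket inline: ok"
    else
        echo "FAIL: afpacket DAQ with inline capability not found"
    fi
fi
```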