Snort 3 Installation
Required Packages
The very first thing to do is make sure all necessary dependencies are installed. The following is a list of required packages:
- cmake to build from source
- The Snort 3 libdaq for packet IO
- dnet for network utility functions
- flex >= 2.6.0 for JavaScript syntax parsing
- g++ >= 5 or other C++14 compiler
- hwloc for CPU affinity management
- LuaJIT for configuration and scripting
- OpenSSL for SHA and MD5 file signatures, the protected_content rule option, and SSL service detection
- pcap for tcpdump style logging
- pcre for regular expression pattern matching
- pkgconfig to locate build dependencies
- zlib for decompression
Information on where to download each of these required packages can be found here: https://github.com/snort3/snort3/blob/master/doc/user/tutorial.txt#L6.
Optional Packages
There are also a few optional packages that can be installed to take advantage of some of Snort's optional features. These include:
- asciidoc to build the HTML manual
- cpputest to run additional unit tests with make check
- dblatex to build the PDF manual included with Snort 3 installs
- flatbuffers for enabling the flatbuffers serialization format
- hyperscan >= 4.4.0 to build the new regex and sd_pattern rule options and hyperscan search engine.
- iconv for converting UTF16-LE filenames to UTF8 (usually included in glibc)
- libunwind to attempt to dump a somewhat readable backtrace when a fatal signal is received
- lzma >= 5.1.2 for decompression of SWF and PDF files
- safec >= 3.5 for runtime bounds checks on certain legacy C-library calls
- source-highlight to generate the dev guide
- w3m to build the plain text manual
- uuid from uuid-dev package for unique identifiers
Information on where to download each of these optional packages can be found here: https://github.com/snort3/snort3/blob/master/doc/user/tutorial.txt#L36.
Installing LibDAQ
We now need to install the Snort 3 LibDAQ, which provides an abstraction layer for communicating with a data source (such as a network interface).
If you have LibDAQ already installed for Snort 2 and want to install a DAQ just for Snort 3, or if you want to install LibDAQ in a custom location, you can change the DAQ install location with the --prefix option when configuring: ./configure --prefix=/usr/local/lib/daq_s3.
To show this in action, first clone the LibDAQ repository from GitHub:
$ git clone https://github.com/snort3/libdaq.git
Then, run the following commands to generate the configure script, configure with a specified prefix, build, and lastly install:
$ cd libdaq
$ ./bootstrap
$ ./configure --prefix=/usr/local/lib/daq_s3
$ make install
After installing libdaq, you must then run ldconfig to configure your system's dynamic linker run-time bindings. However, if you have installed the DAQ in a nonstandard location, you'll first need to tell your system where to find the new shared libraries. One common solution is to create a file in the /etc/ld.so.conf.d/ directory that points to where those libraries are located:
$ cat /etc/ld.so.conf.d/libdaq3.conf
/usr/local/lib/daq_s3/lib/
Once ready, you may proceed with the ldconfig command to configure the run-time bindings:
$ sudo ldconfig
Building Snort
After all dependencies have been installed, it is time to build Snort.
To do this, first clone the Snort 3 repository:
$ git clone https://github.com/snort3/snort3.git
You can choose to install Snort in the system-default directories, or install it in some other directory with the --prefix=<path> command line argument.
$ export my_path=/path/to/snorty
$ mkdir -p $my_path
$ cd snort3
$ ./configure_cmake.sh --prefix=$my_path
Additionally, if the LibDAQ has been installed in a non-standard or custom location, then you must include the --with-daq-libraries and --with-daq-includes arguments and set them accordingly.
$ ./configure_cmake.sh --prefix=$my_path \
--with-daq-includes=/usr/local/lib/daq_s3/include/ \
--with-daq-libraries=/usr/local/lib/daq_s3/lib/
There are many more CMake configuration options to choose from (like enabling debug mode, for example), and the full list of options can be seen by running the following command:
$ ./configure_cmake.sh --help
Once you've configured CMake to your liking and the build files are ready to go, it's time to compile and install Snort. To do this, cd to the newly-created build directory, and then compile and install:
$ cd build
$ make -j $(nproc)
$ make install
If all goes well, run snort -V at the command line to verify successful installation.
$ $my_path/bin/snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.1.36.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.6
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 1.1.1q 5 Jul 2022
Using libpcap version 1.10.1 (with TPACKET_V3)
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.2.12
Using LZMA version 5.2.6
Lastly, verify that your installation has the appropriate DAQs available to it:
$ $my_path/bin/snort --daq-list
Available DAQ modules:
afpacket(v7): live inline multi unpriv
Variables:
buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
debug - Enable debugging output to stdout
fanout_type <arg> - Fanout loadbalancing method
fanout_flag <arg> - Fanout loadbalancing option
use_tx_ring - Use memory-mapped TX ring
…
If, however, you get "No available DAQ modules (try adding directories with --daq-dir).", then you will need to specify --daq-dir as the error points out:
$ $my_path/bin/snort --daq-dir /usr/local/lib/daq_s3/lib/daq --daq-list
If that's the case, you can create an "alias" for your Snort command so that you don't have to specify --daq-dir each time you want to invoke Snort:
alias snort='/path/to/bin/snort --daq-dir /usr/local/lib/daq_s3/lib/daq'
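The whole procedure above in one place, as an added example that is not part of the Snort tutorial or of the snort3 project: a shell script that builds LibDAQ and Snort 3 into private prefixes, registers the DAQ libraries with the dynamic linker, and then performs the checks the tutorial does by eye (snort -V, --daq-list, the --daq-dir fallback) as functions that fail the script when something is missing. DAQ_PREFIX and the /usr/local/lib/daq_s3/lib/daq module directory are the tutorial's; SNORT_PREFIX, the pinned git tags (DAQ_TAG, SNORT_TAG, chosen so that a known release is built rather than whatever master currently points at), the use of sudo for the install steps, and the sample command output embedded for offline testing are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the Snort tutorial or the snort3 project.
# Builds LibDAQ and Snort 3 into private prefixes, registers the DAQ libraries
# with the dynamic linker, then checks the result instead of eyeballing it.
# DAQ_PREFIX and the DAQ module dir follow the tutorial; SNORT_PREFIX, the
# pinned git tags and the use of sudo are assumptions made for this example.
set -eu

DAQ_PREFIX=${DAQ_PREFIX:-/usr/local/lib/daq_s3}
SNORT_PREFIX=${SNORT_PREFIX:-/opt/snort3}   # assumed; any writable prefix works
DAQ_TAG=${DAQ_TAG:-v3.0.6}                  # assumed: build a release tag, not master
SNORT_TAG=${SNORT_TAG:-3.1.36.0}            # assumed, matches the banner sample below
WORK=${WORK:-$HOME/src}

# LibDAQ: bootstrap, configure with a private prefix, install, tell ld.so about it.
build_libdaq() {
    mkdir -p "$WORK" && cd "$WORK"
    [ -d libdaq ] || git clone --depth 1 --branch "$DAQ_TAG" https://github.com/snort3/libdaq.git
    cd libdaq
    ./bootstrap
    ./configure --prefix="$DAQ_PREFIX"
    make -j "$(nproc)"
    sudo make install
    echo "$DAQ_PREFIX/lib/" | sudo tee /etc/ld.so.conf.d/libdaq3.conf >/dev/null
    sudo ldconfig
}

# Snort 3: point CMake at the private LibDAQ, build in ./build, install.
build_snort() {
    cd "$WORK"
    [ -d snort3 ] || git clone --depth 1 --branch "$SNORT_TAG" https://github.com/snort3/snort3.git
    cd snort3
    ./configure_cmake.sh --prefix="$SNORT_PREFIX" \
        --with-daq-includes="$DAQ_PREFIX/include/" \
        --with-daq-libraries="$DAQ_PREFIX/lib/"
    cd build
    make -j "$(nproc)"
    sudo make install
}

# ---- checks over command output (plain text processing, work offline) ----

# Print the Snort version from a `snort -V` banner read on stdin.
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the DAQ version Snort was linked against, from the same banner.
daq_version_from_banner() {
    sed -n 's/^Using DAQ version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if `snort --daq-list` output on stdin lists DAQ module $1.
daq_list_has_module() {
    grep -q "^[[:space:]]*$1(v[0-9][0-9]*):"
}

# Succeed if `--daq-list` output on stdin is the "No available DAQ modules" error.
daq_list_is_empty() {
    grep -q '^No available DAQ modules'
}

# Run the checks against the installed binary; any failure exits non-zero.
verify_install() {
    snort="$SNORT_PREFIX/bin/snort"
    banner=$("$snort" -V 2>&1)
    echo "snort $(printf '%s\n' "$banner" | snort_version_from_banner)," \
         "DAQ $(printf '%s\n' "$banner" | daq_version_from_banner)"
    list=$("$snort" --daq-list 2>&1) || true
    if printf '%s\n' "$list" | daq_list_is_empty; then
        echo "no DAQ modules on the default path, retrying with --daq-dir" >&2
        list=$("$snort" --daq-dir "$DAQ_PREFIX/lib/daq" --daq-list 2>&1)
    fi
    printf '%s\n' "$list" | daq_list_has_module afpacket
}

# Constructed samples (trimmed from the tutorial's own output) for offline tests.
SAMPLE_BANNER='   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.36.0
Using DAQ version 3.0.6
Using LuaJIT version 2.1.0-beta3'
SAMPLE_DAQ_LIST='Available DAQ modules:
afpacket(v7): live inline multi unpriv
 Variables:
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes'
SAMPLE_NO_DAQ='No available DAQ modules (try adding directories with --daq-dir).'

# Build only when asked, so the file can be sourced for its check functions.
if [ "${1:-}" = build ]; then
    build_libdaq && build_snort && verify_install
fi
```

Run it as sh build_snort3.sh build to perform the full build and verification; sourcing the file without the argument only defines the functions, so the output checks can be exercised against captured text, and the script exits non-zero if the afpacket module is not found even after falling back to --daq-dir.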