Snort is a free lightweight network intrusion detection system(NIDS). The following steps are what I installed Snort 2.9.2.2 on my CentOS 5.8 server.
Install CentOS 5.8 (X86_64)
When I installed the operating system, I installed MySQL, HTTP, Development Tools and Development Libararies, and then update it the latest.
Install the necessary packages
# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++
Download snort and its dependent packages
# mkdir /root/snortinstall
# cd /root/snortinstall
# wget http://www.snort.org/downloads/1538
# wget http://www.snort.org/downloads/1525
# wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
# wget http://www.tcpdump.org/release/tcpdump-4.2.1.tar.gz
# wget http://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz/download
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
Install snort and its dependent packages
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tgz
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-2.9.2.2.tar.gz
# tar xvzf tcpdump-4.2.1.tar.gz
# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so.0
# rm libpcap.so.0.9
# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1
# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so
# cd /root/snortinstall/
# cd daq-0.6.2
# ./configure
# make
# make install
# cd ../pcre-8.30
# ./configure
# make
# make install
# cd ../libdnet-1.12
# ./configure
# make
# make install
# cd ../snort-2.9.2.2
# ./configure –with-mysql-libraries=/usr/lib64/mysql/ –enable-dynamicplugin –enable-zlib –enable-ipv6 –enable-sourcefire
# make
# make install
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd etc/
# cp * /etc/snort/
Register on Snort official web site and download rules
# cd /root/snortinstall/
# tar xvzf snortrules-snapshot-2921.tar.gz
# cd rules/
# cp * /etc/snort/rules
# cp ../so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules
# cp ../preproc_rules/* /etc/snort/preproc_rules
Edit /etc/snort/snort.conf file
1.change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”, change “var SO_RULE_PATH ../so_rules” to “var SO_RULE_PATH /etc/snort/so_rules”, change “var PREPROC_RULE_PATH ../preproc_rules” to “var PREPROC_RULE_PATH /etc/snort/preproc_rules”
2. comment on the whole “Reputation preprocessor” section, because we haven’t whitelist file
3. find “Configure output plugins” section and add the line “output unified2: filename snort.log, limit 128”
Setup MySQL Database
# echo “SET PASSWORD FOR root@localhost=PASSWORD(‘yourpassword’);”|mysql -u root -p
# echo “create database snort;”|mysql -u root -p
# cd /root/snortinstall/
# cd snort-2.9.2.2
# mysql -u root -p -D snort < schemas/create_mysql
# echo “grant create, insert on root.* to snort@localhost”|mysql -u root -p
# echo “SET PASSWORD FOR snort@localhost=PASSWORD(‘yourpassword’);”|mysql -u root -p
# echo “grant create,insert,select,delete,update on snort.* to snort@localhost”|mysql -u root -p
Download and install ADODB and BASE
# yum -y install php-pear
# pear upgrade –force http://download.pear.php.net/package/PEAR-1.9.1.tgz
# pear install Numbers_Roman
# pear install channel://pear.php.net/Numbers_Words-0.16.2
# pear install Image_Color
# pear install channel://pear.php.net/Image_Canvas-0.3.2
# pear install channel://pear.php.net/Image_Graph-0.7.2
# cd /root/snortinstall/
# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.tgz/download
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
# cd /var/www
# tar xvzf /root/snortinstall/adodb511.tgz
# mv adodb5/ adodb/
# cd html/
# tar xvzf /root/snortinstall/base-1.4.5.tar.gz
# mv base-1.4.5/ base/
# cd base/
# cp base_conf.php.dist base_conf.php
Edit base_conf.php file, change parameters as below
$BASE_urlpath = ‘/base’;
$DBlib_path = ‘/var/www/adodb’;
$DBtype = ‘mysql’;
$alert_dbname = ‘snort’;
$alert_host = ‘localhost’;
$alert_port = ”;
$alert_user = ‘snort’;
$alert_password = ‘yourpassword’;
Create BASE AV
# service httpd restart
Launch the web browser, https://yourip/base, click on “Setup Page” and then click “Create BASE AV”
Secure the BASE
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords base
Edit the file /etc/httpd/conf/httpd.conf, and add the following lines
<Directory “/var/www/html/base”>
AuthType Basic
AuthName “SnortIDS”
AuthUserFile /var/www/passwords/passwords
Require user base
</Directory>
# touch /var/www/html/index.html
# service httpd restart
Install Barnyard2
# cd /root/snortinstall/
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
# tar xvzf barnyard2-1.8.tar.gz
# cd barnyard2-1.8
# ./configure –with-mysql-libraries=/usr/lib64/mysql/
# make
# make install
# cp etc/barnyard2.conf /etc/snort/
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
Edit the file /etc/snort/barnyard2.conf,
change “config hostname: thor” to “config hostname: localhost”
change “config interface: eth0” to “config interface: eth2”
add the line at the end of file “output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost”
Note: my eth0 use to launch the BASE web page, my eth2(don’t set IP) is myricom 10ge card and use for snort
Test
# /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth2
If it prompts “Initialization Complete”, it proves to work.
Make Snort and Barnyard2 boot up automatically
Edit the file /etc/rc.local, add the below lines
/sbin/ifconfig eth2 up
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth2
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
Reboot and enjoy my pig to snort
# reboot
Reference
Install Snort 2.8.6 on CentOS 5.5
http://itmanager.blogs.com/notes/2011/04/how-to-install-snort-on-centos-56.html
http://ignoranceisfutile.com/node/18
Kezhong's Weblog 
Thanks for this post. I’m receiving problems when doing the actual snort source configuration. When I try what you posted – ./configure –with-mysql-libraries=/usr/lib64/mysql/ –enable-dynamicplugin –enable-zlib –enable-ipv6 –enable-sourcefire
I get this error: configure: error: invalid variable name: `–with-mysql-libraries’
If I try with 2 dashes on the arguments, and use –with-mysql instead of –with-mysql-libraries, like this: ./configure –with-mysql=/usr/lib64/mysql/ –-enable-ipv6 -–enable-sourcefire
But I get this error:
configure: error: unrecognized option: `-–enable-dynamicplugin’
By: Bob on April 11, 2012
at 7:56 pm
what is your os? btw, you can use ./configure -h to check what parameters you have.
By: kezhong on April 11, 2012
at 8:06 pm
when I just use the –with-mysql tag, I also get an error with DAQ, despite running ./configure, make, make install for the DAQ source. I also see DAQ file references on the system.
./configure: line 15188: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static… no
ERROR! daq_static library not found, go get it from
http://www.snort.org/.
By: Bob on April 11, 2012
at 8:02 pm
Make sure you can execute this: daq-modules-config –static –libs if not add /usr/local/bin to your path
By: Anonymous on April 12, 2012
at 4:37 pm
Thanks guys. Running Centos 5.7 (Final).
Running this was all I needed to get Snort configured:
PATH=$PATH:/usr/local/bin
I’m receive the errors below when trying to make Snort. Trying to look in to this now, but will take any ideas.
/usr/bin/ld: skipping incompatible /usr/lib/mysql/libmysqlclient.so when searching for -lmysqlclient
/usr/bin/ld: skipping incompatible /usr/lib/mysql/libmysqlclient.a when searching for -lmysqlclient
/usr/bin/ld: cannot find -lmysqlclient
By: Bob on April 16, 2012
at 12:10 pm
Running this command fixed the above error:
export LDFLAGS=-L/usr/lib64/mysql
By: Bob on April 16, 2012
at 12:31 pm
I have Snort running through a span port, monitoring an HTTP/S server. Now the trick is getting the decrypted SSL traffic to Snort to passively monitor. I have the private key I need. Trying to follow guides like this, http://resources.infosecinstitute.com/ssl-decryption/, but I’m encountering errors when trying to compile viewssld. Please let me know if anyone has experience with this.
By: Bob on April 17, 2012
at 2:45 pm
configure: error: invalid variable name: `–with-mysql-libraries’
do like this , i havn’t setup for ipv6 but this will help you to configur snort. #–./configure –with-mysql-libraries=/usr/lib/mysql/ -enable-dynamicplugin-enable-zlib -enable-sourcefire
By: Arunesh Shahi on July 14, 2012
at 5:50 pm
the install failed at the mysql steps; I could not get mysql to start.
I’ve had to install mysql-server AND edit /etc/my.cnf to change
datadir=/var/lib/mysql ==> datadir=/var/lib/mysql/mysql
Note that it is a fresh install of Centos 2.6.18-308.11.1.el5
By: Anonymous on July 23, 2012
at 4:42 pm
helllo,,been cracking my head with this for a while.
i am at the
Launch the web browser, https://yourip/base, click on “Setup Page” and then click “Create BASE AV”
firstly, 443 is not working. i try 80 and i get an empty page and cant find any area/button to click setup page? any help, thanks.
By: Anonymous on January 6, 2013
at 6:45 am
anything after 2.9.3 database plugins are deprecated, problems with using -with-mysql-libraries. please see snort.org for more info
By: chris on January 14, 2013
at 11:05 pm
I keep getting this error at the bottom of /var/log/messages any help would be greatly appreciated, this is what i used to compile and received no errors during:
./configure –with-mysql-libraries=/usr/lib64/mysql/ -enable-dynamicplugin -enable-zlib -enable-sourcefire
from /var/log/messages when starting with:
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
Jan 15 08:56:41 dh128 barnyard2[29300]: –== Initializing Barnyard2 ==–
Jan 15 08:56:41 dh128 barnyard2[29300]: Initializing Input Plugins!
Jan 15 08:56:41 dh128 barnyard2[29300]: Initializing Output Plugins!
Jan 15 08:56:41 dh128 barnyard2[29300]: Parsing config file “/etc/snort/barnyard2.conf”
Jan 15 08:56:50 dh128 barnyard2[29300]: Log directory = /var/log/barnyard2
Jan 15 08:56:50 dh128 barnyard2[29300]: database: ‘mysql’ support is not compiled into this build of snort
Jan 15 08:56:50 dh128 barnyard2[29300]: FATAL ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary ‘mysql’ support. If this build of snort was compiled by you, then re-run the the ./configure script using the ‘–with-mysql’ switch. For non-standard installations of a database, the ‘–with-mysql=DIR’ syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
Any help would be appreciated thank you.
By: chris on January 15, 2013
at 1:58 pm
Chris,
If your using the last current snort that you will get an error when configuring it:
[root@test01 snort-2.9.4]# ./configure –with-mysql-libraries=/usr/lib64/mysql/ -enable-dynamicplugin -enable-zlib -enable-sourcefire
configure: WARNING: unrecognized options: –with-mysql-libraries
So remove the –with-mysql-libraries and go on.
Barnyard2 is saying that mysql support it missing:
Jan 15 08:56:50 dh128 barnyard2[29300]: database: ‘mysql’ support is not compiled into this build of snort
So you have build (configure ***–with-msyql-li..***; make ; make install) barnyard without mysql support…
Have a check on this and let us know.
By: edmond on February 9, 2013
at 8:05 am
Thank a lot , for publishing this beautiful post but have a poblem
Create BASE AV
# service httpd restart
Launch the web browser, https://yourip/base, click on “Setup Page” and then click “Create BASE AV”
not able to see link of Base av
but there was a link of setup pages and aome php files thas it
By: jaiprakashsingh on January 16, 2013
at 6:53 pm
Hi Kezhong,
Thank you for the guide.
What is the reason that you apply 666 to a /var/log/barnyard2?
Thanks.
By: edmond on February 4, 2013
at 5:36 am
Many thanks, Kezhong. Adding the path variable was the one thing I needed to get snort compiled. You just saved me many hours of head-banging!
Cheers
Steve
By: Steve on February 23, 2013
at 11:50 am
https://sourceforge.net/projects/libdnet/files/libdnet/1.2/libdnet-1.2.tar.gz/download
new source for libdnet
By: Pranav Kumar on April 25, 2019
at 4:21 pm