Saturday, December 13, 2014

Building snort 3.0 (snort++)

Now that snort has released snort++ (snort3.0) I've decided to publish a how to for Kali (fresh install)

root@securitynik:~# lsb_release -a

Install the GCC build prerequisites libgmp-dev, libmpfr-dev and libmpc-dev.

Instead of installing the packages above, you could also download the prerequisites with the script that ships in the GCC source tree:
root@securitynik:~/downloads/gcc-4.9.2# contrib/download_prerequisites
To use that script, make sure your firewall allows outbound FTP.


INSTALL GCC

    wget http://gcc.skazkaforyou.com/releases/gcc-4.9.2/gcc-4.9.2.tar.gz
    tar -xvf gcc-4.9.2.tar.gz
    cd gcc-4.9.2
    ./configure --prefix=/usr
    make && make install


INSTALLING LIBPCAP

Next we download, extract and build the latest "libpcap":
    wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
    tar -zxvf libpcap-1.6.2.tar.gz
    cd libpcap-1.6.2
    ./configure --prefix=/usr
    make && make install


INSTALL DAQ

    tar -zxvf daq-2.0.4.tar.gz
    cd daq-2.0.4
    ./configure --prefix=/usr
    make && make install
   

INSTALLING LIBDNET

Continuing the install, next we obtain and build the "libdnet-1.12" source tarball:
root@securitynik:~/downloads# wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
    tar -zxvf libdnet-1.12.tgz
    cd libdnet-1.12/
    ./configure --prefix=/usr
    make && make install
   
   
INSTALLING LuaJIT-2.0.3

Once gcc has been installed successfully, the next step is to install "LuaJIT-2.0.3":
    git clone http://luajit.org/git/luajit-2.0.git
    cd luajit-2.0/
    make && make install
   

INSTALLING ZLIB

Once libpcap has been installed successfully, we move on to "zlib":
    wget http://zlib.net/zlib-1.2.8.tar.gz
    tar -zxvf zlib-1.2.8.tar.gz
    cd zlib-1.2.8/
    ./configure --prefix=/usr
    make && make install
   

INSTALLING PCRE 8.36

    unzip pcre-8.36.zip
    cd pcre-8.36/
    ./configure
    make && make install

   
INSTALL PKG-CONFIG

    wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz
    tar -zxvf pkg-config-0.28.tar.gz
    cd pkg-config-0.28/
    ./configure
    make && make install
   
INSTALLING SNORT3++

    wget https://www.snort.org/downloads/snortplus/snort-3.0.0-a1-130-auto.tar.gz
    tar -zxvf snort-3.0.0-a1-130-auto.tar.gz
    cd snort-3.0.0-a1/

    export SNORT3_PATH=/opt/snort3
    mkdir -p /opt/snort3
    ./configure --prefix=$SNORT3_PATH
    make -j 8 install

If you get the following message while making snort:
    "../src/snort: /usr/lib/i386-linux-gnu/libstdc++.so.6: version `CXXABI_1.3.8' not found (required by ../src/snort)"
it means the snort binary was linked against the newer libstdc++ from the GCC you just built (installed under /usr/lib), while the loader is picking up the older distro copy in the multiarch directory. Do the following:
    cp /usr/lib/libstdc++.so.6 /usr/lib/i386-linux-gnu/ -v


RUNNING SNORT

    export LUA_PATH=$SNORT3_PATH/include/snort/lua/\?.lua\;\;
    export SNORT_LUA_PATH=$SNORT3_PATH/etc/snort

Let's get the version information:
/opt/snort3/bin/snort --version

Create a symbolic link for snort in /usr/bin:
root@securitynik:~# ln -s /opt/snort3/bin/snort /usr/bin/snort

Testing the configuration without rules:
root@securitynik:~# snort -c /opt/snort3/etc/snort/snort_config.lua

Testing the default rules:
root@securitynik:~# snort -c /opt/snort3/etc/snort/snort_config.lua -R /opt/snort3/etc/snort/sample.rules
When I tried to verify the configuration with the rules, I got the error above.
-- At a later time I will try to address the errors above.


As a result I wanted to write my own test rule.
alert tcp any any -> any any (msg:"securitynik test rule"; sid:40000001; rev:1;)
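To sanity-check a hand-written rule like the one above before handing it to snort with -R, here is an added Python linter; it is not code from this post or from the Snort project, and it assumes the standard rule layout plus the convention that locally written rules use sids of 1,000,000 and above. It parses the header and the option body (honouring ';' inside quoted msg text) and reports missing msg/sid/rev options, a sid in the reserved range, and a rule that matches every packet with no content match.

```python
import re

# Header: action proto src sport direction dst dport, followed by "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# Assumption: sids below 1,000,000 belong to distributed rule sets; local rules start there.
LOCAL_SID_MIN = 1_000_000


def parse_options(body):
    # Split on ';' outside double quotes (msg text may contain ';'). Keyword-only
    # options such as nocase map to None; a repeated key keeps its last value.
    opts, cur, in_quote = {}, [], False
    for ch in body + ";":
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item, cur = "".join(cur).strip(), []
            if item:
                key, sep, val = item.partition(":")
                opts[key.strip()] = val.strip().strip('"') if sep else None
        else:
            cur.append(ch)
    return opts


def parse_rule(rule):
    # Return header fields plus an 'opts' dict, or None when the header is malformed.
    m = HEADER_RE.match(rule.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["opts"] = parse_options(fields.pop("opts"))
    return fields


def lint_rule(rule):
    # Return a list of findings; an empty list means the rule passed every check.
    parsed = parse_rule(rule)
    if parsed is None:
        return ["header does not parse: expected 'action proto src sport dir dst dport (options)'"]
    opts = parsed["opts"]
    findings = [f"missing required option: {k}" for k in ("msg", "sid", "rev") if k not in opts]
    sid = opts.get("sid")
    if sid is not None and (not sid.isdigit() or int(sid) < LOCAL_SID_MIN):
        findings.append(f"sid {sid} is not a number >= {LOCAL_SID_MIN}, the floor for local rules")
    unrestricted = all(parsed[k] == "any" for k in ("src", "sport", "dst", "dport"))
    if unrestricted and not ({"content", "pcre"} & opts.keys()):
        findings.append("matches every packet: fine for a smoke test, too noisy for production")
    return findings
```

Run over the test rule from this post, the only finding is the "matches every packet" note, which is exactly what you want from a smoke-test rule and exactly what you do not want left in a production rule set.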

When the configuration test with the rules was run once again, I got the following


Everything looks good so far.

Running snort as an IDS against a pcap file:
root@securitynik:~# snort -c /opt/snort3/etc/snort/snort_config.lua -R security_nik.lua -r snort-test.pcap -A "alert_full" -q -n 10



There you go, that was my full guide on how to install and configure snort++ (snort3.0) on Kali. As I continue to learn snort 3.0 I will also continue to post materials to the blog.

Hope you enjoyed this.

References:
http://www.tcpdump.org
https://www.snort.org/documents
http://linuxmantra.com/2010/10/install-snort-2-9-on-rhel-5.html
https://code.google.com/p/libdnet/downloads/detail?name=libdnet-1.12.tgz&can=2&q=
http://luajit.org/download.html
https://www.snort.org/downloads
http://www.zlib.net
http://www.pcre.org
http://sourceforge.net/projects/pcre/files/pcre/
http://pkgconfig.freedesktop.org/releases/?C=M;O=A
http://www.linuxfromscratch.org/~krejzi/kde5/general/gcc.html
http://blog.snort.org/2014/12/project-snort-aka-snort-30.html