Wednesday, March 30, 2011

Compiling Snort

Installing Snort is never an easy task, particularly on CentOS, whose repositories carry slightly older packages.  This post isn't a complete walkthrough of installing Snort, but it will guide you through compiling Snort on the latest version of CentOS (5.5).

First off, take note that the version of libpcap (required by Snort) in the CentOS repositories is outdated: they only carry 0.9.4.  You can confirm this with:

# yum info libpcap

The latest version of Snort requires libpcap >= 1.0.  The latest version of Snort (2.9.0.4) also requires you to install the DAQ library, daq-0.5.tar.gz (you can grab it from the Snort.org website), which itself needs libpcap >= 1.0 in order to compile.  Strangely, daq also doesn't look for libpcap in the correct place (it searches /usr/local), so you will need to make an adjustment for that.

First, remove the current version of libpcap, since it is doing us no good.  Run the command without -y the first time and read the list of dependent packages yum wants to remove along with it (tcpdump, for one), so you know what you will have to rebuild afterwards:

# yum remove libpcap libpcap-devel -y

Download the latest versions of libpcap, daq, and Snort.  While you are downloading things, also grab a copy of libdnet, because the latest version of Snort on CentOS requires it as well.  Next, create a single directory to compile everything in:

# cd ~
# mkdir snort && cd snort

Put all your downloaded files into the ~/snort directory and untar each of them; your directory should then look as follows:

# ls ~/snort
daq-0.5         libdnet-1.12      libpcap-1.1.1         snort-2.9.0.4
daq-0.5.tar.gz  libdnet-1.12.tgz  libpcap-1.1.1.tar.gz  snort-2.9.0.4.tar.gz

First compile the libdnet libraries, because they are a straightforward ./configure, make, make install.  Second, you will need to do libpcap.

# cd libpcap-1.1.1

Use the following to change the default install directory from /usr/local to /usr:

# ./configure --prefix=/usr

Finish off with the standard make and make install.  Once libpcap has compiled and installed successfully, you need to refresh the dynamic linker's cache so the new library is the one that gets found, or you will get errors when attempting to compile daq.

Refresh the linker cache:

# ldconfig

To verify that the 1.x library is now the one the linker resolves, run:

# ldconfig -p | grep libpcap
        libpcap.so.1 (libc6,x86-64) => /usr/lib/libpcap.so.1
        libpcap.so (libc6,x86-64) => /usr/lib/libpcap.so

Now you can move on to compiling daq:

# cd daq-0.5

This should also be a straightforward ./configure, make, make install.  If everything was successful, you should see the following in the ./configure summary:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

If you are getting errors that the libpcap version is <= 1.0, make sure that you ran ldconfig after installing libpcap, as mentioned above.  Finally, you can move on to compiling Snort itself.

# cd snort-2.9.0.4

Since I'm on a 64-bit (x86_64) platform, I need to change the MySQL option slightly from the x86 version:

# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin

x86 users can just use:

# ./configure --with-mysql --enable-dynamicplugin

To finish off, do the standard make, make install.  Again, this isn't a full guide on how to install and set up Snort, but compiling it is usually the hardest part.  Hopefully you will find this information useful when attempting this on CentOS 5.5.  If I missed anything or you run into trouble, just let me know.
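The whole procedure above as one script, added here as an example; it is not part of the original post.  It assumes the four tarballs listed above are already untarred under ~/snort (override with SNORT_SRC), that the build steps run as root, and it adds the libpcap check from the ldconfig -p step as a pre-flight check before daq's ./configure, so a stale 0.9.4 still in the linker cache stops the run early instead of failing halfway through.  The version strings are the ones from this post; the two sample cache listings are constructed for self-testing and mirror the before and after states described above.

```shell
#!/bin/sh
# Added example, not the post's own script: the post's build order
# (libdnet -> libpcap -> ldconfig -> daq -> snort) as one script, with the
# libpcap check done before daq's ./configure.  Assumes the tarballs are
# untarred under $SNORT_SRC (default ~/snort) and that builds run as root.
set -e

SRC="${SNORT_SRC:-$HOME/snort}"
LIBDNET=libdnet-1.12
LIBPCAP=libpcap-1.1.1
DAQ=daq-0.5
SNORT=snort-2.9.0.4

# Constructed samples of `ldconfig -p` output, used for self-testing only:
# the stock CentOS 5.5 cache (old package still installed) and the cache after
# the post's ./configure --prefix=/usr, make install and ldconfig.
SAMPLE_CACHE_OLD='        libpcap.so.0.9.4 (libc6,x86-64) => /usr/lib64/libpcap.so.0.9.4'
SAMPLE_CACHE_NEW='        libpcap.so.1 (libc6,x86-64) => /usr/lib/libpcap.so.1
        libpcap.so (libc6,x86-64) => /usr/lib/libpcap.so'

# version_ge HAVE WANT: 0 if dotted version HAVE >= WANT, comparing each
# component numerically (1.10 > 1.9).  Pure POSIX sh; CentOS 5's sort has no -V.
version_ge() {
    have="$1"; want="$2"
    while [ -n "$want" ]; do
        h="${have%%.*}"; w="${want%%.*}"
        h="${h:-0}"; w="${w:-0}"
        case "$h$w" in *[!0-9]*) return 1 ;; esac
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        case "$have" in *.*) have="${have#*.}" ;; *) have="" ;; esac
        case "$want" in *.*) want="${want#*.}" ;; *) want="" ;; esac
    done
    return 0
}

# pcap_cache_ok TEXT: TEXT is the output of `ldconfig -p`.  Returns 0 when it
# lists at least one versioned libpcap soname and every one of them is >= 1.0.
# Fails on an empty listing (ldconfig not run yet) and when the stock
# libpcap.so.0.9.4 is still resolvable, which is what makes daq's configure
# complain about the libpcap version.
pcap_cache_ok() {
    found=0
    for v in $(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*libpcap\.so\.\([0-9.]*\) (.*/\1/p'); do
        found=1
        version_ge "$v" 1.0 || return 1
    done
    [ "$found" -eq 1 ]
}

# snort_configure_args ARCH: the ./configure arguments the post uses for the
# given `uname -m` value; x86_64 points the MySQL libraries at /usr/lib64.
snort_configure_args() {
    case "$1" in
        x86_64) echo "--with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin" ;;
        i?86)   echo "--with-mysql --enable-dynamicplugin" ;;
        *)      echo "unsupported arch: $1" >&2; return 1 ;;
    esac
}

# build DIR [configure args...]: configure, make, make install inside $SRC/DIR,
# in a subshell so a failure leaves the caller's cwd alone and set -e stops us.
build() {
    dir="$1"; shift
    [ -d "$SRC/$dir" ] || { echo "missing $SRC/$dir (untar it first)" >&2; return 1; }
    ( cd "$SRC/$dir" && ./configure "$@" && make && make install )
}

main() {
    build "$LIBDNET"
    build "$LIBPCAP" --prefix=/usr       # /usr, not libpcap's default /usr/local
    ldconfig                             # refresh the linker cache before daq
    pcap_cache_ok "$(ldconfig -p)" || {
        echo "linker does not resolve libpcap >= 1.0; fix that before building daq" >&2
        return 1
    }
    build "$DAQ"
    # unquoted on purpose: the argument string must split into separate words
    build "$SNORT" $(snort_configure_args "$(uname -m)")
}

# Only build when asked; running without --run just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with --run (for example, sh build-snort.sh --run); without the flag it only defines the functions, so you can source it and call pcap_cache_ok "$(ldconfig -p)" on its own to check a box before touching daq.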

2 comments:

  2. Damian,

    I think this guide is exactly what I have been looking for - no matter what distro I try to install Snort on, I am having this libpcap problem... and sometimes getting rid of libpcap causes so many dependent packages to be deleted that nothing works.

    So I was wondering - what type of CentOS install did you use - server, Desktop etc?

    Thanks,
    Mike
