README.slackware - Joey Moe <family_geek@yahoo.com>

This Readme file is a walk-through for installing Snort with the SnortSAM? plugin on a computer running Slackware 10. They do not tell you how to configure Snort or SnortSAM?, since there is already README files for this and every installation is unique, but it will be thorough. This walk-through assumes that you are saving these files to /usr/local/src. This is not a mandatory location, but it is the most common.

~ jmoe ~

DEPENDANCIES

First there are a few dependancies that you will have to install. These are not needed to run Snort, but they will be needed to run SnortSAM? later. The dependancies need to be installed in the order listed here:

libgpg-error-1.0 (http://bent.latency.net/bent/darcs/libgpg-error-1.0/src)

To install: tar zxvf libgpg-error-1.0.tar.gz change directories to the libgpg-error-1.0 folder ./configure make make install make clean

libgcrypt-1.2.0 (http://lists.gnupg.org/pipermail/gnupg-announce/2004q2/000167.html)

To install: tar zxvf libgcrypt-1.2.0.tar.gz change directories to the libgcrypt-1.2.0 folder ./configure make make install make clean Restart the computer

gnutls-1.0.24 (http://lists.gnupg.org/pipermail/gnutls-dev/2005-January/000807.html)

To install: tar zxvf gnutls-1.0.24.tar.gz change directories to the gnutils-1.0.24 folder ./configure make make install make clean Restart services

libprelude-0.9.0-rc15 (http://www.prelude-ids.org/rubrique.php3?id_rubrique=6)

To install: tar zxvflibprelude-0.9.0-rc15.tar change directories to the libprelude-0.9.0-rc14 folder ./configure make make install make clean Restart services

automake-1.9.2 (http://lists.gnu.org/archive/html/autoconf/2004-09/msg00203.html)

To install:

tar zxvf automake-1.9.2.tar.gz change directories to the automake-1.9.2 folder ./configure make make install make clean

(You might want to do a "automake --version" to verify that 1.9.2 is your current version)

Now that you have your dependancies installed, now we have to install Snort. I configured Snort to log to a MYSQL database, so I will be including this in this README file.

INSTALLING SNORT

Snort-2.4.0 (www.snort.org)

To Install: tar zxvf snort-2.4.0.tar.gz change directories to the Snort-2.4.0 folder ./configure --with-mysql=/usr make make install make clean

Snort-2.4.0 does not include the rules folder. You will have to download the current rule set. You can et this from www.snort.org. Make sure to copy this to your snort-2.4.0 root directory or point your snort.conf file to the location where you save it.

With Snort installed we now have to create the MYSQL database. But before we we can create the database we need to setup MYSQL. I chose to use the MYSQL installation that came with the Slackware distro.

MYSQL (OPTIONALLY: www.mysql.org)

To Configure: su mysql mysql_install_database /usr/bin/mysqld_safe & /usr/bin/mysqladmin -u root password "your password" (DO NOT INCLUDE QUOTES! This sets your MYSQL admin password) mysql -u root -p (You will be prompted for the password you just provided) (Once you enter a password you will be given a MYSQL prompt) create database snort; (you must include the semicolon at the end) connect snort; source /usr/local/src/snort-2.4.0/schemas/create_mysql; (you will see the creation of numerous tables) (as verification, check the tables) show tables;

Next you wan to set permissions for your new snort database. This includes both accounts and passwords:

grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort; grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost; grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to root; grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to root@localhost;

set password for 'snort'@'%'=password('your password'); set password for 'root'@'%'=password('your password'); set password for 'snort'@'localhost'=password('your mysql password'); set password for 'root'@'localhost'=password('your mysql password');

exit; (you will be brought back to a command line prompt) exit; (you should be brought back to a root prompt)

Next we need to download and install a package that is supposed to enhance the Snort MYSQL database. This file is snortdb-extra.gz. We need to download it to the /snort-2.4.0/contrib folder, (DO NOT UNCOMPRESS IT).

snortdb-extra.gz (http://cvs.snort.org/viewcvs.cgi/snort/contrib/Attic/snortdb-extra.gz)

zcat /usr/local/src/snort-2.4.0/contrib/snortdb-extra.gz | mysql -p snort

Now we have to adjust the snort.conf file to work with the newly configured snort database:

vi /usr/local/src/snort-2.4.0/etc/snort.conf :set number (this allows you to see the line numbers)

On line 575 you will uncomment the line (remove the proceeding pound sign) and make the following changes to the user, password, dbname, and host fields: "user"= the account you want to use to access the MYSQL snort database "password"= password for the "user" you selected "dbname"=snort "host"=name of the localhost

From here, you can escape, save, and exit.

You have to create a folder in the /var/log directory for snort to log to, or else you will get an error

mkdir /var/log/snort

This would be a good time to verify that Snort is working. While there are numerous options for snort to use, I am only using the option to log to the snort database. -c option takes one argument: the path to the snort.conf file.

snort -c /usr/local/src/snort-2.4.0/etc/snort.conf

INSTALLING SNORTSAM

Now that you know snort is working correctly, now it is time to take it up a notch. I know there are many different scenarios and even more opinions of how to deploy your SnortSAM? setup, this README file assumes you are installing Snort and SnortSAM? on the same machine.

You have to move to the SnortSAM? directory and change the permissions on the shell script that creates snortsam:

tar zxvf snortsam-src-2.40.tar.gz (www.snortsam.net/download.html) change directories to the snortsam folder chmod +x makesnortsam.sh ./makesnortsam.sh

This creates two programs. (snortsam and snortsam-debug).Move these programs to the /usr/local/bin folder.

PATCHING SNORT

This is the last step to getting Snort to work with SnortSAM?. It takes a little bit of work, but the pay off is huge. We have to first change the permissions on the patchsnort.sh file and then run it. The patch takes only one argument, the path to the snort-2.4.0 folder:

tar zxvf snortsam-patch.tar.gz (www.snortsam.net/download.html) rename the folder "snortsam-patch" change directories to the snortsam-patch chmod +x patchsnort.sh ./patchsnort.sh /usr/local/src/snort-2.4.0

At this point, you have change directories so you wind up in the snort-2.4.0 folder. Once in the snort-2.4.0 directory, you have to run the following commands in the following order:

aclocal

When you run aclocal, you will get a small series of errors. This is a quick run down of the files and modifications you need to make to fix these:

In the file configure.in you will need to make the following changes:

- Line 169 originally looks like this: AC_DEFUN(SN_CHECK_DECL,[

Change the line so it reads: AC_DEFUN([SN_CHECK_DECL],[

- Line 202 originally looks like this: AC_DEFUN(SN_CHECK_DECL,

Change the line so it reads: AC_DEFUN([SN_CHECK_DECL],

- Line 298 originally looks like this: AC_DEFUN(FAIL_MESSAGE,[

Change the line so it reads: AC_DEFUN([FAIL_MESSAGE],[

In the file /usr/local/share/aclocal/libgcrypt.m4 you will need to make the following changes:

- Line 23 originally looks like this: AC_DEFUN(AM_PATH_LIBGCRYPT,

Change the line so it reads: AC_DEFUN([AM_PATH_LIBGCRYPT],

Now that aclocal is not reporting any errors you can finish the rest of the snort patch process without any problems:

autoheader automake --add-missing autoconf

Finally, you have to configure snort the same way you did when when we first installed it. Don't forget to include the MYSQL option for database support.

From this point please see the respective README files for configuring Snort and SnortSAM?. These files will show you how to fine tune your installation