Alex Scoble's IT Notes - An Information Technology Blog

It took me a while and a lot of searching around to find all the pieces to do this install so I figured that I might as well document the whole process step by step in case someone else needs help and to help me remember what I did.

They do have RPMs for Snort if you'd rather go that route, but Sourcefire (the makers of Snort) recommend that you install by compiling from source, which is what this instructional blog post is about.

The first thing you'll want to do is install CentOS 5.6 and run the autoupdater.

Next you'll want to download the following source packages:

Snort http://www.snort.org/downloads/867

Daq http://www.snort.org/downloads/860

Libpcap http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz

TCPDump http://www.tcpdump.org/release/tcpdump-4.1.1.tar.gz

Libpcre http://sourceforge.net/projects/pcre/files/pcre/8.12/pcre-8.12.tar.gz/download

Libdnet http://libdnet.googlecode.com/files/libdnet-1.12.tgz

After downloading those files, you'll want to extract them. It's your choice where to extract them, but I just do it in the same folder that I downloaded them to.

Open up a terminal (command line) window and log in as root using

su - root

and enter your root password.

Make sure that gcc and the c++ module for gcc are installed:

yum install gcc

yum install gcc-c++

Change directories to where the libpcap source files were extracted to using the cd command, in my case the command is:

cd /home/alex/downloads/cd libpcap-1.1.1

Follow that with the following commands (these commands assume that libpcap 0.9.4 was installed per the default CentOS 5.6 install):

./configure

make

make install

That finishes the install of libpcap, so now we have to remove the links to the old version and create the new symbolic links.

cd /usr/lib

rm libpcap.so.0

rm libpcap.so.0.9

ln -s /usr/local/lib/libpcap.so.1.1.1 /usr/lib/libpcap.so.1.1.1

ln -s /usr/lib/libpcap.so.1.1.1 /usr/lib/libpcap.so.1

ln -s /usr/lib/libpcap.so.1 /usr/lib/libpcap.so

And now to the extracted directories from above for the daq source files and to do the install of daq:

cd /home/usr/alex/downloads/daq-0.5

./configure

make

make install

Next we need to install libpcre:

cd /home/usr/alex/downloads/pcre-8.12

./configure

make

make install

Next we need to install libdnet:

cd /home/usr/alex/downloads/libdnet-1.12

./configure

make

make install

And finally we can install snort:

cd /home/usr/alex/downloads/snort-2.9.0.5

./configure

make

make install

And you are done with the installation of Snort. You can now run it by doing this command:

/usr/local/bin/snort -v

You should now see information on the console for any packets that are received by your system's network adapters. You use ctrl-c command to exit from Snort.