It took me a while and a lot of searching around to find all the pieces to do this install, so I figured that I might as well document the whole process step by step, both in case someone else needs help and to help me remember what I did.
They do have RPMs for Snort if you'd rather go that route, but Sourcefire (the makers of Snort) recommend that you install by compiling from source, which is what this instructional blog post is about.
The first thing you'll want to do is install CentOS 5.6 and run the autoupdater.
Next you'll want to download the following source packages:
Snort http://www.snort.org/downloads/867
Daq http://www.snort.org/downloads/860
Libpcap http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
TCPDump http://www.tcpdump.org/release/tcpdump-4.1.1.tar.gz
Libpcre http://sourceforge.net/projects/pcre/files/pcre/8.12/pcre-8.12.tar.gz/download
Libdnet http://libdnet.googlecode.com/files/libdnet-1.12.tgz
After downloading those files, you'll want to extract them. It's your choice where to extract them, but I just do it in the same folder that I downloaded them to.
Open up a terminal (command line) window and log in as root using
su - root
and enter your root password.
Make sure that gcc and the c++ module for gcc are installed:
yum install gcc
yum install gcc-c++
Change directories to where the libpcap source files were extracted to using the cd command, in my case the command is:
cd /home/alex/downloads/libpcap-1.1.1
Follow that with the following commands (these commands assume that libpcap 0.9.4 was installed per the default CentOS 5.6 install):
./configure
make
make install
That finishes the install of libpcap, so now we have to remove the links to the old version and create the new symbolic links.
cd /usr/lib
rm libpcap.so.0
rm libpcap.so.0.9
ln -s /usr/local/lib/libpcap.so.1.1.1 /usr/lib/libpcap.so.1.1.1
ln -s /usr/lib/libpcap.so.1.1.1 /usr/lib/libpcap.so.1
ln -s /usr/lib/libpcap.so.1 /usr/lib/libpcap.so
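A quick check for the symlink step above, as an added example that is not part of the original post: it walks the chain from libpcap.so one hop at a time, fails on a dangling link or a loop, and confirms the old 0.9 links are gone. The function names are hypothetical; the paths in the usage comment are the ones from the ln commands above.

```shell
#!/bin/bash
# Added example (not from the original post): verify the libpcap symlink chain.
# Usage on the system described in the post:
#   sh check_pcap.sh /usr/lib /usr/local/lib/libpcap.so.1.1.1

# resolve_chain LINK: print every hop from LINK to its final target, one per
# line. Returns non-zero on a dangling link or a loop (more than 10 hops).
resolve_chain() {
    local path="$1" hops=0 next
    while [ -L "$path" ]; do
        echo "$path"
        next=$(readlink "$path")
        # A relative target is relative to the directory holding the link.
        case $next in
            /*) path=$next ;;
            *)  path=$(dirname "$path")/$next ;;
        esac
        hops=$((hops + 1))
        [ "$hops" -le 10 ] || return 1
    done
    echo "$path"
    [ -f "$path" ]
}

# check_pcap_links LIBDIR EXPECTED
#   0 = chain ends at EXPECTED and the old links are gone
#   1 = dangling link or loop, 2 = wrong final target, 3 = stale 0.9 link
check_pcap_links() {
    local libdir="$1" expected="$2" chain final old
    chain=$(resolve_chain "$libdir/libpcap.so") || {
        echo "broken chain starting at $libdir/libpcap.so" >&2; return 1; }
    final=$(printf '%s\n' "$chain" | tail -n 1)
    [ "$final" = "$expected" ] || {
        echo "chain ends at $final, expected $expected" >&2; return 2; }
    for old in libpcap.so.0 libpcap.so.0.9; do
        # -L also catches a leftover link whose target no longer exists.
        if [ -e "$libdir/$old" ] || [ -L "$libdir/$old" ]; then
            echo "stale link still present: $libdir/$old" >&2; return 3
        fi
    done
    printf '%s\n' "$chain"
}

# Run the check only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then check_pcap_links "$1" "$2"; fi
```

A non-zero exit status tells you which part of the symlink step to redo before building daq and Snort against the new library.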
Now change to the directory where the daq source files were extracted and install daq:
cd /home/usr/alex/downloads/daq-0.5
./configure
make
make install
Next we need to install libpcre:
cd /home/usr/alex/downloads/pcre-8.12
./configure
make
make install
Next we need to install libdnet:
cd /home/usr/alex/downloads/libdnet-1.12
./configure
make
make install
And finally we can install snort:
cd /home/usr/alex/downloads/snort-2.9.0.5
./configure
make
make install
And you are done with the installation of Snort. You can now run it by doing this command:
/usr/local/bin/snort -v
You should now see information on the console for any packets that are received by your system's network adapters. Press Ctrl-C to exit Snort.
Hi Alex,
This is perfect. Just followed your instructions and everything went fine. Just needed to install flex and bison to install libpcap. Thank you so much. Very much appreciated!!
Posted by: Engel Mariano | Sunday, July 17, 2011 at 12:23 PM
Thanks a bundle, besides Flex and Bison I also had to install zlib. May be good to note as well that on occasion the 'make' can fail, run 'make clean' and then 'make' again.
Posted by: JanD | Wednesday, September 14, 2011 at 11:53 AM
This is perfect. Just followed your instructions and everything went fine. Just needed to install flex and bison to install libpcap. Thank you so much. Very much appreciated!!
Posted by: Deepak | Monday, September 19, 2011 at 11:07 PM
Dear Alex,
Thank you ! It helped me so much !
Posted by: Stephen Keth | Tuesday, March 13, 2012 at 08:22 AM
You were a great help to me when I was in need.
Thanks !!
Posted by: Osiris | Wednesday, March 14, 2012 at 06:56 PM
Thank you very much!!! it's just perfect! clear as water.
Posted by: susieq | Wednesday, March 14, 2012 at 07:23 PM
The guide did work almost fine for my CentOS 5.7 too. My CentOS has some issue with zlib headers (package zlib-devel). I also installed the groupinstall 'Development Tools'. It includes far too many development packages, but it makes the install-life much easier :) . . . Lynx package is also great to download when there are newer versions or the description links are old. I'm now running CentOS 5.7, Snort 2.9.2.2, daq 0.6.2, libdnet 1.12, libpcap 1.2.1, pcre 8.30 and tcpdump 4.2.1 on an ALIX 2D3 box. Many thanks for a very good guide, it was the symbolic links that really solved it.
Posted by: Per Håkansson | Sunday, May 06, 2012 at 10:14 AM
Hi Alex,
I am trying to install snort in CentOS6.3 (64bit), without luck. Followed all the steps provided with additional before ./configure snort by adding ln -s /usr/local/bin/daq-modules-config /usr/bin/daq-modules-config, then make& make install complete successfully. However when I run /usr/local/bin/snort -v, it gives (No such file or directory). I am trying to install snort for the first time, appreciate any help.
Posted by: Thomas Murgan | Wednesday, August 01, 2012 at 03:08 PM
Hi Alex,
Disregard my earlier post. It works now with Snort-2.9.3 instead of Snort-2.9.0.5 for CentOS6.3
Many thanks again.
Cheers
Posted by: Thomas Murgan | Wednesday, August 01, 2012 at 04:13 PM
Hi Thomas,
Glad to see that you got it working.
Regards,
Alex
Posted by: Alex | Friday, August 03, 2012 at 05:53 PM