The "generic" notes for putting this thing together are below. Here's the
short version.
1.) If you are upgrading from a prior version of Snort, it is generally a good
idea to start with `sudo make uninstall` in your old source tree to remove
any dynamic modules that could cause you grief later.
2.) *** Make sure you have libdnet, libpcap, libpcre installed!!! ***
Also make sure that dnet-config, pcre-config, and daq-modules-config are in
your PATH (e.g. you should be able to `which` these).
3.) ./configure
4.) make
5.) sudo make install
6.) Check your rules file. By default, step 3 configures Snort for the features
required by the included etc/snort.conf. You can validate it with:
src/snort -c etc/snort.conf -T
7.) snort -?
8.) If you've used previous versions of Snort, you may need to rewrite your
rules to make them compliant to the rules format. See snort_manual.pdf
or http://www.snort.org for more information.
9.) If you used previous versions of Snort and the new Snort dies upon startup,
try this and then restart:
sudo make uninstall
sudo make install
10.) Have fun!
Any questions? Sign up to the snort-users mailing list at http://www.snort.org!
Snort Configure-time switches
=============================
`--enable-debug'
Enable debugging options (bugreports and developers only).
`--enable-pthread'
Enable pthread support (causes snort to be linked with libpthread).
`--enable-rulestate'
Enable rule state configuration feature that separates the rule
state (enabled/disabled) from the action (alert, drop, log, etc)
and definition.
`--enable-so-with-static-lib`
Enable linking of dynamically loaded preprocessors with a static
preprocessor library.
`--enable-perfprofiling'
Enable performance profiling of individual rules and preprocessors.
`--enable-linux-smp-stats'
Enable CPU performance statistics through proc.
`--enable-react'
Enable interception and termination of offending HTTP accesses.
`--enable-flexresp3'
Enable the 'Flexible Response, version 3' code, that allows you to
reset hostile sessions. See README.active for details.
`--enable-gre'
Enable GRE decoder. Allows Snort to decode GRE encapsulated traffic.
Only supports GRE over IP. Only one layer of encapsulation will be
decoded - packets with multiple GRE headers will be alerted and
discarded/blocked.
`--enable-sourcefire'
Enable Sourcefire specific build options, encompasing
--enable-perfprofiling and --enable-ppm.
`--with-snmp'
Enable SNMP alerting code.
`--with-dnet-includes=DIR'
Specify libdnet include directory.
`--with-dnet-libraries=DIR'
Specify libdnet library directory.
`--with-libpcap-includes=DIR'
If the configuration script can't find the libpcap include files on its
own, the path can be set manually with this switch.
`--with-libpcap-libraries=DIR'
If the configuration script can't find the libpcap library files on its
own, the path can be set manually with this switch.
Basic Installation
==================
These are generic installation instructions.
The `configure' shell script attempts to guess correct values for various
system-dependent variables used during compilation. It uses those values to
create a `Makefile' in each directory of the package. It may also create one
or more `.h' files containing system-dependent definitions. Finally, it
creates a shell script `config.status' that you can run in the future to
recreate the current configuration, a file `config.cache' that saves the
results of its tests to speed up reconfiguring, and a file `config.log'
containing compiler output (useful mainly for debugging `configure').
If you need to do unusual things to compile the package, please try to figure
out how `configure' could check whether to do them, and mail diffs or
instructions to the address given in the `README' so they can be considered for
the next release. If at some point `config.cache' contains results you don't
want to keep, you may remove or edit it.
The file `configure.in' is used to create `configure' by a program called
`autoconf'. You only need `configure.in' if you want to change it or
regenerate `configure' using a newer version of `autoconf'.
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system. If you're
using `csh' on an old version of System V, you might need to type
`sh ./configure' instead to prevent `csh' from trying to execute
`configure' itself.
Running `configure' takes awhile. While running, it prints some
messages telling which features it is checking for.
2. Type `make' to compile the package.
3. Optionally, type `make check' to run any self-tests that come with
the package.
4. Type `make install' to install the programs and any data files and
documentation.
5. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that the
`configure' script does not know about. You can give `configure' initial
values for variables by setting them in the environment. Using a
Bourne-compatible shell, you can do that on the command line like this: CC=c89
CFLAGS=-O2 LIBS=-lposix ./configure
Or on systems that have the `env' program, you can do it like this:
env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the same
time, by placing the object files for each architecture in their own directory.
To do this, you must use a version of `make' that supports the `VPATH'
variable, such as GNU `make'. `cd' to the directory where you want the object
files and executables to go and run the `configure' script. `configure'
automatically checks for the source code in the directory that `configure' is
in and in `..'.
If you have to use a `make' that does not supports the `VPATH' variable, you
have to compile the package for one architecture at a time in the source code
directory. After you have installed the package for one architecture, use
`make distclean' before reconfiguring for another architecture.
Installation Names
==================
By default, `make install' will install the package's files in
`/usr/local/bin', `/usr/local/man', etc. You can specify an installation
prefix other than `/usr/local' by giving `configure' the option
`--prefix=PATH'.
You can specify separate installation prefixes for architecture-specific files
and architecture-independent files. If you give `configure' the option
`--exec-prefix=PATH', the package will use PATH as the prefix for installing
programs and libraries. Documentation and other data files will still use the
regular prefix.
In addition, if you use an unusual directory layout you can give options like
`--bindir=PATH' to specify different values for particular kinds of files. Run
`configure --help' for a list of the directories you can set and what kinds of
files go in them.
If the package supports it, you can cause programs to be installed with an
extra prefix or suffix on their names by giving `configure' the option
`--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Optional Features
=================
Some packages pay attention to `--enable-FEATURE' options to `configure', where
FEATURE indicates an optional part of the package. They may also pay attention
to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x'
(for the X Window System). The `README' should mention any `--enable-' and
`--with-' options that the package recognizes.
For packages that use the X Window System, `configure' can usually find the X
include and library files automatically, but if it doesn't, you can use the
`configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their
locations.
The following configuration switches are available for Snort:
Specifying the System Type
==========================
There may be some features `configure' can not figure out automatically, but
needs to determine by the type of host the package will run on. Usually
`configure' can figure that out, but if it prints a message saying it can not
guess the host type, give it the `--host=TYPE' option. TYPE can either be a
short name for the system type, such as `sun4', or a canonical name with three
fields: CPU-COMPANY-SYSTEM
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't need to
know the host type.
If you are building compiler tools for cross-compiling, you can also use the
`--target=TYPE' option to select the type of system they will produce code for
and the `--build=TYPE' option to select the type of system on which you are
compiling the package.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share, you can
create a site shell script called `config.site' that gives default values for
variables like `CC', `cache_file', and `prefix'. `configure' looks for
`PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it
exists. Or, you can set the `CONFIG_SITE' environment variable to the location
of the site script. A warning: not all `configure' scripts look for a site
script.
Operation Controls
==================
`configure' recognizes the following options to control how it operates.
`--cache-file=FILE'
Use and save the results of the tests in FILE instead of
`./config.cache'. Set FILE to `/dev/null' to disable caching, for
debugging `configure'.
`--help'
Print a summary of the options to `configure', and exit.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--version'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`configure' also accepts some other, not widely useful, options.
Platform Specific Notes
=======================
* Linux:
-------- With kernels 2.2.x and higher you may get `snort [pid] uses obsolete
(PF_INET, SOCK_PACKET)' warnings. This is because you use some older
implementation of libpcap library and you need an upgrade. The recent version
of libpcap could be found at www.tcpdump.org page. On linux with kernels 2.2.x
and higher you may also get feature to monitor several interfaces down to
network level (session + TCP + IP) if you link your snort with the latest
version of libpcap which incorporates Sebastian Krahmer's patch for interface
'any'. (Consult http://www.tcpdump.org for details).
* IRIX
------
[ noticed by Scott A. McIntyre <scott@whoi.edu> ]
There's problem with GCC on IRIX platform which causes certain misbehaviour
of snort.
From the SGI web site:
Gcc does not correctly pass/return structures which are smaller than 16 bytes
and which are not 8 bytes. The problem is very involved and difficult to fix.
It affects a number of other targets also, but irix6 is affected the most,
because it is a 64 bit target, and 4 byte structures are common. The exact
problem is that structures are being padded at the wrong end, e.g. a 4 byte
structure is loaded into the lower 4 bytes of the register when it should be
loaded into the upper 4 bytes of the register.
Gcc is consistent with itself, but not consistent with the SGI C compiler [and
the SGI supplied runtime libraries], so the only failures that can happen are
when there are library functions that take/return such structures. There are
very few such library functions. I can only recall seeing a few of them:
inet_ntoa, inet_aton, inet_lnaof, inet_netof, and semctl.
A possible workaround: if you have a program that calls inet_ntoa and friends
or semctl, and your kernel supports 64-bit binaries (i.e. uname -a prints
IRIX64 rather than just IRIX), then you may compile with gcc -mabi=64 to
workaround this problem.
More information is available at:
http://freeware.sgi.com/2000Feb/Installable/gcc-2.8.1-sgipl2.html
* MAC OSX
---------
On Darwin (maybe others), the configure script shipped as part of the source
distribution may need to be recreated. To do this, run the following commands:
glibtoolize --force
aclocal -I m4
autoheader
automake --add-missing --copy
autoconf
Snort needs to be linked using the two level namespace. To do this, set the
LD_TWOLEVEL_NAMESPACE environment variable to something prior to running
configure. An example:
$ export LD_TWOLEVEL_NAMESPACE=1
$ ./configure
$ make
* MAC OSX TIGER & LEOPARD
-------------------------
For users of MAC OSX 10.5 (Leopard), the following environment variables must
be set before running configure & make.
For users of MAC OSX 10.4 (Tiger), this also applies if the compiler has been
updated, otherwise, the instructions above may be used.
Reference information for MAC OSX can be found at these two links.
http://developer.apple.com/releasenotes/Darwin/SymbolVariantsRelNotes
http://lists.apple.com/archives/xcode-users/2007/Jun/msg00163.html
$ export LD_TWOLEVEL_NAMESPACE=1
$ export MACOSX_DEPLOYMENT_TARGET=10.5
$ ./configure
$ make
* Open BSD / Free BSD / MAC OSX
-------------------------------
For Open BSD and some versions of Free BSD, use the --disable-static-daq
option to Snort's configure script. This is a work-around to an issue with
building shared libraries that link against a static library. Without this
option to configure, libsf_engine.so and the dynamic preprocessors may not
be built correctly.
On certain BSD-based platforms, the make install may not symlink the version
specific shared libraries to the non-versioned shared library. This could
cause a failure to load when using dynamic libraries.
Workarounds:
1) Create the symlinks by hand after make install. The shared libraries can
be located under /usr/local/lib/snort_dynamicengine and
/usr/local/lib/snort_dynamicpreprocessor. If necessary, symlink the .so.0 or
.0.so files to a corresponding .so.
2) Use the --dynamic-preprocessor-lib (rather than
--dynamic-preprocessor-lib-dir) to load the version specific shared library.
3) Use the config directive dynamicpreprocessor file (rather than
dynamicpreprocessor directory) to load the version specific shared library.
4) open-appid feature has additional requirements for OpenBSD and FreeBSD
platforms. Please see README.appid if using open-appid in snort.
Note that on FreeBSD and OpenBSD, divert sockets don't work with bridges. Please
refer to the DAQ distro README for workarounds and more details.
When using the alert_unixsock output plugin on FreeBSD, please refer to the
Output Modules section of the Snort Manual.
* FreeBSD 6.x / FreeBSD 10.x
-------------
If you run the auto tools (instead of using the delivered configure script),
you may need to include -I /usr/local/share/aclocal (in addition to -I m4) as
arguments to aclocal. This is required to set up the correct info for using
LIBTOOL with aclocal version 1.9 that ships with FreeBSD.
Due to changes within LIBTOOL, it may also be necessary to regenerate the configure
script on FreeBSD 10 systems to ensure the Snort dynamic libraries are generated.
In either case, the following recommended commands should be used to configure
snort prior to using make:
libtoolize --automake --copy
aclocal -I m4 -I /usr/local/share/aclocal
autoheader
automake --add-missing --copy
autoconf
Then run configure with any desired options.
Potential Problem between a Network Interface Card (NIC) and Snort
==================================================================
There are two common problems that occur when running Snort for the
first time. The first is that the NIC is not in promiscuous
mode. That means traffic may be stopped at the NIC and in such a
case, Snort will not see the data. To resolve this problem, enable
promiscuous mode on the interface which Snort is using.
A second common problem is that NIC's found in PC's and
Servers have features that cause problems in Snort's Stream6
reassembly. For instance, when large receive offload (LRO)
or generic receive offload (GRO) are enabled, the NIC will
reassembles packets. Those reassembled packets, which can be
significantly larger than the standard snaplen of 1518 bytes,
are then sent to the operating system and Snort. However,
Snort will truncate packets larger than the default snaplen
of 1518 bytes.
Before making any changes to production hardware, it is
strongly recommended that you test the instructions below
in a lab environment or non-mission critical
hardware,
Also, this is by no means a full list of parameters that may
cause issues with Snort. This is simply a guide suggesting places
to start looking when snort appears to drop or block traffic
for reasons which cannot be explained by configuration or enabled
rules in Snort.
Linux Based Systems
-------------------
In Linux based systems, you can get a listing of the capabilities
of a given network card by using the following command (eth0 is
used in this example):
# ethtool -k eth0
which should produce the following output:
Features for eth0:
rx-checksumming: off <--- (ethtool setting is 'rx')
tx-checksumming: off <--- (ethtool setting is 'tx')
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: off
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: on
tx-scatter-gather: on
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off <--- (ethtool setting is 'tso')
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off <--- (ethtool setting is 'gso')
generic-receive-offload: off <--- (ethtool setting is 'gro')
large-receive-offload: off [fixed] <--- (ethtool setting is 'lro')
rx-vlan-offload: on
tx-vlan-offload: on [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
rx-fcs: off
rx-all: off
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
In addition, if a given parameter has the term [fixed] next to it,
that means that the parameter may NOT be adjusted by ethtool. Frequently,
an option is [fixed] because the snort is running is in a virtual
environment (i.e. - VMWare, VirtualBox, etc) and the
guest operating is unable to change the host operating system's
options. Also, to disable these options under Linux, you can use the 'ethtool'
command with the following parameters:
# ethtool -K eth0 tx off rx off tso off gso off gro off
if you need more help with ethtool options, you may
use 'info ethtool' or 'man ethtool'. You may also wish to keep these
options disabled across system shutdowns or restarts. In OpenSuSE 13.x,
permanently setting these options can be done as follows (should be
done as root user):
# `cd /etc/sysconfig/network'
# `cat ifcfg-eth0' (which should produce the listing below):
BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS='' // <-- <-- <-- <-- <-- (permanent ethtool options)
IFPLUGD_PRIORITY='0'
IPADDR='192.168.1.40/24'
MTU=''
NAME='82540EM Gigabit Ethernet Controller'
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
Next, open up the file ifcfg-eth0 with a text editor and edit the
line beginning with ETHTOOL_OPTION='' to look like the following:
ETHTOOL_OPTIONS='-K eth0 tx off rx off tso off gso off gro off'
Now, the options will be permanently turned off. In Fedora 19,
the network scripts are located in '/etc/sysconfig/network-scripts'.
Other Linux distributions may have similar configurations, or
in the case where you are using a distribution which supports
'rc.local' you can insert the 'ethtool -K' command into that
file as well.
Unix Based Systems
------------------
In BSD based systems, the parameters may be changed via the
'ifconfig' command. For example, in FreeBSD 9.x,
to disable transmit checksum offloading, receive checksum
offloading, and large receive offloading for device 'em0'
(ethernet 0) type the following command:
/sbin/ifconfig em0 -txcsum -rxcsum -lro
Enabled options for a given interface appear
on the OPTIONS line, as shown below:
# /sbin/ifconfig
em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:8e:a0:85
inet 192.168.1.125 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe8e:a085%em0 prefixlen 64 scopeid 0x1
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:4c:36:49
inet 192.168.56.125 netmask 0xffffff00 broadcast 192.168.56.255
inet6 fe80::a00:27ff:fe4c:3649%em1 prefixlen 64 scopeid 0x3
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
On interfaces 'em0' and 'em1' you will see that the network cards
are in PROMISC mode, but transmit checksum offloading,
receive checksum offloading, and large receive offloading
are not listed, indicating they are disabled.
You can add the parameters to the file /etc/rc.conf so that they
will be enabled across system restarts network interface restarts.
Here is a sample rc.conf file from FreeBSD 9.1:
hostname="barnyard.foobar.com"
ifconfig_em0=" inet 192.168.1.125 netmask 255.255.255.0"
ifconfig em0 promisc -rxcsum -txcsum -lro
ifconfig_em1=" inet 192.168.56.125 netmask 255.255.255.0"
ifconfig em1 promisc -rxcsum -txcsum -lro
defaultrouter="192.168.1.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
In the above case, interfaces 'em0' and 'em1' will be set to
promiscuous mode, and have transmit checksum offload, receive
checksum offload, and large receive offload disabled.
In OpenBSD based systems, you can use the command:
/sbin/ifconfig <interface> hwfeatures
to get a list of hardware features that your network cards
and device drivers support.
On NetBSD based systems, available hardware options for
network cards may be listed with the command below:
# /sbin/ifconfig <interface_name>
For example:
# /sbin/ifconfig wm0
wm0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
capabilities=2bf80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx,
UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Tx,UDP6CSUM_Tx>
enabled=0
address: 08:00:27:cf:55:48
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fecf:5548%wm0 prefixlen 64 scopeid 0x1
Shows that this interface supports IPv4 checksum offloading (transmit
and receive), TCPv4 checksum offloading (transmit and receive), UDPv4
checksum offloading (transmit and receive), and UDPv6/TCPv6 checksum
offloading (transmit only).
To disable these features, use the line below:
# /sbin/ifconfig wm0 -ip4csum -tcp4csum -udp4csum -tcp6csum-tx -udp6csum-tx
For more help, use 'man ifconfig'.
Windows Based Systems
-------------------
Common options found in Windows Based network cards and
drivers may include (there may be others):
Generic Receive Offload (IPv4 or IPv6)
Large Send Offload (IPv4 or IPv6)
Large Receive Offload (IPv4 or IPv6)
TCP Chimney (IPv4/IPv6)
TCP/UDP Checksum Offload (IPv4/IPv6)
In Windows based systems these may be displayed in:
>> 'Network Connections' | LAN | Properties | Configure | Advanced:
These parameters may be disabled by going to
>> 'Control Panel' | 'Network Connections' | 'Local Area Network' |
'Properties' | 'Configure' | Advanced (or some variant of this)
and scrolling down the list in advanced and selecting 'disable' or 'off',
then clicking Ok.
Virtual Environments
--------------------
In addition to physical computer systems, many organizations
and home users may choose to run products which allow the use of
multiple operating systems on a single (physical) computer by use
of Virtualization Software (VMWare, VirtualBox, Xen, etc).
These issues may still be present since the virtual environment
is mostly dependent upon the physical hardware on which it is running.
The above issues with LRO and GRO may not be present at the Virtual
Machine level but rather on the 'host' operating system's physical hardware.
distrib
>
Mageia
>
7
>
armv7hl
>
media
>
core-release
>
by-pkgid
>
18be1c5b9c5b84472d8f61f6ae8d7bbe
>
files
>
84
