The "generic" notes for putting this thing together are below. Here's the short version. 1.) If you are upgrading from a prior version of Snort, it is generally a good idea to start with `sudo make uninstall` in your old source tree to remove any dynamic modules that could cause you grief later. 2.) *** Make sure you have libdnet, libpcap, libpcre installed!!! *** Also make sure that dnet-config, pcre-config, and daq-modules-config are in your PATH (e.g. you should be able to `which` these). 3.) ./configure 4.) make 5.) sudo make install 6.) Check your rules file. By default, step 3 configures Snort for the features required by the included etc/snort.conf. You can validate it with: src/snort -c etc/snort.conf -T 7.) snort -? 8.) If you've used previous versions of Snort, you may need to rewrite your rules to make them compliant to the rules format. See snort_manual.pdf or http://www.snort.org for more information. 9.) If you used previous versions of Snort and the new Snort dies upon startup, try this and then restart: sudo make uninstall sudo make install 10.) Have fun! Any questions? Sign up to the snort-users mailing list at http://www.snort.org! Snort Configure-time switches ============================= `--enable-debug' Enable debugging options (bugreports and developers only). `--enable-pthread' Enable pthread support (causes snort to be linked with libpthread). `--enable-rulestate' Enable rule state configuration feature that separates the rule state (enabled/disabled) from the action (alert, drop, log, etc) and definition. `--enable-so-with-static-lib` Enable linking of dynamically loaded preprocessors with a static preprocessor library. `--enable-perfprofiling' Enable performance profiling of individual rules and preprocessors. `--enable-linux-smp-stats' Enable CPU performance statistics through proc. `--enable-react' Enable interception and termination of offending HTTP accesses. `--enable-flexresp3' Enable the 'Flexible Response, version 3' code, that allows you to reset hostile sessions. See README.active for details. `--enable-gre' Enable GRE decoder. Allows Snort to decode GRE encapsulated traffic. Only supports GRE over IP. Only one layer of encapsulation will be decoded - packets with multiple GRE headers will be alerted and discarded/blocked. `--enable-sourcefire' Enable Sourcefire specific build options, encompasing --enable-perfprofiling and --enable-ppm. `--with-snmp' Enable SNMP alerting code. `--with-dnet-includes=DIR' Specify libdnet include directory. `--with-dnet-libraries=DIR' Specify libdnet library directory. `--with-libpcap-includes=DIR' If the configuration script can't find the libpcap include files on its own, the path can be set manually with this switch. `--with-libpcap-libraries=DIR' If the configuration script can't find the libpcap library files on its own, the path can be set manually with this switch. Basic Installation ================== These are generic installation instructions. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, a file `config.cache' that saves the results of its tests to speed up reconfiguring, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.in' is used to create `configure' by a program called `autoconf'. You only need `configure.in' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. If you're using `csh' on an old version of System V, you might need to type `sh ./configure' instead to prevent `csh' from trying to execute `configure' itself. Running `configure' takes awhile. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package. 4. Type `make install' to install the programs and any data files and documentation. 5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. You can give `configure' initial values for variables by setting them in the environment. Using a Bourne-compatible shell, you can do that on the command line like this: CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure Or on systems that have the `env' program, you can do it like this: env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you must use a version of `make' that supports the `VPATH' variable, such as GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. If you have to use a `make' that does not supports the `VPATH' variable, you have to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. Installation Names ================== By default, `make install' will install the package's files in `/usr/local/bin', `/usr/local/man', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PATH'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you give `configure' the option `--exec-prefix=PATH', the package will use PATH as the prefix for installing programs and libraries. Documentation and other data files will still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=PATH' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. The following configuration switches are available for Snort: Specifying the System Type ========================== There may be some features `configure' can not figure out automatically, but needs to determine by the type of host the package will run on. Usually `configure' can figure that out, but if it prints a message saying it can not guess the host type, give it the `--host=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name with three fields: CPU-COMPANY-SYSTEM See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the host type. If you are building compiler tools for cross-compiling, you can also use the `--target=TYPE' option to select the type of system they will produce code for and the `--build=TYPE' option to select the type of system on which you are compiling the package. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Operation Controls ================== `configure' recognizes the following options to control how it operates. `--cache-file=FILE' Use and save the results of the tests in FILE instead of `./config.cache'. Set FILE to `/dev/null' to disable caching, for debugging `configure'. `--help' Print a summary of the options to `configure', and exit. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `--version' Print the version of Autoconf used to generate the `configure' script, and exit. `configure' also accepts some other, not widely useful, options. Platform Specific Notes ======================= * Linux: -------- With kernels 2.2.x and higher you may get `snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings. This is because you use some older implementation of libpcap library and you need an upgrade. The recent version of libpcap could be found at www.tcpdump.org page. On linux with kernels 2.2.x and higher you may also get feature to monitor several interfaces down to network level (session + TCP + IP) if you link your snort with the latest version of libpcap which incorporates Sebastian Krahmer's patch for interface 'any'. (Consult http://www.tcpdump.org for details). * IRIX ------ [ noticed by Scott A. McIntyre <scott@whoi.edu> ] There's problem with GCC on IRIX platform which causes certain misbehaviour of snort. From the SGI web site: Gcc does not correctly pass/return structures which are smaller than 16 bytes and which are not 8 bytes. The problem is very involved and difficult to fix. It affects a number of other targets also, but irix6 is affected the most, because it is a 64 bit target, and 4 byte structures are common. The exact problem is that structures are being padded at the wrong end, e.g. a 4 byte structure is loaded into the lower 4 bytes of the register when it should be loaded into the upper 4 bytes of the register. Gcc is consistent with itself, but not consistent with the SGI C compiler [and the SGI supplied runtime libraries], so the only failures that can happen are when there are library functions that take/return such structures. There are very few such library functions. I can only recall seeing a few of them: inet_ntoa, inet_aton, inet_lnaof, inet_netof, and semctl. A possible workaround: if you have a program that calls inet_ntoa and friends or semctl, and your kernel supports 64-bit binaries (i.e. uname -a prints IRIX64 rather than just IRIX), then you may compile with gcc -mabi=64 to workaround this problem. More information is available at: http://freeware.sgi.com/2000Feb/Installable/gcc-2.8.1-sgipl2.html * MAC OSX --------- On Darwin (maybe others), the configure script shipped as part of the source distribution may need to be recreated. To do this, run the following commands: glibtoolize --force aclocal -I m4 autoheader automake --add-missing --copy autoconf Snort needs to be linked using the two level namespace. To do this, set the LD_TWOLEVEL_NAMESPACE environment variable to something prior to running configure. An example: $ export LD_TWOLEVEL_NAMESPACE=1 $ ./configure $ make * MAC OSX TIGER & LEOPARD ------------------------- For users of MAC OSX 10.5 (Leopard), the following environment variables must be set before running configure & make. For users of MAC OSX 10.4 (Tiger), this also applies if the compiler has been updated, otherwise, the instructions above may be used. Reference information for MAC OSX can be found at these two links. http://developer.apple.com/releasenotes/Darwin/SymbolVariantsRelNotes http://lists.apple.com/archives/xcode-users/2007/Jun/msg00163.html $ export LD_TWOLEVEL_NAMESPACE=1 $ export MACOSX_DEPLOYMENT_TARGET=10.5 $ ./configure $ make * Open BSD / Free BSD / MAC OSX ------------------------------- For Open BSD and some versions of Free BSD, use the --disable-static-daq option to Snort's configure script. This is a work-around to an issue with building shared libraries that link against a static library. Without this option to configure, libsf_engine.so and the dynamic preprocessors may not be built correctly. On certain BSD-based platforms, the make install may not symlink the version specific shared libraries to the non-versioned shared library. This could cause a failure to load when using dynamic libraries. Workarounds: 1) Create the symlinks by hand after make install. The shared libraries can be located under /usr/local/lib/snort_dynamicengine and /usr/local/lib/snort_dynamicpreprocessor. If necessary, symlink the .so.0 or .0.so files to a corresponding .so. 2) Use the --dynamic-preprocessor-lib (rather than --dynamic-preprocessor-lib-dir) to load the version specific shared library. 3) Use the config directive dynamicpreprocessor file (rather than dynamicpreprocessor directory) to load the version specific shared library. 4) open-appid feature has additional requirements for OpenBSD and FreeBSD platforms. Please see README.appid if using open-appid in snort. Note that on FreeBSD and OpenBSD, divert sockets don't work with bridges. Please refer to the DAQ distro README for workarounds and more details. When using the alert_unixsock output plugin on FreeBSD, please refer to the Output Modules section of the Snort Manual. * FreeBSD 6.x / FreeBSD 10.x ------------- If you run the auto tools (instead of using the delivered configure script), you may need to include -I /usr/local/share/aclocal (in addition to -I m4) as arguments to aclocal. This is required to set up the correct info for using LIBTOOL with aclocal version 1.9 that ships with FreeBSD. Due to changes within LIBTOOL, it may also be necessary to regenerate the configure script on FreeBSD 10 systems to ensure the Snort dynamic libraries are generated. In either case, the following recommended commands should be used to configure snort prior to using make: libtoolize --automake --copy aclocal -I m4 -I /usr/local/share/aclocal autoheader automake --add-missing --copy autoconf Then run configure with any desired options. Potential Problem between a Network Interface Card (NIC) and Snort ================================================================== There are two common problems that occur when running Snort for the first time. The first is that the NIC is not in promiscuous mode. That means traffic may be stopped at the NIC and in such a case, Snort will not see the data. To resolve this problem, enable promiscuous mode on the interface which Snort is using. A second common problem is that NIC's found in PC's and Servers have features that cause problems in Snort's Stream6 reassembly. For instance, when large receive offload (LRO) or generic receive offload (GRO) are enabled, the NIC will reassembles packets. Those reassembled packets, which can be significantly larger than the standard snaplen of 1518 bytes, are then sent to the operating system and Snort. However, Snort will truncate packets larger than the default snaplen of 1518 bytes. Before making any changes to production hardware, it is strongly recommended that you test the instructions below in a lab environment or non-mission critical hardware, Also, this is by no means a full list of parameters that may cause issues with Snort. This is simply a guide suggesting places to start looking when snort appears to drop or block traffic for reasons which cannot be explained by configuration or enabled rules in Snort. Linux Based Systems ------------------- In Linux based systems, you can get a listing of the capabilities of a given network card by using the following command (eth0 is used in this example): # ethtool -k eth0 which should produce the following output: Features for eth0: rx-checksumming: off <--- (ethtool setting is 'rx') tx-checksumming: off <--- (ethtool setting is 'tx') tx-checksum-ipv4: off [fixed] tx-checksum-ip-generic: off tx-checksum-ipv6: off [fixed] tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: off [fixed] scatter-gather: on tx-scatter-gather: on tx-scatter-gather-fraglist: off [fixed] tcp-segmentation-offload: off <--- (ethtool setting is 'tso') tx-tcp-segmentation: off tx-tcp-ecn-segmentation: off [fixed] tx-tcp6-segmentation: off [fixed] udp-fragmentation-offload: off [fixed] generic-segmentation-offload: off <--- (ethtool setting is 'gso') generic-receive-offload: off <--- (ethtool setting is 'gro') large-receive-offload: off [fixed] <--- (ethtool setting is 'lro') rx-vlan-offload: on tx-vlan-offload: on [fixed] ntuple-filters: off [fixed] receive-hashing: off [fixed] highdma: off [fixed] rx-vlan-filter: on [fixed] vlan-challenged: off [fixed] tx-lockless: off [fixed] netns-local: off [fixed] tx-gso-robust: off [fixed] tx-fcoe-segmentation: off [fixed] tx-gre-segmentation: off [fixed] tx-udp_tnl-segmentation: off [fixed] tx-mpls-segmentation: off [fixed] fcoe-mtu: off [fixed] tx-nocache-copy: on loopback: off [fixed] rx-fcs: off rx-all: off tx-vlan-stag-hw-insert: off [fixed] rx-vlan-stag-hw-parse: off [fixed] rx-vlan-stag-filter: off [fixed] In addition, if a given parameter has the term [fixed] next to it, that means that the parameter may NOT be adjusted by ethtool. Frequently, an option is [fixed] because the snort is running is in a virtual environment (i.e. - VMWare, VirtualBox, etc) and the guest operating is unable to change the host operating system's options. Also, to disable these options under Linux, you can use the 'ethtool' command with the following parameters: # ethtool -K eth0 tx off rx off tso off gso off gro off if you need more help with ethtool options, you may use 'info ethtool' or 'man ethtool'. You may also wish to keep these options disabled across system shutdowns or restarts. In OpenSuSE 13.x, permanently setting these options can be done as follows (should be done as root user): # `cd /etc/sysconfig/network' # `cat ifcfg-eth0' (which should produce the listing below): BOOTPROTO='static' BROADCAST='' ETHTOOL_OPTIONS='' // <-- <-- <-- <-- <-- (permanent ethtool options) IFPLUGD_PRIORITY='0' IPADDR='192.168.1.40/24' MTU='' NAME='82540EM Gigabit Ethernet Controller' NETWORK='' REMOTE_IPADDR='' STARTMODE='auto' USERCONTROL='no' Next, open up the file ifcfg-eth0 with a text editor and edit the line beginning with ETHTOOL_OPTION='' to look like the following: ETHTOOL_OPTIONS='-K eth0 tx off rx off tso off gso off gro off' Now, the options will be permanently turned off. In Fedora 19, the network scripts are located in '/etc/sysconfig/network-scripts'. Other Linux distributions may have similar configurations, or in the case where you are using a distribution which supports 'rc.local' you can insert the 'ethtool -K' command into that file as well. Unix Based Systems ------------------ In BSD based systems, the parameters may be changed via the 'ifconfig' command. For example, in FreeBSD 9.x, to disable transmit checksum offloading, receive checksum offloading, and large receive offloading for device 'em0' (ethernet 0) type the following command: /sbin/ifconfig em0 -txcsum -rxcsum -lro Enabled options for a given interface appear on the OPTIONS line, as shown below: # /sbin/ifconfig em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM> ether 08:00:27:8e:a0:85 inet 192.168.1.125 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::a00:27ff:fe8e:a085%em0 prefixlen 64 scopeid 0x1 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM> ether 08:00:27:4c:36:49 inet 192.168.56.125 netmask 0xffffff00 broadcast 192.168.56.255 inet6 fe80::a00:27ff:fe4c:3649%em1 prefixlen 64 scopeid 0x3 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 inet 127.0.0.1 netmask 0xff000000 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> On interfaces 'em0' and 'em1' you will see that the network cards are in PROMISC mode, but transmit checksum offloading, receive checksum offloading, and large receive offloading are not listed, indicating they are disabled. You can add the parameters to the file /etc/rc.conf so that they will be enabled across system restarts network interface restarts. Here is a sample rc.conf file from FreeBSD 9.1: hostname="barnyard.foobar.com" ifconfig_em0=" inet 192.168.1.125 netmask 255.255.255.0" ifconfig em0 promisc -rxcsum -txcsum -lro ifconfig_em1=" inet 192.168.56.125 netmask 255.255.255.0" ifconfig em1 promisc -rxcsum -txcsum -lro defaultrouter="192.168.1.1" sshd_enable="YES" # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable dumpdev="NO" In the above case, interfaces 'em0' and 'em1' will be set to promiscuous mode, and have transmit checksum offload, receive checksum offload, and large receive offload disabled. In OpenBSD based systems, you can use the command: /sbin/ifconfig <interface> hwfeatures to get a list of hardware features that your network cards and device drivers support. On NetBSD based systems, available hardware options for network cards may be listed with the command below: # /sbin/ifconfig <interface_name> For example: # /sbin/ifconfig wm0 wm0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 capabilities=2bf80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx,TCP4CSUM_Tx, UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Tx,UDP6CSUM_Tx> enabled=0 address: 08:00:27:cf:55:48 media: Ethernet autoselect (1000baseT full-duplex) status: active inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::a00:27ff:fecf:5548%wm0 prefixlen 64 scopeid 0x1 Shows that this interface supports IPv4 checksum offloading (transmit and receive), TCPv4 checksum offloading (transmit and receive), UDPv4 checksum offloading (transmit and receive), and UDPv6/TCPv6 checksum offloading (transmit only). To disable these features, use the line below: # /sbin/ifconfig wm0 -ip4csum -tcp4csum -udp4csum -tcp6csum-tx -udp6csum-tx For more help, use 'man ifconfig'. Windows Based Systems ------------------- Common options found in Windows Based network cards and drivers may include (there may be others): Generic Receive Offload (IPv4 or IPv6) Large Send Offload (IPv4 or IPv6) Large Receive Offload (IPv4 or IPv6) TCP Chimney (IPv4/IPv6) TCP/UDP Checksum Offload (IPv4/IPv6) In Windows based systems these may be displayed in: >> 'Network Connections' | LAN | Properties | Configure | Advanced: These parameters may be disabled by going to >> 'Control Panel' | 'Network Connections' | 'Local Area Network' | 'Properties' | 'Configure' | Advanced (or some variant of this) and scrolling down the list in advanced and selecting 'disable' or 'off', then clicking Ok. Virtual Environments -------------------- In addition to physical computer systems, many organizations and home users may choose to run products which allow the use of multiple operating systems on a single (physical) computer by use of Virtualization Software (VMWare, VirtualBox, Xen, etc). These issues may still be present since the virtual environment is mostly dependent upon the physical hardware on which it is running. The above issues with LRO and GRO may not be present at the Virtual Machine level but rather on the 'host' operating system's physical hardware.