[Snort-devel] Compress snort

Martin Olsson elof at ...969...
Fri Oct 15 04:33:04 EDT 2004


On Thu, 14 Oct 2004, Arpan Acharya wrote:
> I need to compress the whole of snort into one single file for a
> project. I don't have to use all the features of snort, just the main
> ones. Just a few rules and preprocessors. I need to remove all the
> file accesses in snort. Please suggest me a way to go about it. If
> someone had done something on the same lines, please share the
> experience with me. It would be really helpful to me in my project.

I don't know if I understand your question correctly, but here is how I do
it.

I only use three files: snort, snort.conf and unicode.map

1. Install PCRE- and MySQL-libs on your development machine.
2. Unpack the snort source and run ./configure --with-mysql
3. Edit src/Makefile to statically include pcre- and mysql-libs in the
   snort binary:
   LIBS = -lz /usr/...../libpcre.a -lpcap -lm /usr/...../libmysqlclient.a
4. make
5. strip src/snort
6. copy src/snort to some other machine
7. Create your snort.conf
   Put everything in snort.conf (variables, configuration options,
   preprocessors, output plugins, references, classifications, rules and
   thresholds/suppression).
8. copy your snort.conf to the other machine
9. copy etc/unicode.map to the other machine

There you have it. The other machine only needs these three files to run
snort with mysql-support.

(If you don't use the preprocessor http_inspect you don't even need the
file unicode.map, only two files needed)

/Martin
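
A check for the three-file deployment described in the message above, added here as an example (it is not part of the original post or of the Snort distribution). It reports any shared libpcre/libmysqlclient dependency left in the binary and any file the snort.conf still references; the function names are hypothetical, and it assumes Snort 2.x `include` directives and the `iis_unicode_map` option of the http_inspect global configuration.

```shell
#!/bin/sh
# Added example: verify that a stripped snort binary and a single snort.conf
# are self-contained before copying them to the target machine.

# Reads `ldd src/snort` output on stdin and prints any libpcre or
# libmysqlclient entries, i.e. libraries step 3 meant to link statically.
unexpected_shared_libs() {
    grep -E 'lib(pcre|mysqlclient)\.so' || true
}

# Prints one line per file that the given snort.conf needs at run time:
#   include:<file>      for every active "include" directive
#   unicode_map:<file>  for the map named by http_inspect's iis_unicode_map
# Prints nothing when the configuration is fully inlined.
conf_external_files() {
    awk '
        # Join backslash-continued lines into one logical line.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { $0 = buf $0; buf = "" }
        /^[ \t]*#/ { next }                       # ignore comment lines
        $1 == "include" { print "include:" $2 }
        $1 == "preprocessor" && $2 ~ /^http_inspect:?$/ {
            for (i = 3; i < NF; i++)
                if ($i == "iis_unicode_map") print "unicode_map:" $(i + 1)
        }
    ' "$1"
}

# Usage: sh check_bundle.sh src/snort snort.conf
if [ "$#" -eq 2 ]; then
    echo "shared libs that should be static:"
    ldd "$1" | unexpected_shared_libs
    echo "files snort.conf still depends on:"
    conf_external_files "$2"
fi
```

An `include:` line means step 7 is not finished for that file; a `unicode_map:` line is expected whenever http_inspect is enabled.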




