[Snort-devel] Compiling and Running Snort 2.9.8.0 on MAC OSX 10.11.3 (El Capitan)

Bill Parker wp02855 at ...2499...
Mon Feb 15 17:24:05 EST 2016


This information should be made into a document, turned into a PDF, and
sent to Joel so he can install it on the Snort.org site in the documents
section...<hint hint, Madhu> :)

Bill

On Mon, Feb 15, 2016 at 2:19 PM, Madhu Rao <k.madhurao.123 at ...2499...> wrote:

> Joel
>
> thanks a bunch!! You pointed out the issue!!
> I was cutting and pasting the commands from an Ubuntu machine... and trying
> to run commands I ran on Ubuntu....
>
> This worked now..
>
> sudo snort -c /etc/snort/snort.conf -i en0 -k none
>
>
> I am able to fire up snort now on my Mac..
>
>
> thanks everyone for the pointers..
>
> In case someone needs the complete instructions I followed to BUILD snort
> 2.9.8.1 on MAC OSX Version 10.11.3 (El Capitan) -- here are the
> instructions!
>
>
> 1) Install Xcode (Xcode includes the compiler and other libraries required
> to compile Snort)
>
> 2) Install MacPorts from http://www.macports.org/
>
> Note: you may want to update MacPorts itself if you installed it a long
> time ago. Try running 'sudo port selfupdate' and 'sudo port upgrade
> outdated'
>
> 3) Install PCRE via MacPorts
>
> 'sudo port install pcre'
>
> 4) Install wget via MacPorts
>
> 'sudo port install wget'
>
>
>
> 5) Download Dependent Packages and Make/Install them
>
> 5a) Install directory
>
> Assume BUILD_DIR=/Users/mrjoe/work/snort  (note it can be any dir..)
>
> export BUILD_DIR=/Users/mrjoe/work/snort
>
>
> 5b) DNET
>
> cd $BUILD_DIR
>
> wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
>
> tar xvfz libdnet-1.12.tgz
>
> cd libdnet-1.12
>
> ./configure
>
> sudo make install
>
>
>
>
>
> 5c) pkg-config
>
> cd $BUILD_DIR
>
> wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz
>
> tar -xvf pkg-config-0.28.tar.gz
>
> cd pkg-config-0.28
>
> ./configure --with-internal-glib
>
> sudo make install
>
>
>
> 5d) LuaJIT
>
> cd $BUILD_DIR
>
> wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
>
> tar xzvf LuaJIT-2.0.2.tar.gz
>
> cd LuaJIT-2.0.2
>
> make
>
> sudo make install
>
>
> 5e) DAQ
>
> cd $BUILD_DIR
>
> wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
>
> tar xvfz daq-2.0.6.tar.gz
>
> cd daq-2.0.6
>
> ./configure --disable-afpacket-module
>
> make
>
> sudo make install
>
>
>
>
>
> 6) Download & Build Snort
>
>
>
> cd $BUILD_DIR
>
> wget --no-check-certificate -O snort-2.9.8.0.tar.gz \
>   https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
>
> tar xvfz snort-2.9.8.0.tar.gz
>
> cd snort-2.9.8.0
>
> ./configure --enable-sourcefire --enable-open-appid
>
> make
>
> sudo make install
>
>
>
> At this point you can start configuring for a test run
>
>
>
>
>
>
>
> 7) Configure Snort without OpenAppID enabled:
>
> sudo mkdir /etc/snort
>
> sudo mkdir /var/log/snort
>
> sudo mkdir /usr/local/lib/snort_dynamicrules
>
> sudo mkdir /etc/snort/rules
>
> sudo touch /etc/snort/rules/white_list.rules
>
> sudo touch /etc/snort/rules/black_list.rules
>
>
>
>
>
> 8) Copy the configuration files you built
>
> cd $BUILD_DIR/snort-2.9.8.0/etc/
>
> sudo cp attribute_table.dtd file_magic.conf snort.conf unicode.map \
>   classification.config gen-msg.map reference.config threshold.conf \
>   /etc/snort/
>
>
>
>
>
> 9) Add some Snort rules from snort.org
>
> cd $BUILD_DIR
>
> mkdir crules
>
> cd crules
>
> From the Website, Download the LATEST Snort Rules.
>
> https://www.snort.org/downloads/registered/snortrules-snapshot-2980.tar.gz
>
>      NOTE:  This CLI method does not work.. unfortunately.
>
>      wget https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz
> (You will need to log in to snort.org with a username/password (free) to get this)
>
> tar -xvzf snortrules-snapshot-2962.tar.gz
>
> sudo cp -r preproc_rules /etc/snort
>
> sudo cp -r rules /etc/snort
>
> sudo cp -r so_rules /etc/snort
>
>
>
>
>
> 10) EDIT the /etc/snort/snort.conf file
>
> cd /etc/snort
>
> sudo vi snort.conf
>
>      EDIT the following lines as shown
>
> var RULE_PATH /etc/snort/rules
>
> var SO_RULE_PATH /etc/snort/so_rules
>
> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>
> var WHITE_LIST_PATH /etc/snort/rules
>
> var BLACK_LIST_PATH /etc/snort/rules
>
>
>
>
>
> 11) Fire up snort and do a self test (-T option)
>
> sudo snort -c /etc/snort/snort.conf -T
>
> ....you will see something like this
>
> Snort successfully validated the configuration!
>
> Snort exiting
>
>
>
>
>
> 12) Enabling OpenAppID in Snort
>
> wget https://www.snort.org/downloads/openappid/3192 -O
> snort-openappid.tar.gz
>
> tar xvfz snort-openappid.tar.gz
>
> sudo mkdir /usr/local/lib/openappid
>
> sudo mv odp /usr/local/lib/openappid/
>
>
>
>      Edit the /etc/snort/snort.conf File
>
> sudo vi /etc/snort/snort.conf
>
>      Search for "Step #5: Configure preprocessors"
>
>      After this line -- "preprocessor reputation:" -- add the following
> lines to enable OpenAppID.
>
>
>
> # AppID preprocessor. For more information see README.appid
>
> preprocessor appid : \
>
>    app_stats_filename appstats-unified.log, \
>
>    app_stats_period 60, \
>
>    app_detector_dir /usr/local/lib/openappid
>
>
>
> Finally, uncomment this line in the snort.conf file
>
> output unified2: filename merged.log, limit 128, nostamp,
> mpls_event_types, vlan_event_types
>
>
>
>
>
> 13) Test snort with OpenAppID in Snort
>
> sudo snort -c /etc/snort/snort.conf -i en0 -k none
>
> sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i en0
> -k none
>
>
>
>
>
> You will see the following when Snort runs properly on a Mac
>
> MADHURAO-M-90DD:snort madhurao$ sudo snort -c /etc/snort/snort.conf --daq
> pcap --daq-mode passive -i en0 -k none
>
> Password:
>
> Running in IDS mode
>
>
>
>         --== Initializing Snort ==--
>
> Initializing Output Plugins!
>
> ....
>
>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381
> 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779
> 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300
> 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
> 50002 55555
>
> ....
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>
>            Preprocessor Object: appid  Version 1.1  <Build 5>
>
> Commencing packet processing (pid=66645)
>
> ...
>
>
>
>  Cheers.
>
>
>
> On Mon, Feb 15, 2016 at 1:39 PM, Joel Esler (jesler) <jesler at ...3461...>
> wrote:
>
>> I don’t think that the interface would be called “eth0” on a mac.  You
>> may want to make sure you have the right device specified.
>>
>> --
>> *Joel Esler*
>> Manager, Talos Group
>>
>>
>>
>>
>> On Feb 12, 2016, at 5:04 PM, Madhu Rao <k.madhurao.123 at ...2499...> wrote:
>>
>> Hi Folks
>>
>> Has anyone had luck downloading and compiling snort 2.9.8.0 and getting it
>> working on the latest Mac OS X El Capitan?
>> I have a macbook pro running El Capitan. (OSX 10.11.3)
>>
>> I See the following Errors when I run Snort.
>>
>> $ sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i
>> eth0 -k none
>>
>> pcap DAQ configured to passive.
>>
>> Acquiring network traffic from "eth0".
>>
>> Reload thread starting...
>>
>> Reload thread started, thread 0x700000081000 (41553)
>>
>> ERROR: Can't start DAQ (-1) - BIOCSETIF failed: Device not configured!
>>
>> Fatal Error, Quitting..
>>
>>
>> BTW - when I configured DAQ, this was the outcome.
>>
>> $cd daq-2.0.6
>>
>> ./configure --disable-afpacket-module
>>
>> ...
>>
>> Build AFPacket DAQ module.. : no
>> Build Dump DAQ module...... : yes
>> Build IPFW DAQ module...... : yes
>> Build IPQ DAQ module....... : no
>> Build NFQ DAQ module....... : no
>> Build PCAP DAQ module...... : yes
>> Build netmap DAQ module.... : no
>>
>>
>> Any pointers appreciated.
>>
>> -- madhu
>>
>>
>>
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>
>
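As an added example (not code from the thread or from the Snort project), here is a small POSIX sh wrapper for the run step of the procedure above. It assumes the build and configuration steps were completed as described, that snort.conf lives at /etc/snort/snort.conf (override with the SNORT_CONF variable), and that en0 is the capture interface on macOS; the function names and the SNORT_MAC_RUN switch are my own. Its point is the failure the thread actually hit: it checks that the requested interface exists before Snort is started as root, so a Linux name like eth0 copied over from an Ubuntu box is rejected with a clear message instead of "BIOCSETIF failed: Device not configured", and it validates the configuration with -T before the live run.

```shell
#!/bin/sh
# snort-mac.sh: wrapper for running Snort 2.9.8.x on macOS after the build
# and configuration steps in the thread. Added example, not from the thread.
# Assumptions: Snort is installed under /usr/local, the config is in
# /etc/snort (SNORT_CONF overrides it), and the capture interface is en0.
set -eu

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Default capture interface per platform. macOS has no eth0; the active
# wired/Wi-Fi interface is usually en0 (the name that worked in the thread).
# On Linux, fall back to the first non-loopback device under /sys/class/net.
default_iface() {
    case "$(uname -s)" in
        Darwin) echo en0 ;;
        *) ls /sys/class/net 2>/dev/null | grep -v '^lo$' | head -n 1 ;;
    esac
}

# Return 0 if the named interface exists on this host. Checking this before
# launching Snort turns the BPF error "BIOCSETIF failed: Device not configured"
# into a readable message, and avoids starting a root process against a
# misnamed device at all.
iface_exists() {
    case "$(uname -s)" in
        Darwin) ifconfig "$1" >/dev/null 2>&1 ;;
        *) [ -d "/sys/class/net/$1" ] ;;
    esac
}

# Build the Snort command line for passive IDS mode on the given interface.
# Only the pcap DAQ is used: afpacket is a Linux-only module and was disabled
# in the DAQ build above (--disable-afpacket-module). -k none disables
# checksum verification, as in the thread's working command.
snort_cmd() {
    echo "snort -c $SNORT_CONF --daq pcap --daq-mode passive -i $1 -k none"
}

# Validate the configuration (-T) first, then start Snort on the interface.
run_snort() {
    iface="${1:-$(default_iface)}"
    if ! iface_exists "$iface"; then
        echo "interface '$iface' not found; on macOS try en0 (list with: ifconfig -l)" >&2
        return 1
    fi
    sudo snort -c "$SNORT_CONF" -T
    # Word splitting of the generated command line is intended here.
    # shellcheck disable=SC2046
    sudo $(snort_cmd "$iface")
}

# Only start Snort when explicitly asked, so sourcing this file just defines
# the functions and has no side effects.
if [ "${SNORT_MAC_RUN:-0}" = 1 ]; then
    run_snort "${1:-}"
fi
```

Run it as `SNORT_MAC_RUN=1 sh snort-mac.sh en0`; sourcing the file only defines the functions. Two caveats from the steps themselves: the afpacket line is omitted on purpose because that DAQ module is Linux-only and was built out above, and the Snort tarball should be fetched with certificate verification left on rather than `--no-check-certificate`, since that archive is code that will later run as root.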