Snort 2.6 BETA on FreeBSD

This week Sourcefire released Snort 2.4.4 and Snort 2.6 BETA. Because the a ports tree freeze is in effect in preparation for FreeBSD 5.5 and 6.1, the Snort port will not be updated to 2.4.4 soon. If you want to install 2.4.4 using the ports tree, make the following changes to /usr/ports/security/snort/Makefile:

orr:/usr/ports/security/snort$ diff Makefile.orig Makefile
9,10c9,10
< PORTVERSION=  2.4.3
< PORTREVISION= 1
---
> PORTVERSION=  2.4.4
> #PORTREVISION=        1

Make these changes to distinfo:

orr:/usr/ports/security/snort$ diff distinfo.orig distinfo
1,6c1,3
< MD5 (snort-2.4.3.tar.gz) = 5c3c8c69f2459bbe0c1f2057966c88a7
< SHA256 (snort-2.4.3.tar.gz) = 4f3aa911234a9fc4beb5ba9b0fe88f1e3af0fcbfe84d4448415f049b9791bc65
< SIZE (snort-2.4.3.tar.gz) = 2733590
< MD5 (snort-2.4.3.tar.gz.sig) = 680b271bb3fe67bd28d41d5a3886865a
< SHA256 (snort-2.4.3.tar.gz.sig) = a7fa680662124e6f95eb87b88e09a0ec7ae394f6845f4a1eada4626066da12d0
< SIZE (snort-2.4.3.tar.gz.sig) = 65
---
> MD5 (snort-2.4.4.tar.gz) = fe82febd153e121369788b3aaa05d415
> SHA256 (snort-2.4.4.tar.gz) = 9d34822e68d6c5bfd98c41f14bf9185424691824b220d70366c40f0477e9d9a7
> SIZE (snort-2.4.4.tar.gz) = 2825060

You can then build the port with 'make', 'make install', and end up running Snort 2.4.4.:

$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.4 (Build 28) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
 NOTE: Snort's default output has changed in version 2.4.1!
       The default logging mode is now PCAP, use "-K ascii" to activate
       the old default logging mode.

To try Snort 2.6 BETA, you'll need to follow these steps. First, you need the devel/automake19, devel/libtool15, and devel/autoconf259 installed.

Now check out the Snort BETA from CVS.

cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login
cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot co -r SNORT_2_6 snort
cd snort

Make the following changes to autojunk.sh:

orr:/home/richard/snort$ diff autojunk.sh.orig autojunk.sh
3,7c3,7
< libtoolize --automake --copy
< aclocal -I m4
< autoheader
< automake --add-missing --copy
< autoconf
---
> libtoolize15 --automake --copy
> aclocal19 -I m4 -I /usr/local/share/aclocal
> autoheader259
> automake19 --add-missing --copy
> autoconf259

These changes are needed because of the names used by the tools that build Snort, as shown by the following directory listings:

# ls -al /usr/local/bin/libtoolize*                                    
-r-xr-xr-x  1 root  wheel  10784 Feb  6 04:08 /usr/local/bin/libtoolize15
# ls -al /usr/local/bin/aclocal*
-r-xr-xr-x  1 root  wheel  19737 Feb  6 19:47 /usr/local/bin/aclocal19
# ls -al /usr/local/bin/autoheader*
-r-xr-xr-x  1 root  wheel  8141 Feb  6 17:55 /usr/local/bin/autoheader259
# ls -al /usr/local/bin/automake*
-r-xr-xr-x  1 root  wheel  222000 Feb  6 19:47 /usr/local/bin/automake19
# ls -al /usr/local/bin/autoconf*
-r-xr-xr-x  1 root  wheel  7672 Feb  6 17:55 /usr/local/bin/autoconf259

You've got to make one more change, to src/dynamic-plugins/sf_engine/Makefile.am. Change the two instances of 'cp $< $@' to 'cp $? $@' as shown below.

orr:/home/richard/snort/src/dynamic-plugins/sf_engine$ diff Makefile.am.orig Makefile.am
28c28
<       cp $< $@
---
>       cp $? $@
31c31
<       cp $< $@
---
>       cp $? $@

When these changes are made, run 'sh autojunk.sh' from the snort directory. You'll see some errors, but they are not fatal.

orr:/home/richard/snort$ sh autojunk.sh
configure.in:170: warning: underquoted definition of SN_CHECK_DECL
  run info '(automake)Extending aclocal'
  or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
configure.in:203: warning: underquoted definition of SN_CHECK_DECLS
configure.in:303: warning: underquoted definition of FAIL_MESSAGE
/usr/X11R6/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/local/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/local/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/local/share/aclocal/ao.m4:9: warning: underquoted definition of XIPH_PATH_AO
/usr/local/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB

After that, run the following:

./configure
make 
make install

Remember you'll probably want to run 'make install' as root.

When done, Snort 2.6 BETA will be installed.

orr:/home/richard/snort$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 48)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.

Let us know how you find Snort 2.6. Thank you to Steven Sturges from Sourcefire for getting this to work for me!

Comments

Post a Comment

Popular posts from this blog

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti...
Read more

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technica...
Read more