Snort 2.6 BETA on FreeBSD

This week Sourcefire released Snort 2.4.4 and Snort 2.6 BETA. Because the a ports tree freeze is in effect in preparation for FreeBSD 5.5 and 6.1, the Snort port will not be updated to 2.4.4 soon. If you want to install 2.4.4 using the ports tree, make the following changes to /usr/ports/security/snort/Makefile:

orr:/usr/ports/security/snort$ diff Makefile.orig Makefile

Make these changes to distinfo:

orr:/usr/ports/security/snort$ diff distinfo.orig distinfo
< MD5 (snort-2.4.3.tar.gz) = 5c3c8c69f2459bbe0c1f2057966c88a7
< SHA256 (snort-2.4.3.tar.gz) = 4f3aa911234a9fc4beb5ba9b0fe88f1e3af0fcbfe84d4448415f049b9791bc65
< SIZE (snort-2.4.3.tar.gz) = 2733590
< MD5 (snort-2.4.3.tar.gz.sig) = 680b271bb3fe67bd28d41d5a3886865a
< SHA256 (snort-2.4.3.tar.gz.sig) = a7fa680662124e6f95eb87b88e09a0ec7ae394f6845f4a1eada4626066da12d0
< SIZE (snort-2.4.3.tar.gz.sig) = 65
> MD5 (snort-2.4.4.tar.gz) = fe82febd153e121369788b3aaa05d415
> SHA256 (snort-2.4.4.tar.gz) = 9d34822e68d6c5bfd98c41f14bf9185424691824b220d70366c40f0477e9d9a7
> SIZE (snort-2.4.4.tar.gz) = 2825060

You can then build the port with 'make', 'make install', and end up running Snort 2.4.4.:

$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.4.4 (Build 28)
'''' By Martin Roesch & The Snort Team:
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.

To try Snort 2.6 BETA, you'll need to follow these steps. First, you need the devel/automake19, devel/libtool15, and devel/autoconf259 installed.

Now check out the Snort BETA from CVS.

cvs login
cvs co -r SNORT_2_6 snort
cd snort

Make the following changes to

orr:/home/richard/snort$ diff
< libtoolize --automake --copy
< aclocal -I m4
< autoheader
< automake --add-missing --copy
< autoconf
> libtoolize15 --automake --copy
> aclocal19 -I m4 -I /usr/local/share/aclocal
> autoheader259
> automake19 --add-missing --copy
> autoconf259

These changes are needed because of the names used by the tools that build Snort, as shown by the following directory listings:

# ls -al /usr/local/bin/libtoolize*
-r-xr-xr-x 1 root wheel 10784 Feb 6 04:08 /usr/local/bin/libtoolize15
# ls -al /usr/local/bin/aclocal*
-r-xr-xr-x 1 root wheel 19737 Feb 6 19:47 /usr/local/bin/aclocal19
# ls -al /usr/local/bin/autoheader*
-r-xr-xr-x 1 root wheel 8141 Feb 6 17:55 /usr/local/bin/autoheader259
# ls -al /usr/local/bin/automake*
-r-xr-xr-x 1 root wheel 222000 Feb 6 19:47 /usr/local/bin/automake19
# ls -al /usr/local/bin/autoconf*
-r-xr-xr-x 1 root wheel 7672 Feb 6 17:55 /usr/local/bin/autoconf259

You've got to make one more change, to src/dynamic-plugins/sf_engine/ Change the two instances of 'cp $< $@' to 'cp $? $@' as shown below.

orr:/home/richard/snort/src/dynamic-plugins/sf_engine$ diff
< cp $< $@
> cp $? $@
< cp $< $@
> cp $? $@

When these changes are made, run 'sh' from the snort directory. You'll see some errors, but they are not fatal.

orr:/home/richard/snort$ sh warning: underquoted definition of SN_CHECK_DECL
run info '(automake)Extending aclocal'
or see warning: underquoted definition of SN_CHECK_DECLS warning: underquoted definition of FAIL_MESSAGE
/usr/X11R6/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/local/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/local/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/local/share/aclocal/ao.m4:9: warning: underquoted definition of XIPH_PATH_AO
/usr/local/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB

After that, run the following:

make install

Remember you'll probably want to run 'make install' as root.

When done, Snort 2.6 BETA will be installed.

orr:/home/richard/snort$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 48)
'''' By Martin Roesch & The Snort Team:
(C) Copyright 1998-2005 Sourcefire Inc., et al.

Let us know how you find Snort 2.6. Thank you to Steven Sturges from Sourcefire for getting this to work for me!


Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics