Install snort 2.9 on RHEL 5

By | October 28, 2010

I was trying to install snort 2.9 on my RHEL 5.5 system. Initially I tried to install the snort RPM downloaded from http://www.snort.org/downloads/265, but that failed with an error that libpcap>=1.0.0 is required to install snort 2.9. I checked my libpcap version with the command ‘rpm -qa|grep libpcap’ and found that libpcap-0.9.4 was installed on my system. After a bit of googling and trial and error, I arrived at the following steps to install snort-2.9 on my RHEL 5.5 system.

step1. Downloaded libpcap-1.1.1 from http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz and uncompressed it in /usr/local/src folder.
step2. Move into /usr/local/src/libpcap-1.1.1
root#cd /usr/local/src/libpcap-1.1.1
step3. Install libpcap in /usr/lib
root#./configure --prefix=/usr
root#make
root#make install

step4. Downloaded daq from http://www.snort.org/downloads/263 and uncompressed it in /usr/local/src folder.
step5. Move into /usr/local/src/daq-0.2
root#cd /usr/local/src/daq-0.2
step6. install daq-0.2
root#./configure
root#make
root#make install

step7. Downloaded snort-2.9 from http://www.snort.org/downloads/269 and uncompressed it in /usr/local/src folder.
step8. Move into /usr/local/src/snort-2.9
root#cd /usr/local/src/snort-2.9
step9. ./configure --with-mysql
step10. make
step11. make install

I followed the steps given above and snort-2.9 was successfully installed on RHEL 5.
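
A pre-flight check for the libpcap >= 1.0.0 requirement described above, added here as an example; it is not part of the original post. The function names and the directory list in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find every libpcap shared
# object in the given directories and compare it with the minimum version.

# version_ge A B: true when dotted version A >= B, compared numerically.
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# list_libpcap DIR...: print "VERSION PATH" for each libpcap.so.<digits.dots>.
list_libpcap() {
    for _d in "$@"; do
        for _f in "$_d"/libpcap.so.*; do
            [ -e "$_f" ] || continue
            _v=${_f##*/libpcap.so.}
            case $_v in ''|*[!0-9.]*) continue ;; esac
            echo "$_v $_f"
        done
    done
}

# check_libpcap MIN DIR...: returns 0 if every copy found is >= MIN,
# 1 if no copy is >= MIN, 2 if a copy >= MIN coexists with an older one
# (the situation commenters on this page resolved by removing 0.9.4).
check_libpcap() {
    _min=$1; shift
    _ok=0; _old=0
    while read -r _v _f; do
        [ -n "$_v" ] || continue
        if version_ge "$_v" "$_min"; then _ok=1; echo "ok   $_v $_f"
        else _old=1; echo "OLD  $_v $_f"; fi
    done <<EOF
$(list_libpcap "$@")
EOF
    [ "$_ok" -eq 1 ] || return 1
    [ "$_old" -eq 0 ] || return 2
    return 0
}

# Directory list is supplied by the caller, e.g. (assumed RHEL 5 locations):
#   sh check_libpcap.sh /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib
if [ "$#" -gt 0 ]; then check_libpcap 1.0.0 "$@"; fi
```

Because rpm only tracks packaged files, ‘rpm -qa|grep libpcap’ keeps reporting the RPM version after a source build; this check looks at the library files themselves.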


49 thoughts on “Install snort 2.9 on RHEL 5”

  1. unixbhaskar

    It would be great if you also mentioned the steps to check how snort is working through an example.

    Anyway keep up the good work mate.

    Cheers!

    Reply
  2. Anonymous

    Got this error when I am trying to install libpcap-1.1.1
    [root@ libpcap-1.1.1]# ./configure
    checking build system type... i686-pc-linux-gnu
    checking host system type... i686-pc-linux-gnu
    checking target system type... i686-pc-linux-gnu
    checking for gcc... no
    checking for cc... no
    checking for cl.exe... no
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details.

    Reply
  3. vishesh

    You should install gcc first by
    root#yum install gcc
    A C compiler is compulsory if you compile source code.
    If there are any more errors, let me know

    Reply
  4. John Lindley

    Great article! I was banging my head trying to figure this out and there isn't anywhere out there with ALL the information… One thing you didn't mention that I found out was that you need to remove the yum/rpm version of libpcap prior to compiling the new one.

    Reply
  5. Anonymous

    I had to install gcc gcc-g++ and compile libdnet-1.12 before performing these steps

    Reply
  6. Anonymous

    I had to create a symlink to the libpcap library in /lib before daq would see it. I kept getting the same error even after using --prefix=/usr

    This resolved it.

    ln -s /usr/lib/libpcap.so.1.1.1 /lib/libpcap.so.1.1.1

    Reply
  7. vishesh

    Download & install libpcap-1.1.1 from tcpdump.org; its compilation giving an error means gcc is not installed

    Reply
  8. Anonymous

    I already installed it.. but it still has an error…
    It is like this..
    [root@snort daq-0.5]# make
    make: *** No targets specified and no makefile found. Stop.
    [root@snort daq-0.5]# make install
    make: *** No rule to make target `install'. Stop.

    Reply
  9. Anonymous

    [root@snort daq-0.5]# yum install gcc
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * addons: centos.maulvi.net
    * base: centos.maulvi.net
    * extras: centos.maulvi.net
    * updates: centos.maulvi.net
    Setting up Install Process
    Package gcc-4.1.2-48.el5.x86_64 already installed and latest version
    Nothing to do

    What does it mean? Does that mean I have not installed gcc yet?

    Reply
  10. vishesh

    gcc is installed, so I think the make utility is not installed. Are you able to run the make command /usr/bin/make ?

    Reply
  11. vishesh

    /usr/bin/make, not /usr/bin/make/.
    Also ensure the MakeFile file is present in the daq-x directory.

    Reply
  12. Anonymous

    [root@snort daq-0.5]# dir
    aclocal.m4 config.h.in configure.ac install-sh Makefile.in sfbpf
    api config.log COPYING ltmain.sh missing
    ChangeLog config.sub daq.dsp m4 os-daq-modules
    config.guess configure depcomp Makefile.am README

    Reply
  13. Anonymous

    Yes.. before that.. I ran ./configure for daq-0.5 as per the manual.. but at the end there is an error because it cannot find libpcap library-1.0.0… but I already installed it.. is that a daq problem or is the way I configured it wrong?

    Reply
  14. vishesh

    If configure gives an error, that means make will not work. Remove the already installed libpcap and then install libpcap-1.0

    Reply
  15. Anonymous

    OK.. I already installed libpcap-1.0.0, then after that I tried to install libpcap-1.1.1…

    Reply
  16. Anonymous

    But.. I already installed it. Before I installed libpcap-1.1.1
    I installed libpcap-1.0.0.. but I still face the same error…

    Reply
  17. Anonymous

    If I use libpcap-1.1.1.. then I should install daq.. but which version of daq supports libpcap-1.1.1??

    Reply
  18. Anonymous

    How about libpcap-1.1.1? Which version should I install? daq-0.4? Or daq-0.5?

    Reply
  19. Anonymous

    I use libpcap-1.0.0, so which version of daq should I install?

    Reply
  20. Anonymous

    After I registered and got the oinkcode, what should I do after that? What does it mean that snort runs in 3 modes?

    Reply
  21. vishesh

    Snort can run
    as a simple packet logger, meaning it can act like the tcpdump command,
    as a NIDS (Network intrusion detection system)
    and
    as a Host Intrusion detection system

    Reply
  22. vishesh

    It depends upon your network design. With a generic network design you may need two network cards.

    Reply
  23. Anonymous

    Then.. after putting in the network card.. what should I do? Any configuration?

    Reply
  24. Anonymous

    Why can't I create groupadd snort after installing snort?

    Reply
  25. Anonymous

    [root@snort snort-2.9.0.4]# groupadd snort
    bash: groupadd: command not found…

    Can anyone please explain to me how to solve this problem??

    Reply
  26. vishesh

    Try the command
    /usr/sbin/groupadd
    Maybe the path is not included in the PATH environment variable.

    Reply
  27. Anonymous

    [root@snort ~]# cd /usr/local
    [root@snort local]# cd snort-2.9.0.4
    [root@snort snort-2.9.0.4]# groupadd snort
    bash: groupadd: command not found

    Reply
  28. Anonymous

    I found that installing on CentOS required:
    ./configure --prefix=/usr

    when installing DAQ

    Reply
  29. Anonymous

    None of the prefix settings for ./configure worked for me. I found that DAQ was checking for libpcap = 1.0.0 NOT >= 1.0.0

    When I installed 1.0.0 from source, in the exact same way as 1.1.1, it worked. Modifying the configure will fix the problem.

    Reply
  30. Anonymous

    Please tell me how to configure snort with mysql, base

    Reply
  31. Anonymous

    I have been having this problem for the last week. I have tried both of the 2 latest Ubuntu versions, 32bit and 64bit; Fedora 15 32 and 64 bit, CentOs 5.7 32 and 64 bit – nothing works.

    Snort.org has these stupid install guides that don't mention these problems.

    At this point I think Snort is unusable. I have used Snort on and off for 8+ years. I have never had any issues. Now I can't even get DAQ compiled. What a f-ing joke.

    I believe there is a reason for this – Sourcefire wants you to buy their commercial product. You go on Snort's mailing list and the Sourcefire rep, although he appears to be helpful, gives 1 word or 1 sentence answers to your questions.

    I personally am going to go back to a pre-DAQ version of Snort and try my hand at that.

    Reply
  32. Gauthami

    Hi, I have installed daq-0.6.2 on rhel5.6 64bit

    My configuration was done successfully

    Build AFPacket DAQ module.. : yes
    Build Dump DAQ module...... : yes
    Build IPFW DAQ module...... : yes
    Build IPQ DAQ module....... : yes
    Build NFQ DAQ module....... : yes
    Build PCAP DAQ module...... : yes

    and when I run the make command I get this error

    daq_nfq.c: In function ‘nfq_daq_initialize’:
    daq_nfq.c:346: error: ‘SOL_NETLINK’ undeclared (first use in this function)
    daq_nfq.c:346: error: (Each undeclared identifier is reported only once
    daq_nfq.c:346: error: for each function it appears in.)
    daq_nfq.c:346: error: ‘NETLINK_NO_ENOBUFS’ undeclared (first use in this function)
    daq_nfq.c: In function ‘SetPktHdr’:
    daq_nfq.c:395: warning: passing argument 2 of ‘nfq_get_payload’ from incompatible pointer type
    make[2]: *** [libdaq_static_modules_la-daq_nfq.lo] Error 1
    make[2]: Leaving directory `/usr/daq-0.6.2/os-daq-modules'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/usr/daq-0.6.2'
    make: *** [all] Error 2

    Please correct me where I am going wrong..
    Thanks in advance
    gautt

    Reply
  33. Anonymous

    Hi,

    Installing on centos 5.7 64-bit, I've gotten as far as the second to last step but I am then stopped by this error:

    /usr/bin/ld: skipping incompatible /usr/lib/mysql/libmysqlclient.so when searching for -lmysqlclient
    /usr/bin/ld: skipping incompatible /usr/lib/mysql/libmysqlclient.a when searching for -lmysqlclient
    /usr/bin/ld: cannot find -lmysqlclient

    Also I don't know if the libpcap install was successful even though no errors were noticed when compiling libpcap 1.1.1:
    [root@kaf-dalet ~]# rpm -qa|grep libpcap
    libpcap-0.9.4-15.el5

    Please tell me where I might've gone wrong.

    Thank you

    bozhe

    Reply
  34. Anonymous

    error ERROR! Libpcap library version >= 1.0.0 not found

    I was getting the following error during daq installation.

    removing the libpcap-0.9.4 solved my problem.

    Reply
  35. Anonymous

    Hey Gauthami,
    I am facing the same issue.
    Did you resolve yours? Please let me know how you have done it?

    Reply
  36. Dhiera op

    How to configure snort inline (ips) on ubuntu 12.04? Please help me…. thanks…

    Reply
  37. Dhiera op

    How to configure snort inline (ips) on ubuntu 12.04? Please help me… thanks….

    Reply
  38. Vishesh Kumar

    Did you try to install? Let us know what kind of error you are getting

    Reply
  39. Daniel Butler

    After trying lots of permutations of the above I found the following worked for me:

    INSTALL PREREQUISITES

    yum -y install flex byacc bison pcre-devel libdnet-devel zlib-devel

    INSTALL LATEST LIBPCAP

    cd
    wget http://www.tcpdump.org/release/libpcap-1.5.3.tar.gz
    tar -xf libpcap-1.5.3.tar.gz
    mv libpcap-1.5.3 /usr/local/src/
    cd /usr/local/src/libpcap-1.5.3
    ./configure --prefix=/usr
    make
    make install
    /sbin/ldconfig

    INSTALL DAQ AND SNORT

    cd
    wget http://www.snort.org/dl/snort-current/daq-2.0.1.tar.gz -O daq-2.0.1.tar.gz
    tar -xf daq-2.0.1.tar.gz
    cd daq-2.0.1
    ./configure
    cd os-daq-modules
    make
    cd ..
    make
    make install

    cd
    wget http://www.snort.org/dl/snort-current/snort-2.9.5.6.tar.gz -O snort-2.9.5.6.tar.gz
    tar -xf snort-2.9.5.6.tar.gz
    cd snort-2.9.5.6
    ./configure
    make
    make install

    Reply
