Retrieving Source Files

Any time you are going to be downloading source code, it’s a good idea to settle on a standard place to put it. Many online guides suggest creating a temporary directory under your home directory or even the Linux root folder (something like “/root/temp”), with the assumption that you’ll delete the downloaded source files once you’re done with them. There’s nothing wrong with this approach, although conventional Unix/Linux wisdom has long held that source files belong in the /usr/src directory that already exists by default in most Linux distributions. In any case, the first step is to open a terminal session (also called a “shell”), elevate privileges to root so you can run administrative commands, and either create and move to a directory for your downloaded packages or go to the existing src directory.

  1. Open a terminal session, which should result in a window with a user command prompt: $
  2. At the prompt, log in as root (superuser) by typing: $ sudo su
  3. Enter your user account password (in Ubuntu it is not necessary to create a separate root password). Once you are logged in as root, the prompt character should change from $ to #
  4. Change to the source directory: # cd /usr/src
  5. Create a temporary directory: # mkdir snorttemp
  6. Change to the temporary directory you just created: # cd snorttemp
  7. Confirm you are in the intended location: # pwd

Now it’s time to get the source files from www.snort.org. There are three things we want to download: the source code for Snort itself, the data acquisition library, and the rules files. To get these files, we will use the Linux wget command, which retrieves a file from any location we specify into the current directory. There is an alternative to wget – if you prefer, you can use the Firefox web browser from the Ubuntu desktop, browse to Snort.org, and download the files using the browser. With this method, the files land in the user’s desktop directory (/home/<username>/desktop) or Downloads directory (/home/<username>/Downloads), and you will need to move them from there to the src directory or whatever location you intend to run the installation commands from. These instructions use the wget approach so that everything arrives in the working location and the whole procedure stays in the terminal shell, rather than switching back and forth between the command line and the graphical desktop (if you install Snort on a Linux server instance rather than the desktop version, the command line is the only approach available).

Note: If you read over the Snort web site, particularly the Downloads page, you will also find links to various third-party tools that complement Snort, including Barnyard2. Barnyard is a program that receives Snort output in unified2 binary format and then writes that output to any of a number of target formats and destinations, including a logging database such as MySQL. By taking over the database writing functions from Snort, Barnyard allows Snort to allocate more resources to detection and fewer to logging output, and is therefore recommended by Sourcefire to maximize Snort performance in terms of processing speed. Separate instructions are provided for installing and setting up Barnyard2.

To know where to tell wget to look, we need to go to Snort.org and find the URLs for the files we want. Please note: two of the three available Snort rulesets (registered and subscriber) require you to be a registered user on Snort.org so you can generate an “oinkcode” to use when downloading and updating rules. There is also a community ruleset that does not require user registration, but it also does not include rules for the most recent vulnerabilities addressed by the Sourcefire team. To generate an oinkcode, log in to Snort.org, click on your username at the top right of the screen, and click on the “Oinkcode” link in the left-hand navigation menu. Bear in mind that an oinkcode is a long string of characters, and that many Linux distributions don’t allow pasting into the command line, so you will want to transcribe it carefully from the web page where it is shown to the command line you are working on.

  1. Get the latest version of Snort: # wget http://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
  2. Get the latest version of the rules (this URL is for the registered user release): # wget http://www.snort.org/downloads/registered/snortrules-snapshot-2990.tar.gz/<oinkcode> -O snortrules-29111.tar.gz (the part of this command starting with -O saves the rules package under a somewhat simpler filename)
  3. Get the Data Acquisition Library: # wget http://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
  4. Get the libdnet dumb networking library: # wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
  5. Get the latest version of Barnyard2: # wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
  6. Confirm the five zipped tar files are now in your working directory: # ls
  7. Extract the files from the DAQ package: # tar -xzvf daq-2.0.6.tar.gz
  8. Extract the files from the libdnet package: # tar -xzvf libdnet-1.12.tgz
  9. Extract the files from the Snort package: # tar -xzvf snort-2.9.11.1.tar.gz
  10. Extract the rules files from the package: # tar -xzvf snortrules-29111.tar.gz
  11. Extract the files from the Barnyard2 package: # tar -xzvf v2-1.13.tar.gz
  12. If you list the directory contents again, you should see nine new folders alongside the package files in your working directory: one for each program package you extracted (named the same as the package but without the extension, except for Barnyard2, which extracts into a directory named “barnyard-2-2-1.13”), and four directories associated with Snort and its rules (etc, rules, so-rules, and preproc-rules).
  13. Optionally, you can delete the packages using the Linux remove command, such as: # rm snort-2.9.11.1.tar.gz
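
The two procedures above (creating the working directory, then downloading and extracting the packages) can be scripted, and a step worth adding is to verify each tarball against the SHA-256 published on the project's download page before extracting it, since the snort.org URLs above are plain http and give no transport integrity. The script below is an added example, not part of the original guide; the checksum values, the WORKDIR default and the ~/.oinkcode file path are assumptions you will need to adjust.

```shell
#!/bin/sh
# Added example, not from the original guide: verify each downloaded tarball
# against a published SHA-256 before extracting it. The checksum values
# below are placeholders; take the real ones from each project's download page.
set -eu

WORKDIR="${WORKDIR:-/usr/src/snorttemp}"

# Print the SHA-256 digest of a file (first field of sha256sum output).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only when the file's digest matches the expected value.
verify_tarball() {
    actual="$(sha256_of "$1")"
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual" >&2
        return 1
    fi
}

# Extract a gzip tarball into $3 only after it verifies; a corrupted or
# tampered download is left unextracted so it never reaches ./configure.
extract_verified() {
    verify_tarball "$1" "$2" || return 1
    mkdir -p "$3"
    tar -xzf "$1" -C "$3"
}

# Fetch the rules with the oinkcode read from a mode-0600 file (assumed path)
# rather than typed on the command line, so it stays out of shell history.
fetch_rules() {
    code="$(cat "${OINKCODE_FILE:-$HOME/.oinkcode}")"
    wget -q "http://www.snort.org/downloads/registered/snortrules-snapshot-2990.tar.gz/$code" \
        -O "$WORKDIR/snortrules-29111.tar.gz"
}

# Network steps run only when invoked as: sh fetch_snort.sh fetch
if [ "${1:-}" = "fetch" ]; then
    mkdir -p "$WORKDIR"
    wget -q -P "$WORKDIR" http://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
    wget -q -P "$WORKDIR" http://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    fetch_rules
    extract_verified "$WORKDIR/snort-2.9.11.1.tar.gz" "PLACEHOLDER_SHA256_SNORT" "$WORKDIR"
    extract_verified "$WORKDIR/daq-2.0.6.tar.gz" "PLACEHOLDER_SHA256_DAQ" "$WORKDIR"
fi
```

Treat the oinkcode as a credential: it identifies your Snort.org account, so keep the file holding it readable only by root.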

This is all the source code we need to compile Snort and begin configuring it on a Linux system.