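#!/usr/bin/env bash
#
# Build and install Snort 2.9.x (with DAQ and LuaJIT) from source on an
# Ubuntu/Debian host, create the snort service account and /etc/snort tree,
# and point snort.conf (and pulledpork.conf, if present) at that tree.
#
# Usage: install-snort.sh [OINKCODE]
#   OINKCODE - snort.org oinkcode. Accepted for a later PulledPork step;
#              nothing in this script consumes it.
#
# Environment (optional overrides): SNORTVER, DAQVER, LUAJITVER
#
# Everything that touches /etc, /usr/local or /var is run through sudo;
# the source trees are built as the invoking user, not as root.
set -euo pipefail

readonly SNORTVER=${SNORTVER:-2.9.15}
readonly DAQVER=${DAQVER:-2.0.6}
readonly LUAJITVER=${LUAJITVER:-2.0.5}
readonly OINKCODE=${1:-}

readonly SNORT_DL=https://www.snort.org/downloads
# LuaJIT is fetched over TLS as well (the original used plain http).
readonly LUAJIT_DL=https://luajit.org/download

readonly SNORT_ETC=/etc/snort
readonly SNORT_RULES=$SNORT_ETC/rules

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install the toolchain and libraries DAQ and Snort build against.
#######################################
install_build_deps() {
  sudo apt-get update
  sudo apt-get install -y ethtool g++ build-essential \
    libpcap-dev libpcre3-dev libdumbnet-dev zlib1g-dev bison flex
}

#######################################
# Download a .tar.gz into $HOME and unpack it there.
# Arguments: $1 - URL of the tarball
# Outputs:   leaves the extracted tree under $HOME
# TODO(review): verify the publisher's checksum/signature of the archive
#               before unpacking; none are recorded here.
#######################################
fetch_tarball() {
  local url=$1
  local archive=${url##*/}
  cd "$HOME" || die "cannot cd to $HOME"
  # -O keeps the name stable on re-runs (wget would otherwise save a .1 copy
  # and tar would unpack the stale original).
  wget -O "$archive" "$url"
  tar -xf "$archive"
}

#######################################
# Build and install DAQ. Compile as the current user, install as root.
#######################################
build_daq() {
  fetch_tarball "$SNORT_DL/snort/daq-$DAQVER.tar.gz"
  cd "$HOME/daq-$DAQVER" || die "daq source tree missing"
  ./configure
  make
  sudo make install
}

#######################################
# Build and install LuaJIT (no configure step).
#######################################
build_luajit() {
  fetch_tarball "$LUAJIT_DL/LuaJIT-$LUAJITVER.tar.gz"
  cd "$HOME/LuaJIT-$LUAJITVER" || die "LuaJIT source tree missing"
  make
  sudo make install
}

#######################################
# Build and install Snort with the same configure flags as the original.
#######################################
build_snort() {
  fetch_tarball "$SNORT_DL/snort/snort-$SNORTVER.tar.gz"
  cd "$HOME/snort-$SNORTVER" || die "snort source tree missing"
  ./configure --enable-sourcefire --disable-open-appid
  make
  sudo make install
}

#######################################
# Make the freshly installed libraries visible and expose snort in /usr/sbin.
# An existing /usr/sbin/snort (e.g. a distro package) is left alone rather
# than clobbered.
#######################################
link_snort_binary() {
  sudo ldconfig
  [[ -e /usr/sbin/snort ]] || sudo ln -s /usr/local/bin/snort /usr/sbin/snort
}

#######################################
# Create the unprivileged snort group/user; idempotent on re-runs.
#######################################
create_snort_user() {
  getent group snort >/dev/null || sudo groupadd snort
  getent passwd snort >/dev/null \
    || sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
}

#######################################
# Create the config, rules, log and dynamic-rules directories owned by snort.
# Directories get 2775 (setgid keeps new files in the snort group); files get
# 664. The original applied 5775 recursively, which also set the setuid/setgid
# bits on the plain-text rule files.
#######################################
create_snort_dirs() {
  local d
  for d in "$SNORT_ETC" "$SNORT_RULES" "$SNORT_ETC/preproc_rules" \
      "$SNORT_ETC/so_rules" /var/log/snort /usr/local/lib/snort_dynamicrules; do
    sudo install -d -m 2775 -o snort -g snort -- "$d"
  done
  # Empty list files so snort.conf's reputation/local includes resolve.
  # Underscore names match the paths written into pulledpork.conf below.
  sudo touch "$SNORT_RULES/white_list.rules" "$SNORT_RULES/black_list.rules" \
    "$SNORT_RULES/local.rules"
  sudo chown -R snort:snort "$SNORT_ETC" /var/log/snort \
    /usr/local/lib/snort_dynamicrules
  sudo chmod -R u=rwX,g=rwX,o=rX "$SNORT_ETC"
}

#######################################
# Copy the stock *.conf* and *.map* files from the source tree into /etc/snort
# and keep a pristine copy of snort.conf. Must run via sudo: the target tree
# is owned by snort, so an unprivileged cp fails (the original's "permission
# is wrong" note).
#######################################
install_snort_config() {
  local src=$HOME/snort-$SNORTVER/etc
  sudo cp -- "$src"/*.conf* "$SNORT_ETC/"
  sudo cp -v -- "$src"/*.map* "$SNORT_ETC/"
  sudo cp -- "$SNORT_ETC/snort.conf" "$SNORT_ETC/snort.conf.orig"
  sudo chown snort:snort "$SNORT_ETC"/*.conf* "$SNORT_ETC"/*.map*
}

#######################################
# Point snort.conf at /etc/snort, disable every bundled rule include, then
# re-enable only local.rules. One sed invocation, edited in place; '|' is the
# delimiter because every replacement contains '/'. Patterns are anchored so
# already-commented lines are not turned into '##include'.
#######################################
configure_snort_conf() {
  local conf=$SNORT_ETC/snort.conf
  sudo sed -i \
    -e 's|^include \$RULE_PATH|#include $RULE_PATH|' \
    -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
    -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
    -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
    -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules|' \
    -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules|' \
    -e 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' \
    "$conf"
}

#######################################
# Optional: drop the snort.org community rules into the rules directory.
# They are not wired into snort.conf here (same as the original).
#######################################
install_community_rules() {
  cd "$HOME" || die "cannot cd to $HOME"
  wget -O community-rules.tar.gz "$SNORT_DL/community/community-rules.tar.gz"
  # --no-same-owner: root extracting would otherwise keep the archive's uids.
  sudo tar --no-same-owner -xf community-rules.tar.gz -C "$SNORT_RULES/"
  sudo chown -R snort:snort "$SNORT_RULES"
}

#######################################
# Point pulledpork.conf at the /etc/snort tree. This script does not install
# PulledPork, so the file only exists if something else put it there; skip
# with a warning otherwise instead of failing. Only keys at column 0 are
# rewritten, so commented-out examples in the file are left untouched.
#######################################
configure_pulledpork() {
  local conf=$SNORT_ETC/pulledpork.conf
  if [[ ! -f "$conf" ]]; then
    printf 'warn: %s not found; skipping PulledPork configuration\n' "$conf" >&2
    return 0
  fi
  sudo sed -i \
    -e 's|^rule_path=.*|rule_path=/etc/snort/rules/snort.rules|' \
    -e 's|^local_rules=.*|local_rules=/etc/snort/rules/local.rules|' \
    -e 's|^sid_msg=.*|sid_msg=/etc/snort/sid-msg.map|' \
    -e 's|^sid_msg_version=.*|sid_msg_version=2|' \
    -e 's|^config_path=.*|config_path=/etc/snort/snort.conf|' \
    -e 's|^distro=.*|distro=Ubuntu|' \
    -e 's|^black_list=.*|black_list=/etc/snort/rules/black_list.rules|' \
    -e 's|^white_list=.*|white_list=/etc/snort/rules/white_list.rules|' \
    -e 's|^IPRVersion=.*|IPRVersion=/etc/snort/rules/|' \
    "$conf"
}

main() {
  install_build_deps
  build_daq
  build_luajit
  build_snort
  link_snort_binary
  create_snort_user
  create_snort_dirs
  install_snort_config
  configure_snort_conf
  install_community_rules
  configure_pulledpork
}

main "$@"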