Installing Snort 3.0.0 Alpha

Monday, May 21 2007 @ 05:09 PM EDT

Contributed by: Admin

I recently took the challenge to try out the new Snort 3.0 alpha that Marty Roesch released upon the world. I was glad to see a new version of this tool available and was eager to see it work. I have had extensive use of Snort over the years and cannot say I'm quite happy with the current 2.6.x.x builds. They are, however, very good working builds and are capable of doing what they're configured for, but they seem overly complex for the job at hand.

Honestly, I can say that the instructions are very good for installing, but like most people... who follows instructions? Don't we all want to trailblaze?

At the time I was running Ubuntu 6.06 and getting ready to upgrade to 7.04, and I decided to do the upgrade before I tried to build Snort. I had a current 2.6.x build installed and also a 2.7.0.1 beta, both of which were working. I removed the 2.6 build and left the 2.7 beta1, which managed to work with a bit of fixing.

After confirming this was fine, I did a complete image backup of the computer. This ensures I can reload the image to disk and reboot the computer immediately. In fact I use disk partitions, but I think you get the idea. This is my saving and backup method of choice. I use Restorer 2000 Pro Net to perform these tasks to a networked storage box. Restorer also allows you to mount images to partially restore or to test backups. Image backups can be quite handy, let alone time saving.

Well, I decided to pop in the 7.04 CD and start the upgrade process. What? No upgrade process? Cheap buggers; well, I'll just have to make my own. Using the Synaptic Package Manager, I ran a full upgrade check and compared against the latest versions on the CD-ROM. Then I forced it to apply all upgrades.

This got about 25% of the way and then failed fatally with an error I don't recall. The system now boots, but not completely, and even though to some degree I can use it, really it's not usable.

So, back to the drawing board: I restored the original partition and decided to do the proper upgrade to 6.10 first. This worked very well. I was so happy with myself that I made another backup after successfully using my 6.10 installation. Then I went ahead and did the 7.04 upgrade. This also worked very well. Afterwards, while enjoying my new Ubuntu package, I recalled that I was doing this for my Snort alpha testing!

Back to work: I got the Snort alpha copied over to this box using wget, awesome. Unpacking the tar.gz, I reviewed the README to discover I need Lua, libdnet and UUID in addition to libpcap. Well, I have libpcap working fine, as I have Snort 2.7 working fine. OK, so I need to get Lua and libdnet (at this point) for sure, since I'm pretty confident I have e2fsprogs installed fine (which was the recommended means to get the UUID stuff). I attempted to get the source for Lua and compile it, but I got stupid errors with readline. I realized the readline *-dev package doesn't match the version of the installed readline package and as a consequence doesn't want to compile nice and easy.

Cursing, I decided I would either figure out how to get readline to compile or find out how to revert to an older libdnet/Lua. Then I remembered that Marty mentioned that it worked with 6.10, so I figured that release must have had matching revisions of these packages and their devel counterparts! So I went back to the 6.10 install and tried the same thing. This was a better success, but I still ended up encountering errors with libdnet. This was befuddling, but this time the errors were specifically about finding the files that 'should' be there. Guess what? They weren't. I hadn't installed the devel packages, so I realized that I needed to actually 'make' these installs instead of using Synaptic.

While I was running around looking for the actual downloads, I noticed the '3rdparty' directory in the Snort package, which actually includes both these tar files. Sure, let's use these. First I did libdnet and it worked fine. I attempted to make Snort again, and it still didn't work, but this time I had no errors on libdnet. So I went ahead and made Lua from the Snort package and then attempted to make Snort. It got past Lua and then found a new complaint.

This time it complained about UUID. In fact I did not have the UUID headers and again was dumbfounded over the missing headers. A quick Google, however, turned up a forum for some other product with a similar problem, with everyone complaining about having to download the entire e2fsprogs-devel package to get them. Someone then stated that the uuid-dev package has them (for Debian) and had recently been added to the third-party repos for this very reason. A quick 'sudo apt-get install uuid-dev' did the trick for me, I'm quite happy to say.

After this I completed the make of Snort and was able to quickly start testing it out.

It looks to have some very effective ways to process traffic, but I have only finished the suggestions in the README. I'm curious to see how well it develops into a future version. Using Lua was a big concern for me, but it really doesn't seem to be causing any resounding concerns. I've become accustomed to it for now, but I'm not actually using it for development either. Hopefully I'll update my experiments with it in short order.

For now, Snort 3.0.0.a1.4 gets a thumbs up as a usable alpha program; now back to testing!



James Friesen Net
http://jamesfriesen.net/article.php/20070521170936776