
Installing Snort on Ubuntu

Published: 2017-03-03 14:47:57  Source: linux website  Author: 乐乐敲代码
1. Download the following software from this link:
https://www.snort.org/downloads#snort
 
2. Unpack the daq source tarball. Building daq directly at this point fails with errors about all sorts of missing dependencies, so install the dependencies first: bison, flex and libpcap (the installation procedure is given in the appendix below).
 
3. Build and install daq: enter the unpacked directory and run ./configure
 
4. If the following error appears, download pcre-8.40.tar.gz from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/, unpack it, then build and install it:
# ./configure
# make
# make check
# make install
Original error text:
checking pcre.h usability… no 
checking pcre.h presence… no 
checking for pcre.h… no 
ERROR!  Libpcre header not found.
Get it from http://www.pcre.org
 
5. Go back to the daq directory and run ./configure again; if the output looks like the following, configuration succeeded:
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no
 
6. Build: sudo autoreconf -ivf  (if autoreconf is not available, install it with sudo apt-get install autoconf automake libtool)
Install: sudo make
sudo make install
 
7. Enter the snort directory and first install libdumbnet-dev and zlib1g-dev:
sudo apt-get install libdumbnet-dev zlib1g-dev
 
8. Build and install snort
./configure --enable-sourcefire
sudo autoreconf -ivf
sudo make
sudo make install
snort is installed into the following locations:
snort: /usr/local/bin/snort /usr/local/lib/snort
 
9. Start snort
Running sudo snort gives the error:
/usr/local/nginx/sbin/nginx: error while loading shared libraries: libpcre.so.1: cannot open shared object file: No such file or directory
Add a symbolic link:
sudo find / -type f -name '*libpcre.so.*'
sudo ln -s /lib/libpcre.so.0.0.1 /lib/libpcre.so.1
 
10. Snort starts successfully
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eno16777736".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o"  )~   Version 2.9.8.0 GRE (Build 229) 
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.35 2014-04-04
Using ZLIB version: 1.2.8
Commencing packet processing (pid=47760)
 
Appendix: installing libpcap on Ubuntu
1. Download the latest versions of flex, bison, GNU M4 and libpcap from ftp://ftp.gnu.org/gnu/ and the following links:
ftp://ftp.gnu.org/gnu/bison/
ftp://ftp.gnu.org/gnu/m4/
http://sourceforge.net/projects/flex/files/
http://www.tcpdump.org/release/
2. Unpack each package (note: in a virtual machine, unpack them somewhere other than a Windows shared folder).
Enter the directory holding the downloaded files and unpack the four packages: tar -zxvf libpcap-1.2.1.tar.gz      (tar -zxvf <file to unpack>)
3. In each of the m4-**, bison-**, flex-** and libpcap-** directories, run in turn:
sudo ./configure
sudo make
sudo make install
4. The build succeeds, but at run time the program complains that it cannot find libpcap.so.1, because libpcap.so.1 is installed under /usr/local/lib by default; a symbolic link into /usr/lib/ fixes this. (I covered the ln command in my Linux commands post.)
Without the link you get a NO SUCH FILE OR DIRECTORY error.
The link can be created as follows:
① Find the path of libpcap.so.*: sudo find / -type f -name '*libpcap.so.*'
② The result is: /usr/local/lib/libpcap.so.1.8.1
③ Create the symbolic link: sudo ln -s /usr/local/lib/libpcap.so.1.8.1 /usr/lib/libpcap.so.1
5. Installation succeeded.
6. Compile: gcc simplesniffer.c -g -Wall -lpcap -o simplesniffer
7. Run: ./simplesniffer
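Both step 9 above and step 4 of this appendix fix a "cannot open shared object file" error with a hand-made symbolic link. The script below is an added example and not the post's own procedure: it extracts the missing soname from the loader message, searches a list of library directories for a file with the same name and major version, and warns instead of suggesting a link when only a different major version exists (libpcre.so.0.0.1 and libpcre.so.1 are different sonames, so the link in step 9 is something to check rather than copy). The function names, the directory list and the file names in the demo are all constructed for this example; on a real host the first-choice fix is to add /usr/local/lib to the loader search path with a file in /etc/ld.so.conf.d followed by ldconfig.

```shell
#!/bin/sh
# Added example, not from the original post. Given the loader's "cannot open
# shared object file" message, find where a matching library actually lives and
# refuse to suggest a link across different soname major versions.

# Pull the missing soname (e.g. libpcre.so.1) out of the loader's error line.
missing_soname() {
  printf '%s\n' "$1" | sed -n 's/.*error while loading shared libraries: \([^:]*\):.*/\1/p'
}

# Major version of a soname or real file name: libpcre.so.0.0.1 -> 0, libpcap.so.1.8.1 -> 1.
so_major() {
  printf '%s\n' "$1" | sed -n 's/.*\.so\.\([0-9][0-9]*\).*/\1/p'
}

# Library base name without the version suffix: libpcre.so.1 -> libpcre.
so_base() {
  printf '%s\n' "$1" | sed 's/\.so\..*$//'
}

# Print every file named <base>.so* under the given directories, one per line.
# Directories are passed in so the function can run against any tree; on a
# real host use /lib /usr/lib /usr/local/lib.
find_lib_candidates() {
  soname="$1"; shift
  base=$(so_base "$soname")
  for d in "$@"; do
    [ -d "$d" ] && find "$d" -name "${base}.so*" 2>/dev/null
  done
  return 0
}

# Print the first candidate whose major version equals the wanted soname's.
# Returns 1 (prints nothing) when no compatible file exists.
select_compatible() {
  soname="$1"; shift
  want=$(so_major "$soname")
  found=$(find_lib_candidates "$soname" "$@" | while IFS= read -r f; do
    if [ "$(so_major "$(basename "$f")")" = "$want" ]; then
      printf '%s\n' "$f"
      break
    fi
  done)
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Turn an error message plus a list of library directories into advice.
# Exit status: 0 compatible library found; 1 not found, or only a different
# major version; 2 the message is not a loader error at all.
suggest_fix() {
  msg="$1"; shift
  soname=$(missing_soname "$msg")
  [ -n "$soname" ] || { echo "not a shared-library loader error"; return 2; }
  if path=$(select_compatible "$soname" "$@"); then
    echo "found $path: add $(dirname "$path") to the loader path (a file in /etc/ld.so.conf.d plus ldconfig), or link it as $soname"
    return 0
  fi
  others=$(find_lib_candidates "$soname" "$@" | tr '\n' ' ')
  if [ -n "$others" ]; then
    echo "only a different major version is installed ($others); linking it as $soname is an ABI mismatch, install the matching version instead"
    return 1
  fi
  echo "$soname is not installed in any of the searched directories"
  return 1
}

# Constructed demo: two fake library trees standing in for /lib and
# /usr/local/lib, and the error text quoted in step 9 of the post.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/lib" "$tmp/usr/local/lib"
  : > "$tmp/lib/libpcre.so.0.0.1"            # the 0.x file the post linked as .so.1
  : > "$tmp/usr/local/lib/libpcre.so.1.2.8"  # constructed name for a 1.x build under /usr/local/lib
  msg='snort: error while loading shared libraries: libpcre.so.1: cannot open shared object file: No such file or directory'
  suggest_fix "$msg" "$tmp/lib" || :                   # only the 0.x file: mismatch warning, exit 1
  suggest_fix "$msg" "$tmp/lib" "$tmp/usr/local/lib"   # 1.x file found under /usr/local/lib, exit 0
  rm -rf "$tmp"
}

demo
```

The same check applies to the libpcap case in this appendix: libpcap.so.1.8.1 and libpcap.so.1 share major version 1, so there the link (or, better, an ldconfig entry for /usr/local/lib) is consistent.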
 
Permanent link to this article: http://www.linuxdiyf.com/linux/28868.html