Installing Snort on Red Hat

 

1. Download all of the software listed at the URL below:

http://www.snort.org/start/requirements

 

  • Libpcap
  • PCRE
  • Libdnet
  • Barnyard2
  • DAQ

Note to Windows users: If you’re downloading Snort binaries the only requirements are WinPcap and Barnyard.

Libpcap

In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets traveling over a network. libpcap and WinPcap also support saving captured packets to a file and reading files containing saved packets. Snort uses these files to read network traffic and analyze it.

For more information and to download please visit tcpdump

PCRE

Perl Compatible Regular Expressions (PCRE) is a regular expression C library inspired by Perl’s external interface, written by Philip Hazel. The PCRE library is incorporated into a number of prominent open-source programs such as the Apache HTTP Server, the PHP and R scripting languages, and Snort.

For more information and to download please visit PCRE

Libdnet

Libdnet is a generic networking API that provides access to several protocols.

For more information and to download please visit libdnet

Barnyard2

Barnyard is an output system for Snort. Snort creates a special binary output format called "unified". Barnyard2 reads this file, and then resends the data to a database back-end. Unlike the database output plugin, Barnyard2 manages the sending of events to the database and stores them when the database temporarily cannot accept connections.

For more information and to download please visit barnyard2

DAQ

DAQ is the Data-Acquisition API that is necessary to use Snort version 2.9.0 and above.

For more information and to download please visit DAQ


2. If you also want Apache, PHP, MySQL, Snort and ACID support, those packages need to be downloaded as well.

Reference: http://shenjianzhousx.blog.51cto.com/1627247/454480

3. While running ./configure for Snort, the following error appears:

ERROR! Libpcap library version >= 1.0.0 not found.

See:

https://forums.snort.org/forums/snort-newbies/topics/libpcap-not-found

First it is important to note that libpcap is found, just not a version that is >=1.0.0. Notice the message above the one you posted says "checking for pcap_lib_version" = "yes". Then the line you posted indicates a failure because libpcap is not recent enough:

checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... yes
checking for libpcap version >= "1.0.0"... no

ERROR! Libpcap library version >= 1.0.0 not found. Get it from http://www.tcpdump.org

It appears libpcap-1.1.1.tar.gz installs the library into /usr/local/lib. I tried to force daq to use that library as mentioned in the link Quiltface provided, but it did not work. This led me to look for another version of libpcap which may be the one that daq is inspecting. I ended up finding another version which was much older:

root@xxxx:# locate libpcap
/usr/lib/libpcap.a
/usr/local/lib/libpcap.a

root@xxxx:# ls -l /usr/lib/libpcap.a
-rw-r--r-- 1 root root 228262 2008-04-08 22:19 /usr/lib/libpcap.a

root@xxxx:# ls -l /usr/local/lib/libpcap.a
-rw-r--r-- 1 root root 293658 2011-01-01 22:37 /usr/local/lib/libpcap.a

I copied the new one over the old one and daq compiled and installed without issue:

root@xxxx:# cp /usr/local/lib/libpcap.a /usr/lib/

checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... yes
checking for libpcap version >= "1.0.0"... yes

4. When running Snort, it reports that rule files cannot be found: add the rules, or comment the offending lines out with "#".

For other errors, see: http://www.2cto.com/Article/201008/54546.html

 

 

I. Three problems that appeared when running # snort -c /usr/local/snort/etc/snort.conf:
1.
ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicengine/libsf_engine.so": No such file or directory.

Fatal Error, Quitting..
Cause: the directory holding /usr/local/lib/snort_dynamicengine/libsf_engine.so was not found.
Fix: create a symbolic link under /usr/local/lib to the snort_dynamicpreprocessor directory inside the lib directory of the Snort installation.
For example: ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor

2.
ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicengine/libsf_engine.so": No such file or directory.

Fatal Error, Quitting..
Cause: the directory holding /usr/local/lib/snort_dynamicengine/libsf_engine.so was not found.
Fix: create a symbolic link under /usr/local/lib to the snort_dynamicengine directory inside the lib directory of the Snort installation.
For example: ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine

3.
ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules/bad-traffic.so": No such file or directory.

Fatal Error, Quitting..
Cause: the directory holding /usr/local/lib/snort_dynamicrules/bad-traffic.so was not found.
Fix: create a symbolic link under /usr/local/lib to the so_rules/precompiled/Centos-5-4/i386/2.8.6.0 directory inside the Snort installation.
For example: ln -s /usr/local/snort/so_rules/precompiled/Centos-5-4/i386/2.8.6.0 /usr/local/lib/snort_dynamicrules
(Pick the directory that matches your actual operating system version and CPU type.)
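The three symlinks above are one procedure, so here is a small POSIX shell script that creates all of them in one go. It is an added example, not code from the original post or from the Snort project: it checks that each source directory exists before linking, refuses to overwrite an existing file or a link that points elsewhere, and afterwards verifies that the two .so files named in the error messages resolve through the new links. The arguments (the Snort prefix /usr/local/snort, the library directory /usr/local/lib and the precompiled so_rules directory) are assumptions taken from the paths used above.

```shell
# Added example (not from the original post or from Snort): create the three dynamic
# module symlinks from section I, with the checks a hand-typed "ln -s" does not do.
# Assumed layout: Snort prefix /usr/local/snort, modules expected under /usr/local/lib,
# precompiled so_rules directory for your OS/CPU/version (paths taken from section I).

# link_dynamic_dir SRC DEST: symlink DEST -> SRC.
# Returns 0 on success or if DEST already points at SRC, 1 otherwise.
link_dynamic_dir() {
    src=$1
    dest=$2
    if [ ! -d "$src" ]; then
        echo "missing source directory: $src" >&2
        return 1
    fi
    if [ -L "$dest" ]; then
        if [ "$(readlink "$dest")" = "$src" ]; then
            return 0                      # already linked correctly, nothing to do
        fi
        echo "$dest already points at $(readlink "$dest"), not touching it" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "$dest exists and is not a symlink, refusing to overwrite" >&2
        return 1
    fi
    ln -s "$src" "$dest"
}

# link_snort_dynamic_dirs PREFIX LIBDIR SO_RULES
# Creates the three links from section I, then checks that the two .so files named in
# the error messages resolve through them (a missing one is reported as a warning).
link_snort_dynamic_dirs() {
    prefix=$1
    libdir=$2
    so_rules=$3
    link_dynamic_dir "$prefix/lib/snort_dynamicpreprocessor" "$libdir/snort_dynamicpreprocessor" || return 1
    link_dynamic_dir "$prefix/lib/snort_dynamicengine" "$libdir/snort_dynamicengine" || return 1
    link_dynamic_dir "$so_rules" "$libdir/snort_dynamicrules" || return 1
    for f in "$libdir/snort_dynamicengine/libsf_engine.so" "$libdir/snort_dynamicrules/bad-traffic.so"; do
        [ -f "$f" ] || echo "warning: $f still not found, check the Snort build and the so_rules directory" >&2
    done
    return 0
}

# Usage (as root), with the paths from section I:
# link_snort_dynamic_dirs /usr/local/snort /usr/local/lib \
#     /usr/local/snort/so_rules/precompiled/Centos-5-4/i386/2.8.6.0
```

Running it a second time is harmless: links that already point at the right directory are accepted, and anything else in the way stops the script with a message instead of being replaced.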

II. While compiling and installing Snort, the following is reported:
ERROR: /usr/local/snort/etc/snort.conf(193) => Invalid keyword compress_depth for global configuration.
Cause: --enable-zlib was not passed when Snort was compiled.
Fix: remove everything from the previous compiled Snort installation, then compile and install again, passing --enable-zlib to configure.
Note: I tried recompiling and installing over the existing installation (with --enable-zlib) and it did not work; I don't know whether the old Snort files really must be cleared first, or whether I was just unlucky.
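Before doing a full rebuild it helps to know exactly which lines of snort.conf depend on zlib, since the alternative is to comment them out as in step 4. The shell function below is an added example, not code from the post or from Snort: it prints every non-comment line of a snort.conf that uses compress_depth (the keyword from the error above) or decompress_depth (its companion option in the http_inspect global configuration, an assumption taken from the Snort 2.x manual rather than from this post), and returns non-zero when none are found. The sample configuration it writes is constructed for the demonstration.

```shell
# Added example (not from the original post or from Snort): list the lines of a
# snort.conf that use keywords Snort only accepts when built with --enable-zlib.
# compress_depth is the keyword from the error in section II; decompress_depth is its
# companion option in the http_inspect global config (assumption from the Snort 2.x
# manual, not from this post). Knowing the lines lets you choose between rebuilding
# with zlib and commenting them out with "#" as in step 4.

ZLIB_KEYWORDS="compress_depth decompress_depth"

# zlib_lines CONF: print "N: line" for every non-comment line that uses one of the
# keywords (each line is printed once even if it uses both). Returns 0 if any were
# found, 1 if the file needs nothing from zlib.
zlib_lines() {
    awk -v kws="$ZLIB_KEYWORDS" '
        BEGIN { n = split(kws, k, " "); found = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # tolerate indentation
            if (line == "" || line ~ /^#/) next    # blank or commented out
            hit = 0
            for (j = 1; j <= NF && !hit; j++)
                for (i = 1; i <= n; i++)
                    if ($j == k[i]) { hit = 1; break }
            if (hit) { print NR ": " $0; found = 1 }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# write_sample_conf PATH: a constructed snort.conf fragment for trying the check
# (modelled on a Snort 2.x config, not a real file from the post).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample fragment
preprocessor stream5_global: max_tcp 8192
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
# compress_depth 1024   (commented out, must not be reported)
    decompress_depth 1024
EOF
}

# Usage against a real config (path assumed from section I):
# zlib_lines /usr/local/snort/etc/snort.conf || echo "no zlib-only options in use"
```

On the constructed sample the function reports lines 3 and 5 only: the commented-out line 4 is skipped, and line 3 appears once although it carries both keywords.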

III. During the BASE web setup, the following is shown:
Your PHP Logging Level is too high to handle the running of BASE!
Please set the error_reporting variable to at least E_ALL & ~E_NOTICE in your php.ini!
The directory where BASE is installed does not allow the web server to write.
This will prevent the setup progam from creating the base_conf.php file. You have two choices.
1. Make the directory writeable for the web server user.
2. When the set up is done, copy the information displayed to the screen and use it to create a base_conf.php.

Cause:
0. The PHP error-reporting level is too high for BASE to run.
1. The Snort web directory is not writable;
2. The parameters in base_conf.php are wrong.
Fix:
0. Edit php.ini, find error_reporting and change it to: error_reporting = E_ALL & ~E_NOTICE
1. Change the permissions of the Snort web directory to 757 or 777
2. Set the relevant parameters (Snort database name, username, password, database type, database location, etc.) in base_conf.php.
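The two settings BASE complains about can be checked before opening the web setup page. The shell functions below are an added example, not from the post or from BASE: the first reads the active error_reporting value from a php.ini (the last assignment wins, comments starting with ";" are ignored, spacing differences are normalised) and succeeds only when it is the E_ALL & ~E_NOTICE that BASE asks for; the second reports whether the BASE directory is writable and flags it when it is world-writable, which is what 757 or 777 produces, so that you can instead give write access to the web server user only (choice 1 in the BASE message). The paths in the usage comment are assumptions.

```shell
# Added example (not from the original post or from BASE): pre-flight checks for the
# two complaints in section III, run against php.ini and the BASE directory.
# Assumptions: php.ini uses "error_reporting = <expr>" lines with ";" comments; the
# BASE directory path is an argument (the post calls it the Snort web directory).

# base_error_reporting_ok INI: 0 if the active error_reporting value is the
# "E_ALL & ~E_NOTICE" BASE asks for, 1 otherwise (missing, commented out, or different).
# The last assignment in the file wins and spacing differences are ignored.
base_error_reporting_ok() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^[;#]/) next                   # php.ini comment
            if (line ~ /^error_reporting[ \t]*=/) {
                sub(/^error_reporting[ \t]*=/, "", line)
                sub(/;.*$/, "", line)                  # trailing comment
                gsub(/[ \t]/, "", line)
                value = line
            }
        }
        END { if (value == "E_ALL&~E_NOTICE") exit 0; exit 1 }
    ' "$1"
}

# base_dir_status DIR: prints "writable" or "not-writable" for the current user, with
# " world-writable" appended when the other-write bit is set (what 757/777 gives).
# Prefer choice 1 from the BASE message: make it writable for the web server user only.
base_dir_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 1
    fi
    mode=$(ls -ld "$dir" | cut -c1-10)       # e.g. drwxr-xr-x, char 9 = other write
    status="not-writable"
    [ -w "$dir" ] && status="writable"
    case "$mode" in
        ????????w?) status="$status world-writable" ;;
    esac
    echo "$status"
}

# Usage (paths assumed, adjust to your system):
# base_error_reporting_ok /etc/php.ini || echo "error_reporting must be E_ALL & ~E_NOTICE"
# base_dir_status /var/www/html/base
```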

IV. Not Using PCAP_FRAMES
Fix:
# export PCAP_FRAMES="Foo Bar This setting has no impact on my libpcap instance"
(Set this in the user's environment variables. Source of the workaround: http://leonward.wordpress.com/2008/07/18/not-using-pcap_frames-aka-when-good-verbosity-goes-bad/)

V. ERROR: The php session does not contain the array key "adodbpath". This is typically caused by not having allowed cookies. Exiting.
Cause: ???
Fix: ???

I haven't solved this one myself either; still to be investigated.

VI. The BASE web page shows:
Check your Pear::Image_Graph installation!

    * Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
    * Make sure PEAR libraries can be found by php at all:

      pear config-show | grep "PEAR directory"
      PEAR directory      php_dir     /usr/share/pear

      This path must be part of the include path of php (cf. /etc/php.ini):

      php -i | grep "include_path"
      include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php

Cause: BASE needs the Image_Graph graphing library, and Image_Graph is not installed.
Fix: download Image_Canvas and Image_Graph from http://pear.veggerby.dk/ and install them, or simply run the following commands to have the system download and install them:
# pear install Image_Canvas-0.3.2
downloading Image_Canvas-0.3.2.tgz ...
Starting to download Image_Canvas-0.3.2.tgz (54,698 bytes)
.............done: 54,698 bytes
downloading Image_Color-1.0.4.tgz ...
Starting to download Image_Color-1.0.4.tgz (9,501 bytes)
...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.2

# pear install Image_Graph-0.7.2
Did not download dependencies: pear/Numbers_Roman, pear/Numbers_Words, use --alldeps or --onlyreqdeps to download automatically
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
downloading Image_Graph-0.7.2.tgz ...
Starting to download Image_Graph-0.7.2.tgz (368,056 bytes)
.....................................done: 368,056 bytes
install ok: channel://pear.php.net/Image_Graph-0.7.2
(Note: the php-pear package must be installed beforehand!)

5. ERROR: snort.conf(387) => Unable to open the IIS Unicode Map file './unicode.map'.

Find unicode.map and copy it into the directory named in the error.

6. For other problems, Google them. Good luck!!!!
