===== Snort Install Notes =====
Have run into too many issues installing from apt-get, so I now just compile all the necessary packages.
Latest version installed: 2.9.2.1 on 10.04
Some required packages:
* gcc
* g++
* bison
* flex
* libpcre3
* libpcre3-dev
* daq (from http://www.snort.org/snort-downloads)
* zlib (from http://www.zlib.net/)
* libdnet (from http://code.google.com/p/libdnet/)
* ''sudo apt-get install linux-headers-$(uname -r)''
You may need to copy libdnet.1 to a directory that is on the library search path:
''cp /usr/local/lib/libdnet.1 /usr/lib/''
In the new version of the snort.conf file, if you did not pass the --enable-ipv6 option to ./configure, change ipvar to var. You may also need to comment out all the IP, ICMP, and TCP normalization lines.
Compiling and installing (the first ./configure line is a minimal build; the second enables the full feature set):
sudo ./configure --enable-zlib
sudo ./configure --enable-ipv6 --enable-gre \
--enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
--enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
--enable-normalizer --enable-reload --enable-react --enable-flexresp3
sudo make
sudo make install
Configuration options:
| ''--disable-FEATURE'' | do not include FEATURE (same as --enable-FEATURE=no) |
| ''--enable-FEATURE[=ARG]'' | include FEATURE [ARG=yes] |
| ''--enable-64bit-gcc'' | Try to compile 64bit (only tested on Sparc Solaris 9). |
| ''--enable-maintainer-mode'' | enable make rules and dependencies not useful (and sometimes confusing) to the casual installer |
| ''--disable-dependency-tracking'' | speeds up one-time build |
| ''--enable-dependency-tracking'' | do not reject slow dependency extractors |
| ''--enable-shared[=PKGS]'' | build shared libraries [default=yes] |
| ''--enable-static[=PKGS]'' | build static libraries [default=yes] |
| ''--enable-fast-install[=PKGS]'' | optimize for fast installation [default=yes] |
| ''--disable-libtool-lock'' | avoid locking (might break parallel builds) |
| ''--enable-debug'' | Enable debugging options (bugreports and developers only) |
| ''--enable-profile'' | Enable profiling options (developers only) |
| ''--enable-pthread'' | Enable pthread support |
| ''--enable-prelude'' | Enable Prelude Hybrid IDS support |
| ''--enable-sourcefire'' | Enable Sourcefire specific build options |
| ''--enable-rulestate'' | Enable separation of Rule State from Rule definition |
| ''--enable-dynamicplugin'' | Enable ability to dynamically load preprocessors, detection engine, and rules lib |
| ''--enable-timestats'' | Enable TimeStats functionality |
| ''--enable-perfprofiling'' | Enable preprocessor and rule performance profiling |
| ''--enable-linux-smp-stats'' | Enable statistics reporting through proc |
| ''--enable-inline'' | Use the libipq interface for inline snort |
| ''--enable-ipfw'' | Enable ipfw Divert mode for use with inline |
| ''--enable-flexresp'' | Flexible Responses on hostile connection attempts |
| ''--enable-flexresp2'' | NEW Flexible Responses on hostile connection attempts |
| ''--enable-react'' | Intercept and terminate offending HTTP accesses |
To start snort:
sudo snort -c /etc/snort/snort.conf -i eth0 -D
===== Paths to Create =====
| ''/etc/snort/'' | Location of Snort configuration files |
| ''/etc/snort/pulledpork/'' | Location of pulledpork scripts and configuration |
| ''/etc/snort/rules/'' | Location of Snort rules |
| ''/scripts/'' | Location of various custom Snort scripts |
| ''/var/log/snort/'' | Snort logging directory |
===== Errors =====
==== Segmentation Fault ====
* Check /usr/local/lib/snort_dynamicpreprocessor for a group of outdated preprocessor files.
* Delete the rules and re-download
==== Compression Depth ====
ERROR: c:\snort\etc\snort.conf(240) => 'compress_depth' and 'decompress_depth' should
be set to max in the default policy to enable 'unlimited_decompress'
Fatal Error, Quitting..
Open your snort.conf file and look for the line:
# HTTP normalization and anomaly detection. For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
It is in section 5 of snort.conf. Set compress_depth and decompress_depth to 65535 each, as shown above.
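As an added example (not part of these notes), a small POSIX sh script that checks a snort.conf for the two pitfalls above, the ipvar lines that break a build made without --enable-ipv6 and the compress_depth/decompress_depth values behind the Fatal Error, and prints a corrected copy. The config fragment it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: check a snort.conf for the two
# pitfalls above (ipvar in a build without --enable-ipv6; compress_depth and
# decompress_depth not at max with unlimited_decompress) and print a fixed copy.
# The config written by write_sample is a constructed fragment, not a real file.

# Print each logical directive on one line: drop comments, join "\" continuations.
directives() {
    awk '/^[[:space:]]*#/ { next }
         { if (sub(/\\[[:space:]]*$/, "")) { buf = buf $0 }
           else { print buf $0; buf = "" } }
         END { if (buf != "") print buf }' "$1"
}

# Return 0 if every "http_inspect: global" directive enabling unlimited_decompress
# also sets compress_depth and decompress_depth to 65535; otherwise print the
# offending directive and return 1 (this is what triggers the quoted Fatal Error).
check_depth() {
    directives "$1" | awk '
        /preprocessor[[:space:]]+http_inspect:[[:space:]]+global/ && /unlimited_decompress/ {
            c = ""; d = ""
            for (i = 1; i < NF; i++) {
                if ($i == "compress_depth")   c = $(i + 1)
                if ($i == "decompress_depth") d = $(i + 1)
            }
            if (c != "65535" || d != "65535") { print; bad = 1 }
        }
        END { exit bad }'
}

# Return 0 if no ipvar directives are present; otherwise print them and return 1.
check_ipvar() {
    ! directives "$1" | grep '^[[:space:]]*ipvar[[:space:]]'
}

# Print a corrected copy: ipvar -> var, both depths forced to 65535 on
# http_inspect global lines (the fix described under "Compression Depth").
fix_conf() {
    sed -e 's/^[[:space:]]*ipvar[[:space:]]/var /' \
        -e '/http_inspect:[[:space:]]*global/s/\([^a-z]\)compress_depth[[:space:]]*[0-9]*/\1compress_depth 65535/' \
        -e '/http_inspect:[[:space:]]*global/s/decompress_depth[[:space:]]*[0-9]*/decompress_depth 65535/' "$1"
}

# Write a constructed snort.conf fragment to $1 with both depths set to $2.
write_sample() {
    printf '%s\n' '# constructed sample, not a real snort.conf' 'ipvar HOME_NET any' \
        "preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth $2 decompress_depth $2 \\" \
        '    unlimited_decompress' > "$1"
}
```

Run ''check_depth /etc/snort/snort.conf'' and ''check_ipvar /etc/snort/snort.conf'' before starting Snort; ''fix_conf'' writes the corrected config to stdout so you can diff it against the original first.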
===== Links =====
[[http://emergingthreats.net/index.php|Emerging Threats]]
[[http://sourceforge.net/projects/oinkmaster/|oinkmaster]]
[[http://code.google.com/p/pulledpork/|Pulledpork]]
[[http://www.symmetrixtech.com/articles/007-updatingsnortandubuntu.pdf|Updating guide]]
-- Main.FredPettis - 2011-01-10