UpCloud
Effortless global cloud infrastructure for SMBs
Introducing
If you’re interested in what we have to offer, contact sales or fill out a contact form.
Our support live chat is available for our customers 24/7. You can also email our support team.
Send us an email to give feedback or to say hello.
Start a new journey
Why Partner with UpCloud?
I’ve been passionate about the hosting industry since 2001. Before founding UpCloud, my first company grew to become one of Finland’s largest shared web hosting providers, serving over 30,000 customers. Along the way, I faced the same challenges many of you know well—24/7 on-call responsibilities, solving technical issues, and managing customer inquiries.
At UpCloud, we’ve designed a platform that solves these challenges, offering reliability, scalability, and unparalleled support. We understand the pressures you face because we’ve been there too. Partner with us, and let’s help you focus on growing your business while we handle the rest.
Sincerely, Joel Pihlajamaa CTO, Founder
Login
Sign up
Updated on 24.5.2023
Snort is a popular choice for running a network intrusion detection system or NIDS for short. It monitors the package data sent and received through a specific network interface. NIDS can catch threats targeting your system vulnerabilities using signature-based detection and protocol analysis technologies. NIDS software, when installed and configured appropriately, can identify the latest attacks, malware infections, compromised systems, and network policy violations. In this guide, you will find instructions on how to install Snort on Debian 9. The install guide is also available for cloud servers running CentOS 7 and Ubuntu 16.
Snort is one of the most commonly used network-based IDS. It is lightweight, open source, available on a multitude of platforms, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand as needed.
Setting up a basic configuration of Snort on Debian is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command.
sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet autoconf libtool
With the prerequisites fulfilled, next up is how to install Snort on Debian 9. Snort can be downloaded and installed manually from the source. Below you will find instructions on how to get this done.
Setting up Snort on Debian from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.
Start by making a temporary download folder to your home directory and then changing into it with the command below.
mkdir ~/snort_src && cd ~/snort_src
Snort itself uses something called a Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command underneath. Replace the version number in the command if a newer source is available.
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands.
tar -xvzf daq-2.0.7.tar.gz cd daq-2.0.7
The latest version requires an additional step to auto-reconfigure DAQ before running the config. Use the command below which requires you need to have autoconf and libtool installed.
autoreconf -f -i
Afterwards, run the configuration script using its default values, then compile the program with make and finally install DAQ.
./configure && make && sudo make install
With the DAQ installed, you can get started with Snort, and change back to the download folder.
cd ~/snort_src
Next, download the Snort source code with wget. You can find the latest version number on the Snort downloads page. Replace it in the following command if necessary.
wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz
Once the download is complete, extract the source and change into the new directory with these commands.
tar -xvzf snort-2.9.16.tar.gz cd snort-2.9.16
Then configure the installation with sourcefire enabled, run make and make install.
./configure --enable-sourcefire && make && sudo make install
With that done, continue below on how to set up the configuration files.
Next, you will need to configure Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.
Start with updating the shared libraries using the command underneath.
sudo ldconfig
Snort on Debian gets installed to /usr/local/bin/snort directory, it is good practice to create a symbolic link to /usr/sbin/snort.
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
To run Snort on Debian safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.
sudo groupadd snort sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Then create the folder structure to house the Snort configuration, just copy over the commands below.
sudo mkdir -p /etc/snort/rules sudo mkdir /var/log/snort sudo mkdir /usr/local/lib/snort_dynamicrules
Set the permissions for the new directories accordingly.
sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules sudo chown -R snort:snort /etc/snort sudo chown -R snort:snort /var/log/snort sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Create new files for the white and blacklists as well as the local rules.
sudo touch /etc/snort/rules/white_list.rules sudo touch /etc/snort/rules/black_list.rules sudo touch /etc/snort/rules/local.rules
Then copy the configuration files from the download folder.
sudo cp ~/snort_src/snort-2.9.16/etc/*.conf* /etc/snort sudo cp ~/snort_src/snort-2.9.16/etc/*.map /etc/snort
Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.
Underneath you can find instructions for downloading both community rules and registered user rule sets.
If you just want to quickly test out Snort, grab the community rules using wget with the command below.
wget https://www.snort.org/rules/community -O ~/community.tar.gz
Extract the rules and copy them to your configuration folder.
sudo tar -xvf ~/community.tar.gz -C ~/
sudo cp ~/community-rules/* /etc/snort/rules
By default, Snort on Debian expects to find a number of different rule files which are not included in the community rules. You can easily comment out the unnecessary lines using the sed command underneath.
sudo sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
You can also take a moment and register on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.
Replace the oinkcode in the following command with your personal code.
wget https://www.snort.org/rules/snortrules-snapshot-29160.tar.gz?oinkcode=oinkcode -O ~/registered.tar.gz
Once downloaded, extract the rules over to your configuration directory.
sudo tar -xvf ~/registered.tar.gz -C /etc/snort
The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf file.
With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file in your favourite text editor, for example, using nano with the command below.
sudo nano /etc/snort/snort.conf
Find these sections shown below in the configuration file and change the parameters to reflect the examples here.
# Setup the network addresses you are protecting ipvar HOME_NET server_public_IP/32
# Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET
# Path to your rules files (this can be a relative path) var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Set the absolute path appropriately var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules
In the same snort.conf file, scroll down to section 6 and set the output for unified2 to log under the filename of snort.log like below.
# unified2 # Recommended for most installs output unified2: filename snort.log, limit 128
Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules to allow Snort to load any custom rules.
include $RULE_PATH/local.rules
If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules line.
include $RULE_PATH/community.rules
Once you are done with the configuration file, save the changes and exit the editor.
Your Snort should now be ready to run. Test the configuration using the parameter -T to enable test mode.
sudo snort -T -c /etc/snort/snort.conf
After running the Snort configuration test, you should get a message like this example below.
--== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.16 GRE (Build 118) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.8.1 Using PCRE version: 8.39 2016-06-14 Using ZLIB version: 1.2.11 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.1 Preprocessor Object: SF_DCERPC2 Version 1.0 Preprocessor Object: SF_SSH Version 1.1 Preprocessor Object: SF_FTPTELNET Version 1.2 Preprocessor Object: SF_SDF Version 1.1 Preprocessor Object: SF_DNP3 Version 1.1 Preprocessor Object: SF_REPUTATION Version 1.1 Preprocessor Object: SF_IMAP Version 1.0 Preprocessor Object: SF_SMTP Version 1.1 Preprocessor Object: SF_GTP Version 1.1 Preprocessor Object: appid Version 1.1 Preprocessor Object: SF_MODBUS Version 1.1 Preprocessor Object: SF_POP Version 1.0 Preprocessor Object: SF_DNS Version 1.1 Preprocessor Object: SF_SSLPP Version 1.1 Preprocessor Object: SF_SIP Version 1.1 Snort successfully validated the configuration! Snort exiting
In case you get an error, the printout should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above or by commenting out unnecessary inclusion lines in the snort.conf file. Check the configuration part and try again.
To test if Snort is logging alerts as intended, add a custom detection rule alert on incoming ICMP connections to the local.rules file. Open your local rules in a text editor.
sudo nano /etc/snort/rules/local.rules
Then add the following line to the file.
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
The rule consists of the following parts:
Save the local.rules and exit the editor.
Start Snort with -A console option to print the alerts to stdout. You will need to select the correct network interface with the public IP address of your server, for example, eth0.
sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf
If you are not sure which interface to use, check your UpCloud control panel for the public IPv4 address of your server in the Network settings. You can also use the following command on your server.
ip addr
The output will list all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network settings, commonly eth0.
With Snort up and running, ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort.
07/12-11:20:33.501624 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202
After the alerts show up you can stop Snort with ctrl+C.
Snort records the alerts to a log under /var/log/snort/snort.log.timestamp, where the timestamp is the point in time when Snort was started marked in Unix time. You can read the logs with the command underneath. Since you have only run Snort once, there is only one log, complete your command by pressing TAB.
snort -r /var/log/snort/snort.log.
The log shows a warning for each ICMP call with source and destination IPs, time and date, plus some additional info as shown in the example below.
WARNING: No preprocessors configured for policy 0. 07/12-11:20:33.501624 83.136.252.118 -> 80.69.173.202 ICMP TTL:63 TOS:0x0 ID:20187 IpLen:20 DgmLen:84 DF Type:8 Code:0 ID:13891 Seq:1 ECHO
To run Snort on Debian as a service in the background you will need to add a startup script for Snort. Open a new file in a text editor for example with the next command.
sudo nano /lib/systemd/system/snort.service
Enter the following to the file, save and exit the editor.
[Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 [Install] WantedBy=multi-user.target
With the service defined, reload the systemctl daemon.
sudo systemctl daemon-reload
Snort can then be run with the configuration you set up using the command below.
sudo systemctl start snort
The startup script also includes other usual systemctl commands: stop, restart, and status. For example, you can check the status of the service with the following command.
sudo systemctl status snort
Congratulations, you should have now successfully configured and tested a network-based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and NIDS in general. To get more out of your installation, check out the deployment guides over at the Snort documents page, or jump right into writing your own detection rules with their helpful Snort rules info graph.
Join discussion
7.1.2019 at 18.54
apt install -y libluajit-5.1-dev
7.1.2019 at 22.48
By the way, good job :)
16.1.2019 at 10.01
Hi Fabricio, thanks for the addition, we’ll get the guide updated :D
1.5.2019 at 22.04
Why not use the debian packages available?
2.5.2019 at 08.08
Hi Oscar, thanks for the comment. It’s certainly a valid option if you are not bothered the version being slightly older. Snort themselves recommend installing it from the source.
4.5.2019 at 01.49
i ran into an error when i tried to test the snort rules, there it is ‘ERROR: /etc/snort/snort.conf(104) Missing argument to RULE_PATH’ How do i fix it?
7.5.2019 at 12.32
Hi, thanks for the question. The error would indicate that your rule path has not been set in the snort.conf file. Find the part that defines the rule path and set it as follows: var RULE_PATH /etc/snort/rules
15.5.2019 at 03.17
i can’t run snort after installing it. I’m using Debian 9
15.5.2019 at 08.48
Hi Adan, thanks for the comment. If you are having trouble starting snort, the issue is most likely in the configuration file /etc/snort/snort.conf. Try validating the settings with the following command sudo snort -T -c /etc/snort/snort.conf and correct any errors it might report.
17.6.2019 at 10.38
i want to know whether it is possible to take alert mode example console fast or full from snort.conf
20.6.2019 at 11.24
Hi, thanks for the question. The Snort alert modes are defined in the command line options with the parameter -A. However, depending on what you are after, you might be able to do what you want by adding output rules e.g. output alert_fast: [<filename> ["packet"] [<limit>]] in the snort.conf. You can read more about these at the Snort manual.
21.9.2019 at 20.11
Installing snort on raspbian fails because of luajit : $ ./configure –enable-sourcefire && make && sudo make install Is stopped because of that error : checking for luajit… ERROR! LuaJIT library not found. Go get it from http://www.luajit.org/ (or) Try compiling without openAppId using ‘–disable-open-appid’ configure: error: “Fatal!”
I did install luajit: apt install luajit apt install libluajit-5.1-dev
Running armbian on orangepi Linux orangepi 4.19.62-sunxi #5.92 SMP Wed Jul 31 22:07:23 CEST 2019 armv7l GNU/Linux
24.9.2019 at 08.22
Hi there, Snort indeed requires the LuaJIT libraries to run properly and libluajit-5.1-dev should provide exactly what it needs. I’d suggest double-checking that the library was actually installed and going from there. You can easily verify how the process should work by installing Snort on a temporary cloud server.
13.12.2019 at 20.30
I got stuck on this one, too. Installing `pkg-config` took care of it for me.
10.1.2020 at 20.24
Hello, thank you very much for this guide!
I need a few, more, information: – snort check every data coming from every port? If yes, how can I examine data checked? If no, how can I select one port to be controlled? – snort is running in background, I have to start it when I switch on the VM or not?
13.1.2020 at 09.52
Hi there, thanks for the questions. By default, Snort does not track any traffic but needs to be configured with rules. You can in practice have Snort check everything coming to any port by creating a rule for it, e.g. alert tcp $EXTERNAL_NET any -> $HOME_NET any ( [Rule options] ) and then configuring the Rule options to look for certain type of traffic you wish to monitor or prevent. Also, if you wish to have Snort started automatically when your server starts, enable the system process with: sudo systemctl enable snort
2.2.2020 at 23.06
Thank you very much for the advice! By the way, if I had set a blacklist, every packet sent from that IP is forbidden, right?
25.2.2020 at 20.46
Hi, thank you so much for the guide. I try to install snort on MacOS, but once I do ./configure to configure the environment before intall snort, I got a message like this: ERROR! openssl/x509.h or openssl library not found. Try compiling without openAppId using ‘–disable-open-appid’ configure: error: “Fatal!” I have already double-checked that the openssl has been installed, so could you please help me what is happened here, or give me some suggestions, please. Thank you so much
26.2.2020 at 10.05
Hi there, thanks for the question. The error is likely due to a version issue with the OpenSSL you have installed and what Snort requires. I don’t believe macOS is officially supported and might not run even if successfully installed. If you want to try out Snort, I’d suggest testing it first on a Linux virtual machine or cloud server before committing time and effort to install it on your own system.
8.3.2020 at 23.20
I have a big problem, when I try to run sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf it stays stucked in “commencing packet processing pid=1534” I am in debian 10 buster, what should I do with this?
I am in a virtual machine in a Mac OS device. When I do the test above, it runs perfectly. I started my interface enp0s3 but nothing happens. Please help
10.3.2020 at 15.05
Hi there, thanks for the question. When testing Snort and passing the output to the console “Commencing packet processing” is just the last message in the startup output after which Snort is left monitoring the network. If you are not getting anything after that, it just means nothing has triggered any of your rules.
17.4.2020 at 14.47
I have got an error while running “./configure && make && sudo make install” Now snort daq goes to version 2.0.7. Could you please help. Thanks. error is… Build AFPacket DAQ module.. : yes Build Dump DAQ module…… : yes Build IPFW DAQ module…… : yes Build IPQ DAQ module……. : no Build NFQ DAQ module……. : no Build PCAP DAQ module…… : yes Build netmap DAQ module…. : no
CDPATH=”${ZSH_VERSION+.}:” && cd . && /bin/bash /home/pi/snort_src/daq-2.0.7/missing aclocal-1.15 -I m4 /home/pi/snort_src/daq-2.0.7/missing: line 81: aclocal-1.15: command not found WARNING: ‘aclocal-1.15’ is missing on your system. You should only need it if you modified ‘acinclude.m4’ or ‘configure.ac’ or m4 files included by ‘configure.ac’. The ‘aclocal’ program is part of the GNU Automake package:
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
make: *** [Makefile:372: aclocal.m4] Error 127
20.4.2020 at 11.56
Hi Gerald, thanks for the question. It would seem some changes in the newer version require a couple of extra steps. Before running the ./configure command on DAQ, install the following needed packages sudo apt-get install autoconf libtool then run an autoreconfigure in the DAQ directory autoreconf -f -i Afterwards, the rest of the installation process should work the same.
5.6.2020 at 19.38
Hello janne, im using this snort guide of installation. And after configuring the paths, on snort.conf. Im trying to validate setting, using this command “sudo snort -T -c /etc/snort/snort.conf” on /snort_src/etc/ path. It popped out the next message, sudo snort command not found. On step 2, installing from the source i made it same way. What should be the error ¿ postdata, sorry for my english.
8.6.2020 at 12.34
Hi Ben, thanks for the question. The error message saying snort command not found means that Snort did not get installed successfully. We’ve updated the tutorial for the latest Snort version so try deleting the old and reinstall with the latest version.
10.6.2020 at 22.56
HI. I followed your excellent tutorial and all worked! I still have one question: When I use the command : “sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf”, I only see pings which have as destination the machine where snort is configured. How can I do to see all icmp traffic in my network?
Thx
11.6.2020 at 09.25
Hi Viktor, thanks for the question. Snort only sees the traffic that goes through the specific network interfaces, eth0 in this case. To be able to monitor all traffic in your network, you will need to route all traffic through your Snort server by setting it as a gateway for your local network.
28.6.2020 at 07.00
Hi , i have problem : ERROR! daq_status library not found, go get it from http://www.snort.org/. What should i do?
28.6.2020 at 18.28
Hi Riska, thanks for the comment. By your error message, it seems DAQ didn’t get installed successfully. Try going through the installation steps again to double-check you did not miss anything. Note that you need to have sudo privileges or log in as root to install DAQ.
25.7.2020 at 10.50
Hi sir, i have a problem here. Did this guide three times. The error message is “ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file “/etc/snort//etc/snort/rules/app-detect.rules”: No such file or directory.”
Please help me solve it as I would like to use this for my project on information security. Thank you.
25.7.2020 at 16.28
Hi there, thanks for the question. By your error message, it seems you have the var RULE_PATH /etc/snort/rules in your /etc/snort/snort.conf file set as relative to the execution directory. Check that the rule path is set correctly and try running the config test again. If that doesn’t work and the app-detect rules require a relative path, use var RULE_PATH rules instead.
25.7.2020 at 17.55
Thank you for the fast reply. The error message was “ERROR: /etc/snort/rules/app-detect.rules(0) Unable to open rules file “/etc/snort/rules/app-detect.rules”: No such file or directory.”
I cd into /etc/snort/rules but there was a file or directory called app-detect.rules. I am using kali Linux to run using the guide.
25.7.2020 at 18.00
there was no file called app-detect.rules.* sorry
25.7.2020 at 20.24
The app-detect.rules is included in the registered users’ ruleset. You can download the rules by registering at snort.org and using your “oinkcode” to get the rules as described in section Option 2. Obtaining registered user rules.
26.7.2020 at 07.58
Hi Janne, thank you again. Downloaded all the rules into the rules folder already. Did the test and successfully verificated the snort.conf.
Then I tried to start the snort service using “sudo snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf” but it hanged/ got stuck at “commencing packet processing”. Then I tried to ctrl^C but to no avail, had to close that command line tab. I did the command “ip addr” and confirmed that the correct interface was eth0.
Also, I tried to access snortlog using “snort -r /var/log/snort/snort.log.” but with an error, ” kali@kali:~$ snort -r /var/log/snort/snort.log.15957 Running in packet dump mode
–== Initializing Snort ==– Initializing Output Plugins! Error getting stat on pcap file: /var/log/snort/snort.log.15957: No such file or directory ERROR: Error getting pcaps. Fatal Error, Quitting.. ” Not sure why though. Willing to provide more information on these. If you would help me, Thank you in advance.
26.7.2020 at 10.18
I started getting ICMP messages after adding in the ICMP test above in the given guide. I realised that there were no rules in my http://ftp.rules and other files so there were no messages.
Now I just left the snort.log to be figured out. Thanks anyways!
26.7.2020 at 15.35
The snort.log.* files have a Unix timestamp for an ID which is 10 digits. If pressing TAB doesn’t complete the file name, you have multiple logs with similar names and need to type in the rest. Check the logs folder with sudo ls /var/log/snort/ for log file names.
20.10.2020 at 03.38
has anyone had success installing barnyard on debian bullseye? I am getting an error while doing a make on barnyard from source. Help appreciated. output as follows: root@firewall:/usr/src/barnyard2# make make all-recursive make[1]: Entering directory ‘/usr/src/barnyard2’ Making all in src make[2]: Entering directory ‘/usr/src/barnyard2/src’ Making all in sfutil make[3]: Entering directory ‘/usr/src/barnyard2/src/sfutil’ make[3]: Nothing to be done for ‘all’. make[3]: Leaving directory ‘/usr/src/barnyard2/src/sfutil’ Making all in output-plugins make[3]: Entering directory ‘/usr/src/barnyard2/src/output-plugins’ gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_fwsam.o spo_alert_fwsam.c In file included from /usr/include/pcap/pcap.h:87, from /usr/include/pcap.h:43, from ../barnyard2.h:46, from spo_alert_fwsam.c:91: spo_alert_fwsam.c:118:13: error: two or more data types in declaration specifiers 118 | typedef int SOCKET; | ^~~~~~ spo_alert_fwsam.c:118:1: warning: useless type name in empty declaration 118 | typedef int SOCKET; | ^~~~~~~ spo_alert_fwsam.c: In function ‘FWsamReadLine’: spo_alert_fwsam.c:620:9: warning: this ‘if’ clause does not guard… [-Wmisleading-indentation] 620 | if(p>buf); | ^~ spo_alert_fwsam.c:621:13: note: …this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’ 621 | strcpy(buf,p); | ^~~~~~ spo_alert_fwsam.c: In function ‘AlertFWsam’: spo_alert_fwsam.c:981:18: warning: variable ‘cn’ set but not used [-Wunused-but-set-variable] 981 | ClassType *cn = NULL; | ^~ spo_alert_fwsam.c:980:18: warning: variable ‘sn’ set but not used [-Wunused-but-set-variable] 980 | SigNode *sn = NULL; | ^~ spo_alert_fwsam.c:973:27: warning: variable ‘lastbsp’ set but not used [-Wunused-but-set-variable] 973 | static unsigned short lastbsp[FWSAM_REPET_BLOCKS]; | ^~~~~~~ make[3]: *** [Makefile:391: spo_alert_fwsam.o] Error 1 make[3]: Leaving directory ‘/usr/src/barnyard2/src/output-plugins’ make[2]: *** [Makefile:498: all-recursive] Error 1 make[2]: Leaving directory ‘/usr/src/barnyard2/src’ make[1]: *** [Makefile:412: all-recursive] Error 1 make[1]: Leaving directory ‘/usr/src/barnyard2’ make: *** [Makefile:344: all] Error 2
20.10.2020 at 13.50
Hi Mohit, thanks for the question. The Barnyard project seems to have been abandoned some time ago and it might be quite difficult to get to working order at this point. I’d suggest looking for an alternative or rethinking your approach.
9.11.2020 at 18.25
The BEST set of instructions for installng Snort in Kali Linux available . thankyou and much appreciated.
24.11.2020 at 12.35
Perfect.
Thank you very much for this tutorial. I have applied it on Raspbian and it works!
Kudos!
8.12.2020 at 00.10
I am getting this error: kali@kali:~$ sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet autoconf libtool Reading package lists… Done Building dependency tree Reading state information… Done E: Unable to locate package libnghttp2-dev
9.12.2020 at 17.36
Hi Jorge, thanks for the comment. On a quick look, it seems the libnghttp2 packages are available in the kali-rolling repo which you might need to add to your sources list.
sudo tee -a /etc/apt/sources.list<
19.12.2020 at 01.15
Hi I am getting this error: sp_rpc_check.c:32:10: fatal error: rpc/rpc.h: No such file or directory 32 | #include | ^~~~~~~~~~~ compilation terminated. make[4]: *** [Makefile:489: sp_rpc_check.o] Error 1 make[4]: Leaving directory ‘/root/snort_src/snort-2.9.17/src/detection-plugins’ make[3]: *** [Makefile:440: all] Error 2 make[3]: Leaving directory ‘/root/snort_src/snort-2.9.17/src/detection-plugins’ make[2]: *** [Makefile:558: all-recursive] Error 1 make[2]: Leaving directory ‘/root/snort_src/snort-2.9.17/src’ make[1]: *** [Makefile:516: all-recursive] Error 1 make[1]: Leaving directory ‘/root/snort_src/snort-2.9.17’ make: *** [Makefile:382: all] Error 2
i’m using ubuntu 20.10
Thanks
5.1.2021 at 16.21
Hi Gianluca, thanks for the question. The error is likely due to the header file in question not being included in Ubuntu 20.10. You should be able to install it with sudo apt-get install libtirpc-dev Then try to recompile Snort.
28.1.2021 at 17.07
┌──(kali㉿kali)-[~] └─$ snort -r /var/log/snort/snort.log Running in packet dump mode
–== Initializing Snort ==– Initializing Output Plugins! pcap DAQ configured to read-file. ERROR: Can’t initialize DAQ pcap (-1) – unknown file format Fatal Error, Quitting..
28.1.2021 at 19.48
Hi Franck, thanks for the comment. The error means the file is empty or doesn’t exist. By default each log has a timestamp at the end of the name e.g. snort.log.1611855723.
18.3.2021 at 12.19
when i type this command:./configure && make && sudo make install i get an error :error in /root/snort_src/daq-2.0.7 something went wrong bootstrapping makefile fragments for automatic dependency tracking debian.try re-running configure with the disable dependancy tracking
27.3.2021 at 12.55
What are the alternatives if we cant use barnyard2 ?
29.3.2021 at 15.02
Hi Mukesh, thanks for the question. While barnyard2 is old, it is still possible to make it work with some effort. Check their GitHub issues page for more details. Some alternatives also exists, for example, u2text which was created specifically because barnyard2 has been discontinued.
29.3.2021 at 15.09
Hi Amelia, thanks for the comment. While it’s not obvious from the error message alone what could be the issue, it’s likely an issue with dependency checking. Make sure your system is up to date and not currently running any other install. Otherwise, you could try the suggestion to re-running configure command with dependency tracking disabled.
25.8.2021 at 18.38
Good evening can you help me with this error below wget https://www.snort.org/rules/snortrules-snapshot-29160.tar.gz?oinkcode=oinkcode -O ~/registered.tar.gz –2021-08-25 08:27:58– https://www.snort.org/rules/snortrules-snapshot-29160.tar.gz?oinkcode=oinkcode Resolving http://www.snort.org (www.snort.org)… 104.18.138.9, 104.18.139.9, 2606:4700::6812:8b09, … Connecting to http://www.snort.org (www.snort.org)|104.18.138.9|:443… connected. HTTP request sent, awaiting response… 422 Unprocessable Entity 2021-08-25 08:27:59 ERROR 422: Unprocessable Entity.
2.9.2021 at 12.50
Hi there, thanks for the question. You need to place your personal oinkcode in the URL after the equals sign. If you don’t know your oinkcode, log into or register for a Snort account.
24.9.2021 at 16.54
Thanks for the detailed explanation sir. I have successfully installed Snort2x and working fine in Raspberry pi. But now when I am trying to install Snort3, I am getting error. I followed the instructions provided in the user manual for Snort3 Ubuntu installation as no manual for Debian. In the dependency tools, Hyperscan tool I could not install as error generated during compile. Then I skipped Hyperscan and proceeded for Snort3 Installation. Still I am getting an error and couldn’t succeed. Please help me out. Thank you. Error: collect2: error: ld returned 1 exit status make[2]: *** [src/CMakeFiles/snort.dir/build.make:1679: src/snort] Error 1 make[1]: *** [CMakeFiles/Makefile2:2978: src/CMakeFiles/snort.dir/all] Error 2 make: *** [Makefile:152: all] Error 2
27.9.2021 at 17.39
Hi Suresh, thanks for the comment. We’ve not tested Snort 3 yet but the installation process will likely differ from the previous version 2.X. We’ll look into updating the tutorial for the latest Snort version.
20.11.2021 at 23.55
doing all off this steps and executing apt install for libuajit ! what a shame :-° :-) !! lol
go and download the source at : http://luajit.org/download.html
or do an apt like you want ;-)
20.11.2021 at 23.58
really good job (y)
big thanks for this
15.2.2022 at 15.20
https://superuser.com/questions/371901/openssl-missing-during-configure-how-to-fix check this one
13.4.2022 at 09.05
Hello I am getting this error while trying to install snort on Kali
sp_rpc_check.c:32:10: fatal error: rpc/rpc.h: No such file or directory 32 | #include | ^~~~~~~~~~~ compilation terminated. make[4]: *** [Makefile:489: sp_rpc_check.o] Error 1 make[4]: Leaving directory ‘/home/kali/snort_src/snort-2.9.19/src/detection-plugins’ make[3]: *** [Makefile:440: all] Error 2 make[3]: Leaving directory ‘/home/kali/snort_src/snort-2.9.19/src/detection-plugins’ make[2]: *** [Makefile:558: all-recursive] Error 1 make[2]: Leaving directory ‘/home/kali/snort_src/snort-2.9.19/src’ make[1]: *** [Makefile:516: all-recursive] Error 1 make[1]: Leaving directory ‘/home/kali/snort_src/snort-2.9.19’ make: *** [Makefile:382: all] Error 2
21.4.2022 at 17.36
Dear sir, If I want to use snort alert_unixsock option for output plugin, it was given in one of the snort reference document (README.UNSOCK), Snort has to be built with spo_unsock.c/h output plugin. Can you please guide me how to do it. Thanks
21.4.2022 at 17.57
Hey there, thanks for the comment. Please try to install libntirpc-dev and then recompile Snort to resolve this error.
29.4.2023 at 01.07
The same error for me. How was it resolved??
Your email address will not be published. Required fields are marked *
Comment *
Name *
Email *
Website
Save my name, email, and website in this browser for the next time I comment.
Δ
See all tutorials