Snort mailing list archives
Re: Compiling and Running Snort 2.9.8.0 on MAC OSX 10.11.3 (El Capitan)
From: Madhu Rao <k.madhurao.123 () gmail com>
Date: Mon, 15 Feb 2016 16:19:44 -0600
Joel thanks a bunch!! You pointed the issue!! I was cutting and pasting the commands from an Ubuntu machine... and trying to run commands I ran on Ubuntu.... This worked now:

    sudo snort -c /etc/snort/snort.conf -i en0 -k none

I am able to fire up snort now on my MAC.. thanks everyone for the pointers.

In case someone needs complete instructions I followed to BUILD snort 2.9.8.1 on MAC OSX Version 10.11.3 (El Capitan) -- Here are the instructions!

1) Install Xcode (XCode includes the compiler and other libraries required to compile Snort)

2) Install MacPorts from http://www.macports.org/
   Note: You may consider updating ports itself if you had installed ports long back.
   Try running 'sudo port selfupdate' & 'sudo port upgrade outdated'

3) Install PCRE via MacPorts: 'sudo port install pcre'

4) Install wget via MacPorts: 'sudo port install wget'

5) Download Dependent Packages and Make/Install them

5a) Install Directory
    Assume BUILD_DIR=/Users/mrjoe/work/snort (note it can be any dir..)

    export BUILD_DIR=/Users/mrjoe/work/snort

5a) DNET
    cd $BUILD_DIR
    wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    tar xvfz libdnet-1.12.tgz
    cd libdnet-1.12
    ./configure
    sudo make install

5b) pkg-config
    wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz
    tar -xvf pkg-config-0.28.tar.gz
    cd pkg-config-0.28
    ./configure --with-internal-glib
    sudo make install

5b) LuaJIT
    cd $BUILD_DIR
    wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
    tar xzvf LuaJIT-2.0.2.tar.gz
    cd LuaJIT-2.0.2
    make
    sudo make install

5c) DAQ
    cd $BUILD_DIR
    wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    tar xvfz daq-2.0.6.tar.gz
    cd daq-2.0.6
    ./configure --disable-afpacket-module
    make
    sudo make install

5) Download & Build Snort
    cd $BUILD_DIR
    wget --no-check-certificate -O snort-2.9.8.0.tar.gz https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
    tar xvfz snort-2.9.8.0.tar.gz
    cd snort-2.9.8.0
    ./configure --enable-sourcefire --enable-open-appid
    make
    sudo make install

At this Point you can start configuring for a test run

8) Configure Snort without OpenAppID enabled:
    sudo mkdir /etc/snort
    sudo mkdir /var/log/snort
    sudo mkdir /usr/local/lib/snort_dynamicrules
    sudo mkdir /etc/snort/rules
    sudo touch /etc/snort/rules/white_list.rules
    sudo touch /etc/snort/rules/black_list.rules

9) Copy configuration files you build
    cd /Users/madhurao/work/snort/snort-2.9.8.0/etc/
    sudo cp attribute_table.dtd file_magic.conf snort.conf unicode.map classification.config gen-msg.map reference.config threshold.conf /etc/snort/

10) Add some SNORT rules from snort.org
    cd $BUILD_DIR
    mkdir crules
    cd crules

    From the Website, Download the LATEST Snort Rules.
    https://www.snort.org/downloads/registered/snortrules-snapshot-2980.tar.gz

    NOTE: This CLI method does not work.. unfortunately.
    wget https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz
    (You will need to snort.org with a username/password (FREE) to get this)

    tar -xzvf snortrules-snapshot-2962.tar.gz
    sudo cp -r preproc_rules /etc/snort
    sudo cp -r rules /etc/snort
    sudo cp -r so_rules /etc/snort

11) EDIT /etc/snort/snort.conf File
    cd /etc/snort
    sudo vi snort.conf

    EDIT the following lines as shown
    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

11) Fire up snort and do self test (-T option)
    sudo snort -c /etc/snort/snort.conf -T

    ....you will see something like this
    Snort successfully validated the configuration!
    Snort exiting

12) Enabling OpenAppID in Snort
    wget https://www.snort.org/downloads/openappid/3192 -O snort-openappid.tar.gz
    tar xvfz snort-openappid.tar.gz
    sudo mkdir /usr/local/lib/openappid
    sudo mv odp /usr/local/lib/openappid/

    Edit the /etc/snort/snort.conf File
    sudo vi /etc/snort/snort.conf
    Search for "Step #5: Configure preprocessors"
    After this Line -- "preprocessor reputation:"
    Add the following Lines to enable OpenAppId.

    # AppID preprocessor. For more information see README.appid
    preprocessor appid : \
        app_stats_filename appstats-unified.log, \
        app_stats_period 60, \
        app_detector_dir /usr/local/lib/openappid

    Finally, uncomment this Line in snort.conf file
    output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

12) Test snort with OpenAppID in Snort
    sudo snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none
    sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i eth0 -k none

    You will see the Following when SNORT runs properly on MAC

    MADHURAO-M-90DD:snort madhurao$ sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i en0 -k none
    Password:
    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    ....
    Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
    ....
    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
    Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
    Preprocessor Object: SF_SSH Version 1.1 <Build 3>
    Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
    Preprocessor Object: SF_SIP Version 1.1 <Build 1>
    Preprocessor Object: SF_SDF Version 1.1 <Build 1>
    Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
    Preprocessor Object: SF_POP Version 1.0 <Build 1>
    Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
    Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
    Preprocessor Object: SF_GTP Version 1.1 <Build 1>
    Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
    Preprocessor Object: SF_DNS Version 1.1 <Build 4>
    Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
    Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
    Preprocessor Object: appid Version 1.1 <Build 5>
    Commencing packet processing (pid=66645)
    ...

Cheers.
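A pre-flight wrapper for the 'sudo snort ... --daq pcap --daq-mode passive -i en0 -k none' invocation above, as an added example that is not part of the original message: it checks that the capture interface actually exists on the host (the eth0-vs-en0 mix-up behind the BIOCSETIF error in this thread) and runs the -T self test before starting Snort. SNORT_CONF and the interface names in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: a pre-flight wrapper around the
# 'sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i en0 -k none'
# run shown above. It refuses to start Snort on an interface the host does not
# have (the "BIOCSETIF failed: Device not configured" failure in the thread)
# and runs the 'snort -T' self test before going live. SNORT_CONF is assumed.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Print interface names one per line. On macOS 'ifconfig -l' gives them on a
# single line (lo0 gif0 stf0 en0 ...); elsewhere fall back to /sys/class/net.
list_ifaces() {
    if ifconfig -l >/dev/null 2>&1; then
        ifconfig -l | tr ' ' '\n'
    else
        ls /sys/class/net 2>/dev/null
    fi
}

# iface_exists NAME LIST: succeed only on an exact, whole-word match of NAME
# in the whitespace-separated LIST (so "en" does not match "en0").
iface_exists() {
    _name=$1
    for _i in $2; do
        [ "$_i" = "$_name" ] && return 0
    done
    return 1
}

# snort_cmd NAME: the passive pcap DAQ command line from the thread, with
# the interface substituted.
snort_cmd() {
    printf 'snort -c %s --daq pcap --daq-mode passive -i %s -k none\n' \
        "$SNORT_CONF" "$1"
}

# run_snort NAME: check the interface, validate the config, then start Snort.
run_snort() {
    _iface=$1
    _have=$(list_ifaces | tr '\n' ' ')
    if ! iface_exists "$_iface" "$_have"; then
        echo "no such interface '$_iface'; host has: $_have" >&2
        return 2
    fi
    sudo snort -c "$SNORT_CONF" -T || return 3
    # word splitting of the generated command line is intended here
    sudo $(snort_cmd "$_iface")
}
```

Call it as `run_snort en0`; a wrong name fails fast with the host's real interface list instead of Snort's BIOCSETIF error.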
On Mon, Feb 15, 2016 at 1:39 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

    I don't think that the interface would be called "eth0" on a mac. You may want to make sure you have the right device specified.

    --
    *Joel Esler*
    Manager, Talos Group

    On Feb 12, 2016, at 5:04 PM, Madhu Rao <k.madhurao.123 () gmail com> wrote:

        Hi Folks

        Has anyone had Luck downloading and compiling snort 2.9.8.0 and get it working on Latest MAC OS X El Capitan ?
        I have a macbook pro running El Capitan. (OSX 10.11.3)

        I See the following Errors when I run Snort.

        $ sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i eth0 -k none
        pcap DAQ configured to passive.
        Acquiring network traffic from "eth0".
        Reload thread starting...
        Reload thread started, thread 0x700000081000 (41553)
        ERROR: Can't start DAQ (-1) - BIOCSETIF failed: Device not configured!
        Fatal Error, Quitting..

        BTW - when I configured DAQ, this was the outcome.

        $ cd daq-2.0.6
        ./configure --disable-afpacket-module
        ...
        Build AFPacket DAQ module.. : no
        Build Dump DAQ module...... : yes
        Build IPFW DAQ module...... : yes
        Build IPQ DAQ module....... : no
        Build NFQ DAQ module....... : no
        Build PCAP DAQ module...... : yes
        Build netmap DAQ module.... : no

        Any pointers appreciated.
        --
        madhu

    _______________________________________________
    Snort-devel mailing list
    Snort-devel () lists sourceforge net
    https://lists.sourceforge.net/lists/listinfo/snort-devel
    Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
    Please visit http://blog.snort.org for the latest news about Snort!