http://www.internetsecurityguru.com/documents/Snort_Base_Barnyard_CentOS_5.pdf
http://miskm.blogspot.com/
1.wget http://www.snort.org/dl/current/snort-2.8.1.tar.gz
2.wget http://www.tcpdump.org/release/tcpdump-3.9.8.tar.gz
3.wget http://www.tcpdump.org/release/libpcap-0.9.8.tar.gz
4.tar xvfz libpcap-0.9.8.tar.gz
#cd libpcap-0.9.8
#./configure
将 `#include <linux/types.h>` 加入到 `/usr/include/linux/if_packet.h`（这里的 # 是 C 预处理指令的一部分，不是 root 提示符）
#make
#make install
5.wget http://jaist.dl.sourceforge.net/sourceforge/pcre/pcre-7.7.tar.gz
# cd pcre-7.7
#./configure
#make
#make install
6. cd snort-2.8.1
#./configure --with-mysql --enable-dynamicplugin
#make
#make install
#groupadd snort
#useradd -g snort snort -s /sbin/nologin
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
cd etc/ (the etc/ directory inside the snort-2.8.1 source tree you are still in after make install)
cp * /etc/snort
wget http://dump.komsi.se/snortrules-snapshot-2.8.tar.gz (this is a third-party mirror rather than snort.org; verify the archive against the ruleset publisher's checksum or signature before extracting it into /etc/snort)
tar zxvf snortrules-snapshot-2.8.tar.gz -C /etc/snort/
cd /etc/snort/
joe snort.conf
var HOME_NET 10.0.0.0/24 (set this to whatever your internal network is, in CIDR notation. If you do not know CIDR, see http://www.oav.net/mirrors/cidr.html)
var EXTERNAL_NET !$HOME_NET (this means everything that is not your home net is treated as external to your network)
change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”
After the line that says “preprocessor stream4_reassemble” add a line that looks like “preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433” (without the quotes)
Uncomment (remove the leading #) the following lines in the output section of /etc/snort/snort.conf:
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128