Sourcefire daq-0.4 and Snort-2.9.0.2 debian packages for Ubuntu 10.04
Dec 19

Moving to Snort 2.9 adds a dependency on a new library, DAQ (the Data Acquisition library), which now handles packet I/O.

The little extra work of packaging a new deb (daq) and checking that the snort debian files were compliant with the new version made me debianize Suricata instead, as I saw that as the quicker way to get an IDS up and running on my new firewall at home.

Now that I have Suricata in place, plus some extra time last night, and as I see people struggling to install/upgrade to Snort 2.9 on Ubuntu, I could not help myself trying to be helpful, again…

So I made debian packages and put them in my Ubuntu 10.04 Lucid PPA on Launchpad. I started a new clean debian package for Snort. It's not yet packed with “debian-easy-features”, so it just installs Snort, makes the directories and adds some default configuration files. I will improve this as I go.

DAQ is built with:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

And Snort is compiled with:

--enable-perfprofiling
--enable-ipv6
--enable-sourcefire
--enable-dynamicplugin
--enable-targetbased
--enable-zlib
--enable-ppm
--enable-gre
--enable-mpls
--enable-decoder-preprocessor-rules
--without-mysql
--without-postgresql

So, if you add my PPA, apt-get install snort gets you version 2.9.0.2. Soon, though, Snort 2.9.0.3 will be out, and I'll upgrade the package accordingly. Suricata 1.0.3 should also be out soon, hopefully this week. Maybe we get fresh releases from this Santa for both engines :)

Until then,

-*> Snort! <*-
Version 2.9.0.2 IPv6 GRE (Build 92)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3.3

3 Responses to “Sourcefire daq-0.4 and Snort-2.9.0.2 debian packages for Ubuntu 10.04”

  1. lyerra, April 18th, 2012 at 01:55

    Hi,

    Thanks for the package. I added your ppa and installed snort, all goes fine, snort runs in both sniffer mode and logger mode.

    However, when I add the rules from the snort website and I try to run snort in NIDS mode, it complains of not finding “white_list.rules”.

    I edited snort.conf as follows:

    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

    But that was useless; that file does not exist in the new ruleset… How to fix that?

  2. April 18th, 2012 at 10:32

    Hi,

    Try to set vars in snort.conf like:
    var WHITE_LIST_PATH rules
    var BLACK_LIST_PATH rules

    And then touch the following files:
    $ touch /etc/snort/rules/white_list.rules
    $ touch /etc/snort/rules/black_list.rules

    It should then not error out.

  3. lyerra, April 18th, 2012 at 21:36

    Working like a charm now.

    By default, the vars in snort.conf were listed as :

    var WHITE_LIST_PATH rules/rules
    var BLACK_LIST_PATH rules/rules

    I don’t really get why it doesn’t understand the absolute path, but whatever works…

    Thanks a LOT for the packages, please maintain it for our sake. Ubuntu really should be updating their repositories but it does not look like they will.
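The fix worked out in the thread above, as a script. This is an added example, not code from the original post or from the snort package: it reads WHITE_LIST_PATH and BLACK_LIST_PATH from snort.conf, resolves relative values against the directory that holds snort.conf (which is how Snort treats relative include paths, and why a bare "rules" ends up as /etc/snort/rules), creates the two list files the reputation preprocessor expects if they are missing, and then runs snort -T to validate the whole configuration when a snort binary is on the PATH. The reputation stanza quoted in the comments and the list-file format (one IP or CIDR per line, # for comments) are those of the stock Snort 2.9 snort.conf; an empty list file is valid and simply matches nothing, which is why touching the files is enough to let Snort start.

```shell
#!/bin/sh
# Added example, not code from the original post or the snort package.
# The stock Snort 2.9 snort.conf enables the reputation preprocessor as
#   preprocessor reputation: memcap 500, priority whitelist, nested_ip inner, \
#       whitelist $WHITE_LIST_PATH/white_list.rules, \
#       blacklist $BLACK_LIST_PATH/black_list.rules
# and Snort refuses to start if either file is missing. This script
# resolves the two vars and creates the files as empty lists.

# Print the value of "var NAME value" from snort.conf (first match wins).
snort_var() {
    conf=$1 name=$2
    awk -v n="$name" '$1 == "var" && $2 == n { print $3; exit }' "$conf"
}

# Absolute values stay as they are; relative ones are taken relative to the
# directory that holds snort.conf, as Snort does for relative include paths.
resolve_path() {
    conf=$1 value=$2
    case $value in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$value" ;;
    esac
}

# Create the list file $3 under the directory named by var $2 if it is
# missing, and print its resolved path. An empty list matches nothing;
# entries are one IP or CIDR block per line, '#' starts a comment.
ensure_list() {
    conf=$1 varname=$2 file=$3
    value=$(snort_var "$conf" "$varname") || return 1
    if [ -z "$value" ]; then
        echo "error: no 'var $varname' in $conf" >&2
        return 1
    fi
    dir=$(resolve_path "$conf" "$value")
    mkdir -p "$dir" || return 1
    if [ ! -f "$dir/$file" ]; then
        printf '# %s: one IP or CIDR per line, e.g. 10.0.0.0/8\n' "$file" > "$dir/$file"
    fi
    printf '%s\n' "$dir/$file"
}

# Create both reputation lists referenced by the given snort.conf.
fix_reputation_lists() {
    ensure_list "$1" WHITE_LIST_PATH white_list.rules &&
    ensure_list "$1" BLACK_LIST_PATH black_list.rules
}

# Usage: sh fix_reputation_lists.sh /etc/snort/snort.conf
# snort -T parses the configuration and reports errors without sniffing.
if [ $# -gt 0 ]; then
    fix_reputation_lists "$1" || exit 1
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1"
    fi
fi
```

Run it as root against /etc/snort/snort.conf; if snort -T ends with "Snort successfully validated the configuration", the NIDS-mode start that failed in the comments above will succeed. Once real entries are added to black_list.rules, the same snort -T run is the cheapest way to catch a malformed line before restarting the sensor.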
