Note to Windows users: If you’re downloading Snort binaries the only requirements are WinPcap and Barnyard. Libpcap
In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.
Monitoring software may use libpcap and/or WinPcap to capture packets traveling over a network. libpcap and WinPcap also support saving captured packets to a file and reading files containing saved packets. Snort uses these files to read network traffic and analyze it.
For more information and to download please visit tcpdump PCRE
Perl Compatible Regular Expressions (PCRE) is a regular expression C library inspired by Perl’s external interface, written by Philip Hazel. The PCRE library is incorporated into a number of prominent open-source programs such as the Apache HTTP Server, the PHP and R scripting languages, and Snort.
For more information and to download please visit PCRE Libdnet
Libdnet is a generic networking API that provides access to several protocols.
For more information and to download please visit libdnet Barnyard2
Barnyard is an output system for Snort. Snort creates a special binary output format called ``unified.’’ Barnyard2 reads this file, and then resends the data to a database back-end. Unlike the database output plugin, Barnyard2 manages the sending of events to the database and stores them when the database temporarily cannot accept connections.
For more information and to download please visit barnyard2 DAQ
DAQ is the Data-Acquisition API that is necessary to use Snort version 2.9.0 and above.
For more information and to download please visit DAQ Next: Download Snort
2.如果需要apache ,php ,mysql,snort,acid支持,还需要下载上述软件
参考 http://shenjianzhousx.blog.51cto.com/1627247/454480
3../configute snort过程中出现
ERROR! Libpcap library version >= 1.0.0 not found.
请参考
https://forums.snort.org/forums/snort-newbies/topics/libpcap-not-found
First it is important to note that libpcap is found, just not a version that is >=1.0.0. Notice the message above the one you posted says "checking for pcap_lib_version" = "yes". Then the line you posted indicates a failure because libpcap is not recent enough:
checking for pcap_lib_version… checking for pcap_lib_version in -lpcap… yes
checking for libpcap version >= "1.0.0"… no
ERROR! Libpcap library version >= 1.0.0 not found. Get it from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a>
It appears libpcap-1.1.1.tar.gz installs the library into /usr/local/lib. I tried to force daq to use that library as mentioned in the link Quiltface provided, but it did not work. This lead me to look for another version of libpcap which may be the one that daq is inspecting. I ended up finding another version which was much older:
root@xxxx:# locate libpcap
/usr/lib/libpcap.a
/usr/local/lib/libpcap.a
root@xxxx:# ls l /usr/lib/libpcap.a
-rw-r-r— 1 root root 228262 2008-04-08 22:19 /usr/lib/libpcap.a
root@xxxx:# ls l /usr/local/lib/libpcap.a
-rw-r-r— 1 root root 293658 2011-01-01 22:37 /usr/local/lib/libpcap.a
I copied the new one over the old one and daq compiled and installed without issue:
root@xxxx:# cp /usr/local/lib/libpcap.a /usr/lib/
checking for pcap_lib_version… checking for pcap_lib_version in -lpcap… yes
checking for libpcap version >= "1.0.0"… yes
4.运行snort过程中出现没有找到规则,添加规则或“#”掉。
出现其他错误请参考:http://www.iyunv.com/Article/201008/54546.html
一、执行# snort -c /usr/local/snort/etc/snort.conf的时候出现的三个问题:
1、
ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicengine/libsf_engine.so": No such file or directory.
2、
ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicengine/libsf_engine.so": No such file or directory.
Fatal Error, Quitting..
原因:没有找到/usr/local/lib/snort_dynamicengine/libsf_engine.so文件所在的目录。
解决:将snort安装目录下lib目录内的snort_dynamicengine目录,创建软链接到/usr/local/lib下面。
如:ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
3、
ERROR: parser.c(5047) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules/bad-traffic.so": No such file or directory.
Fatal Error, Quitting..
原因:没有找到/usr/local/lib/snort_dynamicrules/bad-traffic.so文件所在的目录。
解决:将snort安装目录下so_rules/precompiled/Centos-5-4/i386/2.8.6.0目录,创建软链接到/usr/local/lib下面。
如:ln -s /usr/local/snort/so_rules/precompiled/Centos-5-4/i386/2.8.6.0 /usr/local/lib/snort_dynamicrules
(请按实际情况选择正确的操作系统的版本及CPU类型)
二、在编译安装snort过程中提示:
ERROR: /usr/local/snort/etc/snort.conf(193) => Invalid keyword compress_depth for global configuration.
原因:在编译的时候没有带--enable-zlib
解决:清除所有已编译安装的snort信息,再进行编译安装,编译的时候带上--enable-zlib参数。
注:我在进行重新覆盖编译(带--enable-zlib参数)安装,没有成功,不知道是必须清空以前的snort信息,还是RP有问题。
三、在进行base的web配置的时候提示:
Your PHP Logging Level is too high to handle the running of BASE!
Please set the error_reporting variable to at least E_ALL & ~E_NOTICE in your php.ini!
The directory where BASE is installed does not allow the web server to write.
This will prevent the setup progam from creating the base_conf.php file. You have two choices.
1. Make the directory writeable for the web server user.
2. When the set up is done, copy the information displayed to the screen and use it to create a base_conf.php.
四、Not Using PCAP_FRAMES
解决:
# export PCAP_FRAMES="Foo Bar This setting has no impact on my libpcap instance"
(修改用户的环境变量。解决问题的方法出处:http://leonward.wordpress.com/2008/07/18/not-using-pcap_frames-aka-when-good-verbosity-goes-bad/)
五、ERROR: The php session does not contain the array key "adodbpath". This is typically caused by not having allowed cookies. Exiting.
原因:???
解决:???
这个问题我自己也没搞定,待查。
六、在Base的web页面中出现:
Check your Pear::Image_Graph installation!
* Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no
graphing operations can be performed.
* Make sure PEAR libraries can be found by php at all:
pear config-show | grep "PEAR directory"
PEAR directory php_dir /usr/share/pear
This path must be part of the include path of php (cf. /etc/php.ini):
php -i | grep "include_path"
include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php
# pear install Image_Graph-0.7.2
Did not download dependencies: pear/Numbers_Roman, pear/Numbers_Words, use --alldeps or --onlyreqdeps to download automatically
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
downloading Image_Graph-0.7.2.tgz ...
Starting to download Image_Graph-0.7.2.tgz (368,056 bytes)
.....................................done: 368,056 bytes
install ok: channel://pear.php.net/Image_Graph-0.7.2
(说明:事先必须安装php-pear组件!)
5。ERROR: snort.conf(387) => Unable to open the IIS Unicode Map file './unicode.map'.
找到unicode.map copy到提示出错的目录。
QQ群⑧:
窥视卡
雷达卡
发表于 2018-5-12 14:27:08
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡