Tuesday, 12-Dec-2000 10:32:05 EST
Newbized Help Files articles discussion board bookshelf sensei's log advertising info
Installing Snort 1.6.3 on SuSE 6.x-7.x
Written By: DrSuSE
Home Page:


Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.


You MUST have libpcap and tcpdump installed. SuSE Linux includes both but if you want to get the latest or for some reason dont have them, they can be found at:

1. Login as root

2. Get Snort 1.6.3 source and save it to your /tmp directory.

3. CD to your /tmp directory and untar the snort file by using the command:
tar -xvzf snort-1.6.3.tar.gz

4. CD to /tmp/snort-1.6.3

5. Run configure by typing:

6. Run make by typing:

7. Run make install by typing:
make install

8. Create a snort directory in /etc:
mkdir /etc/snort

9. Create a snort log directory: mkdir /var/log/snort

10. Now, we need to move the Snort rule files. From the /tmp/snort-1.6.3 directory type:
mv *lib /etc/snort

11. Let's edit the /etc/snort/snort-lib file using your favorite editor. Dr SuSE likes vi

12. The first thing we need to do is find and edit the HOME_NET variable. Change it to reflect your network range. Mine is

13. Move on down until you get to the line for the DNS_SERVER and change that variable to reflect your DNS or ISP's DNS server.

14. Ok, now move down until you find a line that reads "preprocessor portscan: $HOME_NET 4 3 portscan.log" and change it so that portscan.log points to /var/log/snort. The line should look like this:
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

15. Alright, now then if you look further down you will see a series of lines that begin with "include something-lib" Change each line so that it reflects the full path like this:
include /etc/snort/webcgi-lib

16. Ok, save the file.

Guess what? Snort is now usable but were gonna get it to start up each time you boot your machine.

1. Get the snort-init script which was written by Matthias Eckermann of SuSE Linux Solutions AG. You can get it from the following places.

2. Move snort-init to /etc/rc.d/init.d as snort:
mv ./snort-init /etc/rc.d/init.d/snort

3. cd to /etc/rc.d/init.d so we can make some sym links. Run the two following commands:
ln -s ../snort /sbin/init.d/rc2.d/S26snort
ln -s ../snort /sbin/init.d/rc2.d/K26snort

4. Make /etc/rc.d/init.d/snort executable. From the /etc/rc.d/init.d directory type:
chmod +x ./snort

5. Edit the file rc.config in the /etc directory and add this line to the end of it:

6. Ok, that's it for the rc.config file, save it and let's get to snortin some packets.

You can either shutdown -hr now or you can telinit s then telinit 2.

Well, if everything went well, your box should be snortin packets and logging alerts.

You can check to make sure Snort is running by using this command:
ps -ax | grep snort

Installing SnortSnarf on SuSE 6.x-7.x

1. Get the latest SnortSnarf version from Silicon Defense. and place it into your /tmp directory.

2. cd to the /tmp directory and extract the file using the following command:
tar -xvzf ./SnortSnarf-100400.1.tar.gz

3. cd to /tmp/SnortSnarf-100400.1/include

4. Copy the contents of the include directory to /usr/lib/perl5/site_perl
cp ./* /usr/lib/perl5/site_perl/5.005/

5. cd to /tmp/SnortSnarf-100400.1/cgi

6. Copy the contents of the cgi directory to /usr/local/httpd/cgi-bin
cp ./* /usr/local/httpd/cgi-bin/

7. Now go back to the directory /tmp/SnortSnarf-100400.1 and copy the file a directory or your choice. I just made one called /snarf and put it there.

8. Go to the directory where you placed and let's run the following command:
./ -rulesdir /etc/snort -rulesfile /etc/snort/snort-lib -d /usr/local/httpd/htdocs/snort /var/log/snort/snort.alert /var/log/snort/portscan.log

TIP: That's a long command, you might want to script it.

If everything went according to plan you should be able to view your SnortSnarf result page at http://localhost/snort

Want to see what it all looks like? Check out my SnortSnarf page HERE


I hope you enjoy Snort and SnortSnarf and I hope this NHF has been of some help to you. I encourage you to learn more about Snort and SnortSnarf as there are many features that have not been covered in this NHF.

Soon you will be well on your way to writing your own Snort rules and some of you may have the opportunity to install and administer your own Snort box at work. Snort is an excellant tool for learning about network attacks and TCP/IP and it's been a very enjoyable application to work with. I'm sure you will enjoy it as much as I do. If you run into problems, you can get help by using the Snort User Forum at As always I welcome your email and if I have the time I am always willing to help.

Links of Interest:

Official Snort site

Special Thanks:

Marty Roesch: The man responsible for giving us Snort.
Matthias Eckermann: Matthias wrote the Snort init script. Matthias, hook me up with a job at SUSE.
The Snort Team: You know who you do the FEDS ;)
Stuart, James and Joe: Silicon Defense crew who wrote SnortSnarf.
Max Vision: Masta of the uber 31337 arachNIDS database.
Sensei: It's www.linuxnewbie.ORG not .com

Would you like to have your article published online? Send them in to
[-NHF Control Panel-]
The Linux Channel at
Linux Planet
Linux Today
Linux Central
Just Linux
Linux Programming
Linux Start
BSD Today
Apache Today
Enterprise Linux Today
BSD Central
All Linux Devices
[-What's New-]
Order a Linuxnewbie T-Shirt
Easy Webcam NHF
Directory Navigation NHF
Installing Snort 1.6.3 on SuSE 6.x-7.x
Customizing vim
The SysVinit NHF
Installing ALSA for the VT82C686 integrated sound
USB Creative Video Blaster II for Linux
Configuring the Intellimouse Explorer in XFree86 V4+
The beginnings of a distro NHF
Getting Past Carnivore?
Getting and Installing PGP
Getting your ATI Rage 128 Working
How to create a multiple partition system
Using Fdisk
Introduction to Programming in C/C++ with Vim
Adding a Hard drive in Linux -- In five steps
Installing ALSA for the Yamaha DS-XG Sound Card
Getting your Diamond Rio Mp3 Player to work with Linux
Bash Programming Cheat Sheet
Installing NVIDIA Drivers for Mandrake
Setting up Portsentry
Hard Drive Speed Tweak for Linux
Sensei's Log
Chat room
Join: SETI Black Belts!
Send in your news
Click the image to add to your MyNetscape Page
[-LNO Newsletter-]

The beginnings of a distro NHF
Connecting to the Internet using KPPP
Getting your SBLive to work
Unreal Tournament NHF
LWE Day 2 Pictures
LWE Day 1 Pictures
WoW (Words of Wisdom)
Other sites news
What is Linux?
What is Linux? part deux (ups & downs)
Search newsgroups
The List
ALS Report
Feedback Form
Match: Format: Sort by:
[-Quick Links-]

Copyright 2000 Corp. All Rights Reserved. Legal Notices Privacy Policy