Currently, I have installed the newest NST in the VMServer and it works ok.
But what gives me trouble is that I don't know how to enable snort inline mode (snort in intrusion detection mode is OK).
In a normal setup of snort inline mode, I just need to compile snort at install time like: ./configure --enable-inline ; make ; make install. To enable snort inline mode, I just type: snort -Q -c /etc/snort/snort.conf.
But in NST, it does not seem to work in inline mode. How can I enable snort inline mode in NST? Does it still need snort to be recompiled in inline mode, like ./configure --enable-inline? If so, where can I find the "configure" file for snort?
Can anyone give me some idea to enable and run snort inline mode in NST?
Thanks a lot!
Ronald W. Henderson
Unfortunately the version of snort compiled with NST does not support the inline mode (was not compiled in).
You will need to compile your own version of snort using "--enable-inline" when configuring, as you have already pointed out.
You will need to get the latest snort source code from the Sourcefire site:
The configure script is located within the compressed tar archive…
Thanks for your kind reply.
In this case, once I have installed snort, how can I combine the existing functions in NST, like BASE, Oinkmaster and other software, with snort?
And does it mean that when I install my own snort in inline mode, I cannot use the browser to view or configure it? Usually, we just need to open a link like https://192.168.1.132, and then we can view all the installed tools.
After compiling replace the following binaries and libraries with your inline version. This should allow the NST WUI to function correctly.
***Note: Beware - if a new RPM is released by the NST project it will overwrite your custom snort inline build. Therefore be careful when updating your NST system by skipping any snort updates…
I will take a look at trying to build snort with inline mode enabled when we move to F12…
Many thanks for your information. I will follow your suggestion to implement snort inline mode.
When you build a custom version of snort, there are a couple of approaches you can take. I've outlined the "RPM" approach which should work on a 2.11.0 x86 version of the NST system with snort 220.127.116.11.
To take the RPM approach, you need to log in as 'root' as it involves installing packages onto the system.
Download the source RPM:
yumdownloader --source snort
This should download the current source RPM from the NST repository. You then install the source using the command:
rpm -ivh snort-18.104.22.168-4.nst11.src.rpm
This should extract the code from the source snort RPM and install it under various $HOME/rpmbuild directories.
Before you will be able to compile snort, you will need to have several development packages installed on your system. You will probably need to experiment a bit, but here are a few critical ones (I'm making a guess here as I've updated my system with other packages over time - you may need to install more):
yum install gcc make rpm-build libnet-devel mysql-devel nst-devel libdnet-devel
Verify that you can build the current version of snort (if this fails, it means there are more packages you need to install - look for compilation errors for hints).
rpmbuild -bb $HOME/rpmbuild/SPECS/snort.spec
Once you can build the current version of snort, edit the $HOME/rpmbuild/SPECS/snort.spec file with the options you would like to include in your build:
Look for the invocation of the configure script (you'll see things like --prefix, --bindir and many other settings). Add the options you want to experiment with, but leave the directory settings alone (so that your build of snort will interact cleanly with the NST system).
Try building your own custom snort package:
If the build works, you should get a binary RPM (look under $HOME/rpmbuild/RPMS/i586). If it doesn't work, it means one of the following occurred:
1. You incorrectly modified the
2. The options you added require that additional packages/libraries be installed on your system (again look at the output and try to figure out what libraries you need to add to your system).
Once you get a good build, remove the current snort installation and install your newly built package:
rpm --erase --nodeps snort
rpm -ivh --force $HOME/rpmbuild/RPMS/i586/snort-22.214.171.124-4.nst11.i586.rpm
And remember, if you run yum update in the future, your custom build might be clobbered. So, you'll either need to repeat the process, or make sure you don't update snort when using yum (check out the man page for yum or yum.conf - I think there is a way to tell yum not to update certain packages).
PS: If you are successful in accomplishing your goal, could you post a follow up note describing what changes you need to make to snort.spec and what additional packages/libraries you needed to install on the system?
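The two hand edits in the RPM approach above (adding --enable-inline to the configure line in snort.spec, and keeping yum from clobbering the custom package) can be scripted so they survive a rebuild. This is an added helper, not NST project code or anything posted in the thread; it assumes a spec whose configure call starts a line with %configure or ./configure, and a yum.conf with a [main] section (the exclude= option is a standard yum.conf setting). The sample files it writes are constructed for the demo.

```bash
#!/bin/bash
# Added helper (not part of NST or this thread): automates the two manual
# edits from the RPM approach so they can be re-applied after each update.
set -eu

# Append one configure option (e.g. --enable-inline) to the configure
# invocation in an RPM spec, leaving --prefix, --bindir etc. untouched.
# Idempotent: running it twice does not duplicate the option.
enable_configure_option() {
    spec="$1"; opt="$2"; tmp="$spec.tmp"
    grep -q -- "$opt" "$spec" && return 0
    while IFS= read -r line; do
        case "$line" in
            %configure*\\|./configure*\\)
                # line continues on the next one: keep the trailing backslash
                head="${line%\\}"; head="${head% }"
                printf '%s %s \\\n' "$head" "$opt" ;;
            %configure*|./configure*)
                printf '%s %s\n' "$line" "$opt" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$spec" > "$tmp"
    mv "$tmp" "$spec"
}

# Pin snort in yum.conf so 'yum update' skips it (yum honours an
# 'exclude=' line in the [main] section); idempotent as well.
yum_exclude_snort() {
    conf="$1"; tmp="$conf.tmp"
    grep -q '^exclude=.*snort' "$conf" && return 0
    while IFS= read -r line; do
        printf '%s\n' "$line"
        if [ "$line" = "[main]" ]; then printf 'exclude=snort*\n'; fi
    done < "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Demo on constructed sample files (not a real snort.spec or yum.conf).
demo() {
    dir=$(mktemp -d)
    printf '%%build\n%%configure --prefix=/usr --bindir=/usr/bin \\\n    --with-mysql\nmake\n' > "$dir/snort.spec"
    printf '[main]\ncachedir=/var/cache/yum\n' > "$dir/yum.conf"
    enable_configure_option "$dir/snort.spec" --enable-inline
    enable_configure_option "$dir/snort.spec" --enable-inline   # no-op
    yum_exclude_snort "$dir/yum.conf"
    cat "$dir/snort.spec" "$dir/yum.conf"
}
demo
```

Run it against a copy of $HOME/rpmbuild/SPECS/snort.spec first and diff the result before using it on the real spec; the yum.conf edit needs root.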