Snort 3 installation on CentOS

Download CentOS 8 Stream: http://isoredirect.centos.org/centos/8-stream/isos/x86_64/
Download LibDAQ: https://github.com/snort3/libdaq

The following dependencies are mandatory for building Snort: dnet, pcap, pcre, openssl, zlib, pkgconfig, LuaJIT, hwloc, LibDAQ and libmnl.

Preparation
Building Snort on CentOS requires several development libraries that are not present in the default repositories (AppStream, BaseOS and Extras). Instead, these libraries live in the PowerTools repository, which is disabled by default, so the PowerTools repository is enabled first.
# dnf config-manager --add-repo /etc/yum.repos.d/CentOS-Stream-PowerTools.repo
# dnf config-manager --set-enabled powertools

Additional development libraries exist in the EPEL repository. Enabling the EPEL repository reduces build time and streamlines the installation and updating of these libraries. Otherwise, packages from the EPEL repository have to be built from their source code.
# dnf install epel-release

Now that all of the repositories are enabled, it is time to ensure that the operating system and existing packages are up to date. This may require a reboot, especially if the updates include a kernel upgrade.
# dnf upgrade
# reboot now

Since some of the packages may be built from source, a directory is created to house the source code.
# mkdir sources && cd sources

Next, some helper packages are installed; they are not required by Snort and can be removed later.
# dnf install vim git nano

Red Hat-based operating systems do not include /usr/local/lib and /usr/local/lib64 in the linker cache search paths, which causes build errors because the referenced libraries cannot be found. This is corrected by creating a configuration file under /etc/ld.so.conf.d that contains the required paths and then updating the cache.
# vi /etc/ld.so.conf.d/local.conf

Add the following two lines to the newly created configuration file. They are file contents, not shell commands, so write them without a leading '#' (a leading '#' would turn them into comments and ldconfig would ignore them).
/usr/local/lib
/usr/local/lib64

After saving the configuration file, run ldconfig.
# ldconfig

The final step in the preparation is to install the build tools from the repository. These include the flex (flex), bison (bison), gcc (gcc), c++ (gcc-c++), make (make), cmake (cmake), autoconf (autoconf), automake (automake) and libtool (libtool) packages.
# dnf install flex bison gcc gcc-c++ make cmake automake autoconf libtool

Install the Snort dependencies. These are installed from the CentOS repositories.
# dnf install libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconf libmnl-devel libunwind-devel

LibDAQ forms the main part of the Snort installation; its role is network packet acquisition. LibDAQ cleanly separates fetching packets from the NIC from the actual Snort processing. LibDAQ's default network library is PCAP (libpcap), a platform-independent interface for capturing packets in user space.

Building LibDAQ with NFQ support requires additional packages to be installed before configuration: libnfnetlink (libnfnetlink-devel) and libnetfilter_queue (libnetfilter_queue-devel).
# dnf install libnfnetlink-devel libnetfilter_queue-devel

Snort 3 requires LibDAQ (>=3.0.0). Clone it and generate the configuration script.
# git clone https://github.com/snort3/libdaq.git
# cd libdaq/
# ./bootstrap
# ./configure

You will get output similar to the one below (omitted here).

Proceed to install LibDAQ.
# make
# make install
# ldconfig

Installing Snort
Now that all of the dependencies are installed, clone the Snort 3 repository from GitHub.
# git clone https://github.com/snort3/snort3.git
# cd snort3

Before configuring Snort, export PKG_CONFIG_PATH so that it includes the LibDAQ pkgconfig path as well as the other packages' pkgconfig paths; otherwise, the build process may fail.
# export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
# export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:$PKG_CONFIG_PATH
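The two preparation steps that most often break the Snort 3 build are the ld.so.conf.d fragment (a stray '#' silently comments the paths out) and an incomplete PKG_CONFIG_PATH. The pre-build check below is an added example, not part of the original post; the function names and the default file path argument are my own choices.

```shell
#!/bin/sh
# Added example: pre-build sanity check for the Snort 3 preparation steps
# (not from the original post). Verifies that the ld.so.conf.d fragment
# lists /usr/local/lib and /usr/local/lib64 as active (uncommented) lines
# and that PKG_CONFIG_PATH contains both pkgconfig directories LibDAQ uses.

# check_ldconf FILE -> returns 0 if FILE contains both paths as active lines
check_ldconf() {
    file="$1"
    rc=0
    for path in /usr/local/lib /usr/local/lib64; do
        # strip comments and surrounding whitespace, then require an exact line
        if ! sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
             | grep -qxF "$path"; then
            echo "ldconfig: $path missing or commented out in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# check_pkg_config_path VALUE -> returns 0 if both pkgconfig dirs are in VALUE
check_pkg_config_path() {
    value="$1"
    rc=0
    for dir in /usr/local/lib/pkgconfig /usr/local/lib64/pkgconfig; do
        case ":$value:" in
            *":$dir:"*) ;;
            *) echo "PKG_CONFIG_PATH: $dir not included" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# snort3_preflight [FILE] -> runs both checks against FILE (default: the
# file created above) and the current PKG_CONFIG_PATH; non-zero on any miss
snort3_preflight() {
    ok=0
    check_ldconf "${1:-/etc/ld.so.conf.d/local.conf}" || ok=1
    check_pkg_config_path "${PKG_CONFIG_PATH:-}" || ok=1
    return $ok
}
```

Run `snort3_preflight` after the two export lines above; a non-zero exit with the printed reason tells you which step to redo before running configure_cmake.sh.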

Proceed to build Snort 3 with tcmalloc support enabled. The compiler flags exported before building Snort help improve compilation time, the performance of the generated code, and the size of the final Snort binary.
# export CFLAGS="-O3"
# export CXXFLAGS="-O3 -fno-rtti"
# ./configure_cmake.sh --prefix=/usr/local/snort --enable-tcmalloc

The above command should result in output similar to the one below (omitted here).

Proceed to install Snort.
# cd build/
# make -j$(nproc)
# make -j$(nproc) install

Once the installation is complete, verify that Snort 3 reports the expected version and library names.
# /usr/local/snort/bin/snort -V
