My Snort on OSX Install Notes

1 Download Snort
2 Download pcre
3 Untar pcre
4 Cd to pcre
5 ./configure
make install
(NOTE: Install prefix ……………… : /usr/local)
6 Untar Snort
7 CD to snort
8 ./configure --enable-dynamicplugin --with-mysql --with-mysql-includes=/opt/local/include/mysql5/ --with-mysql-libraries=/opt/local/lib/mysql5/mysql/
9 make
10 sudo make install
/usr/bin/install -c -m 644 './snort.8' '/usr/local/man/man8/snort.8'
test -z "/usr/local/lib/pkgconfig" || /bin/sh ./mkinstalldirs "/usr/local/lib/pkgconfig"
/usr/bin/install -c -m 644 'snort.pc' '/usr/local/lib/pkgconfig/snort.pc'

11. Get the rules from the snort site and untar them
I used snorttemp as the folder
12. Make a folder for the rules
mkdir /opt/local/etc/snort/
mkdir /opt/local/etc/snort/rules/
13. Copy the rules over
cd ~/snorttemp/rules/
cp * /opt/local/etc/snort/rules/
I also copied over the etc folder
cd ~/snorttemp/etc/
cp * /opt/local/etc/snort/
14. Edit the Snort configuration
vi /opt/local/etc/snort/snort.conf
change "var HOME_NET any" to "var HOME_NET <your-home-network>", using the address range of your own network
change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" This is everything except your home network
change "var RULE_PATH ../rules" to "var RULE_PATH /opt/local/etc/snort/rules"
go to the line that starts with "# output database: log, mysql, user=" and remove the # from the beginning of the line
fill in your user, password and dbname on that line
15. mysql setup
log in to mysql as root
mysql -u root -p

create a snort database
mysql> create database snort;

create a user and password to match your mysql setup in the snort config:
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'somepassword';

give that user access to the database
mysql> GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost';
mysql> exit

Import the snort schema into the database.
mysql -D snort -u root -p < schemas/create_mysql
(run from the snort source directory, where the schemas folder lives)
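Steps 14 and 15 share one thing that is easy to get wrong by hand: the user, password and dbname on the `output database:` line must match the user and grant you create in MySQL. The script below is an added example, not part of the original notes, that makes the step 14 edits to snort.conf with sed, verifies each one landed, and prints the step 15 SQL from the same variables so the two cannot drift apart. The paths, the home network CIDR and the credentials are placeholders you replace; the sample config it demonstrates on is constructed inline so it runs without Snort installed.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumed values below are
# placeholders: SNORT_CONF, RULE_DIR, HOME_NET_CIDR and the DB_* credentials.
SNORT_CONF="${SNORT_CONF:-/opt/local/etc/snort/snort.conf}"
RULE_DIR="${RULE_DIR:-/opt/local/etc/snort/rules}"
HOME_NET_CIDR="${HOME_NET_CIDR:-192.168.1.0/24}"   # placeholder: your LAN
DB_USER="${DB_USER:-snort}"                          # placeholder
DB_PASS="${DB_PASS:-somepassword}"                   # placeholder, same as step 15
DB_NAME="${DB_NAME:-snort}"

# configure_snort_conf FILE: apply the four step 14 edits in place,
# keeping an untouched copy as FILE.orig.
configure_snort_conf() {
    conf="$1"
    cp "$conf" "$conf.orig"
    sed -e "s|^var HOME_NET any$|var HOME_NET $HOME_NET_CIDR|" \
        -e "s|^var EXTERNAL_NET any$|var EXTERNAL_NET !\$HOME_NET|" \
        -e "s|^var RULE_PATH \.\./rules$|var RULE_PATH $RULE_DIR|" \
        -e "s|^# output database: log, mysql, user=.*$|output database: log, mysql, user=$DB_USER password=$DB_PASS dbname=$DB_NAME host=localhost|" \
        "$conf.orig" > "$conf"
}

# verify_snort_conf FILE: succeed only if every edit is present and the
# "any" defaults and the commented-out database line are gone.
verify_snort_conf() {
    conf="$1"
    grep -q "^var HOME_NET $HOME_NET_CIDR"'$' "$conf" || return 1
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" || return 1
    grep -q "^var RULE_PATH $RULE_DIR"'$' "$conf" || return 1
    grep -q "^output database: log, mysql, user=$DB_USER password=$DB_PASS dbname=$DB_NAME " "$conf" || return 1
    ! grep -q '^var HOME_NET any$' "$conf" || return 1
    ! grep -q '^var EXTERNAL_NET any$' "$conf" || return 1
    ! grep -q '^# output database:' "$conf" || return 1
    return 0
}

# mysql_setup_sql: print the step 15 statements using the same credentials
# as the config line above (same grant the notes use). Save it to a file and
# run: mysql -u root -p < snort_setup.sql
mysql_setup_sql() {
    cat <<EOF
CREATE DATABASE IF NOT EXISTS $DB_NAME;
CREATE USER '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL PRIVILEGES ON $DB_NAME.* TO '$DB_USER'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# make_sample_conf FILE: constructed stand-in for the relevant snort.conf
# lines, so the demo below runs without a real Snort install.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/local.rules
EOF
}

# Demo on a temp copy; it never touches $SNORT_CONF. To do the real thing,
# call configure_snort_conf "$SNORT_CONF" and verify_snort_conf "$SNORT_CONF".
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    configure_snort_conf "$tmp"
    if verify_snort_conf "$tmp"; then
        echo "snort.conf edits verified:"
        cat "$tmp"
    else
        echo "verification failed, see $tmp"
    fi
    rm -f "$tmp" "$tmp.orig"
}
demo
```

After applying it to the real file, `snort -T -c /opt/local/etc/snort/snort.conf` parses the configuration and rule set without sniffing, which catches a bad RULE_PATH or a malformed output line before step 16.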

16. Start it up
snort -c /opt/local/etc/snort/snort.conf

If it works it should look something like:
--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version (Build 114)
   ''''    By Martin Roesch & The Snort Team:

You can use ctrl+c to stop it.