1. Download the required files
Installing snort requires libpcap, so download the latest libpcap and snort yourself.
The versions used in this installation guide are:
snort-1.6.tar.gz (the rpm version, snort-1.6-0.i386.rpm, can also be used)
libpcap.tar.Z (the latest is currently version 0.4)
2. Perform the installation
First, build and install libpcap:
# tar zxvf libpcap.tar.Z (extract libpcap.tar.Z)
# cd libpcap-0.4 (change into the libpcap directory)
# cp Makefile.in Makefile
# ./configure
# make
# make install
# make install-incl (in some cases, if this step fails with an error, you may have to create the target directory yourself)
# make install-man
# make clean
Next, build and install snort:
# tar zxvf snort-1.6.tar.gz
# cd snort-1.6
# ./configure
# make
# make install
# make clean
3. Start snort
First, once snort is installed, you can run the command snort -v to check that snort runs properly.
Next, in the snort directory there is a file named snort-lib; this is the default main configuration file.
Look through its contents and make suitable changes. This file includes other configuration files,
and you can likewise modify those as appropriate, but you must first understand snort's rule syntax!
The way I start it is:
cd snort-1.6
snort -c snort-lib
.....start run
initializing network interface
...........
.............keyword | preprocessor: does it detect abnormal packets on the network, or decode them?

http_decode : 0x1234567
-c (tells snort to run with the settings in the snort-lib configuration file)
My snort-lib configuration is as follows:
-------------------------------------------------------------------------
preprocessor http_decode: 80 8080
preprocessor minfrag: 128
var HOME_NET xx.xx.xx.xx/xx (fill in the network you want to monitor)
preprocessor portscan: $HOME_NET 7 2 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $HOME_NET
include web-lib
include overflow-lib
include misc-lib
include scan-lib
include backdoor-lib
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";)
alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";)
alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER "; nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";)
----------------------------------------------------------------------------
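To make the rule syntax above concrete, here is an added example (written for this page, not code from the Snort project) that parses Snort 1.x rules of the form shown in snort-lib and applies their content checks to a packet payload. It assumes a constructed value for $HOME_NET in place of the page's xx.xx.xx.xx/xx, and it assumes Snort's content modifier semantics: the search for each content pattern starts at `offset` and spans `depth` bytes, so the PrettyPark rule is really checking for single spaces at fixed positions in the IRC USER line.

```python
"""Added example: parse Snort 1.x rules and apply their content checks.

Not Snort's own code. Assumptions are marked in comments.
"""
from dataclasses import dataclass, field

# Constructed sample value standing in for the page's "xx.xx.xx.xx/xx".
VARIABLES = {"HOME_NET": "192.0.2.0/24"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # ordered (key, value) pairs

    @property
    def msg(self):
        return next((v for k, v in self.options if k == "msg"), "")


def expand(token, variables):
    """Replace $NAME with its 'var' definition, keeping a leading '!' negation."""
    neg = token.startswith("!")
    body = token[1:] if neg else token
    if body.startswith("$"):
        body = variables[body[1:]]
    return ("!" if neg else "") + body


def split_options(text):
    """Split 'key: value; key2; ...' on ';' characters outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(line, variables=VARIABLES):
    """Parse 'action proto src sport -> dst dport (options)' into a Rule."""
    header, sep, rest = line.partition("(")
    fields = header.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError(f"malformed rule header: {header!r}")
    action, proto, src, sport, _, dst, dport = fields
    options = []
    if sep:
        body = rest.rsplit(")", 1)[0]
        for opt in split_options(body):
            key, _, value = opt.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return Rule(action, proto, expand(src, variables), sport,
                expand(dst, variables), dport, options)


def content_checks(rule):
    """Group each content option with the offset/depth/nocase modifiers following it."""
    checks, current = [], None
    for key, value in rule.options:
        if key == "content":
            current = {"pattern": value.encode(), "offset": 0, "depth": None, "nocase": False}
            checks.append(current)
        elif current is not None and key in ("offset", "depth"):
            current[key] = int(value)
        elif current is not None and key == "nocase":
            current["nocase"] = True
    return checks


def payload_matches(rule, payload):
    """True if every content check hits. Assumed semantics: the search window
    starts at `offset` and spans `depth` bytes (whole payload if no depth)."""
    for chk in content_checks(rule):
        start = chk["offset"]
        end = len(payload) if chk["depth"] is None else start + chk["depth"]
        window, pattern = payload[start:end], chk["pattern"]
        if chk["nocase"]:
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True


PRETTYPARK = parse_rule(
    'alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER "; nocase; '
    'offset:0; depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; '
    'depth:1; content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";)'
)

# Constructed payload laid out so the spaces fall at bytes 11, 18 and 26.
SAMPLE_HIT = b"USER abcdef ghijkl mnopqrs :rest"
SAMPLE_MISS = b"NICK abcdef ghijkl mnopqrs :rest"

if __name__ == "__main__":
    print(PRETTYPARK.msg, payload_matches(PRETTYPARK, SAMPLE_HIT))   # True
    print(PRETTYPARK.msg, payload_matches(PRETTYPARK, SAMPLE_MISS))  # False
```

Because the positional checks are tied to fixed byte offsets, the rule fires only for one exact field layout; that is why such signatures are brittle and why a rule author must understand the modifier semantics before editing snort-lib.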
This way, snort will store the alerts it detects in /var/log/snort.alert and under /var/log/snort/;
what you do with them from there is up to you!! =================> but there is no /var/log/snort.alert or /var/log/snort/