ubuntu 14.04安装libpcap

1， 环境： Ubuntu14.04 + libpcap-1.6.1.tar.gz

2，Libpcap下载： 官方地址-http://www.tcpdump.org/#latest-release 即可下载最新版本的libpcap。

3，解压libpcap-1.6.1.tar.gz： tar -zxvf libpcap-1.4.0.tar.gz

4，配置生成makefile文件：cd到libpcap解压目录libpcap-1.4.0， 执行 ./configure。执行到这一步可能会遇到缺少flex包的问题：

configure: error: Your operating system's lex is insufficient to compile
 libpcap.  flex is a lex replacement that has many advantages, including
 being able to compile libpcap.  For more information, see
 http://www.gnu.org/software/flex/flex.html .

解决办法：安装flex包---- sudo apt-get install flex

5，make

注意在make过程中可能会出错，按下面办法解决

ERROR!  dnet header not found, go get it from

ERROR!  daq_static library not found, go get it from

解决办法：安装byacc包--- sudo apt-get install -y byacc

apt-get install  libpcre3-dev 

apt-get install libdumbnet-dev

如果还是不能解决问题，请参考下面文档

How to Install & Configure Snort NIDS in Linux

POSTED ON NOVEMBER 4, 2014 BY OMERSEZER

Snort is  network intrusion detection system (NIDS) which  is a type of open-source software to detect attacks, anomaly traffic  in the network. It is written in C language and works on multiplatform. It is themost widely deployed intrusion prevention system in the world (With over 4 million downloads and nearly 500,000 registered users)

There are not enough resource how to configure Snort in linux. So I wrote this post.

Before snort installation, some package should be installed. So we wrote this command in terminal screen.

sudo apt-get install flex bison build-essential checkinstall libpcap-dev libnet1-dev libpcre3-dev libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

After that, libnet-1.12 is downloaded and unpacked.

wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz

tar xvfz libdnet-1.12.tgz

Then, you should go to this library packet folder.(When downloading file from net, your file is downloaded in /home/downloads folder). In the file directory,

./configure “CFLAGS=-fpic”  

this configuration for 64 bit machine.

make

for compilation

sudo checkinstall

Then,

sudo dpkg -i libdnet_1.12-1_i386.deb

sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

(above) command is to create symbolic link.

After all, you should go to snort site (http://snort.org). Download snort and daq (snort-2.9.6.1.tar.gz anddaq-2.0.2.tar.gz ). In this example, firstly, I download snort-2.9.7.0.tar.gz and daq-2.0.4.tar.gz. However, I encountered a problem, so I used older versions of softwares.

Problem message:

checking for daq_load_modules in -ldaq_static… no

ERROR!  daq_static library not found, go get it from

http://www.snort.org/.

Then, (used older version)

tar xvfvz daq-2.0.2.tar.gz

./configure

make

sudo checkinstall

After that, snort file is configured

tar xvfvz snort-2.9.6.1.tar.gz

./configure

make

sudo checkinstall

sudo dpkg -i snort_2.9.6.1-1_i386.deb

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

After installation,

sudo ldconfig -v // to view version

After all, you should go to snort site to download snort rules (snortrules-snapshot-2970.tar.gz). Then it is unpacked. Create snort folder under etc folder. You can configure your snort.conf file. (/etc/snort)

ipvar HOME_NET 192.168.1.110/24  // or default mode (eg: any) can be used

ipvar EXTERNAL_NET !$HOME_NET // or default mode (eg: any) can be used 

Also, you should write rule in folder (/etc/snort/rules) or append new rules to the other rules.

alert icmp any any -> any any (msg:”Alert Getting ICMP Flood Message”;sid:1000004;)

alert tcp any any -> any any (msg:”Alert Getting TCP Flood Message”;sid:1000005;)

alert udp any any -> any any (msg:”Alert Getting UDP Flood Message”;sid:1000006;)

alert tcp $EXTERNAL_NET any -> any any (msg:”Alert HTTP GET DDos”;pcre:”/GET.*\htm/i”;classtype:web-application-activity;sid:1000007;)

After all, you can run snort using this command:

snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf -A console

This command says: your network input port is eth0, snort is working  IDS mode (-i), your log file is/var/log/snort (-l), your configuration /etc/snort/snort.conf (-c) and you can see all process on the terminal screen (-A console).

I also encountered another problem when I entered this command;

snort -i 5 -l /var/log/snort -c /etc/snort/snort.conf -A console

Also, my network input is configured as eth2.

Problem Message:

ERROR: Can’t start DAQ (-1) – SIOCGIFHWADDR: No such device!

I solved it when I changed eth2 to eth0 and enter eth0 instead of 5

After that, you can test it by sending hping3 / ping to other machine (snort host).

(Pictures below; TCP, ICMP and UDP packets are catched)

    

6，安装： sudo make install

7，完成安装： 可用 man pcap查看帮助