2015/02/15, CentOS 6.5 64-bit minimal install, 205 packages installed initially
[root@localhost snort]# yum install wget
[root@localhost snort]# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
[root@localhost snort]# wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
[root@localhost snort]# wget https://www.snort.org/downloads/community/community-rules.tar.gz
[root@localhost snort]# tar zxvf daq-2.0.4.tar.gz
[root@localhost snort]# tar zxvf snort-2.9.7.0.tar.gz
#### The following packages are the build dependencies of the daq, libdnet and snort sources; install them all at once. Build libdnet and daq with the default install path; it is best not to pass --prefix, because I have not yet found a fix for the error that causes.
[root@localhost daq-2.0.4]# yum install gcc bison flex libpcap-devel gcc-c++ pcre-devel zlib-devel
#### Make it a habit: before compiling, read the README, ChangeLog and similar files first
[root@localhost snort]# cd daq-2.0.4
[root@localhost daq-2.0.4]# less README
[root@localhost daq-2.0.4]# less ChangeLog
[root@localhost daq-2.0.4]# less COPYING
#### Some key points noted below
Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The
DAQ replaces direct calls to libpcap functions with an abstraction layer that
facilitates operation on a variety of hardware and software interfaces without
requiring changes to Snort. It is possible to select the DAQ type and mode
when invoking Snort to perform pcap readback or inline operation, etc. The
DAQ library may be useful for other packet processing applications and the
modular nature allows you to build new modules for other platforms.
In short: Snort 2.9 introduces the DAQ (Data Acquisition library) for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer, so Snort can operate on a variety of hardware and software interfaces without changes to Snort itself. The DAQ type and mode are selected when Snort is invoked, for pcap readback, inline operation and so on. The DAQ library may also be useful for other packet-processing programs, and its modular design lets you build new modules for other platforms.
Vocabulary: facilitates = helps, makes something easier
abstraction layer
DAQ = Data Acquisition library (packet capture / acquisition library)
Building the DAQ Library and DAQ Modules
PCAP Module pcap is the default DAQ
AFPACKET Module
NFQ Module
IPQ Module
IPFW Module
Dump Module
Netmap Module
http://blog.****.net/htttw/article/details/7521053
The Berkeley Packet Filter (BPF) is a raw interface to the data link layer on Unix-like systems. It sends and receives raw link-layer packets and, if the network card driver supports promiscuous mode, it can put the card into that mode so that every packet on the network is received, whether or not it is addressed to the local host.
Almost all operating systems (BSD, AIX, Mac OS, Linux, etc.) provide a way to filter packets in the kernel, mostly based on the BSD Packet Filter (BPF) architecture. libpcap uses BPF to filter packets.
On UNIX or Linux systems, packet capture is generally implemented with libpcap, an API library written at the Lawrence Berkeley National Laboratory in the USA specifically for packet capture. libpcap is essentially a system-independent API for capturing packets at user level, and its interface supports the BSD-based packet filtering mechanism BPF (Berkeley Packet Filter).
Now on to the actual build
[root@localhost daq-2.0.4]# ll|wc -l
21
[root@localhost daq-2.0.4]# ./configure --prefix=/root/snort/inst/
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... no
checking for cc... no
checking for cl.exe... no
configure: error: in `/root/snort/daq-2.0.4':
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details
#### This step generated the file config.log, which helps with troubleshooting
[root@localhost daq-2.0.4]# ll|wc -l
22
#### Reading the error log is important
[root@localhost daq-2.0.4]# less config.log
#### You can read the error log, or just the console output
#### It shows that gcc is missing; install gcc and run configure again
[root@localhost daq-2.0.4]# yum install gcc
[root@localhost daq-2.0.4]# ./configure --prefix=/root/snort/inst/
checking for getaddrinfo... yes
checking for flex... no
checking for bison... no
checking for capable lex... insufficient
configure: error: Your operating system's lex is insufficient to compile
libsfbpf. You should install both bison and flex.
flex is a lex replacement that has many advantages,
including being able to compile libsfbpf. For more
information, see http://www.gnu.org/software/flex/flex.html .
Lex is short for LEXical compiler and is a very well-known tool in Unix environments. Lex (originally written by Eric Schmidt and Mike Lesk) is the standard lexical analyzer generator on many UNIX systems, and its behaviour is specified as part of the POSIX standard. Lex's main job is to generate the C source of a lexical analyzer (scanner); the rules are described with regular expressions. The *.l file describing the scanner is compiled by lex into a file named lex.yy.c, which a C compiler then turns into the scanner. A lexical analyzer, in short, converts the input symbols into the corresponding tokens, which are easy for later stages such as YACC or Bison to process.
Flex (fast lexical analyser generator) is another replacement for Lex. It is often used together with the Bison parser generator. Flex was originally written in C by Vern Paxson in 1987. The Flex manual describes it as follows:
Flex is a tool for generating lexical analyzers: from regular expressions it generates C code that matches the corresponding strings, with a syntax essentially the same as Lex's.
The description of a token is called a lexical pattern; patterns are generally described precisely with regular expressions. FLEX reads a text file in a prescribed format and outputs a C source program.
FLEX's input file is called the LEX source file; it contains regular expressions and the C code that handles the corresponding patterns. LEX source files conventionally use the extension .l. By scanning the source file, FLEX automatically generates the lexical analysis function int yylex() and writes it to a file whose name is fixed as lex.yy.c. In practice it can be renamed lexyy.c. That file is LEX's output, the generated lexical analyzer. int yylex() can also be added to your own project files and used there.
Bison translation http://blog.****.net/sirouni2003/article/details/400672
GNU bison is a parser generator belonging to the GNU project. Bison converts a description of an LALR ("look-ahead, left-to-right, rightmost derivation") context-free grammar into a C or C++ program that can parse that grammar. It can also generate GLR ("generalized left-to-right, rightmost") parsers for ambiguous grammars.
Bison is basically compatible with Yacc and improves on it. It is often used together with Flex (an automatic lexical analyzer generator).
#### Another missing dependency; the error message itself gives the fix. Install it.
[root@localhost daq-2.0.4]# yum install bison flex
[root@localhost daq-2.0.4]# ./configure --prefix=/root/snort/inst/
checking for pcap.h... (cached) no
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) no
ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org
#### Install the next missing dependency
[root@localhost daq-2.0.4]# yum install libpcap-devel
[root@localhost daq-2.0.4]# ./configure --prefix=/root/snort/inst/
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no
[root@localhost daq-2.0.4]# make
[root@localhost daq-2.0.4]# make install
Libraries have been installed in:
/root/snort/inst/lib/daq
#### daq build and install complete.
[root@localhost snort-2.9.7.0]# yum install pcre-devel gcc-c++ zlib-devel
libdnet has to be built and installed separately; it needs gcc-c++, which is why that was installed together with the others above.
[root@localhost snort-2.9.7.0]# ./configure --prefix=/root/snort/st/ --enable-sourcefire
checking for pcap_lex_destroy... yes
checking for pcap_lib_version... yes
./configure: line 14938: pcre-config: command not found
./configure: line 14944: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no
ERROR! Libpcre header not found.
Get it from http://www.pcre.org
[root@localhost snort-2.9.7.0]# yum install pcre-devel
[root@localhost snort-2.9.7.0]# ./configure --prefix=/root/snort/st/ --enable-sourcefire
checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no
ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*
options, if you have it installed in an unusual place
#### The error above shows that libdnet is missing; the libdnet installation follows
[root@localhost snort-2.9.7.0]# cd ../
[root@localhost snort]# wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download
[root@localhost snort]# mv libdnet-1.11.tar.gz\?download libdnet-1.11.tar.gz
[root@localhost snort]# cd libdnet-1.11
[root@localhost libdnet-1.11]# ./configure --prefix=/root/snort/dnet/
checking whether we are using the GNU C++ compiler... no
checking whether g++ accepts -g... no
checking dependency style of g++... none
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details.
#### The error above shows that the C++ compiler is missing; install it
[root@localhost libdnet-1.11]# yum install gcc-c++
[root@localhost libdnet-1.11]# ./configure --prefix=/root/snort/dnet/
[root@localhost libdnet-1.11]# make;make install
#### Pass the dnet header and library locations at configure time; this still does not work
[root@localhost snort-2.9.7.0]# ./configure --prefix=/root/snort/st/ --enable-sourcefire --with-dnet-includes=/root/snort/dnet/include/dnet --with-dnet-libraries=/root/snort/dnet/lib
checking dnet.h usability... no
checking dnet.h presence... no
checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no
ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*
options, if you have it installed in an unusual place
#### This time rebuild libdnet so that it installs to the default location, i.e. /usr/local/include and /usr/local/lib, so the snort build can find it; but a new error appears.
[root@localhost libdnet-1.11]# ./configure;make;make install
[root@localhost libdnet-1.11]# cd ../snort-2.9.7.0
[root@localhost snort-2.9.7.0]# ./configure --prefix=/root/snort/st/ --enable-sourcefire
checking dnet.h usability... yes
checking dnet.h presence... yes
checking for dnet.h... yes
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no
checking for eth_set in -ldnet... yes
checking for eth_set in -ldumbnet... no
checking for dlsym in -ldl... yes
./configure: line 15585: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no
ERROR! daq_static library not found, go get it from
http://www.snort.org/.
#### This time rebuild daq so that it installs to the default location, i.e. /usr/local/include and /usr/local/lib, so that snort
#### libdnet could be rebuilt without a make clean, but daq needs a make clean before it can be rebuilt, otherwise make install fails as shown below.
[root@localhost daq-2.0.4]# ./configure
libtool: install: warning: remember to run `libtool --finish /root/snort/inst/lib'
/bin/mkdir -p '/usr/local/lib/daq'
/bin/sh ../libtool --mode=install /usr/bin/install -c daq_afpacket.la daq_pcap.la daq_dump.la daq_ipfw.la '/usr/local/lib/daq'
libtool: install: error: cannot install `daq_afpacket.la' to a directory not ending in /root/snort/inst/lib/daq
make[2]: *** [install-pkglibLTLIBRARIES] Error 1
make[2]: Leaving directory `/root/snort/daq-2.0.4/os-daq-modules'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/root/snort/daq-2.0.4/os-daq-modules'
make: *** [install-recursive] Error 1
[root@localhost daq-2.0.4]# make clean
[root@localhost daq-2.0.4]# ./configure;make;make install
#### Rebuild snort again; a new error
[root@localhost daq-2.0.4]# cd ../snort-2.9.7.0
[root@localhost snort-2.9.7.0]# ./configure --prefix=/root/snort/st/ --enable-sourcefire
checking for visibility support... yes
checking zlib.h usability... no
checking zlib.h presence... no
checking for zlib.h... no
ERROR! zlib header not found, go get it from
http://www.zlib.net
[root@localhost snort-2.9.7.0]# yum install zlib-devel
[root@localhost snort-2.9.7.0]# ./configure --prefix=/root/snort/st/ --enable-sourcefire
####This time it succeeded, no errors
[root@localhost ~]# snort/snort-2.9.7.0/configure --help|grep encom
--enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling and --enable-ppm
Enables the Sourcefire build options, which encompass two others: --enable-perfprofiling and --enable-ppm
[root@localhost snort-2.9.7.0]# make;make install
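Every round above followed the same loop: run ./configure, read the error, install the package it names, run ./configure again. The helper below is an added example written for these notes, not part of the Snort, DAQ or libdnet projects. It encodes exactly the error-to-fix mapping the notes established on CentOS 6.5 (no C compiler -> gcc, insufficient lex -> bison flex, libpcap -> libpcap-devel, pcre -> pcre-devel, zlib -> zlib-devel, broken C++ preprocessor -> gcc-c++, dnet/daq_static -> rebuild those libraries with the default prefix), plus a pre-flight check for the build tools that were needed. The function names and the sample configure output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original build notes: map the configure
# failures recorded above to the fix the notes applied, so the missing
# piece is known before the next ./configure round. The mapping is the one
# the notes established on CentOS 6.5; the sample log text is constructed.

# Read configure output (or config.log) on stdin and print the remedy the
# notes used for the first recognised error line, or "unknown" if none match.
diagnose_configure_log() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"no acceptable C compiler found"*)        echo "gcc"; return 0 ;;
            *"lex is insufficient"*)                   echo "bison flex"; return 0 ;;
            *"Libpcap library version"*"not found"*)   echo "libpcap-devel"; return 0 ;;
            *"Libpcre header not found"*)              echo "pcre-devel"; return 0 ;;
            *"zlib header not found"*)                 echo "zlib-devel"; return 0 ;;
            *"C++ preprocessor"*"fails sanity check"*) echo "gcc-c++"; return 0 ;;
            *"dnet header not found"*)
                echo "libdnet: rebuild with the default prefix (/usr/local)"; return 0 ;;
            *"daq_static library not found"*)
                echo "daq: make clean, then rebuild with the default prefix (/usr/local)"; return 0 ;;
        esac
    done
    echo "unknown"
    return 0
}

# Print, one per line, the names given as arguments that are not found in
# $PATH. A pre-flight check for the tool chain the notes needed.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
    return 0
}

# Constructed sample: the first failure recorded in the notes.
SAMPLE_CONFIGURE_OUTPUT='checking for gcc... no
checking for cc... no
checking for cl.exe... no
configure: error: no acceptable C compiler found in $PATH'

# Usage: diagnose the sample, then list which build tools are absent here.
# On the notes' fresh minimal install this would list gcc, flex, bison and
# pcre-config before any yum install had been run.
printf '%s\n' "$SAMPLE_CONFIGURE_OUTPUT" | diagnose_configure_log
missing_tools gcc flex bison pcre-config
```

To use it on a real run, pipe the configure output through it (`./configure 2>&1 | tee configure.out; diagnose_configure_log < configure.out`) or feed it config.log, which the notes point out is the authoritative record of what configure tried.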