Snort 3.0 error: Could not find requested DAQ module: pcap



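I'm trying to install Snort 3.0 on Ubuntu 20.04 Desktop. I'm using this manual as the guide for the installation. Everything went smoothly and the install seemed fine. However, on page 6, "Test Snort with the default configuration file", it wants me to pass snort -c /usr/local/etc/snort/snort.lua, but I get the error Error: Could not find requested DAQ module: pcap. I spent hours yesterday searching on Google but couldn't find anything. Now, when it comes to Ubuntu, I'm a complete beginner. What repository do I need to install to make this work? Thanks!

Update: So I installed pcap from tcpdump, but that doesn't solve the problem. I still get the same error.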

http://www.tcpdump.org/release/libpcap-1.10.0.tar.gz

I passed:

wget http://www.tcpdump.org/release/libpcap-1.10.0.tar.gz
tar -xzvf libpcap-1.10.0.tar.gz

Install went fine.

Then I passed:

/usr/local/bin/snort -V
,,_     -*> Snort++ <*-
o"  )~   Version 3.1.0.0
''''    By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.0
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 1.1.1f  31 Mar 2020
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version 8.44 2020-02-12
Using ZLIB version 1.2.11
Using FlatBuffers 1.12.0
Using Hyperscan version 5.3.0 2021-02-01
Using LZMA version 5.2.4

Then I passed:

administrator@Ubuntu:~/snort_src$ snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
smtp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
alerts
rewrite
ips
stream_udp
binder
wizard
appid
search_engine
file_id
ftp_data
ftp_server
port_scan
dce_http_server
dce_smb
dce_tcp
telnet
ssl
sip
rpc_decode
netflow
http_inspect
network
http2_inspect
modbus
host_tracker
stream_user
stream_ip
trace
back_orifice
classifications
dnp3
active
ftp_client
decode
daq
stream
references
arp_spoof
output
process
dns
dce_udp
imap
stream_file
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
ERROR: Could not find requested DAQ module: pcap
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..

Please advise. Thank you.

Update: It looks like I already have the latest pcap version.

administrator@Ubuntu:~/snort_src$ sudo apt-get install -y libpcap-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libpcap-dev is already the newest version (1.9.1-3).
The following packages were automatically installed and are no longer required:
libfprint-2-tod1 libllvm10
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.

Running dir, it looks like I have everything installed?

administrator@Ubuntu:~/snort_src$ dir
boost_1_74_0            libpcap-1.10.0.tar.gz
boost_1_74_0.tar.gz     libsafec-02092020.0-g6d921f
flatbuffers-1.12.0      libsafec-02092020.tar.gz
flatbuffers-build       LuaJIT-2.1.0-beta3
flatbuffers-v1.12.0.tar.gz  LuaJIT-2.1.0-beta3.tar.gz
gperftools-2.8          pcre-8.44
gperftools-2.8.tar.gz       pcre-8.44.tar.gz
hyperscan-5.3.0         ragel-6.10
hyperscan-5.3.0-build       ragel-6.10.tar.gz
libdaq-3.0.0            snort3-3.1.0.0
libdaq-3.0.0.tar.gz     snort3-3.1.0.0.tar.gz
libpcap-1.10.0          v5.3.0.tar.gz

I'm out of ideas... Thank you.

I ran into the same problem. I suggest using --daq-dir.

For example, my DAQ is installed in /usr/local/lib/daq.

When running snort, use the command:

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -i ens33 -l /var/log/snort 

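After testing, I found that if I don't use --daq-dir, my snort reports "ERROR: Could not find requested DAQ module: pcap".

As mentioned in the Snort 3 user manual, page 15, section 3.2 Building, we need to manually install (and possibly compile) libdaq and set PKG_CONFIG_PATH to the installation directory. In my environment, I do this: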

export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig

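and then finish compiling snort. Everything is fine.

For me, the solution was to reinstall libdaq and snort, but executing every step with sudo. I found a post addressing the same problem, but for snort 2. It pointed out that at some point the daq_dump.so file (locate daq_dump.so) was missing, which was also the case in my installation. By executing every step of the installation with sudo, the file appeared in the daq directory (/usr/local/lib/daq).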
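
A small shell check for the two situations the answers above describe (the module file is missing from the DAQ directory, or Snort is not pointed at that directory), added here as an example and not taken from any post in this thread. It assumes the pcap module is installed as daq_pcap.so, by analogy with the daq_dump.so mentioned above; the function names are hypothetical and the demo at the end runs on a constructed temporary tree, not a real install.

```shell
#!/bin/sh
# Assumption: LibDAQ modules are files named daq_<name>.so in one directory.

# find_daq_dir MODULE DIR...
# Prints the first DIR holding a readable daq_MODULE.so; returns 1 if none does.
find_daq_dir() {
    module=$1
    shift
    for dir in "$@"; do
        if [ -r "$dir/daq_$module.so" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# daq_report MODULE DIR...
# One status line per candidate directory, so a directory that was never
# created (install step run without enough privileges) stands out.
daq_report() {
    module=$1
    shift
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing   $dir"
        elif [ -e "$dir/daq_$module.so" ]; then
            echo "found     $dir/daq_$module.so"
        else
            echo "no-module $dir"
        fi
    done
}

# snort_daq_args MODULE DIR...
# Prints "--daq-dir <dir>" for the first usable directory, else fails.
snort_daq_args() {
    if dir=$(find_daq_dir "$@"); then
        printf '%s %s\n' --daq-dir "$dir"
    else
        echo "daq_$1.so not found in the given directories" >&2
        return 1
    fi
}

# Demo on a constructed directory tree (sample data, not a real install).
demo=$(mktemp -d)
mkdir -p "$demo/lib/daq"
: > "$demo/lib/daq/daq_pcap.so"
daq_report pcap "$demo/empty" "$demo/lib/daq"
snort_daq_args pcap "$demo/empty" "$demo/lib/daq"
rm -rf "$demo"
```

On a real system, pass the actual candidate directories (for example /usr/local/lib/daq from the answer above) and append the printed arguments to the snort command line.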

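I gave up and installed Snort 3 via Docker. Solved.

I also gave up on a large number of DAQ errors when trying to run make in the snort build directory. (Ubuntu 20.04.1)

The Docker version is much easier to use.

Snort resources: includes video resources for installing Snort 2 and Snort 3

Docker image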
