Snort IDS on Openbsd

Short guide how to install Snort on Openbsd current (should work on Openbsd 4.9)

Аll credits for this guide goes to Randal T. Rioux

However my setup is a little bit different in snort compilation and command line for starting.

Lets start ….

This tutorial assumes that you already have working Openbsd server. If you don’t follow guides in

First lets resolve dependencies. You can install them from ports or use packages. My example is with packages.

pkg_add -i bzip2

pkg_add -i pcre

pkg_add -i bison

pkg_add -i gmake

pkg_add -i libdnet

We need libpcap too. Lets fetch sources and compile.


mkdir -p /tmp/libpcap

cd /tmp/libpcap


tar -zxf  libpcap-1.1.1.tar.gz

cd libpcap-1.1.1

./configure –with-libpcap-includes=/usr/local/include \
–with-libpcap-libraries=/usr/local/lib \
–with-dnet-includes=/usr/local/include \
make && make install


Download snort- and daq-0.5.tar.gz from snort site

Copy sources in /tmp

First compile daq

cd /tmp

tar -zxf daq-0.5.tar.gz

cd daq-0.5

./configure –with-libpcap-includes=/usr/local/include \
–with-libpcap-libraries=/usr/local/lib \
–with-dnet-includes=/usr/local/include \
make && make install

Now snort

In configure options choose what you need for you setup, but it’s necessarily to include –disable-static-daq , or dynamic plugin libs will not be build properly (this is suggested by developers in README files)

cd /tmp

tar -zxf snort-

cd snort-

./configure –enable-reload –enable-ppm –enable-zlib \
–enable-dynamicplugin –enable-perfprofiling \
–disable-static-daq \
–enable-react –enable-flexresp3 –enable-ipv6  –enable-decoder-preprocessor-rules \
–with-libpcap-includes=/usr/local/include \
–with-libpcap-libraries=/usr/local/lib \
–with-dnet-includes=/usr/local/include \
–with-dnet-libraries=/usr/local/lib \
–with-daq-includes=/usr/local/include \
make && make install

Now we’ll symlink dynamic libs to make it work.

cd /usr/local/lib/snort_dynamicengine

ln -s

cd /usr/local/lib/snort_dynamicpreprocessor

ln -s

ln -s

ln -s

ln -s

ln -s

ln -s

ln -s


Next register in snort site and download rules file snortrules-snapshot-2905.tar.gz

Extract it in /etc/snort

cd /etc/snort/
tar zxvf snortrules-snapshot-2903.tar.gz

Edit /etc/snort/snort.conf
comment this line:

dynamicdetection directory /usr/local/lib/snort_dynamicrules
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

and following lines:

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6


Edit other vars like $HOME_NET or $EXTERNAL_NET

Make snort directory structure for log files and etc…

mkdir /var/snort

mkdir /var/snort/log

Now lets test  snort. Replace -i {if} with your listening  interface (example -i rl0). We’ll use –daq-dir /usr/local/lib/daq or else snort will exit with error.

/usr/local/bin/snort –daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf  -l /var/snort/log -i {if}

If everything goes fine start snort with -D option
pkill snort
/usr/local/bin/snort –daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf  -l /var/snort/log -i vr0 -D

Also you could add unprivileged user (_snort) and group (_snort) and chroot snort to /var/snort with following command:

/usr/local/bin/snort –daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log -i {if} -D


Comment are closed.