Snort 3 is an open-source deep packet inspection application. Snort 3 integrates Hyperscan, a high-performance regular expression matching library, as one of its pattern search engines.

You can install Snort 3 on an Arm-based server running Ubuntu Linux and run it with Vectorscan, the architecture-inclusive fork of Hyperscan that adds Arm support.

Before you begin

You should already have an Arm server running Ubuntu Linux from the previous topic.

Install the Snort 3 dependencies:

    sudo apt update
    sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev \
        zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev \
        libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev \
        libmnl-dev ethtool libjemalloc-dev ragel

Download and install other required software

Create a directory where you can download and build the other required software dependencies:

    mkdir ~/snort_src
    cd ~/snort_src

Install the Safe C library (safeclib):

    wget https://github.com/rurban/safeclib/releases/download/v02092020/libsafec-02092020.tar.gz
    tar -xzvf libsafec-02092020.tar.gz
    cd libsafec-02092020.0-g6d921f
    ./configure
    make -j$(nproc)
    sudo make install

Install the gperftools performance analysis tools (they provide tcmalloc, which Snort 3 is built against below):

    cd ~/snort_src
    wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
    tar xzvf gperftools-2.9.1.tar.gz
    cd gperftools-2.9.1
    ./configure
    make -j$(nproc)
    sudo make install

Install PCRE (Perl Compatible Regular Expressions):

    cd ~/snort_src/
    wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
    tar -xzvf pcre-8.45.tar.gz
    cd pcre-8.45
    ./configure
    make -j$(nproc)
    sudo make install

Download (but do not build) the Boost C++ Libraries; the Vectorscan build only needs the Boost headers:

    cd ~/snort_src
    wget https://boostorg.jfrog.io/artifactory/main/release/1.77.0/source/boost_1_77_0.tar.gz
    tar -xvzf boost_1_77_0.tar.gz

Download Vectorscan and create a separate build directory for it:

    cd ~/snort_src
    git clone https://github.com/VectorCamp/vectorscan
    mkdir hyperscan-build
    cd hyperscan-build

Configure and build Vectorscan, pointing CMake at the Boost source tree downloaded above:

    cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=$HOME/snort_src/boost_1_77_0/ $HOME/snort_src/vectorscan/
    make -j$(nproc) && sudo make install

Install FlatBuffers:

    cd ~/snort_src
    wget https://github.com/google/flatbuffers/archive/refs/tags/v2.0.0.tar.gz -O flatbuffers-v2.0.0.tar.gz
    tar -xzvf flatbuffers-v2.0.0.tar.gz
    mkdir flatbuffers-build
    cd flatbuffers-build
    cmake ../flatbuffers-2.0.0
    make -j$(nproc)
    sudo make install

Install the Data Acquisition library (DAQ), which Snort 3 uses to read packets from interfaces and capture files:

    cd ~/snort_src
    wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.5.tar.gz -O libdaq-3.0.5.tar.gz
    tar -xzvf libdaq-3.0.5.tar.gz
    cd libdaq-3.0.5
    ./bootstrap
    ./configure
    make -j$(nproc)
    sudo make install

Refresh the shared library cache so the newly installed libraries in /usr/local are found at link and run time:

    sudo ldconfig

Download, Compile and Install Snort 3

You can now download, compile and install Snort 3:

    cd ~/snort_src
    wget https://github.com/snort3/snort3/archive/refs/tags/3.1.18.0.tar.gz -O snort3-3.1.18.0.tar.gz
    tar -xzvf snort3-3.1.18.0.tar.gz
    cd snort3-3.1.18.0
    ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc --enable-jemalloc
    cd build
    make -j$(nproc)
    sudo make install

Confirm Snort 3 is installed and running properly

Snort 3 should be installed in /usr/local/bin.

Verify it is installed and running correctly by printing the version:

    /usr/local/bin/snort -V

You should see output similar to the following. Check that the Hyperscan line is present: it confirms that Snort 3 was linked against the Vectorscan build, which reports itself as Hyperscan.

       ,,_     -*> Snort++ <*-
      o"  )~   Version 3.1.18.0
       ''''    By Martin Roesch & The Snort Team
               http://snort.org/contact#team
               Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using DAQ version 3.0.5
               Using LuaJIT version 2.1.0-beta3
               Using OpenSSL 3.0.2 15 Mar 2022
               Using libpcap version 1.10.1 (with TPACKET_V3)
               Using PCRE version 8.45 2021-06-15
               Using ZLIB version 1.2.11
               Using FlatBuffers 2.0.0
               Using Hyperscan version 5.3.0 2022-07-26
               Using LZMA version 5.2.5

Test Snort 3 with Vectorscan

You can test the performance of Snort 3 with Vectorscan on your Arm instance.

Download a capture file to use for testing:

    mkdir ~/snort3_test
    cd ~/snort3_test
    wget https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00001.pcap.gz
    gunzip maccdc2012_00001.pcap.gz

Run the following command to process the capture file with Snort 3. The --lua option overrides search_engine.search_method in snort.lua so that the Hyperscan (Vectorscan) engine is used for pattern matching:

    snort -c /usr/local/etc/snort/snort.lua --lua 'search_engine.search_method="hyperscan"' -r maccdc2012_00001.pcap

You should see detailed output with packet and file statistics, followed by a summary similar to the following:

    --------------------------------------------------
    Summary Statistics
    --------------------------------------------------
    timing
                      runtime: 00:00:16
                      seconds: 16.299069
                     pkts/sec: 262375
                    Mbits/sec: 479
    o")~   Snort exiting
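To turn the two checks above (the Hyperscan line in the version banner, and the pkts/sec figure in the summary) into something repeatable, the following script is an added example that is not part of this learning path or of the Snort project. It parses both outputs and, when a Snort install is present, runs the same capture with Snort 3's default search engine (ac_bnfa) and with hyperscan so the two throughput figures can be compared. The snort and snort.lua paths, and the pcap name, are assumptions that match the steps above.

```shell
#!/bin/sh
# Added example, not part of the Arm learning path or the Snort project:
# check that the installed snort binary reports Hyperscan support, then
# compare throughput on one capture with the default search engine (ac_bnfa)
# and with Vectorscan (search_method "hyperscan"). The paths below are
# assumptions matching the install steps above.
SNORT=${SNORT:-/usr/local/bin/snort}
SNORT_LUA=${SNORT_LUA:-/usr/local/etc/snort/snort.lua}
PCAP=${1:-maccdc2012_00001.pcap}

# Print the Hyperscan version from a "snort -V" banner read on stdin;
# exit non-zero when the banner has no "Using Hyperscan" line.
hyperscan_version() {
    awk '/Using Hyperscan version/ { print $4; found = 1 } END { exit !found }'
}

# Print the pkts/sec figure from a Snort "Summary Statistics" block on stdin.
pkts_per_sec() {
    awk '/^ *pkts\/sec:/ { print $2; found = 1 } END { exit !found }'
}

# Run snort on a pcap with the given search_method and print its pkts/sec.
bench_search_method() {
    "$SNORT" -c "$SNORT_LUA" --lua "search_engine.search_method=\"$1\"" \
        -r "$2" 2>&1 | pkts_per_sec
}

# Constructed sample output (trimmed from the shapes shown above) so the
# parsers can be exercised without a Snort install.
SAMPLE_BANNER='           Using DAQ version 3.0.5
           Using Hyperscan version 5.3.0 2022-07-26'
SAMPLE_SUMMARY='timing
                  runtime: 00:00:16
                 pkts/sec: 262375
                Mbits/sec: 479'

if [ -x "$SNORT" ] && [ -f "$PCAP" ]; then
    hs=$("$SNORT" -V 2>&1 | hyperscan_version) ||
        { echo "snort was not built against Hyperscan/Vectorscan" >&2; exit 1; }
    echo "Hyperscan version: $hs"
    for method in ac_bnfa hyperscan; do
        echo "$method: $(bench_search_method "$method" "$PCAP") pkts/sec"
    done
else
    echo "snort or $PCAP not found; parser self-check only" >&2
    printf '%s\n' "$SAMPLE_BANNER" | hyperscan_version
    printf '%s\n' "$SAMPLE_SUMMARY" | pkts_per_sec
fi
```

Run it from ~/snort3_test after the install; a missing Hyperscan line in the banner makes it exit non-zero before any benchmark run.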