Dear IPFire Community, I know that IPFire uses pakfire to install software. And in 2.25-core141, IPFire used suricata rather than snort as an IDS/IPS. I want to use snort and suricata as the IPS in IPFire. However, I cannot install snort using pakfire. If I want to install snort from source code (https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz), the libraries and dependencies should be installed before compiling snort from source code. But I cannot install the dependencies (including build-essential libpcap-dev libpcre3-dev libdumbnet-dev flex zlib1g-dev liblzma-dev openssl libssl-dev) from pakfire.
Above all, is there any solution to install snort in IPFire 2.25-core141?
Hi, how about installing a current version of IPFire? Yours is from 2020. Currently, you can enter the Snort rules, with a code for registered or subscribed users, or the community rules without a code, into the integrated IPS of IPFire.
I didn’t know that snort is a program. I’ve been registered with snort for almost 10 years now and have been a paying customer for even longer, and I’ve always used the rule set with IPFire.
Yes, the current IPFire uses suricata, but the rule sets from even more providers can be integrated there.
Here is a screenshot
Snort is a program, and taking Snort 2.9 as an example, it consists of two parts: one is the Snort software itself, and the other is Snort rules as below:
Maybe you can connect to the IPFire using ssh and check which IPS are running in your IPFire. You can use ps -ef | grep suricata to check whether there is a process running suricata, and ps -ef | grep snort to check whether there is a process running snort.
The current version of IPFire is Core Update 189 and the Snort/VRT GPLv2 Community Rules are one of the rulesets that you can select with Suricata.
This screenshot shows all the currently available ruleset providers and you can see the Snort ruleset provider that can be selected.
You would also need to follow that same process for all dependencies that are required for build or runtime.
Following that procedure would give you a snort .ipfire package and also .ipfire packages for all the dependencies.
As those would have been built using a cloned version of the current master IPFire git repo, it is likely that the snort version built will not function in Core Update 141, as it will have been built linked to OpenSSL-3.3.2 and Core Update 141 has OpenSSL-1.1.1d, which is End Of Life (EOL) and could have security vulnerabilities as found for later versions but no longer fixed on EOL versions.
If you really want to install the snort version that you would have built, it would need to be installed into an IPFire system, with Core Update 189.
We switched 5 years ago (IPFire 2.21 is the last with snort) from snort to suricata (which is an expanded fork of snort). It has the same ruleset syntax and more features like IPS. Snort was only an IDS at this time. Currently there is no easy way to use snort because the config files have slightly changed over the years and we use many of the features that are only present in suricata.
If you want to use registered or paid rules choose Talos VRT as rule provider.
I used the same snort lfs (with version 2.9.12) from core129 to core141 and then built all software from scratch. However, I cannot make snort 2.9.12 successfully. Is there any way to compile snort in core141?