Posted by: jasonk2600 | November 22, 2009

Snort IDS Sensor on FreeBSD


This document assumes that a MySQL server has already been configured for Snort sensors to connect to.  For more information on setting up a MySQL server for Snort, see “MySQL Backend for Snort”.  To begin, install oinkmaster and snort from the FreeBSD ports collection.  NOTE:  The default configuration for oinkmaster is sufficient, when configuring the snort port, be sure to select the MYSQL and FLEXRESP configuration options.  Should snort fail to compile on the first try, simply run make install clean a second time.

# cd /usr/ports/security/snort
# make config
# make install clean
   ....[ Lots of output ]....
# cd /usr/ports/security/oinkmaster
# make config
# make install clean
# rehash



Oinkmaster is a simple utility used to download and update the Snort IDS ruleset from  In order to get oinkmaster to communicate with the snort website, you will need to visit the site and obtain an oinkcode from the following link:  Get Oinkcode.  Once you have obtained your oinkcode continue by modifying /usr/local/etc/oinkmaster.conf to reflect the following settings:

url =

Next, run oinkmaster to download the latest snort ruleset.

# oinkmaster -o /usr/local/etc/snort/rules/
  ....[ Lots of output ]....

Next, modify /usr/local/etc/snort/snort.conf to reflect the following settings. NOTE: Replace with your IP network, user=snort with the snort database username, password=snort with the snort database user’s password, dbname=snort with the name of the snort database, and host= with the IP address or hostname of your database server.

var HOME_NET []
config detection: search-method lowmem
output database: log, mysql, user=snort 
  password=snort dbname=snort host=

Finally, you can skip down to the very bottom of snort.conf and comment out any ruleset that you don’t wish to use, or just leave it as-is.



Enable snort to start at system boot and run it for the first time.  Verify that everything is working by verifying that snort is running after you have started it.

# echo "snort_enable=YES" >> /etc/rc.conf
# /usr/local/etc/rc.d/snort start
Starting snort.
# /usr/local/etc/rc.d/snort status
snort is running as pid 87314

If snort has failed to start, check the log for details:

# tail /var/log/messages



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: