Sticky Finger’s Kali-Pi – Configuration of Snort

The Sticky Fingers Kali-Pi installation walk through did not include any detailed information about the configuration of Snort, Barnyard2 and PulledPork on the Raspberry Pi 2 running Kali.

Here are my configuration notes.


sudo bash
apt-get -y install apache2 apache2-doc autoconf automake bison ca-certificates ethtool flex g++ gcc libapache2-mod-php5 libcrypt-ssleay-perl libmysqlclient-dev libnet1 libnet1-dev libpcre3 libpcre3-dev libpcap-dev libphp-adodb libssl-dev libtool libwww-perl make mysql-client mysql-common mysql-server php5-cli php5-gd php5-mysql php-pear sysstat
cd /usr/local/src
tar xvfvz libdnet-1.12.tgz
cd libdnet-1.12
./configure "CFLAGS=-fPIC"
make && make install && make check
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

cd /usr/local/src
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
make && make install

cd /usr/local/src && wget --no-check-certificate -O snort.conf
tar xvfz snort-
cd snort-
./configure --enable-sourcefire; make; sudo make install

mkdir /usr/local/etc/snort /usr/local/etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
touch /usr/local/etc/snort/rules/white_list.rules /usr/local/etc/snort/rules/black_list.rules /usr/local/etc/snort/

groupadd snort && useradd -g snort snort

cp /usr/local/src/snort-*.conf* /usr/local/etc/snort
cp /usr/local/src/snort-*.map /usr/local/etc/snort
cp /usr/local/src/snort.conf /usr/local/etc/snort
mkdir /var/log/snort
chown snort:snort /var/log/snort
nano /usr/local/etc/snort/snort.conf


var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules


var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules

delete or comment out all of the “include $RULE_PATH” lines except “local.rules”

vi /usr/local/etc/snort/rules/local.rules

Enter a simple rule like this for testing:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)

Now we can start and test snort.

/usr/local/bin/snort -A console -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i eth0

Ping the management IP address from another machine, alerts should be printed to the console like this:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} ->
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} ->

Install & configure Barnyard2:

cd /usr/local/src && wget
tar -zxf master.tar.gz && cd barnyard2-*
autoreconf -fvi -I ./m4 && ./configure --with-mysql --with-mysql-libraries=/usr/lib/arm-linux-gnueabihf/ && make && make install
mv /usr/local/etc/barnyard2.conf /usr/local/etc/snort
cp schemas/create_mysql /usr/local/src
nano /usr/local/etc/snort/barnyard2.conf

Line #27 change to /usr/local/etc/snort/reference.config
Line #28 change to /usr/local/etc/snort/classification.config
Line #29 change to /usr/local/etc/snort/
Line #30 change to /usr/local/etc/snort/
Line #227 change to output alert_fast
At the end of the file add this line:

output database: log, mysql, user=snort password=<mypassword> dbname=snort host=localhost

Setup the MySQL server

service mysqld start
mysql -u root -p

Type in the root password

In the mysql console (pick a password as ‘mypassword’ that is different from root password):

create database snort;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('mypassword');
use snort;
source /usr/local/src/create_mysql

List the newly created tables:

show tables;

Exit the mysql console



/usr/local/bin/snort -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /usr/local/etc/snort/bylog.waldo -C /usr/local/etc/snort/classification.config &


cd /usr/local/src
git clone
cd pulledpork
cp /usr/local/bin && cp etc/*.conf /usr/local/etc/snort

To use the Sourcefire VRT Certified Rules, go to, register for an account and get an “oinkcode”, this will allow you to download their Registered User rule set.

edit “/usr/local/etc/snort/pulledpork.conf”:
Line 19: enter your “oinkcode” where appropriate or comment out the line
Line 26: enter your “oinkcode” where appropriate or comment out the line
Line 133: change to: distro=Debian-6-0

chmod +x /usr/local/bin/

mkdir /usr/local/etc/snort/rules/iplists

To run:
/usr/local/bin/ -c /usr/local/etc/snort/pulledpork.conf -T -l


cd /usr/local/src && sudo wget
sudo tar -zxf base-1.4.5.tar.gz && sudo cp -r base-1.4.5 /var/www/base
sudo chown www-data:www-data /var/www/base
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/

Add virtual directory “base” aka “/var/www/base/” to “/etc/apache2/sites-enabled/default-ssl.conf”

Alias /base "/var/www/base/"
<Directory "/var/www/base/">
  DirectoryIndex index.php

Change line #449 in “/etc/php5/apache2/php.ini” to read:

error_reporting = E_ALL & ~E_NOTICE

Enable SSL

sudo a2enmod ssl
sudo pear config-set preferred_state alpha && pear channel-update
sudo pear install --alldeps --force Image_Color2 Image_Canvas Image_Graph
sudo service apache2 restart
sudo perl -MCPAN -e 'install  Geography::Countries'
perl -MCPAN -e 'install  IP::Country'
cd /usr/share/php/Image/Graph/Images/Maps
cp /var/www/base/world_map6.* .

Start mysql server and apache2 server

Open “https://[ip-address]/base” in your favorite browser and follow steps to configure:
Click Continue, choose English
Path to adodb: /usr/share/php/adodb
Click Continue
Database Name: snort
Database Host: localhost
Database Port: [leave blank]
Database User Name: snort
Database Password:

Create admin user

Click “create baseag” which extends the DB to support BASE.

nano /var/www/base/base_conf.php
Enforce authentication
$Use_Auth_System = 1;

Towards the end, find the line:
//$IP2CC = “/usr/bin/ip2cc”;
Add instead:
$IP2CC = “/usr/local/bin/ip2cc”;

Fix the fonts:

ln -s /usr/share/fonts/truetype/dejavu /usr/share/php/Image/Canvas/Fonts

The following document from Jason Weir helped me a lot:

As always, please give me feedback in the forums so I can improve on this.

Many thanks,



3 thoughts on “Sticky Finger’s Kali-Pi – Configuration of Snort

Comments are closed.