NOTE: With 1.6.0 a Tag is added to the alertpkt. Therefore you have to patch snort against a newer patch, and you cannot combine sockserv and servsock of different releases.

To run and install FLoP you need:

 + snort sources
 + patch snort sources for the new output plugin
 + call configure in the snort directory (and make)
 + a PostgreSQL or MySQL database
 + libnet >= 1.1 for the false-positive-generator
 + run configure in the FLoP directory
 + run make

Here comes the long part:

 1. tar xvzf snort-2.1.x.tar.gz
 2. tar xvzf FLoP-1.x.x.tar.gz
 3. cd snort-2.1.x
 4. patch -p1 <../FLoP-1.x.x/patches/snort-2.1.x_patch
 5. ./configure
 6. make

Now you have a patched snort version which knows of the new output plugin. You can enable it via the snort.conf option:

 output alert_unixsock_db: /tmp/snort

Next step is to configure FLoP:

 ./configure --with-snort=/path/to/snort-2.1.x \
             --with-postgres=/path/to/postgres \
             --with-mysql=/path/to/mysql \
             --enable-drop \
             --enable-alert \
             --enable-getpacket \
             --enable-fpg \
             --with-libpcap

You need only one database; I personally recommend PostgreSQL, it seems to perform better than MySQL on heavy load. The --with-libpcap option is optional and only used with getpacket. If given, libpcap is used to rebuild a pcap file from the database. All given paths must be absolute; a relative path won't work. drop, alert, getpacket and fpg are optional add-ons. By default the inclusion of debug code is activated; to disable it use --disable-debug.

 + drop is needed to be able to drop packets if too many are queued.
 + alert can send alerts via E-Mail based on the priority of the alert.
 + getpacket is able to reconstruct a pcap file of a specific alert -> see README.payload if you want to use this feature.
 + fpg is a false-positive-generator which is useful to test the snort implementation with a high load of alerts. You have to disable either the stream4 preprocessor or the established flag in the rules to get a maximum of alerts.
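The two caveats above (absolute paths only, and only one of the two database backends is needed) are easy to get wrong when typing the configure line by hand. The following POSIX sh helper is an added example, not part of the FLoP distribution: it assembles the FLoP ./configure command line, rejects relative --with-* paths and unknown database kinds before anything is run, and only prints the resulting command so you can review it. The function names, the /opt/src/snort-2.1.x and /usr/local/pgsql paths, and the list of add-on switches passed through are constructed for the demo.

```shell
#!/bin/sh
# Added example (not FLoP's own code): build the FLoP ./configure invocation
# and enforce the README's caveats first. All paths below are constructed.

# is_absolute PATH -> 0 if PATH starts with '/', 1 otherwise
is_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# build_flop_configure SNORT_DIR DB_KIND DB_DIR [EXTRA...]
#   DB_KIND is "postgres" or "mysql" (only one backend is needed).
#   Prints the configure command line on success and returns 0; on a
#   relative path or unknown database kind prints an error to stderr
#   and returns 1. EXTRA arguments are passed through unchanged, e.g.
#   --enable-drop --enable-alert --enable-getpacket --enable-fpg
#   --with-libpcap --disable-debug --with-maxclients=NN.
build_flop_configure() {
    snort_dir=$1; db_kind=$2; db_dir=$3
    shift 3
    # FLoP's configure does not resolve relative paths, so refuse them here.
    for p in "$snort_dir" "$db_dir"; do
        if ! is_absolute "$p"; then
            echo "error: '$p' is relative; FLoP's configure needs absolute paths" >&2
            return 1
        fi
    done
    case "$db_kind" in
        postgres) db_flag="--with-postgres=$db_dir" ;;
        mysql)    db_flag="--with-mysql=$db_dir" ;;
        *) echo "error: database must be postgres or mysql, got '$db_kind'" >&2
           return 1 ;;
    esac
    cmd="./configure --with-snort=$snort_dir $db_flag"
    for extra in "$@"; do
        cmd="$cmd $extra"
    done
    # Print only; the caller decides whether to run the reviewed command.
    printf '%s\n' "$cmd"
}

# Demo with constructed paths. Nothing is executed, the command is printed:
build_flop_configure /opt/src/snort-2.1.x postgres /usr/local/pgsql \
    --enable-drop --enable-alert --disable-debug
# A relative snort path is rejected before configure would silently misbehave:
build_flop_configure ../snort-2.1.x mysql /usr/local/mysql || echo "rejected as expected"
```

Run the printed line from the FLoP source directory once it looks right; if you re-run it against an already compiled tree, do a 'make clean' first as the README says.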
The number of remote sensors is limited to 25 but can be adjusted with the --with-maxclients=NN option.

After the configure run all you have to do is to invoke make:

 make

WARNING: If you re-configure a compiled version you should first invoke a 'make clean'!

Finally you can run

 make install

By default it will install all files below /usr/local, but you can change this with the --prefix=/path/to/install/FLoP directive.

For all further information see the various README files and USAGE.