After the snort sources are patched, run configure in the snort source directory. This creates the file config.h, which is needed to compile FLoP, so that snort and FLoP are built against the same type definitions.

Then change to the FLoP directory and run configure there. You must give the path to the snort sources with --with-snort=/path/to/snort and select at least one database: either MySQL (--with-mysql=/path/to/mysql) or PostgreSQL (--with-postgres=/path/to/postgresql). You also decide whether the optional features and programs drop (--enable-drop, now the default), alert (--enable-alert, now the default), getpacket (--enable-getpacket) and fpg (--enable-fpg) are built. Building fpg requires libnet version 1.1 or newer.

The path to the snort sources and the database type are required; the remaining options are optional, and some are recommended.
The configure options in detail
--prefix=DIR
    Gives the prefix for the installed binaries, manual pages, documentation files and configuration files. These are installed in DIR/bin, DIR/man, DIR/doc and DIR/conf.
--with-snort=DIR
    This option is required. DIR should point to the configured snort sources, which are needed to build the FLoP package. At minimum, config.h from the snort sources is required. configure also runs a small test to check that the patch has been applied.
--with-mysql=DIR
    Activates support for the MySQL database. DIR should point to the MySQL directory where the header and library files can be found. configure first tries to run DIR/bin/mysql_config to obtain the compiler settings and flags.
--with-postgres=DIR
    Activates support for the PostgreSQL database. DIR should point to the PostgreSQL directory where the header and library files can be found. configure first tries to run DIR/bin/pg_config to obtain the compiler settings and flags. Note: You can activate both databases; which one is actually used is decided in servsock.conf.
--with-libbind
    Links the programs against libbind. The programs can use the library functions getipnodebyname() and getipnodebyaddr(), which are not part of every operating system, so libbind can supply them. If this option is not given, gethostbyname() and gethostbyaddr() are used instead, so you will probably not need this option.
--enable-drop
    Builds the program drop and activates its interfaces in sockserv and servsock. Note: the feature must still be switched on via the command line options or the configuration file, so building it is safe, and it is therefore enabled by default.

--enable-alert
    Builds the program alert and activates its interfaces in sockserv and servsock. Note: as with drop, the feature must still be switched on via the command line options or the configuration file, so building it is safe, and it is therefore enabled by default.
--enable-getpacket
    Builds the program getpacket, which can rebuild a file in pcap format from the network packets stored in the database. Note: to use this feature you have to extend the database schema and instruct servsock to store the additional information in the database.
    If you want to use libpcap to build the pcap file from the database, use the option --with-libpcap. Normally this is not necessary: getpacket can build the pcap file without libpcap.
--enable-fpg
    Builds the program fpg. Compiling it requires libnet version 1.1 or newer. Since the libnet API seems to change quite frequently, it is not unlikely that fpg will fail to compile cleanly; therefore this option is disabled by default.
--enable-prepare
    Enables the use of the PREPARE command with the PostgreSQL database. All SQL statements are then prepared once, so type checks and similar operations do not have to be repeated on every execution. This may improve the performance of the database access.
    Note: This is not implemented for the MySQL database.
    Note: At least with the current snort database schema, this kind of optimization already seems to be done by the PostgreSQL client library.
--enable-cache
    Enables a cache for the sig_ids. When an alert is to be inserted, the first step is to look up the sig_id of its signature, which is then used for all further INSERTs. Since this lookup is the only read statement, it slows down the database access. The cache stores all sig_ids already seen so that further SELECTs for them are avoided. It is implemented as a red-black binary tree.
--with-maxclients=clients
    Specifies how many sensors (that is, sockserv processes) can connect to servsock simultaneously. The default is 25.
On some systems the database library and header files are already part of the operating system. Then it can happen that, for example, the MySQL header files are not found in /path/to/mysql/include/ but in /usr/include/mysql, where the compiler does not search by default. In that case it may be useful to set CPPFLAGS together with the configure command:

    CPPFLAGS=-I/usr/include/mysql ./configure --with-mysql=/usr ...

Additionally, CFLAGS for compiler flags and LDFLAGS for linker options may be useful. NOTE: If mysql_config or pg_config is used to obtain the compiler settings and flags, you should not need to adjust these FLAGS.
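The following script ties the steps above together: it checks that the snort tree has actually been configured (config.h present), chooses between relying on mysql_config / pg_config and setting CPPFLAGS by hand, and assembles the FLoP configure command line. It is an added example written for this page, not a script from the FLoP distribution; the header directories /usr/include/mysql (from the note above) and /usr/include/postgresql, and the example paths /usr/src/snort and /usr, are assumptions about a typical layout and should be adapted to your system.

```shell
#!/bin/sh
# Added example, not part of FLoP: build and sanity-check the FLoP
# ./configure invocation. Paths used here are placeholders.

# FLoP's configure needs config.h from an already configured snort tree.
check_snort_tree() {
    if [ ! -f "$1/config.h" ]; then
        echo "error: $1/config.h not found; run ./configure in the snort tree first" >&2
        return 1
    fi
    return 0
}

# build_configure_cmd SNORT_DIR {mysql|postgres} DB_PREFIX [extra options...]
# Prints the command line to run in the FLoP source directory.
# If the vendor's mysql_config / pg_config exists under DB_PREFIX, configure
# can query it and no CPPFLAGS are needed. Otherwise CPPFLAGS is pointed at
# the header directory of an OS-supplied client library (assumed locations:
# DB_PREFIX/include/mysql and DB_PREFIX/include/postgresql).
build_configure_cmd() {
    if [ $# -lt 3 ]; then
        echo "usage: build_configure_cmd SNORT_DIR mysql|postgres DB_PREFIX [opts]" >&2
        return 1
    fi
    snort_dir=$1
    db=$2
    db_prefix=$3
    shift 3

    check_snort_tree "$snort_dir" || return 1

    cppflags=""
    case $db in
        mysql)
            [ -x "$db_prefix/bin/mysql_config" ] || \
                cppflags="CPPFLAGS=-I$db_prefix/include/mysql "
            dbarg="--with-mysql=$db_prefix"
            ;;
        postgres)
            [ -x "$db_prefix/bin/pg_config" ] || \
                cppflags="CPPFLAGS=-I$db_prefix/include/postgresql "
            dbarg="--with-postgres=$db_prefix"
            ;;
        *)
            echo "error: database must be mysql or postgres, got '$db'" >&2
            return 1
            ;;
    esac

    # Required options first, then whatever the caller adds
    # (for example --enable-getpacket or --with-maxclients=50).
    printf '%s./configure --with-snort=%s %s' "$cppflags" "$snort_dir" "$dbarg"
    for opt in "$@"; do
        printf ' %s' "$opt"
    done
    printf '\n'
}

# Usage: sh flop-configure.sh /usr/src/snort postgres /usr --enable-getpacket
# Without arguments nothing is run, so the file can also be sourced.
if [ $# -ge 3 ]; then
    cmd=$(build_configure_cmd "$@") || exit 1
    echo "$cmd"
    eval "$cmd"
fi
```

Run it from the FLoP source directory. The printed command line is the exact invocation that is executed, which makes it easy to review (or copy into a build log) before the database flags and optional programs are baked into the build.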
For further information read the file INSTALL and the various README files of the distribution.