Yes, I know this is a default config, but if you are new to Snort it gets you up and running quickly so you can actually tinker with a running system. If you haven't installed pkgin, see my post How to install XFCE on NetBSD 6 and run the steps to install pkgin.
1) Get the software.
> pkgin avail | grep snort
oinkmaster-2.0nb1 Manage snort rule updates
snort-22.214.171.124nb2 The Open Source Network Intrusion Detection System
snort-rules-2.4 Network Intrusion Detection System (Community Rules)
snortsnarf-20050314.1nb1 Generate HTML report summaries from snort incident alerts
> pkgin install oinkmaster-2.0nb1
> pkgin install snort-126.96.36.199nb2
> pkgin install snort-rules-2.4
> pkgin install snortsnarf-20050314.1nb1
> pkgin install libpcap
> pkgin install tcpdump
> pkgin install pcre-*
2) Create the rule files that the default snort.conf includes from its var RULE_PATH directory, /usr/pkg/share/snort/rules. Snort refuses to start if an included rules file is missing, so empty files are enough to get going; put your own rules in local.rules.
> touch /usr/pkg/share/snort/rules/local.rules
> touch /usr/pkg/share/snort/rules/bad-traffic.rules
> touch /usr/pkg/share/snort/rules/exploit.rules
> touch /usr/pkg/share/snort/rules/scan.rules
> touch /usr/pkg/share/snort/rules/finger.rules
> touch /usr/pkg/share/snort/rules/ftp.rules
> touch /usr/pkg/share/snort/rules/telnet.rules
> touch /usr/pkg/share/snort/rules/rpc.rules
> touch /usr/pkg/share/snort/rules/rservices.rules
> touch /usr/pkg/share/snort/rules/dos.rules
> touch /usr/pkg/share/snort/rules/ddos.rules
> touch /usr/pkg/share/snort/rules/dns.rules
> touch /usr/pkg/share/snort/rules/tftp.rules
> touch /usr/pkg/share/snort/rules/web-cgi.rules
> touch /usr/pkg/share/snort/rules/web-coldfusion.rules
> touch /usr/pkg/share/snort/rules/web-iis.rules
> touch /usr/pkg/share/snort/rules/web-frontpage.rules
> touch /usr/pkg/share/snort/rules/web-misc.rules
> touch /usr/pkg/share/snort/rules/web-client.rules
> touch /usr/pkg/share/snort/rules/web-php.rules
> touch /usr/pkg/share/snort/rules/sql.rules
> touch /usr/pkg/share/snort/rules/x11.rules
> touch /usr/pkg/share/snort/rules/icmp.rules
> touch /usr/pkg/share/snort/rules/netbios.rules
> touch /usr/pkg/share/snort/rules/misc.rules
> touch /usr/pkg/share/snort/rules/attack-responses.rules
> touch /usr/pkg/share/snort/rules/oracle.rules
> touch /usr/pkg/share/snort/rules/mysql.rules
> touch /usr/pkg/share/snort/rules/snmp.rules
> touch /usr/pkg/share/snort/rules/smtp.rules
> touch /usr/pkg/share/snort/rules/imap.rules
> touch /usr/pkg/share/snort/rules/pop2.rules
> touch /usr/pkg/share/snort/rules/pop3.rules
> touch /usr/pkg/share/snort/rules/nntp.rules
> touch /usr/pkg/share/snort/rules/other-ids.rules
3) Test the config. -T parses snort.conf and every included rules file and exits without sniffing; wm0 is the NIC on this box, so substitute your own interface name here and in step 4.
> /usr/pkg/bin/snort -T -i wm0 -u snort -g snort -c /usr/pkg/etc/snort/snort.conf
4) Start Snort. -D runs it as a daemon, -A fast writes one-line alerts, -b logs the matching packets in tcpdump format, -d includes the application-layer payload, -l sets the log directory, and -u/-g drop privileges to the snort user and group after the interface is opened.
> /usr/pkg/bin/snort -D -i wm0 -A fast -b -d -u snort -g snort -c /usr/pkg/etc/snort/snort.conf -l /var/log/snort
5) Monitor hits. With -A fast, each alert is a single line in /var/log/snort/alert.
> tail -f /var/log/snort/alert
6) After an hour or so, run snortsnarf.pl to get an HTML report.
> mkdir -p /var/log/snort/report
> /usr/pkg/bin/snortsnarf.pl -d /var/log/snort/report /var/log/snort/alert
> cd /var/log/snort/report
> firefox index.html
Note: if you don’t have an X11 desktop, just scp the report folder over to a host that does and run firefox index.html from that host.
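If you want a quick count of what is firing before the snortsnarf.pl report is worth generating, the following shell snippet summarises the -A fast alert log from step 5 by signature and by source address. It is an added example, not part of the original post; it assumes Snort's fast alert line format, and the sample lines it writes are constructed for the demo rather than taken from a real sensor.

```shell
#!/bin/sh
# Added example (not from the original post): text summary of Snort's
# "-A fast" alert log, for a quick look between snortsnarf.pl runs.
# Assumes the fast alert format, e.g.
#   01/02-03:04:05.123456  [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 3] {PROTO} SRC -> DST

# Print "count gid:sid:rev message" per signature, busiest first.
snort_alert_summary() {
    awk '
        # keep only lines that carry a [gid:sid:rev] signature id
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\] .* \[\*\*\]/) {
            field = substr($0, RSTART + 1, RLENGTH - 6)   # "gid:sid:rev] message"
            id = field; sub(/\].*/, "", id)                # "gid:sid:rev"
            msg = substr(field, length(id) + 3)            # text after "] "
            count[id]++; text[id] = msg
        }
        END { for (k in count) print count[k], k, text[k] }
    ' "$1" | sort -rn
}

# Print "count source_ip" (port stripped) per alerting source, busiest first.
snort_alert_top_sources() {
    awk '$(NF-1) == "->" { src = $(NF-2); sub(/:[0-9]+$/, "", src); count[src]++ }
         END { for (s in count) print count[s], s }' "$1" | sort -rn
}

# Constructed sample alert lines for an offline demo (not real traffic).
write_sample_alerts() {
    cat > "$1" <<'EOF'
01/02-03:04:05.123456  [**] [1:1000001:1] LOCAL ICMP echo test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
01/02-03:04:06.223456  [**] [1:1000001:1] LOCAL ICMP echo test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
01/02-03:05:00.000001  [**] [1:1000002:1] LOCAL telnet to server [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:40112 -> 192.168.1.1:23
EOF
}

# Stand-alone demo on the constructed sample; on a real sensor point the
# two functions at /var/log/snort/alert instead.
demo=$(mktemp)
write_sample_alerts "$demo"
snort_alert_summary "$demo"
snort_alert_top_sources "$demo"
rm -f "$demo"
```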