HowTo get Snare running on SuSE

These instructions were written for SLES 8.0, but should work on other SuSE versions as well. I am using version 0.9.2 of the Snare core, modified to use the sys-call table directly, since SuSE exports it.

To build and install the core from snare-core-0.9.2.tar.gz:

tar xvzf snare-core-0.9.2.tar.gz
cd snare-core-0.9.2

With your favorite editor, make these changes:

    change line 26 in auditmodule.c to:
    //#define HIDDEN_SYS_CALL_TABLE 1

    change lines 37-43 in Makefile to:
    cd $(prefix)/etc/rc.d/rc2.d; ln -s ../../init.d/audit S98audit
    cd $(prefix)/etc/rc.d/rc3.d; ln -s ../../init.d/audit S98audit
    cd $(prefix)/etc/rc.d/rc4.d; ln -s ../../init.d/audit S98audit
    cd $(prefix)/etc/rc.d/rc5.d; ln -s ../../init.d/audit S98audit
    cd $(prefix)/etc/rc.d/rc6.d; ln -s ../../init.d/audit K10audit
    cd $(prefix)/etc/rc.d/rc1.d; ln -s ../../init.d/audit K10audit
    cd $(prefix)/etc/rc.d/rc0.d; ln -s ../../init.d/audit K10audit

    change line 53 in Makefile to:
    if [ -d $(prefix)/etc/init.d/audit ]; then rm $(prefix)/etc/init.d/audit; rm $(prefix)/etc/rc.d/rc*.d/S98audit; rm $(prefix)/etc/rc.d/rc*.d/K10audit;fi

    change line 11 in audit-start to:
    . /lib/lsb/init-functions

make
make install

To build and install the GUI from snare-0.9.tar.gz:

This package has many dependencies. Here are some that you may need to add: lsb, lsb-runtime, gnome-libs-devel, gettext, and esound-devel.

aclocal -I macros
automake -a
autoconf
./configure
make
make install

Start auditing with a reboot or /etc/init.d/auditd start.
The GUI can be invoked with /usr/local/bin/snare.

Note that the use of 'inetd' seems to cause problems if you turn on the network-related events (accept and connect auditing) - however, if you install and use xinetd, these problems do not occur.
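
A check for the start and kill links that the edited Makefile lines above create, so that a missing or mis-pointed link does not leave auditing off after a reboot. This is an added example, not part of the original HowTo or the Snare distribution; the function name `check_snare_links` and its prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Snare distribution): confirm that the audit
# init script is linked into every runlevel the edited Makefile covers.
# check_snare_links is a hypothetical helper; PREFIX mirrors $(prefix) in
# the Makefile and is empty for a normal install into /.
# Usage: check_snare_links ""          (live system)
#        check_snare_links /tmp/stage  (staged install tree)
check_snare_links() {
    prefix=$1
    status=0
    script="$prefix/etc/init.d/audit"
    if [ ! -f "$script" ] || [ ! -x "$script" ]; then
        echo "init script missing or not executable: $script"
        status=1
    fi
    # Start links in runlevels 2-5, kill links in 0, 1 and 6 (from the HowTo).
    for spec in 2:S98audit 3:S98audit 4:S98audit 5:S98audit \
                0:K10audit 1:K10audit 6:K10audit; do
        level=${spec%%:*}
        name=${spec#*:}
        link="$prefix/etc/rc.d/rc$level.d/$name"
        if [ ! -L "$link" ]; then
            echo "missing: $link"
            status=1
        elif [ "$(readlink "$link")" != "../../init.d/audit" ]; then
            echo "wrong target: $link -> $(readlink "$link")"
            status=1
        fi
    done
    return "$status"
}
```

The function prints one line per problem and returns non-zero if any link or the init script itself is absent or wrong.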

Copyright (c) 1999-2011 InterSect Alliance Pty Ltd