forked from snort3/snort3
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
180 lines (128 loc) · 5.91 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
Snort++
The Snort++ project has been hard at work for a while now and we are
finally ready to release the first alpha of the next generation Snort IPS
(Intrusion Prevention System). This post will show you what Snort++ has to
offer and guide you through the steps from download to demo. If you are
unfamiliar with Snort you should take a look at the Snort documentation
first. We will cover the following topics:
* Overview
* Dependencies
* Download
* Build Snort
* Run Snort
* Documentation
* Squeal
OVERVIEW
This first alpha release is based on early Snort 2.9.6 and excludes all but
one of Snort's dynamic preprocessors (ftp_telnet). Work is underway to
port that functionality and sync with 2.9.7; those updates will be rolled
out as they become available.
Project = Snort++
Binary = snort
Version = 3.0.0-a1
Here are some key features in this alpha release:
* Support multiple packet processing threads
* Use a shared configuration and attribute table
* Use a simple, scriptable configuration
* Make key components pluggable
* Autodetect services for portless configuration
* Support sticky buffers in rules
* Autogenerate reference documentation
* Provide better cross platform support
Additional features on the roadmap include:
* Use a shared network map
* Support pipelining of packet processing
* Support hardware offload and data plane integration
* Rewrite critical modules like TCP reassembly and HTTP inspection
* Support proxy mode
* Facilitate component testing
* Simplify memory management
* Provide all of Snort's functionality
DEPENDENCIES
If you already build Snort, you may have everything you need. If not, grab
the latest:
* autotools or cmake to build from source
* g++ >= 4.8 or other C++11 compiler
* daq from http://www.snort.org for packet IO
* dnet from http://code.google.com/p/libdnet/ for network utility functions
* LuaJIT from http://luajit.org for configuration and scripting
* pcap from http://www.tcpdump.org for tcpdump style logging
* pcre from http://www.pcre.org for regular expression pattern matching
* zlib from http://www.zlib.net for decompression
* pkgconfig from http://www.freedesktop.org to build the example plugins
DOWNLOAD
There are two sets of source tarballs, once for autotools and one for
cmake. snort-3 contains the base program and snort_extra has example
plugins.
snort-3.0.0-a1-130-auto.tar.gz
snort-3.0.0-a1-130-cmake.tar.gz
BUILD SNORT
First do these setup steps:
export my_path=/path/to/snorty
tar zxf snort-tarball
cd snort-3.0.0*
Then do one of the following:
To build with autotools, simply do the usual from the top level directory:
./configure --prefix=$my_path
make -j 8 install
To build with cmake and make, run configure_cmake.sh. It will
automatically create and populate a new subdirectory named 'build'.
./configure_cmake.sh --prefix=$my_path
cd build
make -j 8 install
Note:
* If you can do src/snort -V you built successfully.
* If you are familiar with cmake, you can run cmake/ccmake instead of configure_cmake.sh.
* cmake --help will list any available generators, such as Xcode. Feel
free to use one, however help with those will be provided in a later
post.
RUN SNORT
First set up the environment:
export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort
Then give it a go:
Snort++ provides lots of help from the command line. Here are some examples:
$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread
Examine and dump a pcap:
$my_path/bin/snort -r pcap
$my_path/bin/snort -K text -d -e -q -r pcap
Verify a config, with or w/o rules:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
Run IDS mode. In the following, replace a.pcap with your favorite. pcaps/
is a directory with one or more *.pcap files:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000
Let's suppress 1:2123. We could edit the conf or just do this:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
Go whole hog on a directory with multiple packet threads:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
--pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8
DOCUMENTATION
Take a look at the manual, parts of which are generated by the code so it
stays up to date:
$my_path/share/doc/snort/snort_manual.pdf
$my_path/share/doc/snort/snort_manual.html
$my_path/share/doc/snort/snort_manual/index.html
It does not yet have much on the how and why, but it does have all the
currently available configuration, etc. Some key changes to rules:
* you must use comma separated content sub options like this: content:"foo", nocase;
* buffer selectors must appear before the content and remain in effect until changed
* pcre buffer selectors were deleted
* check the manual for more on Snort++ vs Snort
* check the manual reference section to understand how parameters are defined, etc.
It also covers new features not demonstrated here:
* snort2lua, a tool to convert Snort 2.X conf and rules to the new form
* a new HTTP inspector, new_http_inspect - incomplete but off to a good start
* a binder, for mapping configuration to traffic
* a wizard for port-independent configuration
* improved rule parsing - arbitrary whitespace, C style comments, #begin/#end comments
* local and remote command line shell
SQUEAL o")~
We hope you are as excited about Snort++ as we are. Although a lot of work
remains, we wanted to give you a chance to try it out and let us know what
you think on the snort-users list. In the meantime, we'll keep our snout
to the grindstone.