snort  3.0.0-beta-beta
About: Snort 3.0 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection. Beta version.
  Fossies Dox: snort-3.0.0-beta.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

snort Documentation

Some Fossies usage hints in advance:

  1. To see the Doxygen generated documentation please click on one of the items in the steelblue colored "quick index" bar above or use the side panel at the left which displays a hierarchical tree-like index structure and is adjustable in width.
  2. If you want to search for something by keyword rather than browse for it you can use the client side search facility (using Javascript and DHTML) that provides live searching, i.e. the search results are presented and adapted as you type in the Search input field at the top right.
  3. Doxygen doesn't incorporate all member files but just a definable subset (basically the main project source code files that are written in a supported language). So to search and browse all member files you may visit the Fossies
  4. snort-3.0.0-beta.tar.gz contents page and use the Fossies standard member browsing features (also with source code highlighting and additionally with optional code folding).
README.md

Snort++

The Snort++ project has been hard at work for a while now and we have released the fourth alpha of the next generation Snort IPS (Intrusion Prevention System). This file will show you what Snort++ has to offer and guide you through the steps from download to demo. If you are unfamiliar with Snort you should take a look at the Snort documentation first. We will cover the following topics:


OVERVIEW

This version of Snort++ includes new features as well as all Snort 2.X features and bug fixes for the base version of Snort except as indicated below:

Project = Snort++
Binary = snort
Version = 3.0.0-a4 build 235
Base = 2.9.8 build 383

Here are some key features of Snort++:

  • Support multiple packet processing threads
  • Use a shared configuration and attribute table
  • Use a simple, scriptable configuration
  • Make key components pluggable
  • Autodetect services for portless configuration
  • Support sticky buffers in rules
  • Autogenerate reference documentation
  • Provide better cross platform support
  • Facilitate component testing

Additional features on the roadmap include:

  • Use a shared network map
  • Support pipelining of packet processing
  • Support hardware offload and data plane integration
  • Support proxy mode
  • Windows support

DEPENDENCIES

If you already build Snort, you may have everything you need. If not, grab the latest:

Additional packages provide optional features. Check the manual for more.

DOWNLOAD

There is a source tarball available in the Downloads section on snort.org:

snort-3.0.0-a3.tar.gz

You can also get the code with:

git clone git://github.com/snortadmin/snort3.git

There are separate extras packages for cmake that provide additional features and demonstrate how to build plugins. The source for extras is in snort3_extra.git repo.

BUILD SNORT

Follow these steps:

  1. Set up source directory:
  • If you are using a github clone:

    cd snort3/
    
  • Otherwise, do this:

    tar zxf snort-tarball
    cd snort-3.0.0*
    
  1. Setup install path:

    export my_path=/path/to/snorty
    
  2. Compile and install:

  • To build with cmake and make, run configure_cmake.sh. It will automatically create and populate a new subdirectory named 'build'.

    ./configure_cmake.sh --prefix=$my_path
    cd build
    make -j $(nproc) install
    

Note:

  • If you can do src/snort -V you built successfully.
  • If you are familiar with cmake, you can run cmake/ccmake instead of configure_cmake.sh.
  • cmake --help will list any available generators, such as Xcode. Feel free to use one, however help with those will be provided separately.

RUN SNORT

First set up the environment:

export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort

Then give it a go:

  • Snort++ provides lots of help from the command line. Here are some examples:

    $my_path/bin/snort --help
    $my_path/bin/snort --help-module suppress
    $my_path/bin/snort --help-config | grep thread
    
  • Examine and dump a pcap. In the following, replace a.pcap with your favorite:

    $my_path/bin/snort -r a.pcap
    $my_path/bin/snort -L dump -d -e -q -r a.pcap
    
  • Verify a config, with or w/o rules:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua
    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
    
  • Run IDS mode. In the following, replace pcaps/ with a path to a directory with one or more *.pcap files:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap -A alert_test -n 100000
    
  • Let's suppress 1:2123. We could edit the conf or just do this:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
    
  • Go whole hog on a directory with multiple packet threads:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        --pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8
    

Additional examples are given in doc/usage.txt.

DOCUMENTATION

Take a look at the manual, parts of which are generated by the code so it stays up to date:

$my_path/share/doc/snort/snort_manual.pdf
$my_path/share/doc/snort/snort_manual.html
$my_path/share/doc/snort/snort_manual/index.html

It does not yet have much on the how and why, but it does have all the currently available configuration, etc. Some key changes to rules:

  • you must use comma separated content sub options like this: content:"foo", nocase;
  • buffer selectors must appear before the content and remain in effect until changed
  • pcre buffer selectors were deleted
  • check the manual for more on Snort++ vs Snort
  • check the manual reference section to understand how parameters are defined, etc.

It also covers new features not demonstrated here:

  • snort2lua, a tool to convert Snort 2.X conf and rules to the new form
  • a new HTTP inspector
  • a binder, for mapping configuration to traffic
  • a wizard for port-independent configuration
  • improved rule parsing - arbitrary whitespace, C style comments, #begin/#end comments
  • local and remote command line shell

SQUEAL

o")~

We hope you are as excited about Snort++ as we are. Although a lot of work remains, we wanted to give you a chance to try it out and let us know what you think on the snort-users list. In the meantime, we'll keep our snout to the grindstone.