snort3_extra  3.0.3-1
About: SnortExtras contains plugins for the snort IDS/IPS system (for snort 3.0).
  Fossies Dox: snort3_extra-3.0.3-1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

snort3_extra Documentation

Some Fossies usage hints in advance:

  1. To see the Doxygen generated documentation please click on one of the items in the steelblue colored "quick index" bar above or use the side panel at the left which displays a hierarchical tree-like index structure and is adjustable in width.
  2. If you want to search for something by keyword rather than browse for it you can use the client side search facility (using Javascript and DHTML) that provides live searching, i.e. the search results are presented and adapted as you type in the Search input field at the top right.
  3. Doxygen doesn't incorporate all member files but just a definable subset (basically the main project source code files that are written in a supported language). So to search and browse all member files you may visit the Fossies
  4. snort3_extra-3.0.3-1.tar.gz contents page and use the Fossies standard member browsing features (also with source code highlighting and additionally with optional code folding).
README

Snort++ Extras

Snort++ is all about plugins. It has over 200 by default and makes it easy to add more in C++ or LuaJIT. This file will walk you through building and running a set of extra example plugins. If you haven't installed and verified Snort++, you will need to do that first. We will cover the following topics:

  • Overview
  • Download
  • Build Extras
  • Run Extras
  • Next Steps

OVERVIEW

The following things are pluggable in Snort++:

  • codec - decode and encode support for a given protocol
  • data - additional configuration for inspectors
  • inspector - replaces Snort preprocessors
  • ips_option - IPS rule option like content and byte_test
  • ips_action - IPS rule action like alert and block
  • search_engine - fast pattern matcher
  • logger - event handers
  • SO rules - dynamic rules

DOWNLOAD

There is one extra tarball:

snort_extra-1.0.0-a1-130.tar.gz

You can also get the code with:

git clone git://github.com/snortadmin/snort3_extra.git

BUILD EXTRAS

Follow these steps:

  1. Set up source directory:
  • If you are using a github clone:

    cd snort3_extra/

  • Otherwise do this:

    tar zxf extra-tarball cd snort_extra-1.0.0*

  1. Setup install path using pkgconfig (same as for snort):

    export PKG_CONFIG_PATH=$my_path/lib/pkgconfig

  2. Compile and install:

    ./configure_cmake.sh cd build make make install

Note:

  • cmake --help will list any available generators, such as Xcode. Feel free to use one, however help with those will be provided separately.
  • each individual plugin directory is a standalone cmake project, and does not depend on any other part of the extra/ build tree

RUN EXTRAS

In the following, replace a.pcap with your favorite.

  • The following demonstrates a C++ logger and a LuaJIT logger:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
    -r a.pcap --plugin-path $my_path/lib/snort_extra -A alert_ex

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
    -r a.pcap --script-path $my_path/lib/snort_extra -A lualert

You can edit $my_path/lib/snort_extra/loggers/alert.lua to tweak the output format and rerun the above command to try it out.

  • The last example demonstrates a LuaJIT rule option called find. The rule, supplied on stdin, uses the Lua [[ multiline string ]] delimiters to avoid shell escape issues:

    echo 'alert tcp any any -> any 80 ( sid:1; msg:"test"; http_method; find:"pat = [[GET]]"; )' |
    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -r a.pcap
    -A cmg --script-path $my_path/lib/snort_extra --stdin-rules

NEXT STEPS o")~

There is no design guide yet but you can develop your own plugins in C++ by using the examples as a starting point. In addition, IPS options and loggers can also be written in LuaJIT. The API may change going forward, but you are encouraged to roll your own now and let us know how it goes so we can incorporate any suggestions in the final design.