Member "snort3_extra-3.1.51.0/README" (20 Dec 2022, 3024 Bytes) of package /linux/misc/snort3_extra-3.1.51.0.tar.gz:
Snort++ Extras

Snort++ is all about plugins. It has over 200 by default and makes it easy
to add more in C++ or LuaJIT. This file will walk you through building and
running a set of extra example plugins. If you haven't installed and
verified Snort++, you will need to do that first. We will cover the
following topics:

* Overview
* Download
* Build Extras
* Run Extras
* Next Steps

OVERVIEW

The following things are pluggable in Snort++:

* codec - decode and encode support for a given protocol
* data - additional configuration for inspectors
* inspector - replaces Snort preprocessors
* ips_option - IPS rule option like content and byte_test
* ips_action - IPS rule action like alert and block
* search_engine - fast pattern matcher
* logger - event handlers
* SO rules - dynamic rules

DOWNLOAD

There is one extra tarball:

    snort_extra-1.0.0-a1-130.tar.gz

You can also get the code with:

    git clone git://github.com/snortadmin/snort3_extra.git

BUILD EXTRAS

Follow these steps:

1. Set up the source directory:

   * If you are using a github clone:

        cd snort3_extra/

   * Otherwise do this:

        tar zxf extra-tarball
        cd snort_extra-1.0.0*

2. Set up the install path using pkgconfig (same as for snort):

        export PKG_CONFIG_PATH=$my_path/lib/pkgconfig

3. Compile and install:

        ./configure_cmake.sh
        cd build
        make
        make install

Note:

* cmake --help will list any available generators, such as Xcode. Feel
  free to use one, however help with those will be provided separately.
* each individual plugin directory is a standalone cmake project, and does
  not depend on any other part of the extra/ build tree
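The three build steps above fail in a non-obvious way when step 2 is skipped or $my_path points at the wrong prefix: configure_cmake.sh cannot find the snort pkg-config file and the extras build against nothing. The following script is an added example, not part of the snort3_extra README or project; it wraps the steps with two pre-flight checks. It assumes, as the README does, that $my_path is the prefix where Snort++ was installed, and that the installed snort exposes lib/pkgconfig/snort.pc under that prefix.

```shell
#!/bin/sh
# Added example (not from the snort3_extra README): pre-flight checks around
# the "Build Extras" steps. Assumes $my_path is the Snort++ install prefix.

# Return 0 if "$1/lib/pkgconfig/snort.pc" exists, else print a hint and return 1.
# This is what PKG_CONFIG_PATH in step 2 has to make visible to configure_cmake.sh.
check_pkgconfig() {
    prefix="$1"
    pc="$prefix/lib/pkgconfig/snort.pc"
    if [ ! -f "$pc" ]; then
        echo "missing $pc: install and verify Snort++ first, or fix my_path" >&2
        return 1
    fi
    return 0
}

# Return 0 if "$1" looks like the extras source tree (has configure_cmake.sh), else 1.
check_source_dir() {
    dir="$1"
    if [ ! -f "$dir/configure_cmake.sh" ]; then
        echo "$dir: no configure_cmake.sh here; cd into the clone or unpacked tarball" >&2
        return 1
    fi
    return 0
}

# Run steps 2 and 3 only after both checks pass. The subshell keeps the
# directory change local to this function.
build_extras() {
    prefix="$1"
    src="$2"
    check_pkgconfig "$prefix" || return 1
    check_source_dir "$src" || return 1
    PKG_CONFIG_PATH="$prefix/lib/pkgconfig"
    export PKG_CONFIG_PATH
    ( cd "$src" && ./configure_cmake.sh && cd build && make && make install )
}

# Usage: my_path=/opt/snort sh build_extras.sh /path/to/snort3_extra
# (only runs when invoked with a source directory and my_path set)
if [ -n "$my_path" ] && [ $# -eq 1 ]; then
    build_extras "$my_path" "$1"
fi
```

The checks are deliberately read-only: nothing is built unless both succeed, so a mistyped my_path is caught before cmake starts rather than after a confusing configure error.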

RUN EXTRAS

In the following, replace a.pcap with your favorite.

* The following demonstrates a C++ logger and a LuaJIT logger:

        $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
            -r a.pcap --plugin-path $my_path/lib/snort_extra -A alert_ex

        $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
            -r a.pcap --script-path $my_path/lib/snort_extra -A lualert

  You can edit $my_path/lib/snort_extra/loggers/alert.lua to tweak the output
  format and rerun the above command to try it out.

* The last example demonstrates a LuaJIT rule option called find. The rule,
  supplied on stdin, uses the Lua [[ multiline string ]] delimiters to avoid
  shell escape issues:

        echo 'alert tcp any any -> any 80 ( sid:1; msg:"test"; http_method; find:"pat = [[GET]]"; )' | \
            $my_path/bin/snort -c $my_path/etc/snort/snort.lua -r a.pcap \
            -A cmg --script-path $my_path/lib/snort_extra --stdin-rules

NEXT STEPS

There is no design guide yet but you can develop your own plugins in C++ by
using the examples as a starting point. In addition, IPS options and
loggers can also be written in LuaJIT. The API may change going forward,
but you are encouraged to roll your own now and let us know how it goes so
we can incorporate any suggestions in the final design.