"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.1.51.0/README" (20 Dec 2022, 3024 Bytes) of package /linux/misc/snort3_extra-3.1.51.0.tar.gz:


Snort++ Extras

Snort++ is all about plugins.  It has over 200 by default and makes it easy
to add more in C++ or LuaJIT.  This file will walk you through building and
running a set of extra example plugins.  If you haven't installed and
verified Snort++, you will need to do that first.  We will cover the
following topics:

* Overview
* Download
* Build Extras
* Run Extras
* Next Steps

OVERVIEW

The following things are pluggable in Snort++:

* codec - decode and encode support for a given protocol
* data - additional configuration for inspectors
* inspector - replaces Snort preprocessors
* ips_option - IPS rule option like content and byte_test
* ips_action - IPS rule action like alert and block
* search_engine - fast pattern matcher
* logger - event handlers
* SO rules - dynamic rules

DOWNLOAD

There is one extra tarball:

    snort_extra-1.0.0-a1-130.tar.gz

You can also get the code with:

    git clone git://github.com/snortadmin/snort3_extra.git

Note that the git:// transport is neither encrypted nor authenticated (and
GitHub no longer serves it), so prefer cloning
https://github.com/snortadmin/snort3_extra.git, which at least lets you
verify that the code you are about to build came from GitHub.

BUILD EXTRAS

Follow these steps:

1.  Set up the source directory:

* If you are using a GitHub clone:

    cd snort3_extra/

* Otherwise do this:

    tar zxf extra-tarball
    cd snort_extra-1.0.0*

2.  Set up the install path using pkg-config (same as for snort):

    export PKG_CONFIG_PATH=$my_path/lib/pkgconfig

3.  Compile and install:

    ./configure_cmake.sh
    cd build
    make
    make install

Note:

* cmake --help will list any available generators, such as Xcode.  Feel
  free to use one; however, help with those will be provided separately.
* each individual plugin directory is a standalone cmake project, and does
  not depend on any other part of the extra/ build tree

RUN EXTRAS

In the following, replace a.pcap with your favorite.

* The following demonstrates a C++ logger and a LuaJIT logger:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap --plugin-path $my_path/lib/snort_extra -A alert_ex

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap --script-path $my_path/lib/snort_extra -A lualert

You can edit $my_path/lib/snort_extra/loggers/alert.lua to tweak the output
format and rerun the second command above (the lualert one) to try it out.

* The last example demonstrates a LuaJIT rule option called find.  The rule,
  supplied on stdin, uses the Lua [[ multiline string ]] delimiters to avoid
  shell escape issues:

    echo 'alert tcp any any -> any 80 ( sid:1; msg:"test"; http_method; find:"pat = [[GET]]"; )' | \
        $my_path/bin/snort -c $my_path/etc/snort/snort.lua -r a.pcap \
            -A cmg --script-path $my_path/lib/snort_extra --stdin-rules

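Both run options load code into the snort process: every shared object under
--plugin-path is dlopen()ed and every Lua file under --script-path is executed
by LuaJIT, so whoever can write to those directories can run code with snort's
privileges (often root, since it captures traffic).  The script below is an
added example, not part of snort3_extra, that audits a plugin directory for
group/world-writable entries, unexpected ownership and symlinks before you
point snort at it.  The function name check_plugin_dir and the optional OWNER
argument are this example's own conventions; $my_path is the install prefix
used throughout this README.

```sh
#!/bin/sh
# Added example, not part of snort3_extra.  Audit a plugin directory before
# passing it to snort --plugin-path or --script-path: every .so there is
# dlopen()ed into the snort process and every .lua is run by LuaJIT, so
# anyone who can write to the tree can run code with snort's privileges.
# Assumes POSIX sh plus find(1) and sed(1); the function name and the
# OWNER argument are this example's own conventions.

# check_plugin_dir DIR [OWNER]
# Prints one finding per line; returns 0 if DIR is clean, 1 otherwise.
# OWNER defaults to root, which is what an installed $my_path tree should be.
check_plugin_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 1
    fi

    findings=$(
        # group- or world-writable entries (the directory itself included):
        # anyone in that group, or anyone at all, can replace a plugin
        find "$dir" \( -perm -g+w -o -perm -o+w \) | sed 's|^|writable by group/other: |'
        # entries owned by someone other than OWNER: that user controls the code
        find "$dir" ! -user "$owner" | sed "s|^|not owned by $owner: |"
        # symlinks can point outside the audited tree; review their targets
        find "$dir" -type l | sed 's|^|symlink, verify target: |'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh check_plugin_dir.sh "$my_path/lib/snort_extra"
if [ "$#" -gt 0 ]; then
    check_plugin_dir "$@"
fi
```

Run it after make install and before the snort commands above; a non-zero
exit means something in the tree can be swapped out by another user, so fix
ownership and permissions (for example chown -R root and chmod -R go-w on
$my_path/lib/snort_extra) before loading those plugins.
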
NEXT STEPS

There is no design guide yet but you can develop your own plugins in C++ by
using the examples as a starting point.  In addition, IPS options and
loggers can also be written in LuaJIT.  The API may change going forward,
but you are encouraged to roll your own now and let us know how it goes so
we can incorporate any suggestions in the final design.