Snort++
Latest commit a9f9bd3 Feb 18, 2017 @snortadmin Merge pull request #820 in SNORT/snort3 from noname_daqs to master
Squashed commit of the following:

commit fa60f46919821462077a54661f7bd5171eecc191
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Feb 17 14:30:22 2017 -0500

    support DAQs w/o explicit sources (nfq, ipfw)

Snort++

The Snort++ project has been hard at work for a while now and we have released the third alpha of the next generation Snort IPS (Intrusion Prevention System). This file will show you what Snort++ has to offer and guide you through the steps from download to demo. If you are unfamiliar with Snort, you should take a look at the Snort documentation first. We will cover the following topics:

  • Overview
  • Dependencies
  • Download
  • Build Snort
  • Run Snort
  • Documentation
  • Squeal

OVERVIEW

This version of Snort++ includes new features as well as all Snort 2.X features and bug fixes for the base version of Snort except as indicated below:

Project = Snort++
Binary = snort
Version = 3.0.0-a3 build 183
Base = 2.9.7 build 262

Here are some key features of Snort++:

  • Support multiple packet processing threads
  • Use a shared configuration and attribute table
  • Use a simple, scriptable configuration
  • Make key components pluggable
  • Autodetect services for portless configuration
  • Support sticky buffers in rules
  • Autogenerate reference documentation
  • Provide better cross platform support
  • Facilitate component testing

The following Snort 2.X features are not yet supported but are planned to be supported in the next and final alpha release:

  • side channel and high availability
  • session capture
  • dcerpc2 preprocessor
  • appid preprocessor
  • sdf preprocessor

Additional features on the roadmap include:

  • Use a shared network map
  • Support pipelining of packet processing
  • Support hardware offload and data plane integration
  • Rewrite critical modules like TCP reassembly and HTTP inspection
  • Support proxy mode
  • Simplify memory management
  • Windows support

DEPENDENCIES

If you already build Snort, you may have everything you need. If not, grab the latest:

Additional packages provide optional features. Check the manual for more.

DOWNLOAD

There are two source tarballs, one for autotools and one for cmake:

snort-3.0.0-a3-auto.tar.gz
snort-3.0.0-a3-cmake.tar.gz

You can also get the code with:

git clone git://github.com/snortadmin/snort3.git

There are separate extras packages for autotools and cmake that provide additional features and demonstrate how to build plugins. The source for extras is in the git repo as well.

BUILD SNORT

Follow these steps:

  1. Set up source directory:

    • If you are using a github clone:

      cd snort3/
    • Otherwise, do this:

      tar zxf snort-tarball
      cd snort-3.0.0*
  2. Set up the install path:

    export my_path=/path/to/snorty
  3. Compile and install:

    • To build with autotools, simply do the usual from the top level directory:

      ./configure --prefix=$my_path
      make -j 8 install
    • To build with cmake and make, run configure_cmake.sh. It will automatically create and populate a new subdirectory named 'build'.

      ./configure_cmake.sh --prefix=$my_path
      cd build
      make -j 8 install

Note:

  • If you are using autotools with a github clone, first do autoreconf -isvf.
  • If src/snort -V runs, you built successfully.
  • If you are familiar with cmake, you can run cmake/ccmake instead of configure_cmake.sh.
  • cmake --help will list any available generators, such as Xcode. Feel free to use one; however, help with those will be provided separately.

RUN SNORT

First set up the environment:

export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort

Then give it a go:

  • Snort++ provides lots of help from the command line. Here are some examples:

    $my_path/bin/snort --help
    $my_path/bin/snort --help-module suppress
    $my_path/bin/snort --help-config | grep thread
  • Examine and dump a pcap. In the following, replace a.pcap with your favorite:

    $my_path/bin/snort -r a.pcap
    $my_path/bin/snort -L dump -d -e -q -r a.pcap
  • Verify a config, with or without rules:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua
    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
  • Run IDS mode on a single pcap:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap -A alert_test -n 100000
  • Let's suppress 1:2123. We could edit the conf or just do this:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
  • Go whole hog on a directory with multiple packet threads. In the following, replace pcaps/ with a path to a directory with one or more *.pcap files:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        --pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8

Additional examples are given in doc/usage.txt.

DOCUMENTATION

Take a look at the manual, parts of which are generated by the code so it stays up to date:

$my_path/share/doc/snort/snort_manual.pdf
$my_path/share/doc/snort/snort_manual.html
$my_path/share/doc/snort/snort_manual/index.html

It does not yet have much on the how and why, but it does document all the currently available configuration, etc. Some key changes to rules:

  • you must use comma-separated content sub-options like this: content:"foo", nocase;
  • buffer selectors must appear before the content and remain in effect until changed
  • pcre buffer selectors were deleted
  • check the manual for more on Snort++ vs Snort
  • check the manual reference section to understand how parameters are defined, etc.
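The first three rule changes above are easiest to see in a worked conversion. The Python script below is an added example, not part of this README and not snort2lua: it rewrites the option body of a Snort 2.X rule into the Snort++ layout for a small subset of modifiers. The modifier table, the pcre flag-letter table, and the assumption that a Snort++ rule starts in the pkt_data buffer are the example's own; use snort2lua for real rule sets.

```python
import re

# Snort 2 content modifiers that Snort++ expresses as a sticky buffer selector
# placed before the content (modifier list assumed for this example).
BUFFER_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_raw_cookie", "http_client_body", "http_method", "http_stat_code", "http_stat_msg",
}
# Snort 2 pcre flag letters that select a buffer (assumed mapping); Snort++ drops
# the flag and puts the selector before the pcre instead.
PCRE_BUFFER_FLAGS = {
    "U": "http_uri", "I": "http_raw_uri", "P": "http_client_body", "H": "http_header",
    "D": "http_raw_header", "C": "http_cookie", "K": "http_raw_cookie",
    "M": "http_method", "S": "http_stat_code", "Y": "http_stat_msg",
}
# Snort 2 modifiers that become comma-separated sub-options of the content.
SUB_OPTIONS = {"nocase", "offset", "depth", "distance", "within", "fast_pattern"}
DEFAULT_BUFFER = "pkt_data"  # assumed: the buffer a Snort++ rule starts in


def split_options(body):
    """Split a rule option body on ';', ignoring ';' inside double quotes."""
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in body + ";":  # the trailing ';' flushes the last option
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(cur).strip():
                opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    return opts


def _strip_pcre_buffer_flags(value):
    """Return (buffer or None, pcre value with any buffer flag letter removed)."""
    m = re.match(r'^(".*/)([A-Za-z]*)"$', value)
    if not m:
        return None, value
    buffer, kept = None, []
    for flag in m.group(2):
        if flag in PCRE_BUFFER_FLAGS:
            buffer = PCRE_BUFFER_FLAGS[flag]
        else:
            kept.append(flag)
    return buffer, f'{m.group(1)}{"".join(kept)}"'


def parse_snort2_body(body):
    """Group each Snort 2 content with the modifiers that follow it."""
    items, last = [], None
    for opt in split_options(body):
        name, sep, value = opt.partition(":")
        name, value = name.strip(), (value.strip() if sep else None)
        if name == "content":
            last = {"kind": "content", "value": value, "buffer": None, "subs": []}
            items.append(last)
        elif name in SUB_OPTIONS and last is not None:
            last["subs"].append(name if value is None else f"{name} {value}")
        elif name in BUFFER_MODIFIERS and last is not None:
            last["buffer"] = name
        elif name == "pcre":
            buffer, stripped = _strip_pcre_buffer_flags(value)
            items.append({"kind": "pcre", "value": stripped, "buffer": buffer})
            last = None
        else:
            items.append({"kind": "other", "text": opt})
    return items


def convert_body(body):
    """Emit Snort++ options, inserting a buffer selector only when it changes."""
    current, out = DEFAULT_BUFFER, []
    for item in parse_snort2_body(body):
        if item["kind"] == "other":
            out.append(item["text"])
            continue
        wanted = item["buffer"] or DEFAULT_BUFFER
        if wanted != current:   # a selector stays in effect until changed, so
            out.append(wanted)  # reset to pkt_data explicitly when needed
            current = wanted
        if item["kind"] == "content":
            out.append(", ".join(["content:" + item["value"]] + item["subs"]))
        else:
            out.append("pcre:" + item["value"])
    return " ".join(o + ";" for o in out)


def convert_rule(rule):
    """Convert a complete Snort 2 rule (header plus parenthesised options)."""
    head, _, rest = rule.partition("(")
    body = rest.rstrip().rstrip(")")
    return f"{head.strip()} ( {convert_body(body)} )"


if __name__ == "__main__":  # constructed sample input
    print(convert_rule('alert tcp any any -> any 80 (content:"/admin"; nocase; '
                       'http_uri; content:"passwd"; depth:20; sid:1000001;)'))
```

Note the pkt_data selector the converter emits before the second content: because Snort++ selectors persist, a content that matched plain packet payload in Snort 2 would otherwise silently inherit the http_uri buffer from the content before it.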

It also covers new features not demonstrated here:

  • snort2lua, a tool to convert Snort 2.X conf and rules to the new form
  • a new HTTP inspector
  • a binder, for mapping configuration to traffic
  • a wizard for port-independent configuration
  • improved rule parsing - arbitrary whitespace, C style comments, #begin/#end comments
  • local and remote command line shell

SQUEAL

o")~

We hope you are as excited about Snort++ as we are. Although a lot of work remains, we wanted to give you a chance to try it out and let us know what you think on the snort-users list. In the meantime, we'll keep our snout to the grindstone.