forked from snort3/snort3_extra
-
Notifications
You must be signed in to change notification settings - Fork 0
External plugins for examples, experimental, and some legacy code.
License
Ferguson230/snort3_extra
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Snort++ Extras Snort++ is all about plugins. It has over 200 by default and makes it easy to add more in C++ or LuaJIT. This file will walk you through building and running a set of extra example plugins. If you haven't installed and verified Snort++, you will need to do that first. We will cover the following topics: * Overview * Download * Build Extras * Run Extras * Next Steps OVERVIEW The following things are pluggable in Snort++: * codec - decode and encode support for a given protocol * data - additional configuration for inspectors * inspector - replaces Snort preprocessors * ips_option - IPS rule option like content and byte_test * ips_action - IPS rule action like alert and block * search_engine - fast pattern matcher * logger - event handers * SO rules - dynamic rules DOWNLOAD There is one extra tarball: snort_extra-1.0.0-a1-130.tar.gz You can also get the code with: git clone git://github.com/snortadmin/snort3_extra.git BUILD EXTRAS Follow these steps: 1. Set up source directory: * If you are using a github clone: cd snort3_extra/ * Otherwise do this: tar zxf extra-tarball cd snort_extra-1.0.0* 2. Setup install path using pkgconfig (same as for snort): export PKG_CONFIG_PATH=$my_path/lib/pkgconfig 3. Compile and install: ./configure_cmake.sh cd build make make install Note: * cmake --help will list any available generators, such as Xcode. Feel free to use one, however help with those will be provided separately. * each individual plugin directory is a standalone cmake project, and does not depend on any other part of the extra/ build tree RUN EXTRAS In the following, replace a.pcap with your favorite. * The following demonstrates a C++ logger and a LuaJIT logger: $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \ -r a.pcap --plugin-path $my_path/lib/snort_extra -A alert_ex $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \ -r a.pcap --script-path $my_path/lib/snort_extra -A lualert You can edit $my_path/lib/snort_extra/loggers/alert.lua to tweak the output format and rerun the above command to try it out. * The last example demonstrates a LuaJIT rule option called find. The rule, supplied on stdin, uses the Lua [[ multiline string ]] delimiters to avoid shell escape issues: echo 'alert tcp any any -> any 80 ( sid:1; msg:"test"; http_method; find:"pat = [[GET]]"; )' | \ $my_path/bin/snort -c $my_path/etc/snort/snort.lua -r a.pcap \ -A cmg --script-path $my_path/lib/snort_extra --stdin-rules NEXT STEPS o")~ There is no design guide yet but you can develop your own plugins in C++ by using the examples as a starting point. In addition, IPS options and loggers can also be written in LuaJIT. The API may change going forward, but you are encouraged to roll your own now and let us know how it goes so we can incorporate any suggestions in the final design.
About
External plugins for examples, experimental, and some legacy code.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- C++ 72.0%
- CMake 13.1%
- C 9.0%
- Shell 2.6%
- Lua 1.4%
- Ruby 1.3%
- HTML 0.6%