Installing Snort++ Example Plugins
Updated June 15, 2018: Snort extras has moved to its own github repository. This guide has been updated to reflect that.
In this article, I will show you how to install and run the Example Plugins in Snort++. The example plugins are a series of additional plugins that the Snort team has made available for developers to use as examples. This guide assumes that you have cloned Snort++ (Snort 3.0 alpha) from github following my guide here.
These instructions are tested with Ubuntu 14, 16, and 18, with Snort 3.0 Alpha Build-245. If you have installed Snort++ from the github clone on another distribution or architecture, you should be able to modify the below instructions for your specific case. You should ensure that Snort is working correctly before you continue.
Assuming you’ve followed my Snort++ installation guide, we start by navigating to the ~/snort_src/ directory, cloning the repository with git, and then compiling and installing:
cd ~/snort_src/
git clone https://github.com/snort3/snort3_extra.git
cd ./snort3_extra/
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
./configure_cmake.sh --prefix=/usr/local
cd build
make
sudo make install
We export PKG_CONFIG_PATH in the above instructions because that tells the build where the pkg-config file for Snort was placed when we installed it. If you installed Snort to another location, you’ll need to use that path instead. The above instructions compile and install the plugins, but you need to tell Snort where those plugin directories are when you run it. There are two types of plugins, compiled shared objects and Lua scripts, and you need to tell Snort where to look for each type of extra plugin. To tell Snort about these new directories containing the compiled plugins and Lua plugins, you pass it the plugin path and/or the script path.
For example, to load the alert_ex plugin (compiled):
snort --plugin-path /opt/snort/lib/snort_extra -A alert_ex --warn-all
I’m using the warn-all flag to warn of any errors, since Snort will not display non-fatal errors by default.
If you want to test the lualert plugin (lua script):
snort --script-path /opt/snort/lib/snort_extra -A lualert --warn-all
To see all available plugins that snort is aware of when running, use the following command:
snort --list-plugins
This will not list the snort-extras plugins, since you haven’t given Snort the plugin-path or script-path information. To have Snort list all the new script and compiled plugins, including those it can see in the extras directory:
snort --script-path /opt/snort/lib/snort_extra --plugin-path /opt/snort/lib/snort_extra --list-plugins
See the snort3 extras readme and the included source files for more information. To see how many new plugins the extras folder makes available, let’s list the logging modules enabled by default, then list them again with the additional extras enabled:
noah@snort3:~$ snort --list-plugins | grep logger
logger::alert_csv v0 static
logger::alert_fast v0 static
logger::alert_full v0 static
logger::alert_json v0 static
logger::alert_sfsocket v0 static
logger::alert_syslog v0 static
logger::alert_unixsock v0 static
logger::log_codecs v0 static
logger::log_hext v0 static
logger::log_pcap v0 static
logger::unified2 v0 static
noah@snort3:~$ snort --script-path /usr/local/lib/snort_extra \
--plugin-path /usr/local/lib/snort_extra --list-plugins | grep logger
logger::alert_csv v0 static
logger::alert_ex v0 /usr/local/lib/snort_extra/loggers/alert_ex.so
logger::alert_fast v0 static
logger::alert_full v0 static
logger::alert_json v0 static
logger::alert_sfsocket v0 static
logger::alert_syslog v0 static
logger::alert_unixsock v0 static
logger::log_codecs v0 static
logger::log_hext v0 static
logger::log_null v0 /usr/local/lib/snort_extra/loggers/log_null.so
logger::log_pcap v0 static
logger::lualert v0 static
logger::unified2 v0 static
As you can see, when we tell snort to look in the extras directory, we now have additional plugins available for use.
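One thing the listing above shows is that a compiled extra (alert_ex, log_null) reports the .so it was loaded from, while a Lua extra (lualert) still reports "static", so the third column alone cannot tell you which plugins came from the script path. The following script is an added example, not part of the original article or the snort3 project: it parses two --list-plugins listings and diffs them to report exactly what the extras directories added. The sample listings are constructed from the output shown above; the paths reflect a /usr/local prefix.

```shell
#!/bin/sh
# Added example (not from the original article): compare `snort --list-plugins`
# output taken before and after passing --plugin-path/--script-path, and report
# what the extras directories made available. The listings are constructed
# sample data abridged from the article's output.
set -eu

# Plugins loaded from a shared object: the third column is a path, not "static".
# Prints "type::name path". Note that Lua plugins (lualert) show "static" too,
# so they only become visible by diffing the two listings (added_plugins).
dynamic_plugins() {
    awk 'NF >= 3 && $3 != "static" { print $1, $3 }' "$1"
}

# Plugin names present in listing $2 but absent from listing $1.
added_plugins() {
    awk 'NR == FNR { seen[$1] = 1; next }
         NF >= 2 && !($1 in seen) { print $1 }' "$1" "$2"
}

# Constructed sample listings (abridged from the article's two runs).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/before.txt" <<'EOF'
logger::alert_csv v0 static
logger::alert_fast v0 static
logger::log_pcap v0 static
logger::unified2 v0 static
EOF
cat > "$WORK/after.txt" <<'EOF'
logger::alert_csv v0 static
logger::alert_ex v0 /usr/local/lib/snort_extra/loggers/alert_ex.so
logger::alert_fast v0 static
logger::log_null v0 /usr/local/lib/snort_extra/loggers/log_null.so
logger::log_pcap v0 static
logger::lualert v0 static
logger::unified2 v0 static
EOF

echo "Plugins loaded from shared objects (with their source path):"
dynamic_plugins "$WORK/after.txt"
echo "Plugins added by the extras directories (compiled and Lua):"
added_plugins "$WORK/before.txt" "$WORK/after.txt"
```

On a real install, replace the two heredocs with the captured output of the two snort --list-plugins commands shown earlier.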
I hope you found this article helpful. If you have issues, you can contact the snort-developers list for assistance. I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.