Installing Snort++ Example Plugins

In this article, I will show you how to install and run the Example Plugins in Snort++. The example plugins are a series of additional plugins that the Snort team has made available for developers to use as examples. This guide assumes that you have cloned Snort++ (Snort 3.0 alpha) from github following my guide here. If you downloaded and installed Snort++ from the tarball on Snort’s website, these instructions may not work for you (since that tarball doesn’t include the snort-extras).

These instructions are tested with the x86 and x64 versions of Ubuntu 14 and 16, with Snort 3.0 Alpha Build-239. If you have installed Snort++ from the github clone on another distribution or architecture, you should be able to modify the below instructions for your specific case. You should ensure that Snort is working correctly before you continue.

Assuming you’ve followed my Snort++ installation guide, you should have a clone of the snort++ github repository under ~/snort_src/. We start by navigating to the extras directory, compile, and install:

cd ~/snort_src/snort3-master/extra
autoreconf -isvf
export PKG_CONFIG_PATH=/opt/snort/lib/pkgconfig/
./configure --prefix=/opt/snort
make
sudo make install

We export PKG_CONFIG_PATH in the above instructions because that tells Snort where the pkgconfig file is for snort when we installed it. if you installed snort to another location, you’ll need to use that path. The above instructions compile and install the plugins, but you need to tell Snort where those plugin directories are when you run it. There are two types of plugins: compiled applications and Lua scripts, and you need to tell snort where to look for both types of extra plugins. To tell snort about these new directories containing the compiled plugins and lua plugins, you pass it the plugin path and/or the script path.

For example, to load the alert_ex plugin (compiled):

snort --plugin-path /opt/snort/lib/snort_extra -A alert_ex --warn-all

I’m using the the warn-all flag to warn of any errors, since snort will not display non-fatal errors by default.

If you want to test the lualert plugin (lua script):

snort --script-path /opt/snort/lib/snort_extra -A lualert --warn-all

To see all available plugins that snort is aware of when running, use the following command:

snort --list-plugins

this will not list the snort-extras plugins, since you haven’t given snort the plugin-path or script-path information. To have snort list all the new script and compiled plugins including those it can see in the extras directory:

snort --script-path /opt/snort/lib/snort_extra --plugin-path /opt/snort/lib/snort_extra --list-plugins

See the snort3 extras readme and the included source files for more information. To see the number of new plugins the extras folder makes available, let’s show all the enabled logging modules by default, then with the additional extras enabled:

noah@snort3: ̃$ snort −−list−plugins | grep logger
logger::alert csv v0 static
logger::alert fast v0 static
logger::alert full v0 static
logger::alert sfsocket v0 static
logger::alert syslog v0 static
logger::log codecs v0 static
logger::log hext v0 static
logger::log pcap v0 static
logger::unified2 v0 static

noah@snort3: ̃$ snort −−script−path /opt/snort/lib/snort extra −−plugin−path /opt/snort/lib/snort extra −−list−plugins | grep logger
logger::alert csv v0 static
logger::alert ex v0 /opt/snort/lib/snort extra/loggers/alert ex.so
logger::alert fast v0 static
logger::alert full v0 static
logger::alert sfsocket v0 static
logger::alert syslog v0 static
logger::alert unixsock v0 /opt/snort/lib/snort extra/loggers/alert unixsock.so
logger::log codecs v0 static
logger::log hext v0 static
logger::log null v0 /opt/snort/lib/snort extra/loggers/log null.so
logger::log pcap v0 static
logger::lualert v0 static
logger::unified2 v0 static

As you can see, when we tell snort to look in the extras directory, we now have additional plugins available for use.

I hope you found this article helpful. If you have issues, you can contact the snort-developers list for assistance. I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.

Comments are Disabled