Updated June 15, 2018: Snort extras has moved to its own github repository. This guide has been updated to reflect that.
In this article, I will show you how to install and run the Example Plugins in Snort++. The example plugins are a series of additional plugins that the Snort team has made available for developers to use as examples. This guide assumes that you have cloned Snort++ (Snort 3.0 alpha) from github following my guide here.
These instructions are tested with Ubuntu 14, 16, and 18, with Snort 3.0 Alpha Build-245. If you have installed Snort++ from the github clone on another distribution or architecture, you should be able to modify the below instructions for your specific case. You should ensure that Snort is working correctly before you continue.
Assuming you’ve followed my Snort++ installation guide, we start by navigating to the ~/snort_src/ directory, git-clone the repository, compile, and install:
cd ~/snort_src/ git clone https://github.com/snort3/snort3_extra.git cd ./snort3_extra/ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/ ./configure_cmake.sh --prefix=/usr/local cd build make sudo make install
We export PKG_CONFIG_PATH in the above instructions because that tells Snort where the pkgconfig file is for snort when we installed it. if you installed snort to another location, you’ll need to use that path. The above instructions compile and install the plugins, but you need to tell Snort where those plugin directories are when you run it. There are two types of plugins: compiled applications and Lua scripts, and you need to tell snort where to look for both types of extra plugins. To tell snort about these new directories containing the compiled plugins and lua plugins, you pass it the plugin path and/or the script path.
For example, to load the alert_ex plugin (compiled):
snort --plugin-path /opt/snort/lib/snort_extra -A alert_ex --warn-all
I’m using the the warn-all flag to warn of any errors, since snort will not display non-fatal errors by default.
If you want to test the lualert plugin (lua script):
snort --script-path /opt/snort/lib/snort_extra -A lualert --warn-all
To see all available plugins that snort is aware of when running, use the following command:
snort --list-plugins
this will not list the snort-extras plugins, since you haven’t given snort the plugin-path or script-path information. To have snort list all the new script and compiled plugins including those it can see in the extras directory:
snort --script-path /opt/snort/lib/snort_extra --plugin-path /opt/snort/lib/snort_extra --list-plugins
See the snort3 extras readme and the included source files for more information. To see the number of new plugins the extras folder makes available, let’s show all the enabled logging modules by default, then with the additional extras enabled:
noah@snort3:~$ snort --list-plugins | grep logger logger::alert_csv v0 static logger::alert_fast v0 static logger::alert_full v0 static logger::alert_json v0 static logger::alert_sfsocket v0 static logger::alert_syslog v0 static logger::alert_unixsock v0 static logger::log_codecs v0 static logger::log_hext v0 static logger::log_pcap v0 static logger::unified2 v0 static noah@snort3:~$ snort --script-path /usr/local/lib/snort\_extra \ --plugin-path /usr/local/lib/snort\_extra --list-plugins | grep logger logger::alert_csv v0 static logger::alert_ex v0 /usr/local/lib/snort_extra/loggers/alert_ex.so logger::alert_fast v0 static logger::alert_full v0 static logger::alert_json v0 static logger::alert_sfsocket v0 static logger::alert_syslog v0 static logger::alert_unixsock v0 static logger::log_codecs v0 static logger::log_hext v0 static logger::log_null v0 /usr/local/lib/snort_extra/loggers/log_null.so logger::log_pcap v0 static logger::lualert v0 static logger::unified2 v0 static
As you can see, when we tell snort to look in the extras directory, we now have additional plugins available for use.
I hope you found this article helpful. If you have issues, you can contact the snort-developers list for assistance. I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.
NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 245) in Ubuntu
The instructions below show how to install Snort 3 alpha 4 build 239 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).
Snort 3 Alpha 4 Build 239 was released on July 28, 2017, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.
If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.
So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake
Install the optional (recommended) software:
sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest libsqlite3-dev
Install tools required for compiling the source from github:
sudo apt-get install -y libtool git autoconf
Install the DAQ pre-requisites:
sudo apt-get install -y bison flex
If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):
sudo apt-get install -y asciidoc dblatex source-highlight
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):
cd ~/snort_src wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz tar -xzvf libsafec-10052013.tar.gz cd libsafec-10052013 ./configure make sudo make install
One of the Snort recommended prerequisites is Hyperscan 4.4.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.
Install Ragel 6.10 from source:
cd ~/snort_src wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz tar -xzvf ragel-6.10.tar.gz cd ragel-6.10 ./configure make sudo make install
Download the Boost 1.64 libraries, but do not install:
cd ~/snort_src wget https://dl.bintray.com/boostorg/release/1.64.0/source/boost_1_64_0.tar.gz tar -xvzf boost_1_64_0.tar.gz
Install Hyperscan 4.5.1 from source, referencing the location of the Boost source directory:
cd ~/snort_src wget https://github.com/01org/hyperscan/archive/v4.5.2.tar.gz tar -xvzf v4.5.2.tar.gz mkdir ~/snort_src/hyperscan-4.5.2-build cd hyperscan-4.5.2-build/ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_64_0/ ../hyperscan-4.5.2 make sudo make install
If you want to test that Hyperscan works, from the build directory, run:
cd ~/snort_src/hyperscan-4.5.2-build/ ./bin/unit-hyperscan
The unit tests will run (this takes a few minutes).
Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):
cd ~/snort_src wget https://www.snort.org/downloads/snortplus/daq-2.2.2.tar.gz tar -xvzf daq-2.2.2.tar.gz cd daq-2.2.2 ./configure make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 239, but as the codebase is updated, you’ll get a newer version). If you want to specifically download the version used in this guide, use this URL instead with wget below: https://github.com/snortadmin/snort3/archive/BUILD_239.tar.gz.
If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:
cd ~/snort_src wget https://github.com/snortadmin/snort3/archive/master.tar.gz tar -xvzf master.tar.gz cd snort3-master/ autoreconf -isvf ./configure --prefix=/opt/snort make sudo make install
Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /opt/snort/bin/snort /usr/sbin/snort
Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):
export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=/opt/snort/etc/snort sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc" sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"
to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:
sudo visudo
in the editor, add the following to to the bottom of the file:
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snort3:~$ snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.0.0-a4 (Build 239) from 2.9.8-383 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 2.2.2 Using libpcap version 1.7.4 Using LuaJIT version 2.0.4 Using PCRE version 8.38 2015-11-23 Using ZLIB version 1.2.8 Using LZMA version 5.1.0alpha Using OpenSSL 1.0.2g 1 Mar 2016 Using Hyperscan version 4.5.2 2017-08-05 user@snort3:~$
When you install snort to /opt/snort, you get the following folder structure:
user@snort3x86:/opt/snort$ tree /opt/snort -L 3 /opt/snort ├── bin │ ├── snort │ ├── snort2lua │ ├── u2boat │ └── u2spewfoo ├── etc │ └── snort │ ├── file_magic.lua │ ├── snort_defaults.lua │ └── snort.lua ├── include │ └── snort │ ├── actions │ ├── codecs │ ├── daqs │ ├── decompress │ ├── detection │ ├── events │ ├── file_api │ ├── flow │ ├── framework │ ├── hash │ ├── log │ ├── lua │ ├── main │ ├── managers │ ├── mime │ ├── packet_io │ ├── profiler │ ├── protocols │ ├── pub_sub │ ├── search_engines │ ├── sfip │ ├── stream │ ├── time │ └── utils ├── lib │ ├── pkgconfig │ │ └── snort.pc │ └── snort │ └── daqs └── share └── doc └── snort 36 directories, 8 files
The /opt/snort/bin folder contains the following Snort binaries:
Additionally, the following folders are created / used:
If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.
Snort3 rules have more options than Snort 2 rules, and while the normal rules downloaded with PulledPork or manually will work, for testing you will probably want to download the set of community rules specificallycreated for snort3. You can manually download snort3 specific community rules from the snort website:
cd ~/snort_src/ wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz tar -xvzf snort3-community-rules.tar.gz cd snort3-community-rules sudo mkdir /opt/snort/etc/snort/rules sudo cp snort3-community.rules /opt/snort/etc/snort/rules/ sudo cp sid-msg.map /opt/snort/etc/snort/rules/
now test that snort can load these rules:
/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules
your output should contain something similar:
Loading rules: Loading /opt/snort/etc/snort/rules/snort3-community.rules: Finished /opt/snort/etc/snort/rules/snort3-community.rules. Finished rules. -------------------------------------------------- rule counts total rules loaded: 3462 text rules: 3462 option chains: 3462 chain headers: 264 -------------------------------------------------- ...
you may want to run Snort with the following flags to detect issues: the warn-all and pedantic flags. From the Snort3 manual:
Warnings are not emitted unless –warn-* is specified. –warn-all enables all warnings, and –pedantic makes such warnings fatal
OpenAppID allows for the identification of application layer traffic. The Snort team has put together a package of detectors, with assistance from the community that you can download and install, called the Application Detector Package which needs to be installed. First download the OpenAppID detector package:
cd ~/snort_src/ wget https://www.snort.org/downloads/openappid/5759 -O OpenAppId-5759 tar -xzvf OpenAppId-5759 sudo cp -R odp /opt/snort/lib/
Now we need to edit our snort configuration file to point to this odp directory:
sudo vi /opt/snort/etc/snort/snort.lua
At line 113 (yours line number may be slightly different) you will see the appid= entry. You will want to add the app detector dir option here, pointing to the parent folder of the odf folder. It should look like this:
appid = { app_detector_dir = '/opt/snort/lib', }
note that you must have four spaces (not a tab) for the indented line. Now we want to test the configuration file loads correctly:
/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua --warn-all
you should see output similar to:
... Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting
Now to load Snort with the OpenAppID detectors, as well as all rules (we omit the pedantic flag, since the rules will throw flowbit warnings that are non fatal and can be ignored:)
/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules --warn-all
Create a simple rule to test that OpenAppID is working correctly:
sudo touch /opt/snort/etc/snort/rules/local.rules sudo vi /opt/snort/etc/snort/rules/local.rules
with the following content:
alert tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )
test to make sure the rule loads correctly:
/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules --warn-all
You should see one rule loaded successfully. Now let’s run snort in detection mode on an interface (change eth0 below to match your interface name), printing alerts to the console:
sudo /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/local.rules -i eth0 -A alert_fast -k none
the -k none flag tells Snort to ignore bad checksums. the Stream and Frag decoders will drop packets that have bad checksums, and the packets will not get processed by the OpenAppID detectors. By including this flag, we ensure that a packet with a bad checksum still gets processed. Now from another window on that computer (open a new terminal window or a second ssh session), use wget
to connect to facebook:
wget facebook.com
from the first console window you will see alerts output similar to the following:
08/05−19:13:45.451834 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} 157.240.1.35:443 −> 10.0.0.104:33882 08/05−19:13:45.451842 [∗∗] [1:10000001:0] ”Facebook trafic Seen” [∗∗] [Priority: 0] [AppID: Facebook] {TCP} 10.0.0.104:33882 −> 157.240.1.35:443
use ctrl-c to stop Snort.
Note: if you are collecting packets with a larger MTU that the standard MTU for your adapter (VLAN tagged packets, MPLS Packets, packets from a different network type with a larger MTU), you may need to use the –snaplen flag to adjust snort to process larger packets)
If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to develop Snort plugins, please see my guide: Installing Snort++ Example Plugins.
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.