Snort mailing list archives
Re: Dynamic Preprocessor install (PE Hunter) help
From: "Tim Maletic" <tmaletic () gmail com>
Date: Thu, 28 Aug 2008 11:43:00 -0400
Hi Tommy. Thanks for reminding me about this tool. I ran across it months ago and meant to try it out. I managed to build snort with pehunter (see hints below), and it worked great on my test system that has practically zero load. I then added it to a sensor that sees all traffic to and from the Internet for my site. Load increased to a tolerable level, but the preprocessor fails to detect or capture files. Enabling debug raised load enough that I only tested it for small periods of time, but produced no clues as to the problem. This sensor has only about a 1% drop rate.

Has anyone run pehunter successfully on a sensor that's watching a busy network (as opposed to a sensor that is dedicated to monitoring honeynet traffic)?

-tm

Build tips. Yes, the autoconf stuff isn't documented well. After editing <snort_src_root>/src/preprocids.h as described in the README, I then edited <snort_src_root>/configure and configure.in to include pehunter. Basically, I searched those files for "dynamic-preprocessors/ssl", and added in entries for the path to pehunter wherever I found one for the ssl preprocessor. The configure step produced the following for me:

    config.status: creating src/dynamic-preprocessors/pehunter/Makefile
    config.status: WARNING: src/dynamic-preprocessors/pehunter/Makefile.in seems to ignore the --datarootdir setting

But I ignored the warning, and make produced a snort binary and libraries that appeared to contain the new preprocessor, as snort logs the following on startup:

    Loading dynamic preprocessor library /opt/infosec/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so... done
    PEHunter config:
        Dump Directory: /opt/snort/var/pehunted
        Debug: no

I then added the following to my snort.conf:

    # Configure PE Hunter module
    # --------------------------
    dynamicpreprocessor file /opt/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so
    preprocessor pehunter: dump_dir var/pehunted

or optionally:

    preprocessor pehunter: dump_dir var/pehunted debug

On Fri, Aug 15, 2008 at 10:54 AM, Tommy Cansanay <toortog () gmail com> wrote:
Anybody successfully install PE Hunter from http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm not familiar with configuring preprocessors and was wondering if anybody could help.

Questions:

1.) "Then modify the autoconf stuff to include the module in the build process." -- How?
2.) "Add a 'debug' option to the above line to produce verbose logging." -- how?

Thanks
Tom

PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting Windows executables (files in PE format) from the network stream. It first spots a PE header and then uses a simple heuristic to calculate the file length. Starting at the header offset in a stream, the resulting number of

This technique does not work for some specially crafted binaries, e.g., self-extracting archives or programs with additional data after the end of the last section, since there is no way to passively identify such data in a stream.

Compiling and Installation
--------------------------

Copy the pehunter source directory to src/dynamic-preprocessors in the snort source tree. You have to add a line like

    #define PP_PEHUNTER 28

to src/preprocids.h. Then modify the autoconf stuff to include the module in the build process. The usual

    configure [opts] && make && make install

installs snort with the PEHunter preprocessor. Use snort in inline mode (configure with --enable-inline on Linux) to make sure that no packet gets missed. This guarantees full and fault-free stream reassembly and is the recommended mode for PEHunter.

Configuration
-------------

Files are stored as their md5 checksum of the corresponding data in a configurable location. Snort must be configured to use PE Hunter. Please include the following lines in your snort.conf:

    # make sure to load the stream4 preprocessor first
    dynamicpreprocessor file /location/of/libsf_smtp_preproc.so

    # Configure PE Hunter module
    # --------------------------
    preprocessor pehunter: dump_dir /var/log/snort/binaries

Add a 'debug' option to the above line to produce verbose logging.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
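The length heuristic the quoted README describes (the file ends where the last section's raw data ends, so an overlay after the last section is missed) and the md5-keyed dump naming, as an added Python illustration that is not PE Hunter's own code: the header offsets are the standard PE/COFF layout, and build_sample_pe produces constructed, non-executable test data so the carve can be checked offline.

```python
import hashlib
import struct
COFF_SIZE, SECTION_HDR_SIZE = 20, 40  # IMAGE_FILE_HEADER / IMAGE_SECTION_HEADER sizes

def pe_expected_length(stream, offset=0):
    """Length the README's heuristic infers for the PE at `offset`: the image
    ends where the last section's raw data ends (max PointerToRawData +
    SizeOfRawData). None if no parsable PE header; overlay data is not counted."""
    d = stream[offset:]
    if len(d) < 0x40 or d[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", d, 0x3C)[0]
    coff = e_lfanew + 4
    if len(d) < coff + COFF_SIZE or d[e_lfanew:coff] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", d, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", d, coff + 16)[0]   # SizeOfOptionalHeader
    sec_table = coff + COFF_SIZE + opt_size
    end = sec_table + nsec * SECTION_HDR_SIZE              # headers at minimum
    if len(d) < end:
        return None                                        # section table cut off
    for i in range(nsec):
        hdr = sec_table + i * SECTION_HDR_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", d, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(stream, offset):
    """Carve the PE at `offset`, keyed by the md5 of the carved bytes as in the
    README's dump naming. `complete` is False if the stream ran out first."""
    length = pe_expected_length(stream, offset)
    if length is None:
        return None
    blob = stream[offset:offset + length]
    return hashlib.md5(blob).hexdigest(), blob, len(blob) == length
def build_sample_pe(section_sizes, overlay=b""):
    """Constructed test data: a minimal PE-shaped blob (not runnable) with
    back-to-back sections and an optional overlay appended after the last."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    n = len(section_sizes)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # no optional header
    ptr = 0x40 + 4 + COFF_SIZE + n * SECTION_HDR_SIZE
    sections, body = b"", b""
    for i, size in enumerate(section_sizes):
        name = (".s%d" % i).encode().ljust(8, b"\0")
        sections += name + struct.pack("<IIIIIIHHI", size, 0x1000 * (i + 1), size, ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * size
        ptr += size
    return dos + b"PE\0\0" + coff + sections + body + overlay
```

Running carve_pe over a stream that was cut short (as a busy sensor with drops would produce) returns complete=False, which is one way to tell a truncated flow from a genuinely missed file.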
Current thread:
- Dynamic Preprocessor install (PE Hunter) help Tommy Cansanay (Aug 15)
- Re: Dynamic Preprocessor install (PE Hunter) help Tim Maletic (Aug 28)
- Re: Dynamic Preprocessor install (PE Hunter) help Tommy Cansanay (Aug 28)
- Re: Dynamic Preprocessor install (PE Hunter) help Tim Maletic (Aug 28)
- Re: Dynamic Preprocessor install (PE Hunter) help Tommy Cansanay (Aug 28)
- Re: Dynamic Preprocessor install (PE Hunter) help Tim Maletic (Aug 28)