Snort mailing list archives
Re: Dynamic Preprocessor install (PE Hunter) help
From: "Tommy Cansanay" <toortog () gmail com>
Date: Thu, 28 Aug 2008 12:21:20 -0400
Tim,

Thanks for the response. I was not getting any answers, so I decided to write the author (Tillman Werner. ;) Here's a "step-by-step how-to" along with a 2.8.2.2 patch that he sent. Only thing is, I'm running snort 2.8.2.2, which might be different from what others may be using. I got it to compile, run, and I tried testing it on a dedicated network, but haven't had any hits either. Curious, do you have the preproc name when it did fire? Btw, I'm looking at this through BASE (and I'm assuming) that there weren't any other extra config that needs to be done for it to show up in BASE.

"o Download snort-2.8.2.2.tar.gz from <http://www.snort.org/dl/current/snort-2.8.2.2.tar.gz>
 o Change into the directory where you saved the archive
 o Save the patch from my earlier mail in the same dir
 o Extract the source tree by running: tar xzf snort-2.8.2.2.tar.gz
 o Patch the source tree: patch -p0 < snort-2.8.2-pehunter.diff
 o Enter the source directory: cd snort-2.8.2.2
 o Open configure.in in your favorite editor and delete lines 967 to 981
 o Save configure.in and close it
 o Run: autoreconf -i (you might need to install the autoconf package for your platform)
 o Run: ./configure [your options here, --help gives you a list]
 o Run: make
 o Run: make install

If you got this far, you successfully patched, compiled and built snort with pehunter. If you have further questions, you are invited to join the #nepenthes channel on the freenode IRC network - the guys that hang out there are always happy to help."

Thanks
Tom

On Thu, Aug 28, 2008 at 11:43 AM, Tim Maletic <tmaletic () gmail com> wrote:
Hi Tommy. Thanks for reminding me about this tool. I ran across it months ago and meant to try it out. I managed to build snort with pehunter (see hints below), and it worked great on my test system that has practically zero load. I then added it to a sensor that sees all traffic to and from the Internet for my site. Load increased to a tolerable level, but the preprocessor fails to detect or capture files. Enabling debug raised load enough that I only tested it for small periods of time, but produced no clues as to the problem. This sensor has only about a 1% drop rate.

Has anyone run pehunter successfully on a sensor that's watching a busy network (as opposed to a sensor that is dedicated to monitoring honeynet traffic)?

-tm

Build tips. Yes, the autoconf stuff isn't documented well. After editing <snort_src_root>/src/preprocids.h as described in the README, I then edited <snort_src_root>/configure and configure.in to include pehunter. Basically, I searched those files for "dynamic-preprocessors/ssl", and added in entries for the path to pehunter wherever I found one for the ssl preprocessor. The configure step produced the following for me:

config.status: creating src/dynamic-preprocessors/pehunter/Makefile
config.status: WARNING: src/dynamic-preprocessors/pehunter/Makefile.in seems to ignore the --datarootdir setting

But I ignored the warning, and make produced a snort binary and libraries that appeared to contain the new preprocessor, as snort logs the following on startup:

Loading dynamic preprocessor library /opt/infosec/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so... done
PEHunter config:
    Dump Directory: /opt/snort/var/pehunted
    Debug: no

I then added the following to my snort.conf:

# Configure PE Hunter module
# --------------------------
dynamicpreprocessor file /opt/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so
preprocessor pehunter: dump_dir var/pehunted

or optionally:

preprocessor pehunter: dump_dir var/pehunted debug

On Fri, Aug 15, 2008 at 10:54 AM, Tommy Cansanay <toortog () gmail com> wrote:

Anybody successfully install PE Hunter from http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm not familiar with configuring preprocessors and was wondering if anybody could help.

Questions:
1.) "Then modify the autoconf stuff to include the module in the build process." -- How?
2.) "Add a 'debug' option to the above line to produce verbose logging." -- how?

Thanks
Tom

PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting Windows executables (files in PE format) from the network stream. It first spots a PE header and then uses a simple heuristic to calculate the file length. Starting at the header offset in a stream, the resulting number of

This technique does not work for some specially crafted binaries, e.g., self-extracting archives or programs with additional data after the end of the last section since there is no way to passively identify such data in a stream.

Compiling and Installation
--------------------------
Copy the pehunter source directory to src/dynamic-preprocessors in the snort source tree. You have to add a line like

#define PP_PEHUNTER 28

to src/preprocids.h. Then modify the autoconf stuff to include the module in the build process. The usual configure [opts] && make && make install installs snort with the PEHunter preprocessor.

Use snort in inline mode (configure with --enable-inline on Linux) to make sure that no packet gets missed. This guarantees full and fault-free stream reassembly and is the recommended mode for PEHunter.

Configuration
-------------
Files are stored as their md5 checksum of the corresponding data in a configurable location. Snort must be configured to use PE Hunter. Please include the following lines in your snort.conf:

# make sure to load the stream4 preprocessor first
dynamicpreprocessor file /location/of/libsf_smtp_preproc.so
# Configure PE Hunter module
# --------------------------
preprocessor pehunter: dump_dir /var/log/snort/binaries

Add a 'debug' option to the above line to produce verbose logging.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Attachment: snort-2.8.2.2-pehunter.diff
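The README quoted in this thread describes PE Hunter's method only in outline: spot a PE header in the reassembled stream, compute the file length with a simple heuristic, store the dump under the MD5 of its bytes, and accept that data placed after the last section cannot be found passively. The following Python is an added example written for this archive page; it is not PE Hunter's code and nothing in the thread shows its internals. It assumes (from the README's caveat) that the length heuristic is "end of the last section's raw data", carves PE images out of a byte stream, names each hit by MD5 as the README describes, and flags hits whose stream ended before the computed length, which is the incomplete-reassembly condition the README's inline-mode advice is meant to prevent. `build_test_pe` constructs a minimal, non-executable PE-shaped image purely for offline testing, including an overlay case to show what the heuristic misses.

```python
"""Carve Windows PE images out of a reassembled byte stream using the
end-of-last-section length heuristic.  Added example, not PE Hunter's code."""
import hashlib
import struct

SECTION_HEADER_SIZE = 40
MAX_DOS_STUB = 0x1000  # assumption: larger e_lfanew values are treated as false "MZ" hits


def pe_length_at(buf: bytes, base: int):
    """Return the heuristic length of a PE image that starts at buf[base], or
    None if there is no well-formed PE header there or the headers are truncated.

    Length = max(end of section table, PointerToRawData + SizeOfRawData over all
    sections).  Anything appended after the last section (an overlay) is not
    counted, which is exactly the limitation the README warns about."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > MAX_DOS_STUB or len(buf) < pe + 24:
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table, relative to the image start
    header_end = table + num_sections * SECTION_HEADER_SIZE
    if len(buf) < base + header_end:
        return None  # section table not fully in the stream yet
    length = header_end
    for i in range(num_sections):
        hdr = base + table + i * SECTION_HEADER_SIZE
        # SizeOfRawData at +16, PointerToRawData at +20 within the section header
        size_raw, ptr_raw = struct.unpack_from("<II", buf, hdr + 16)
        if size_raw:
            length = max(length, ptr_raw + size_raw)
    return length


def carve_pe(stream: bytes):
    """Scan a stream for PE images; return one record per hit, keyed by MD5."""
    hits = []
    pos = stream.find(b"MZ")
    while pos != -1:
        length = pe_length_at(stream, pos)
        if length is None:
            pos = stream.find(b"MZ", pos + 1)  # not a header, keep scanning
            continue
        data = stream[pos:pos + length]
        hits.append({
            "offset": pos,
            "length": length,
            "complete": len(data) == length,  # False if the stream was cut short
            "md5": hashlib.md5(data).hexdigest(),  # README: files are stored by md5
        })
        pos = stream.find(b"MZ", pos + length)
    return hits


def build_test_pe(section_payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped image (one section, no optional header).
    It is not a runnable executable; it only exercises the header parsing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x200  # file-aligned start of the only section's raw data
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, len(section_payload),
        raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + section
    return img + b"\0" * (raw_ptr - len(img)) + section_payload + overlay


if __name__ == "__main__":
    # Constructed sample: an HTTP response body carrying a PE with an overlay.
    body = build_test_pe(b"A" * 16, overlay=b"OVERLAY-DATA")
    stream = b"HTTP/1.1 200 OK\r\n\r\n" + body
    for hit in carve_pe(stream):
        print(hit)  # length stops at the section end; the overlay is not carved
```

Running the block stand-alone prints one hit at offset 19 with length 0x210; the 12-byte overlay is outside the carved data, so the stored MD5 would not match the file as served. A hit with `complete` set to False means the section table promised more bytes than the stream delivered, which on a live sensor is a drop or reassembly problem rather than a malformed file.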