Snort mailing list archives
Re: Enquiries regarding search engine in Snort 3.0 Extras
From: Russ <rucombs () cisco com>
Date: Fri, 7 Aug 2015 07:45:27 -0400
Hi Siti,

See the responses inline below.

Thanks
Russ

On 8/6/15 4:37 PM, Siti Farhana Binti Lokman wrote:
> Hi folks,
>
> I'm a newbie here. I'm planning to implement my search algorithm into Snort++ Extras as it allows us to install plugins with relative ease.

I may be reading too much into this statement, but just to clarify, extras is there as an example of how to build outside the source tree. You don't need to literally put your new search algorithm in extras. It can be anywhere.

> What I understand so far is that there are two searching algorithms in the search_engines folder: sfksearch.cc/h and lowmem.cc/h.

There are two in extras: lowmem, and lowmem_q. You can see what search engines are available by running a command like this:

$ ~/Build/auto/src/snort --plugin-path ~/install/auto/lib/snort_extra --list-plugins | grep search_engine

piglet::pp_search_engine v0 static
search_engine::ac_banded v0 static
search_engine::ac_bnfa v0 static
search_engine::ac_bnfa_q v0 static
search_engine::ac_full v0 static
search_engine::ac_full_q v0 static
search_engine::ac_sparse v0 static
search_engine::ac_sparse_bands v0 static
search_engine::ac_std v0 static
search_engine::lowmem v0 /Users/rucombs/install/auto/lib/snort_extra/search_engines/liblowmem.0.dylib
search_engine::lowmem_q v0 /Users/rucombs/install/auto/lib/snort_extra/search_engines/liblowmem.0.dylib

'static' indicates the plugin was statically linked otherwise the path to the dynamically linked plugin is shown.

> I tried to build and run the extras with autotools as shown on blog.snort.org, hoping to get the summary result of the default search engines in Snort++ Extras. But I only got this:
>
> --------------------------------------------------
>    o")~   Snort++ 3.0.0-a1-160
> --------------------------------------------------
> Loading /opt/snort3/etc/snort/snort.lua:
>     file_id
>     ftp_data
>     back_orifice
>     ftp_server
>     http_inspect
>     ssh
>     telnet
>     sip
>     ssl
>     pop
>     classifications
>     stream_user
>     rpc_decode
>     port_scan
>     stream_tcp
>     perf_monitor
>     smtp
>     arp_spoof
>     stream_file
>     stream_icmp
>     stream_ip
>     stream
>     ftp_client
>     references
>     stream_udp
>     wizard
>     dns
>     imap
> Finished /opt/snort3/etc/snort/snort.lua.
> Reading rules until EOF or a line starting with END
> Loading stdin:
> Finished stdin.
> --------------------------------------------------
> rule counts
>       total rules loaded: 1
>               text rules: 1
>            option chains: 1
>            chain headers: 1
> --------------------------------------------------
> port rule counts
>              tcp     udp    icmp      ip
>      dst       1       0       0       0
>     slow       1       0       0       0
>    total       2       0       0       0
>                instances: 1
>                 patterns: 17
>            pattern chars: 88
>               num states: 81
>         num match states: 17
>              memory (KB): 4.21387
>                 patterns: 0.749023
>              match lists: 1.16406
>              transitions: 1.90234

That is showing you the startup output. What additional information were you looking for?

I'm seeing a validation error with --lua "search_engine.search_method = 'lowmem'" (it is using the default set of methods only). We will get that fixed ASAP.

sfksearch is not a search method, it is an implementation algorithm used by both lowmem and lowmem_q. Use the above command to see available methods.

> After the rebuild, I realized there's only the lowmem search algorithm in /opt/snort3/lib/snort_extra/search_engines/, but sfksearch was not included even though initially there were two (sfksearch & lowmem) in the Snort++ extra tarballs.
>
> So why is sfksearch not compiled together after the rebuild? Since the only files that were there after the build were lowmem files, I assume that the result generated is for lowmem.

It is compiled but it is not a plugin. It is used by the lowmem plugins.

> Is this correct? If I copy the sfksearch file manually into the snort extras folder, how do I run the sfksearch algorithm?

Run one of the lowmem methods.

> From my understanding of snort 2.9.x, the search algorithm that will be used is configured in config.h. I can't seem to find any guide on how to set this up in Snort++ Extra.

Snort 3X is configured much differently than 2X. Start with the default snort.lua configuration. You can find out what to configure with a command like this:

~/Build/auto/src/snort --plugin-path ~/install/auto/lib/snort_extra --help-config | grep search_engine

> For the implementation part, the documentation is very limited. Are there any configuration files that I need to modify so that I can set my search algorithm as the default? Do I need to build the plugin or can I just copy the plugin files into the respective folder?

From the above output, you will see this:

select search_engine.search_method = ac_bnfa_q: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_bnfa_q | ac_full | ac_full_q | ac_sparse | ac_sparse_bands | ac_std }

That means that you can add to your snort.lua configuration:

search_engine = { search_method = 'ac_full_q' }

You should be able to set lowmem here but see above about the bug.

To build your own, use one of the existing plugin sources in extra/ as a guide.

> If I need to build it, may I know whether there is any documentation or a complete guide on how I can do it?
>
> Thanks in advance.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
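Added example, not code from the thread or from the Snort project: a small POSIX shell script that parses the `--list-plugins | grep search_engine` output Russ shows in his reply, checks that a method is really registered under the search_engine namespace (and reports whether it is statically linked or loaded from the --plugin-path library), and only then emits the snort.lua fragment from the reply. The sample listing is a constructed copy of the output in the thread; the function names and the `SNORT_EXTRA` variable in the comment are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): verify that the
# fast-pattern method you are about to name in snort.lua is registered as a
# search_engine plugin, and show whether it is statically linked or loaded
# from a --plugin-path library. Input is the text produced by
#   snort --plugin-path <dir> --list-plugins | grep search_engine
# in the format shown in the thread: "search_engine::<name> v<N> static|<path>".

# Constructed sample input, copied from the listing in the thread so the script
# runs offline. With a real install you would use something like
#   LISTING=$(snort --plugin-path "$SNORT_EXTRA" --list-plugins | grep search_engine)
SAMPLE_LISTING='piglet::pp_search_engine v0 static
search_engine::ac_banded v0 static
search_engine::ac_bnfa v0 static
search_engine::ac_bnfa_q v0 static
search_engine::ac_full v0 static
search_engine::ac_full_q v0 static
search_engine::ac_sparse v0 static
search_engine::ac_sparse_bands v0 static
search_engine::ac_std v0 static
search_engine::lowmem v0 /Users/rucombs/install/auto/lib/snort_extra/search_engines/liblowmem.0.dylib
search_engine::lowmem_q v0 /Users/rucombs/install/auto/lib/snort_extra/search_engines/liblowmem.0.dylib'

# search_engine_source LISTING METHOD
# Prints "static" or the library path for METHOD and returns 0 when METHOD is a
# registered search_engine plugin; prints nothing and returns 1 otherwise.
# Only the search_engine:: namespace counts, so piglet::pp_search_engine and
# helper code such as sfksearch (an implementation detail, not a plugin) never match.
search_engine_source() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == ("search_engine::" m) { print $3; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# list_search_methods LISTING
# Prints the registered method names one per line: the values that are valid
# for search_engine.search_method.
list_search_methods() {
    printf '%s\n' "$1" | awk -F'[: ]+' '$1 == "search_engine" { print $2 }'
}

# make_search_engine_lua LISTING METHOD
# Emits the snort.lua fragment from the thread for METHOD, or fails and lists
# the methods that are actually available on stderr.
make_search_engine_lua() {
    src=$(search_engine_source "$1" "$2") || {
        echo "search_method '$2' is not a registered search_engine plugin; available methods:" >&2
        list_search_methods "$1" | sed 's/^/  /' >&2
        return 1
    }
    printf "search_engine = { search_method = '%s' }\n" "$2"
}

# Demo: the method used in the thread's snort.lua fragment, one loaded from the
# extras plugin path, and sfksearch, which the thread explains is used by the
# lowmem plugins rather than being a method of its own.
make_search_engine_lua "$SAMPLE_LISTING" ac_full_q
echo "ac_full_q comes from: $(search_engine_source "$SAMPLE_LISTING" ac_full_q)"
make_search_engine_lua "$SAMPLE_LISTING" lowmem
echo "lowmem comes from: $(search_engine_source "$SAMPLE_LISTING" lowmem)"
make_search_engine_lua "$SAMPLE_LISTING" sfksearch || echo "(refused, as expected)"
```

Run the script as-is to see the sample walk-through; to check a real installation, replace SAMPLE_LISTING with the output of the listing command above and pass the method you intend to set, which catches a typo or a missing --plugin-path before Snort rejects the configuration at startup.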
Current thread:
- Enquiries regarding search engine in Snort 3.0 Extras Siti Farhana Binti Lokman (Aug 06)
- Re: Enquiries regarding search engine in Snort 3.0 Extras Russ (Aug 07)