[Snort-devel] [Snort++] Trying to integrate a custom Inspector

Russ rucombs at ...3461...
Thu May 4 09:39:02 EDT 2017



On 5/3/17 3:42 PM, Ronin CS wrote:
> Thank you Marcin!
>
> Using the codec example provided by Albert Lewis and these steps, I 
> managed to integrate my code into Snort!
Nice work!  Please note that you can build completely externally to 
Snort++ source.  Just make and install Snort++ and the extras and point 
your include path to the installed headers.
> One last question, does the --enable-debug-msgs option make visible 
> the text inside a LogMessage() method?
No.  LogMessage() is output unless -q is specified.  DebugMessage() and 
DebugFormat() are dependent on --enable-debug-messages. However, you are 
encouraged to use the newer and better trace facility.  stream_ip is an 
inspector that uses that.
>
> Ronin.
>
> On Wed, May 3, 2017 at 11:22 AM, Marcin Dulak <marcin.dulak at ...2499...> wrote:
>
>     Hi,
>
>     you are missing a change to extra/configure.ac - this is what the
>     process may look like:
>
>     autoreconf -isvf
>     ./configure --prefix=/tmp/snort --exec_prefix=/tmp/snort --disable-static-daq --enable-debug-msgs --enable-debug
>     make install
>     cd extra
>     sed -i '/dpx/asrc/inspectors/test/Makefile \\' ./configure.ac
>     cp -r src/inspectors/dpx/ src/inspectors/test
>     mv src/inspectors/test/dpx.cc src/inspectors/test/test.cc
>     sed -i 's/dpx/test/g' src/inspectors/test/Makefile.am
>     sed -i 's/dpx/dpx \\/' src/inspectors/Makefile.am && sed -i '/dpx/atest' src/inspectors/Makefile.am
>     autoreconf -isvf
>     PKG_CONFIG_PATH=../ ./configure --prefix=/tmp/snort
>     make install
>
>     Marcin
>
>
>     On Mon, May 1, 2017 at 11:14 PM, Ronin CS <ronincs17 at ...2499...> wrote:
>
>         Hello guys,
>
>         I'm trying to learn more about Snort++ and Inspectors as I
>         develop my own module to test on it, but I'm having a lot of
>         issues while building the extras again.
>
>         So far, I've created a super simple Inspector, that all it
>         does is print basic packet information every time it goes
>         through the "eval" method.
>
>         I'm taking the "DPX Inspector" as a basis for my Inspector, so
>         I've created a new folder inside /extra/inspectors, let's say,
>         "test", and inside of it I have the Inspector itself "test.cc"
>         and two other files copied from "dpx" directory,
>         "CMakeLists.txt" and "Makefile.am".
>
>         I've modified these last two files to match my new Inspector.
>         Same for the files at /extra/inspectors.
>
>         But when I try to build it using "make", I receive:
>
>         make[4]: Leaving directory
>         '/home/ronin/snort_src/snort3-master/extra/src/inspectors/dpx'
>         make[3]: Leaving directory
>         '/home/ronin/snort_src/snort3-master/extra/src/inspectors/dpx'
>         Making install in test
>         make[3]: Entering directory
>         '/home/ronin/snort_src/snort3-master/extra/src/inspectors/test'
>         make[3]: *** No rule to make target 'install'.  Stop.
>         make[3]: Leaving directory
>         '/home/ronin/snort_src/snort3-master/extra/src/inspectors/test'
>         Makefile:369: recipe for target 'install-recursive' failed
>         make[2]: *** [install-recursive] Error 1
>         make[2]: Leaving directory
>         '/home/ronin/snort_src/snort3-master/extra/src/inspectors'
>         Makefile:373: recipe for target 'install-recursive' failed
>         make[1]: *** [install-recursive] Error 1
>         make[1]: Leaving directory
>         '/home/ronin/snort_src/snort3-master/extra/src'
>         Makefile:407: recipe for target 'install-recursive' failed
>         make: *** [install-recursive] Error 1
>
>         To be honest, I don't know the correct way to do it (integrate
>         a new Inspector). I've searched for references but I couldn't
>         find anything.
>
>         Ronin.
>
>         ------------------------------------------------------------------------------
>         Check out the vibrant tech community on one of the world's most
>         engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>         _______________________________________________
>         Snort-devel mailing list
>         Snort-devel at lists.sourceforge.net
>         <mailto:Snort-devel at lists.sourceforge.net>
>         https://lists.sourceforge.net/lists/listinfo/snort-devel
>         <https://lists.sourceforge.net/lists/listinfo/snort-devel>
>
>         Archive:
>         http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>         <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel>
>
>         Please visit http://blog.snort.org for the latest news about
>         Snort!
>
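
The "No rule to make target 'install'" failure quoted in this thread appears when a directory is named in SUBDIRS of a Makefile.am but configure.ac does not generate a Makefile for it. The check below is an added example, not part of the original messages or of Snort++: the function names are hypothetical, and the two files it creates are a constructed sample whose layout is an assumption modelled on the sed edits quoted above.

```shell
#!/bin/sh
# Added example: report SUBDIRS entries that configure.ac generates no Makefile for.

# Print each directory in the SUBDIRS assignment of a Makefile.am,
# following backslash line continuations.
subdirs() {
    awk '
        /^SUBDIRS[ \t]*=/ { on = 1; sub(/^SUBDIRS[ \t]*=/, "") }
        on {
            cont = /\\[ \t]*$/      # true when this line ends in a continuation
            gsub(/\\/, "")
            for (i = 1; i <= NF; i++) print $i
            if (!cont) on = 0
        }' "$1"
}

# usage: missing_makefiles <configure.ac> <Makefile.am> <directory of that Makefile.am>
missing_makefiles() {
    subdirs "$2" | while read -r d; do
        grep -qF "$3/$d/Makefile" "$1" || echo "$d"
    done
}

# Constructed sample (assumed layout): "test" is listed in SUBDIRS,
# but configure.ac only knows about dpx.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' 'AC_CONFIG_FILES([ \' 'Makefile \' 'src/Makefile \' \
        'src/inspectors/Makefile \' 'src/inspectors/dpx/Makefile \' '])' \
        > "$dir/configure.ac"
    printf '%s\n' 'SUBDIRS = \' 'dpx \' 'test' > "$dir/Makefile.am"
    echo "$dir"
}

demo() {
    dir=$(make_sample)
    echo "before: $(missing_makefiles "$dir/configure.ac" "$dir/Makefile.am" src/inspectors)"
    # The configure.ac edit quoted in the thread (GNU sed one-line append).
    sed -i '/dpx/asrc/inspectors/test/Makefile \\' "$dir/configure.ac"
    echo "after: $(missing_makefiles "$dir/configure.ac" "$dir/Makefile.am" src/inspectors)"
    rm -rf "$dir"
}

demo
```

An empty "after:" line means every listed subdirectory now has a Makefile entry in configure.ac; autoreconf and configure still have to be rerun for the change to take effect.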
