[Snort-users] Dynamic Preprocessor install (PE Hunter) help

Tommy Cansanay toortog at ...11827...
Fri Aug 15 10:54:20 EDT 2008

Has anybody successfully installed PE Hunter from
http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm
not familiar with configuring preprocessors and was wondering if anybody
could help.

1.) "Then modify the autoconf stuff to include the module in
the build process." -- How?

2.) "Add a 'debug' option to the above line to produce verbose logging." --


PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting
Windows executables (files in PE format) from the network stream.

It first spots a PE header and then uses a simple heuristic to calculate the
file length. Starting at the header offset in a stream, the resulting number
This technique does not work for some specially crafted binaries, e.g.,
extracting archives or programs with additional data after the end of the
section since there is no way to passively identify such data in a stream.

Compiling and Installation

Copy the pehunter source directory to src/dynamic-preprocessors in the snort
source tree. You have to add a line like

        #define PP_PEHUNTER             28

to src/preprocids.h. Then modify the autoconf stuff to include the module in
the build process. The usual configure [opts] && make && make install then
installs snort with the PEHunter preprocessor.

Use snort in inline mode (configure with --enable-inline on Linux) to make
sure that no packet gets missed. This guarantees full and fault-free stream
reassembly and is the recommended mode for PEHunter.


Files are stored under the md5 checksum of their data in a configurable
location. Snort must be configured to use PE Hunter. Please add the following
lines to your snort.conf:

        # make sure to load the stream4 preprocessor first
        dynamicpreprocessor file /location/of/libsf_smtp_preproc.so

        # Configure PE Hunter module
        # --------------------------
        preprocessor pehunter: dump_dir /var/log/snort/binaries

Add a 'debug' option to the above line to produce verbose logging.
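The README above only describes in words how PE Hunter finds a PE header in a stream and then estimates the file length, and why appended data (overlays) cannot be carved passively. The following is an added worked example, written for this page and not code from PE Hunter or Snort: it scans a constructed TCP payload for an MZ/PE header, applies one common length heuristic (the furthest PointerToRawData + SizeOfRawData in the section table; PE Hunter's actual heuristic is not documented here, so this rule is an assumption), carves the image, names it by its md5 as the README says, and shows that overlay bytes after the last section are left behind and that an incomplete stream yields nothing. The sample PE, the HTTP preamble and all function names are constructed for illustration.

```python
"""Passive PE carving from a reassembled stream (added illustration, not PE Hunter's code)."""
import hashlib
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
COFF_HEADER_LEN = 20        # IMAGE_FILE_HEADER
SECTION_HEADER_LEN = 40     # IMAGE_SECTION_HEADER


def pe_length_from_headers(buf, off):
    """Heuristic length of the PE image starting at buf[off], or None if the
    headers are not completely present.

    ASSUMED heuristic (not necessarily PE Hunter's): the file ends where the
    furthest section's raw data ends, max(PointerToRawData + SizeOfRawData).
    Bytes appended after that (an overlay, as in self-extracting archives) are
    described by no header, so a passive observer cannot tell they belong to it.
    """
    if buf[off:off + 2] != MZ_MAGIC or len(buf) < off + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe_off = off + e_lfanew
    if buf[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    coff = pe_off + 4
    if len(buf) < coff + COFF_HEADER_LEN:
        return None
    (nsections,) = struct.unpack_from("<H", buf, coff + 2)     # NumberOfSections
    (opt_len,) = struct.unpack_from("<H", buf, coff + 16)      # SizeOfOptionalHeader
    sect = coff + COFF_HEADER_LEN + opt_len
    end = sect + nsections * SECTION_HEADER_LEN                # headers alone, as a floor
    for i in range(nsections):
        hdr = sect + i * SECTION_HEADER_LEN
        if len(buf) < hdr + SECTION_HEADER_LEN:
            return None                                        # section table truncated
        size_raw, ptr_raw = struct.unpack_from("<II", buf, hdr + 16)
        if size_raw:
            end = max(end, off + ptr_raw + size_raw)
    return end - off


def carve_pe_files(stream):
    """Return [(offset, data)] for every PE whose whole extent is in stream.

    A PE whose computed end lies past the buffer is skipped: a live sensor
    would wait for more segments, which is why the README wants lossless
    (inline) stream reassembly.
    """
    found = []
    pos = 0
    while True:
        pos = stream.find(MZ_MAGIC, pos)
        if pos < 0:
            return found
        length = pe_length_from_headers(stream, pos)
        if length is not None and pos + length <= len(stream):
            found.append((pos, stream[pos:pos + length]))
            pos += length
        else:
            pos += 1            # stray "MZ" in text, or an incomplete image


def dump_name(data):
    """Name under dump_dir: the md5 of the carved bytes, as the README describes."""
    return hashlib.md5(data).hexdigest()


def build_test_pe(text_bytes, overlay=b""):
    """Constructed minimal PE (one .text section, no optional header); test data only."""
    e_lfanew = 0x40
    dos = bytearray(MZ_MAGIC + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    nsections, opt_len = 1, 0
    headers_end = e_lfanew + 4 + COFF_HEADER_LEN + opt_len + nsections * SECTION_HEADER_LEN
    ptr_raw = (headers_end + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_len, 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000,
                      len(text_bytes), ptr_raw, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + PE_MAGIC + coff + sec
    img += b"\0" * (ptr_raw - len(img)) + text_bytes
    return img + overlay


# Constructed sample stream: HTTP response with a decoy "MZ" in a header,
# then the PE, then overlay data the heuristic cannot attribute to the file.
SAMPLE_PE = build_test_pe(b"\x90" * 100)                       # 612 bytes
OVERLAY = b"OVERLAY: appended after the last section"
PREAMBLE = (b"HTTP/1.0 200 OK\r\nX-Note: MZ is not a PE\r\n"
            b"Content-Type: application/octet-stream\r\n\r\n")
SAMPLE_STREAM = PREAMBLE + SAMPLE_PE + OVERLAY + b"\r\n<trailing junk>"

if __name__ == "__main__":
    for off, data in carve_pe_files(SAMPLE_STREAM):
        print("PE at offset %d, %d bytes -> %s" % (off, len(data), dump_name(data)))
    print("carved from truncated stream:", carve_pe_files(SAMPLE_PE[:300]))
```

The decoy "MZ" in the X-Note header is rejected because no "PE\0\0" signature follows at the offset read from 0x3C, which is the check a carver needs to avoid dumping every two-byte coincidence in text traffic. The overlay is dropped not because of a bug but because nothing in the headers accounts for it, which is exactly the limitation the README states.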