[Snort-users] Dynamic Preprocessor install (PE Hunter) help
toortog at ...11827...
Fri Aug 15 10:54:20 EDT 2008
Anybody successfully install PE Hunter from
http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm
not familiar with configuring preprocessors and was wondering if anybody
1.) "Then modify the autoconf stuff to include the module in
the build process." -- How?
2.) "Add a 'debug' option to the above line to produce verbose logging." --
PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting
Windows executables (files in PE format) from the network stream.
It first spots a PE header and then uses a simple heuristic to calculate the
file length. Starting at the header offset in a stream, the resulting number
This technique does not work for some specially crafted binaries, e.g.,
self-extracting archives or programs with additional data appended after the
end of the last section, since there is no way to passively identify such
data in a stream.
Compiling and Installation
Copy the pehunter source directory to src/dynamic-preprocessors in the snort
source tree. You have to add a line like
#define PP_PEHUNTER 28
to src/preprocids.h. Then modify the autoconf stuff to include the module in
the build process. The usual configure [opts] && make && make install then
installs snort with the PEHunter preprocessor.
Use snort in inline mode (configure with --enable-inline on Linux) to make
sure that no packet gets missed. This guarantees full and fault-free stream
reassembly and is the recommended mode for PEHunter.
Files are stored under the md5 checksum of their data in a configurable
location. Snort must be configured to use PE Hunter. Please add the
following lines to your snort.conf:
# make sure to load the stream4 preprocessor first
dynamicpreprocessor file /location/of/libsf_smtp_preproc.so
# Configure PE Hunter module
preprocessor pehunter: dump_dir /var/log/snort/binaries
Add a 'debug' option to the above line to produce verbose logging.
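The README describes the carving heuristic (spot a PE header, compute the
expected file length from the headers, store the result under its md5) and its
blind spot (data appended after the last section). The following is an added
illustration of that heuristic in Python, not PE Hunter's own code: the file
length is taken as the furthest end of any section's raw data
(PointerToRawData + SizeOfRawData), which is one reading of the README's
"simple heuristic". The sample PE blob is constructed inline purely as test
data; it is not a runnable executable, and the hypothetical overlay appended to
it shows why a self-extracting archive would be carved short.

```python
import hashlib
import struct

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20  # follows the 4-byte "PE\0\0" signature


def find_pe_header(stream: bytes, start: int = 0):
    """Return the offset of the first 'MZ' stub in `stream` whose e_lfanew
    field points at a valid 'PE\\0\\0' signature, or None if there is none.
    A bare 'MZ' in unrelated traffic is skipped."""
    pos = stream.find(b"MZ", start)
    while pos >= 0:
        if pos + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(stream) and stream[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = stream.find(b"MZ", pos + 1)
    return None


def pe_expected_length(stream: bytes, mz_off: int) -> int:
    """Heuristic file length, relative to the MZ offset: the furthest end of
    any section's raw data. Only the headers are needed, so this works as
    soon as the section table has been received."""
    e_lfanew = struct.unpack_from("<I", stream, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    num_sections = struct.unpack_from("<H", stream, pe + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", stream, pe + 20)[0]
    sec_table = pe + 4 + COFF_HEADER_SIZE + opt_hdr_size
    if sec_table + num_sections * SECTION_HEADER_SIZE > len(stream):
        raise ValueError("section table not fully received yet")
    end = sec_table + num_sections * SECTION_HEADER_SIZE - mz_off
    for i in range(num_sections):
        sh = sec_table + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", stream, sh + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def carve_pe(stream: bytes):
    """Find a PE in a reassembled stream and carve it out. Returns
    (data, md5_hex, complete) or None when no PE header is present.
    `complete` is False when the stream ended before the expected length.
    Anything after the computed end (an overlay) is not carved."""
    mz = find_pe_header(stream)
    if mz is None:
        return None
    length = pe_expected_length(stream, mz)
    data = stream[mz:mz + length]
    return data, hashlib.md5(data).hexdigest(), len(data) == length


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed test data: a minimal PE-shaped blob (64-byte DOS stub,
    96-byte PE32 optional header, two sections with raw data right after the
    headers). `overlay` is appended after the last section, as a
    self-extracting archive would do with its payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections, opt_size = 2, 96
    coff = struct.pack("<HHIIIHH", 0x014C, num_sections, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + num_sections * SECTION_HEADER_SIZE
    text, data = b"\x90" * 0x200, b"A" * 0x100
    secs = [(b".text", len(text), hdr_len), (b".data", len(data), hdr_len + len(text))]
    table = b"".join(
        name.ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", size, 0x1000 * (i + 1), size, ptr, 0, 0, 0, 0, 0x60000020)
        for i, (name, size, ptr) in enumerate(secs)
    )
    return dos + b"PE\x00\x00" + coff + opt + table + text + data + overlay


if __name__ == "__main__":
    stream = b"HTTP noise " + build_sample_pe(b"OVERLAY PAYLOAD")
    data, digest, complete = carve_pe(stream)
    print(f"carved {len(data)} bytes as {digest} (complete={complete})")
```

Running the script carves 1032 bytes and reports complete=True, even though 15 bytes of overlay followed the last section: the heuristic cannot tell those bytes from whatever came next in the stream, which is exactly the README's caveat. A truncated stream is reported as complete=False, which is the case inline mode is meant to avoid by never dropping packets from the reassembled stream.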