[Snort-users] Dynamic Preprocessor install (PE Hunter) help

Tommy Cansanay toortog at ...11827...
Fri Aug 15 10:54:20 EDT 2008


Has anybody successfully installed PE Hunter from
http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm
not familiar with configuring preprocessors and was wondering if anybody
could help.

Questions:
1.) "Then modify the autoconf stuff to include the module in
the build process." -- How?

2.) "Add a 'debug' option to the above line to produce verbose logging." --
How?


Thanks
   Tom

PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting
Windows executables (files in PE format) from the network stream.

It first spots a PE header and then uses a simple heuristic to calculate the
file length. Starting at the header offset in a stream, the resulting number
of
This technique does not work for some specially crafted binaries, e.g.,
self-extracting archives or programs with additional data after the end of the
last section, since there is no way to passively identify such data in a stream.
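The paragraph above describes the carving heuristic only in outline. The following is an added example, not code from PE Hunter or from the mailing-list post, that implements the same idea in Python: locate a PE header in a reassembled stream, take the end of the last raw section as the file length, and cut the image out. It also shows the limitation the README names: bytes appended after the last section (an "overlay", as self-extracting archives use) are invisible to the heuristic and are not carved. The function names, the minimal PE-shaped byte string built by `build_test_pe`, and the overlay sample are all constructed for this example.

```python
import hashlib
import struct

PE_SIG = b"PE\0\0"
COFF_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIII"    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of 40 bytes)


def pe_length(data: bytes, start: int = 0):
    """Heuristic file length of a PE image beginning at data[start]:
    the end of the last raw section. Returns None if no sane PE header is there."""
    if len(data) < start + 0x40 or data[start:start + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]
    pe = start + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or data[pe:pe + 4] != PE_SIG:
        return None
    coff = pe + 4
    if len(data) < coff + 20:
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + 20 + opt_size
    if nsec == 0 or nsec > 96 or len(data) < table + 40 * nsec:
        return None
    end = table + 40 * nsec  # the image is at least as long as its headers
    for i in range(nsec):
        _, _, _, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(stream: bytes):
    """Scan a reassembled stream for PE images. Returns (offset, length, bytes) tuples.
    Anything after a carved image's last section (an overlay) is left in the stream."""
    found, pos = [], 0
    while True:
        pos = stream.find(b"MZ", pos)
        if pos < 0:
            return found
        n = pe_length(stream, pos)
        if n is None:
            pos += 1
            continue
        found.append((pos, n, stream[pos:pos + n]))  # slice is shorter if the stream ended early
        pos += n


def build_test_pe(overlay: bytes = b"") -> bytes:
    """Constructed sample: a minimal, non-executable PE-shaped byte string with two
    sections ending at 0x500, optionally followed by trailing overlay bytes."""
    sections = [(b".text", 0x200, 0x200), (b".data", 0x400, 0x100)]  # name, raw_ptr, raw_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0x60000020)
                     for name, ptr, size in sections)
    header = dos + PE_SIG + coff + table
    end = max(ptr + size for _, ptr, size in sections)
    return header + b"\0" * (end - len(header)) + overlay


if __name__ == "__main__":
    # Constructed stream: some protocol bytes, a PE with an overlay, and trailing data.
    stream = b"GET junk" + build_test_pe(b"OVERLAY") + b"tail"
    for offset, length, image in carve_pe(stream):
        # PE Hunter names dumped files by md5 of the carved data; do the same here.
        print(f"offset={offset} length={length:#x} md5={hashlib.md5(image).hexdigest()}")
    print("overlay bytes are not part of the carved image:", b"OVERLAY" not in carve_pe(stream)[0][2])
```

Running the block carves exactly 0x500 bytes at offset 8 and leaves `OVERLAY` behind, which is the failure mode the README warns about for self-extracting archives and similar binaries.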

Compiling and Installation
--------------------------

Copy the pehunter source directory to src/dynamic-preprocessors in the snort
source tree. You have to add a line like

        #define PP_PEHUNTER             28

to src/preprocids.h. Then modify the autoconf stuff to include the module in
the build process. The usual configure [opts] && make && make install then
installs snort with the PEHunter preprocessor.

Use snort in inline mode (configure with --enable-inline on Linux) to make sure
that no packet gets missed. This guarantees full and fault-free stream
reassembly and is the recommended mode for PEHunter.
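The README leaves "modify the autoconf stuff" unexplained, which is the first question in the post. The following is an added example, not code from PE Hunter or the Snort project, that scripts the three edits the installation section calls for: copy the module directory into the tree, add the `#define PP_PEHUNTER 28` line to `src/preprocids.h` (refusing an id already taken by another preprocessor), and register the module with the build. The build registration assumes a tree layout that is this example's assumption, not something the README states: a `SUBDIRS` line in `src/dynamic-preprocessors/Makefile.am` and a `configure.in` that already lists `src/dynamic-preprocessors/smtp/Makefile` as a generated Makefile. Every edit is idempotent, so re-running it is safe; `demo()` exercises the whole thing against a constructed stub tree.

```python
import re
import shutil
import tempfile
from pathlib import Path

DEFINE_RE = r"^\s*#define\s+(PP_\w+)\s+(\d+)"


def add_preproc_id(preprocids_h, name="PP_PEHUNTER", value=28):
    """Append '#define <name> <value>' to src/preprocids.h unless already present.
    Refuses to reuse a number that another PP_* define already owns."""
    path = Path(preprocids_h)
    text = path.read_text()
    ids = {m.group(1): int(m.group(2)) for m in re.finditer(DEFINE_RE, text, re.M)}
    if name in ids:
        return False
    if value in ids.values():
        raise ValueError(f"preprocessor id {value} is already taken in {path}")
    path.write_text(text.rstrip("\n") + f"\n#define {name:<24}{value}\n")
    return True


def add_subdir(makefile_am, subdir="pehunter"):
    """Append the module directory to the SUBDIRS line of a Makefile.am (assumed layout)."""
    path = Path(makefile_am)
    text = path.read_text()
    m = re.search(r"^SUBDIRS\s*=(.*)$", text, re.M)
    if m is None:
        raise ValueError(f"no SUBDIRS line in {path}")
    if subdir in m.group(1).split():
        return False
    path.write_text(text[:m.end()] + " " + subdir + text[m.end():])
    return True


def add_generated_makefile(configure_in, new="pehunter", sibling="smtp"):
    """Register src/dynamic-preprocessors/<new>/Makefile with autoconf by duplicating
    the line that registers the sibling module's Makefile (assumed to exist)."""
    path = Path(configure_in)
    text = path.read_text()
    new_entry = f"src/dynamic-preprocessors/{new}/Makefile"
    if new_entry in text:
        return False
    sib_entry = f"src/dynamic-preprocessors/{sibling}/Makefile"
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if sib_entry in line:
            if not line.rstrip().endswith("\\"):
                raise ValueError(f"{sib_entry} is the last entry in {path}; add {new_entry} by hand")
            lines.insert(i + 1, line.replace(sib_entry, new_entry))
            path.write_text("".join(lines))
            return True
    raise ValueError(f"{sib_entry} not listed in {path}")


def install_module(snort_src, pehunter_src):
    """Copy the pehunter sources into the snort tree and wire them into the build.
    Returns which of the three edits actually changed a file."""
    snort = Path(snort_src)
    dest = snort / "src" / "dynamic-preprocessors" / "pehunter"
    if not dest.exists():
        shutil.copytree(pehunter_src, dest)
    return {
        "preprocids": add_preproc_id(snort / "src" / "preprocids.h"),
        "subdirs": add_subdir(snort / "src" / "dynamic-preprocessors" / "Makefile.am"),
        "configure": add_generated_makefile(snort / "configure.in"),
    }


def demo():
    """Build a constructed stub tree, run install_module twice, and return
    (first-run result, second-run result, edited file contents)."""
    root = Path(tempfile.mkdtemp())
    snort, pehunter = root / "snort", root / "pehunter"
    (snort / "src" / "dynamic-preprocessors").mkdir(parents=True)
    pehunter.mkdir()
    (pehunter / "spp_pehunter.c").write_text("/* stub module source */\n")
    (snort / "src" / "preprocids.h").write_text("#define PP_SMTP 27\n")
    (snort / "src" / "dynamic-preprocessors" / "Makefile.am").write_text("SUBDIRS = ftptelnet smtp\n")
    (snort / "configure.in").write_text(
        "AC_OUTPUT( \\\nsrc/dynamic-preprocessors/smtp/Makefile \\\nsrc/Makefile)\n")
    first = install_module(snort, pehunter)
    second = install_module(snort, pehunter)  # nothing should change on the second run
    files = {p.name: p.read_text() for p in (
        snort / "src" / "preprocids.h",
        snort / "src" / "dynamic-preprocessors" / "Makefile.am",
        snort / "configure.in")}
    shutil.rmtree(root)
    return first, second, files


if __name__ == "__main__":
    first, second, files = demo()
    print("first run:", first)
    print("second run:", second)
    for name, content in files.items():
        print(f"--- {name} ---\n{content}", end="")
```

After the script has run against a real tree, the README's `configure [opts] && make && make install` rebuilds the autoconf output and picks the module up; if either the `SUBDIRS` line or the sibling Makefile entry is missing from the tree you have, the script raises instead of guessing, which is the point of making the assumptions explicit.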


Configuration
-------------

Files are stored, named by the md5 checksum of their data, in a configurable
location. Snort must be configured to use PE Hunter. Please include the
following lines in your snort.conf:


        # make sure to load the stream4 preprocessor first
        dynamicpreprocessor file /location/of/libsf_smtp_preproc.so

        # Configure PE Hunter module
        # --------------------------
        preprocessor pehunter: dump_dir /var/log/snort/binaries


Add a 'debug' option to the above line to produce verbose logging.