[Snort-users] Dynamic Preprocessor install (PE Hunter) help
tmaletic at ...11827...
Thu Aug 28 11:43:00 EDT 2008
Hi Tommy. Thanks for reminding me about this tool. I ran across it
months ago and meant to try it out.
I managed to build snort with pehunter (see hints below), and it
worked great on my test system that has practically zero load. I then
added it to a sensor that sees all traffic to and from the Internet
for my site. Load increased to a tolerable level, but the
preprocessor fails to detect or capture files. Enabling debug raised
load enough that I only tested it for small periods of time, but
produced no clues as to the problem. This sensor has only about a 1%
drop rate. Has anyone run pehunter successfully on a sensor that's
watching a busy network (as opposed to a sensor that is dedicated to
monitoring honeynet traffic)?
Build tips. Yes, the autoconf stuff isn't documented well. After
editing <snort_src_root>/src/preprocids.h as described in the README,
I then edited <snort_src_root>/configure and configure.in to include
pehunter. Basically, I searched those files for
"dynamic-preprocessors/ssl", and added in entries for the path to
pehunter wherever I found one for the ssl preprocessor.
The configure step produced the following for me:
config.status: creating src/dynamic-preprocessors/pehunter/Makefile
src/dynamic-preprocessors/pehunter/Makefile.in seems to ignore the
But I ignored the warning, and make produced a snort binary and
libraries that appeared to contain the new preprocessor, as snort logs
the following on startup:
Loading dynamic preprocessor library
Dump Directory: /opt/snort/var/pehunted
I then added the following to my snort.conf:
# Configure PE Hunter module
preprocessor pehunter: dump_dir var/pehunted
preprocessor pehunter: dump_dir var/pehunted debug
On Fri, Aug 15, 2008 at 10:54 AM, Tommy Cansanay <toortog at ...11827...> wrote:
> Anybody successfully install PE Hunter from
> http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm
> not familiar with configuring preprocessors and was wondering if anybody
> could help.
> 1.) "Then modify the autoconf stuff to include the module in
> the build process." -- How?
> 2.) "Add a 'debug' option to the above line to produce verbose logging." --
> PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting
> Windows executables (files in PE format) from the network stream.
> It first spots a PE header and then uses a simple heuristic to calculate the
> file length. Starting at the header offset in a stream, the resulting number
> This technique does not work for some specially crafted binaries, e.g.,
> extracting archives or programs with additional data after the end of the
> section since there is no way to passively identify such data in a stream.
> Compiling and Installation
> Copy the pehunter source directory to src/dynamic-preprocessors in the snort
> source tree. You have to add a line like
> #define PP_PEHUNTER 28
> to src/preprocids.h. Then modify the autoconf stuff to include the module in
> the build process. The usual configure [opts] && make && make install places
> installs snort with PEHunter preprocessor.
> Use snort in inline mode (configure with --enable-inline on Linux) to make
> that no packet gets missed. This quarantees full and fault-free stream
> reassembly and is the recommended mode for PEHunter.
> Files are stored as their md5 checksum of the corresponding data in a
> configurable location. Snort must be configured to use PE Hunter. Please
> the following lines in your snort.conf:
> # make sure to load the stream4 preprocessor first
> dynamicpreprocessor file /location/of/libsf_smtp_preproc.so
> # Configure PE Hunter module
> # --------------------------
> preprocessor pehunter: dump_dir /var/log/snort/binaries
> Add a 'debug' option to the above line to produce verbose logging.
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> Grand prize is a trip for two to an Open Source event anywhere in the world
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users