[Snort-users] Dynamic Preprocessor install (PE Hunter) help

Tim Maletic tmaletic at ...11827...
Thu Aug 28 11:43:00 EDT 2008


Hi Tommy.  Thanks for reminding me about this tool.  I ran across it
months ago and meant to try it out.

I managed to build snort with pehunter (see hints below), and it
worked great on my test system that has practically zero load.  I then
added it to a sensor that sees all traffic to and from the Internet
for my site.  Load increased to a tolerable level, but the
preprocessor fails to detect or capture files.  Enabling debug raised
load enough that I only tested it for small periods of time, but
produced no clues as to the problem.  This sensor has only about a 1%
drop rate.  Has anyone run pehunter successfully on a sensor that's
watching a busy network (as opposed to a sensor that is dedicated to
monitoring honeynet traffic)?

-tm

Build tips.  Yes, the autoconf stuff isn't documented well.  After
editing <snort_src_root>/src/preprocids.h as described in the README,
I then edited <snort_src_root>/configure and configure.in to include
pehunter.  Basically, I searched those files for
"dynamic-preprocessors/ssl", and added in entries for the path to
pehunter wherever I found one for the ssl preprocessor.

The configure step produced the following for me:
config.status: creating src/dynamic-preprocessors/pehunter/Makefile
config.status: WARNING:
src/dynamic-preprocessors/pehunter/Makefile.in seems to ignore the
--datarootdir setting

But I ignored the warning, and make produced a snort binary and
libraries that appeared to contain the new preprocessor, as snort logs
the following on startup:
Loading dynamic preprocessor library
/opt/infosec/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so...
done
PEHunter config:
     Dump Directory:      /opt/snort/var/pehunted
     Debug:               no

I then added the following to my snort.conf:
# Configure PE Hunter module
# --------------------------
dynamicpreprocessor file
/opt/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so
preprocessor pehunter: dump_dir var/pehunted

or optionally:
preprocessor pehunter: dump_dir var/pehunted debug

On Fri, Aug 15, 2008 at 10:54 AM, Tommy Cansanay <toortog at ...11827...> wrote:
> Anybody successfully install PE Hunter from
> http://honeytrap.mwcollect.org/pehunter ? I added the README file below. I'm
> not familiar with configuring preprocessors and was wondering if anybody
> could help.
>
> Questions:
> 1.) "Then modify the autoconf stuff to include the module in
> the build process." -- How?
>
> 2.) "Add a 'debug' option to the above line to produce verbose logging." --
> how?
>
>
> Thanks
>    Tom
>
> PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting
> Windows executables (files in PE format) from the network stream.
>
> It first spots a PE header and then uses a simple heuristic to calculate the
> file length. Starting at the header offset in a stream, the resulting number of
> This technique does not work for some specially crafted binaries, e.g.,
> self-extracting archives or programs with additional data after the end of the
> last section since there is no way to passively identify such data in a stream.
>
> Compiling and Installation
> --------------------------
>
> Copy the pehunter source directory to src/dynamic-preprocessors in the snort
> source tree. You have to add a line like
>
>         #define PP_PEHUNTER             28
>
> to src/preprocids.h. Then modify the autoconf stuff to include the module in
> the build process. The usual configure [opts] && make && make install
> installs snort with the PEHunter preprocessor.
>
> Use snort in inline mode (configure with --enable-inline on Linux) to make sure
> that no packet gets missed. This guarantees full and fault-free stream
> reassembly and is the recommended mode for PEHunter.
>
>
> Configuration
> -------------
>
> Files are stored as their md5 checksum of the corresponding data in a
> configurable location. Snort must be configured to use PE Hunter. Please include
> the following lines in your snort.conf:
>
>
>         # make sure to load the stream4 preprocessor first
>         dynamicpreprocessor file /location/of/libsf_smtp_preproc.so
>
>         # Configure PE Hunter module
>         # --------------------------
>         preprocessor pehunter: dump_dir /var/log/snort/binaries
>
>
> Add a 'debug' option to the above line to produce verbose logging.
>

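To make the README's length heuristic and its stated limitation concrete, here is an added example (not PE Hunter's own code) that carves a PE from a reassembled stream by taking the end of the last section, max(PointerToRawData + SizeOfRawData), as the file length. That particular rule is an assumption about what the README calls its "simple heuristic"; the sample PE-shaped blob and the overlay bytes are constructed test data.

```python
import struct

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

def find_pe_header(stream: bytes):
    """Return (mz_offset, pe_offset) for the first MZ/PE header pair in the stream, else None."""
    pos = stream.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and stream[pe:pe + 4] == b"PE\0\0":
                return pos, pe
        pos = stream.find(b"MZ", pos + 1)
    return None

def pe_length_heuristic(stream: bytes, pe_offset: int) -> int:
    """Assumed heuristic: file ends where the last section ends on disk."""
    # COFF header follows the 4-byte signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsections, opt_size = struct.unpack_from("<H12xH", stream, pe_offset + 6)
    table = pe_offset + 24 + opt_size  # section table starts right after the optional header
    end = 0
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", stream, table + i * SECTION_HDR_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def carve_pe(stream: bytes):
    """Carve the first PE from a reassembled stream; None if no header or the stream ends early."""
    hit = find_pe_header(stream)
    if hit is None:
        return None
    mz, pe = hit
    length = pe_length_heuristic(stream, pe)
    if length == 0 or mz + length > len(stream):
        return None  # incomplete capture (e.g. dropped packets): do not dump a truncated file
    return stream[mz:mz + length]

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE-shaped blob: two sections, the last ending at 0x700."""
    def sec(name, vsize, vaddr, rawsize, rawptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # 2 sections, PE32 optional header
    hdrs = dos + b"PE\0\0" + coff + bytes(0xE0) + sec(b".text", 0x200, 0x1000, 0x200, 0x400) + sec(b".data", 0x100, 0x2000, 0x100, 0x600)
    return hdrs.ljust(0x400, b"\0") + bytes(0x300)  # raw section data occupies 0x400..0x700

if __name__ == "__main__":
    pe = build_sample_pe()
    # Bytes after the last section (an overlay) are exactly what the README says cannot be recovered.
    stream = b"HTTP/1.1 200 OK\r\n\r\n" + pe + b"<constructed overlay data>"
    print(carve_pe(stream) == pe)  # True: the carve stops at 0x700 and the overlay is dropped
```

A self-extracting archive stores its payload as such an overlay, which is why the carved file is complete by the section table's account yet missing the data the README warns about.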