[Snort-users] Dynamic Preprocessor install (PE Hunter) help

Tommy Cansanay toortog at ...11827...
Thu Aug 28 12:21:20 EDT 2008


Tim,
 Thanks for the response. I was not getting any answers, so I decided to
write the author (Tillmann Werner ;). Here's a "step-by-step how-to" along
with a 2.8.2.2 patch that he sent. Only thing is, I'm running snort
2.8.2.2, which might be different from what others may be using. I got it
to compile, run, and I tried testing it on a dedicated network, but haven't
had any hits either. Curious, do you have the preproc name when it did fire?
Btw, I'm looking at this through BASE (and I'm assuming) that there weren't
any other extra config that needs to be done for it to show up in BASE.


"o  Download snort-2.8.2.2.tar.gz from
<http://www.snort.org/dl/current/snort-2.8.2.2.tar.gz>
o  Change into the directory where you saved the archive
o  Save the patch from my earlier mail in the same dir
o  Extract the source tree by running: tar xzf snort-2.8.2.2.tar.gz
o  Patch the source tree: patch -p0 < snort-2.8.2-pehunter.diff
o  Enter the source directory: cd snort-2.8.2.2
o  Open configure.in in your favorite editor and delete line 967 to 981
o  Save configure.in and close it
o  Run: autoreconf -i (you might need to install the autoconf package
for your platform)
o  Run: ./configure [your options here, --help gives you a list]
o  Run: make
o  Run: make install

If you got this far, you successfully patched, compiled and built snort
with pehunter. If you have further questions, you are invited to join
the #nepenthes channel on the freenode IRC network - the guys that hang
out there are always happy to help."

Thanks
 Tom


On Thu, Aug 28, 2008 at 11:43 AM, Tim Maletic <tmaletic at ...11827...> wrote:

> Hi Tommy.  Thanks for reminding me about this tool.  I ran across it
> months ago and meant to try it out.
>
> I managed to build snort with pehunter (see hints below), and it
> worked great on my test system that has practically zero load.  I then
> added it to a sensor that sees all traffic to and from the Internet
> for my site.  Load increased to a tolerable level, but the
> preprocessor fails to detect or capture files.  Enabling debug raised
> load enough that I only tested it for small periods of time, but
> produced no clues as to the problem.  This sensor has only about a 1%
> drop rate.  Has anyone run pehunter successfully on a sensor that's
> watching a busy network (as opposed to a sensor that is dedicated to
> monitoring honeynet traffic)?
>
> -tm
>
> Build tips.  Yes, the autoconf stuff isn't documented well.  After
> editing <snort_src_root>/src/preprocids.h as described in the README,
> I then edited <snort_src_root>/configure and configure.in to include
> pehunter.  Basically, I searched those files for
> "dynamic-preprocessors/ssl", and added in entries for the path to
> pehunter wherever I found one for the ssl preprocessor.
>
> The configure step produced the following for me:
> config.status: creating src/dynamic-preprocessors/pehunter/Makefile
> config.status: WARNING:
> src/dynamic-preprocessors/pehunter/Makefile.in seems to ignore the
> --datarootdir setting
>
> But I ignored the warning, and make produced a snort binary and
> libraries that appeared to contain the new preprocessor, as snort logs
> the following on startup:
> Loading dynamic preprocessor library
>
> /opt/infosec/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so...
> done
> PEHunter config:
>     Dump Directory:      /opt/snort/var/pehunted
>     Debug:               no
>
> I then added the following to my snort.conf:
> # Configure PE Hunter module
> # --------------------------
> dynamicpreprocessor file
> /opt/snort/lib/snort_dynamicpreprocessor/libsf_pehunter_preproc.so
> preprocessor pehunter: dump_dir var/pehunted
>
> or optionally:
> preprocessor pehunter: dump_dir var/pehunted debug
>
> On Fri, Aug 15, 2008 at 10:54 AM, Tommy Cansanay <toortog at ...11827...>
> wrote:
> > Anybody successfully install PE Hunter from
> > http://honeytrap.mwcollect.org/pehunter ? I added the README file below.
> > I'm not familiar with configuring preprocessors and was wondering if
> > anybody could help.
> >
> > Questions:
> > 1.) "Then modify the autoconf stuff to include the module in
> > the build process." -- How?
> >
> > 2.) "Add a 'debug' option to the above line to produce verbose logging."
> > -- How?
> >
> >
> > Thanks
> >    Tom
> >
> > PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting
> > Windows executables (files in PE format) from the network stream.
> >
> > It first spots a PE header and then uses a simple heuristic to calculate
> > the file length. Starting at the header offset in a stream, the resulting
> > number of
> > This technique does not work for some specially crafted binaries, e.g.,
> > self-extracting archives or programs with additional data after the end
> > of the last section since there is no way to passively identify such data
> > in a stream.
> >
> > Compiling and Installation
> > --------------------------
> >
> > Copy the pehunter source directory to src/dynamic-preprocessors in the
> > snort source tree. You have to add a line like
> >
> >         #define PP_PEHUNTER             28
> >
> > to src/preprocids.h. Then modify the autoconf stuff to include the module
> > in the build process. The usual configure [opts] && make && make install
> > installs snort with the PEHunter preprocessor.
> >
> > Use snort in inline mode (configure with --enable-inline on Linux) to
> > make sure that no packet gets missed. This guarantees full and fault-free
> > stream reassembly and is the recommended mode for PEHunter.
> >
> >
> > Configuration
> > -------------
> >
> > Files are stored as their md5 checksum of the corresponding data in a
> > configurable location. Snort must be configured to use PE Hunter. Please
> > include the following lines in your snort.conf:
> >
> >
> >         # make sure to load the stream4 preprocessor first
> >         dynamicpreprocessor file /location/of/libsf_smtp_preproc.so
> >
> >         # Configure PE Hunter module
> >         # --------------------------
> >         preprocessor pehunter: dump_dir /var/log/snort/binaries
> >
> >
> > Add a 'debug' option to the above line to produce verbose logging.
> >
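The README above only sketches the length heuristic and names its blind spot (data appended after the last section). The following is an added illustration, not PE Hunter's own code: it assumes the heuristic is "end of the last section" (PointerToRawData + SizeOfRawData), walks a reassembled stream for MZ/PE headers, carves each complete image, and names it by md5 as the dump directory does. The function names and the minimal PE built by `build_sample_pe` are constructed for this example.

```python
import hashlib
import struct

def pe_expected_length(buf, off):
    """Length of the PE image at buf[off] under the assumed heuristic: end of
    the last section. None if the MZ/PE headers are absent or truncated."""
    try:
        if buf[off:off + 2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)
        pe = off + e_lfanew
        if buf[pe:pe + 4] != b"PE\0\0":
            return None
        num_sections, = struct.unpack_from("<H", buf, pe + 6)
        opt_size, = struct.unpack_from("<H", buf, pe + 20)
        sec = pe + 24 + opt_size                   # start of the section table
        end = 0
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
        return end or None
    except struct.error:                           # header runs past the buffer
        return None

def hunt(stream):
    """Carve complete PE images out of a reassembled stream; returns a list of
    (md5 hex digest, bytes), mirroring PE Hunter's md5-named dump files."""
    found, pos = [], 0
    while (off := stream.find(b"MZ", pos)) >= 0:
        length = pe_expected_length(stream, off)
        if length and off + length <= len(stream):
            data = stream[off:off + length]
            found.append((hashlib.md5(data).hexdigest(), data))
            pos = off + length
        else:                                      # not a PE, or still incomplete
            pos = off + 1
    return found

def build_sample_pe(section_data, overlay=b""):
    """Constructed minimal PE (DOS stub, PE signature, COFF header with one
    section and no optional header, section table, raw section, optional overlay)."""
    pe_off, raw_ptr = 0x40, 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIII", len(section_data), 0x1000,
                                       len(section_data), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sec + section_data + overlay
```

Feeding `build_sample_pe(..., overlay=b"...")` through `hunt` shows the README's caveat directly: the carved file stops at the end of the last section and the overlay bytes are never captured, which is also why a truncated stream yields nothing.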
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-2.8.2.2-pehunter.diff
Type: application/octet-stream
Size: 55404 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080828/547b4f13/attachment.obj>
