[Snort-users] Enquiries regarding search engine in Snort 3.0 Extras

Siti Farhana Binti Lokman sitifarhana.lokman at ...17225...
Thu Aug 6 16:37:54 EDT 2015


Hi folks,

I'm a newbie here. I'm planning to implement my search algorithm in Snort++ Extras, as it allows us to install plugins with relative ease.
What I understand so far is that there are two search algorithms in the search_engines folder: sfksearch.cc/h and lowmem.cc/h.
I tried to build and run the extras with autotools as shown on blog.snort.org, hoping to get the summary result of the default search engines in Snort++ Extras.
But I only got this:

-------------------------------------------------
0") ~ Snort++ 3.0.0-a1-160
--------------------------------------------------
Loading /opt/snort3/etc/snort/snort.lua:
file_id
ftp_data
back_orifice
ftp_server
http_inspect
ssh
telnet
sip
ssl
pop
classifications
stream_user
rpc_decode
port_scan
stream_tcp
perf_monitor
smtp
arp_spoof
stream_file
stream_icmp
stream_ip
stream
ftp_client
references
stream_udp
wizard
dns
imap
Finished /opt/snort3/etc/snort/snort.lua.
Reading rules until EOF or a line starting with END
Loading stdin:
Finished stdin.
--------------------------------------------------
rule counts
       total rules loaded: 1
               text rules: 1
            option chains: 1
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     dst       1       0       0       0
    slow       1       0       0       0
   total       2       0       0       0
                instances: 1
                 patterns: 17
            pattern chars: 88
               num states: 81
         num match states: 17
              memory (KB): 4.21387
                 patterns: 0.749023
              match lists: 1.16406
              transitions: 1.90234


After the rebuild, I realized there's only the lowmem search algorithm in /opt/snort3/lib/snort_extra/search_engines/; sfksearch was not included, even though initially there were two (sfksearch & lowmem) in the Snort++ Extras tarball.

So why is sfksearch not compiled after the rebuild? Since the only files that were there after the build were the lowmem files, I assume that the generated result is for lowmem.
Is this correct? If I copy the sfksearch files manually into the Snort Extras folder, how do I run the sfksearch algorithm?
From my understanding of Snort 2.9.x, the search algorithm to be used is configured in config.h. I can't seem to find any guide on how to set this up in Snort++ Extras.

For the implementation part, the documentation is very limited. Are there any configuration files that I need to modify so that I can set my search algorithm as the default? Do I need to build the plugin, or can I just copy the plugin files into the respective folder?

If I need to build it, may I know whether there is any documentation or complete guide on how I can do it?

Thanks in advance.


