[Snort-users] Enquiries regarding search engine in Snort 3.0 Extras

Russ rucombs at ...589...
Fri Aug 7 07:45:27 EDT 2015


Hi Siti,

See the responses inline below.

Thanks
Russ

On 8/6/15 4:37 PM, Siti Farhana Binti Lokman wrote:
>
> Hi folks,
>
> I'm a newbie here. I'm planning to implement my search algorithm into 
> Snort++ Extras as it allows us to install plugins with relative ease.
>
I may be reading too much into this statement, but just to clarify, 
extras is there as an example of how to build outside the source tree.  
You don't need to literally put your new search algorithm in extras.  It 
can be anywhere.
>
> What I understand so far is that there are two searching algorithms in 
> search_engines folder; sfksearch.cc/h and lowmem.cc/h.
>
There are two in extras:  lowmem, and lowmem_q.  You can see what search 
engines are available by running a command like this:

$ ~/Build/auto/src/snort --plugin-path ~/install/auto/lib/snort_extra --list-plugins | grep search_engine
piglet::pp_search_engine v0 static
search_engine::ac_banded v0 static
search_engine::ac_bnfa v0 static
search_engine::ac_bnfa_q v0 static
search_engine::ac_full v0 static
search_engine::ac_full_q v0 static
search_engine::ac_sparse v0 static
search_engine::ac_sparse_bands v0 static
search_engine::ac_std v0 static
search_engine::lowmem v0 
/Users/rucombs/install/auto/lib/snort_extra/search_engines/liblowmem.0.dylib
search_engine::lowmem_q v0 
/Users/rucombs/install/auto/lib/snort_extra/search_engines/liblowmem.0.dylib

'static' indicates the plugin was statically linked; otherwise the path 
to the dynamically linked plugin is shown.
>
> I tried to build and run the extras with autotools as shown in the 
> blog.snort.org hoping to get the summary result of the default search 
> engines in Snort++ Extras.
>
> But I only got this:
>
That is showing you the startup output.  What additional information 
were you looking for?

I'm seeing a validation error with --lua "search_engine.search_method = 
'lowmem'" (it is using the default set of methods only).  We will get 
that fixed ASAP.
>
> -------------------------------------------------
> 0") ~ Snort++ 3.0.0-a1-160
> --------------------------------------------------
> Loading /opt/snort3/etc/snort/snort.lua:
> file_id
> ftp_data
> back_orifice
> ftp_server
> http_inspect
> ssh
> telnet
> sip
> ssl
> pop
> classifications
> stream_user
> rpc_decode
> port_scan
> stream_tcp
> perf_monitor
> smtp
> arp_spoof
> stream_file
> stream_icmp
> stream_ip
> stream
> ftp_client
> references
> stream_udp
> wizard
> dns
> imap
> Finished /opt/snort3/etc/snort/snort.lua.
> Reading rules until EOF or a line starting with END
> Loading stdin:
> Finished stdin.
> --------------------------------------------------
> rule counts
>        total rules loaded: 1
>                text rules: 1
>             option chains: 1
>             chain headers: 1
> --------------------------------------------------
> port rule counts
>              tcp     udp    icmp      ip
>      dst       1       0       0       0
>     slow       1       0       0       0
>    total       2       0       0       0
>                 instances: 1
>                  patterns: 17
>             pattern chars: 88
>                num states: 81
>          num match states: 17
>               memory (KB): 4.21387
>                  patterns: 0.749023
>               match lists: 1.16406
>               transitions: 1.90234
>
> After the rebuild, I realized there's only the lowmem search algorithm in 
> /opt/snort3/lib/snort_extra/search_engines/, but sfksearch was not 
> included even though initially there were two (sfksearch & lowmem) in 
> the Snort++ extra tarballs.
>
sfksearch is not a search method, it is an implementation algorithm used 
by both lowmem and lowmem_q.  Use the above command to see available 
methods.
>
> So why is sfksearch not compiled together after the rebuild? Since the 
> only files that were there after the build were lowmem files, I assume 
> that the result generated is for lowmem.
>
It is compiled but it is not a plugin.  It is used by the lowmem plugins.
>
> Is this correct? If I copy the sfksearch file manually into snort 
> extras folder, how do I run the sfksearch algorithm?
>
Run one of the lowmem methods.
>
> From my understanding of snort 2.9.x, the search algorithm that will be 
> used is configured in config.h. I can't seem to find any guide on how 
> to set this up in Snort++ Extra.
>
Snort 3X is configured much differently than 2X.  Start with the default 
snort.lua configuration.  You can find out what to configure with a 
command like this:

~/Build/auto/src/snort --plugin-path ~/install/auto/lib/snort_extra --help-config | grep search_engine
>
> For the implementation part, the documentation is very limited. Are 
> there any configuration files that I need to modify so that I can set 
> my search algorithm as a default? Do I need to build the plugin, or can 
> I just copy the plugin files into the respective folder?
>
From the above output, you will see this:

select search_engine.search_method = ac_bnfa_q: set fast pattern 
algorithm - choose available search engine { ac_banded | ac_bnfa | 
ac_bnfa_q | ac_full | ac_full_q | ac_sparse | ac_sparse_bands | ac_std }

That means that you can add to your snort.lua configuration:

     search_engine = { search_method = 'ac_full_q' }

You should be able to set lowmem here but see above about the bug.
>
> If I need to build it, may I know if there is any documentation or 
> complete guide on how I can do it?
>
To build your own, use one of the existing plugin sources in extra/ as a 
guide.
>
> Thanks in advance.
>
>
>
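Added example, not part of the thread and not Snort project code: a small POSIX sh script that ties the two commands above together. It takes the text of `snort --list-plugins | grep search_engine` and the `search_engine = { search_method = '...' }` line from a snort.lua, and reports whether the configured method is built in (static), comes from a shared object that needs --plugin-path, or is not available at all. This is the check you want before rolling a config out, given the validation bug with 'lowmem' that Russ mentions. The plugin listing and the three snort.lua fragments below are constructed samples shaped like the output in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): verify that the
# search_method configured in snort.lua is one the snort binary reports.

# Constructed sample of `snort --list-plugins | grep search_engine` output.
# In practice capture it from the real binary, e.g.
#   SAMPLE_PLUGINS=$(snort --plugin-path /opt/snort3/lib/snort_extra --list-plugins | grep search_engine)
SAMPLE_PLUGINS='search_engine::ac_bnfa v0 static
search_engine::ac_bnfa_q v0 static
search_engine::ac_full_q v0 static
search_engine::lowmem v0 /opt/snort3/lib/snort_extra/search_engines/liblowmem.0.dylib
search_engine::lowmem_q v0 /opt/snort3/lib/snort_extra/search_engines/liblowmem.0.dylib'

# Constructed snort.lua fragments: a built-in method, a plugin method, a typo.
LUA_OK="search_engine = { search_method = 'ac_full_q' }"
LUA_DYN="search_engine = { search_method = 'lowmem' }"
LUA_BAD="search_engine = { search_method = 'ac_bogus' }"

# list_methods: read listing text on stdin, print one method name per line.
list_methods() {
    sed -n 's/^search_engine::\([A-Za-z0-9_]*\) .*/\1/p'
}

# configured_method: read snort.lua text on stdin, print the search_method value.
configured_method() {
    sed -n "s/.*search_method *= *'\([^']*\)'.*/\1/p" | head -n 1
}

# plugin_origin METHOD: print "static", the shared-object path, or "missing".
plugin_origin() {
    origin=$(printf '%s\n' "$SAMPLE_PLUGINS" | awk -v m="search_engine::$1" '$1 == m { print $3 }')
    if [ -n "$origin" ]; then
        printf '%s\n' "$origin"
    else
        printf 'missing\n'
    fi
}

# check_config LUA_TEXT: return 0 if the configured method is available,
# 1 if it is unknown, 2 if no search_method is set (Snort falls back to its default).
check_config() {
    method=$(printf '%s\n' "$1" | configured_method)
    if [ -z "$method" ]; then
        echo "no search_method set; Snort will use its default"
        return 2
    fi
    origin=$(plugin_origin "$method")
    case "$origin" in
        missing) echo "search_method '$method' is not reported by --list-plugins"; return 1 ;;
        static)  echo "search_method '$method' is built in"; return 0 ;;
        *)       echo "search_method '$method' needs --plugin-path ($origin)"; return 0 ;;
    esac
}

# Usage: run the check over the constructed fragments.
for cfg in "$LUA_OK" "$LUA_DYN" "$LUA_BAD"; do
    check_config "$cfg" || true
done
```

The awk match is on the full `search_engine::name` token, so a method such as ac_bnfa does not accidentally match ac_bnfa_q. A method that resolves to a shared-object path only works if snort is started with the same --plugin-path that produced the listing, which is why the script reports the path rather than just "ok".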
