Solution provider takeaway: Solution providers will learn how to set up two Snort 3.0 beta components -- the Snort Security Platform (SnortSP) and the Snort 2.8.2 detection engine that runs on top of SnortSP.

In the last Snort Report, I discussed the architectural basics of Snort 3.0. The new Snort system consists of the Snort Security Platform (SnortSP) plus an assortment of engines. SnortSP is a foundation that provides traffic-inspection functions, like packet acquisition, traffic decoding, flow management and fragment reassembly. Each engine runs as a module on SnortSP. The first available module is a port of Snort 2.8.2 specifically for running on top of SnortSP.

The following diagram, courtesy of Sourcefire founder Marty Roesch, explains the relationship between these components:





In this edition of Snort Report I explain how to start working with SnortSP and the Snort 2.8.2 engine bundled with SnortSP using Debian 4.0r4a as the operating system. In a future article, I will demonstrate installation on FreeBSD. Thanks to helpful documentation (cited at the end of this story), I was able to get Debian working almost immediately. Therefore, it's a good choice for those who wish to spend more time with Snort 3.0 and less with troubleshooting library dependencies.


I chose a very basic Debian installation -- the "standard" system. We'll manually add the packages Snort 3.0 requires. Consider this tip a guide for trying Snort 3.0, not for deploying production Debian systems.

Download and extract the SnortSP-3.0.0b2.tar.gz archive:

debian40r4a:/usr/local/src# wget http://www.snort.org/dl/prerelease/3.0.0-b2/SnortSP-3.0.0b2.tar.gz

debian40r4a:/usr/local/src# tar -xzf SnortSP-3.0.0b2.tar.gz

Next, install dependencies required to build and run Snort 3.0:

debian40r4a:/usr/local/src# apt-get install build-essential libpcap0.8 libpcap0.8-dev libpcre3 libpcre3-dev libnet1 libnet1-dev libdumbnet-dev libdumbnet1 libncurses5 libncurses5-dev libreadline5 libreadline5-dev liblua5.1-0 liblua5.1-0-dev flex bison uuid uuid-dev

Install SnortSP:

debian40r4a:/usr/local/src# cd SnortSP-3.0.0b2
debian40r4a:/usr/local/src/SnortSP-3.0.0b2# ./configure
debian40r4a:/usr/local/src/SnortSP-3.0.0b2# make
debian40r4a:/usr/local/src/SnortSP-3.0.0b2# make install
debian40r4a:/usr/local/src/SnortSP-3.0.0b2# ldconfig
debian40r4a:/usr/local/src/SnortSP-3.0.0b2# mkdir /etc/SnortSP/
debian40r4a:/usr/local/src/SnortSP-3.0.0b2# cp etc/* /etc/SnortSP/

Test to ensure SnortSP is working as expected:

debian40r4a:/usr/local/src/SnortSP-3.0.0b2# SnortSP -V
SnortSP Version 3.0.0b2

If the version reports properly, the next step is to install the Snort 2.8.2 detection engine:

debian40r4a:/usr/local/src/SnortSP-3.0.0b2# cd src/analysis/snort
debian40r4a:/usr/local/src/SnortSP-3.0.0b2/src/analysis/snort# ./configure --with-platform-libraries=/usr/local/lib/SnortSP/
debian40r4a:/usr/local/src/SnortSP-3.0.0b2/src/analysis/snort# make
debian40r4a:/usr/local/src/SnortSP-3.0.0b2/src/analysis/snort# make install

At this point, SnortSP and the 2.8.2 engine are ready for use.

In the following example, we simply start SnortSP, then shut it down:

debian40r4a:/usr/local/src/SnortSP-3.0.0b2# SnortSP -L /etc/SnortSP/snort.lua
[+] Loaded pcap DAQ
[+] Loaded file DAQ
[+] Loaded afpacket DAQ
[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded gtp
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading SnortSP command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
[!] Loading output command metatable
[!] Loading analyzer command metatable
Executing /etc/SnortSP/snort.lua
,,_ -*> SnortSP! <*-
o" )~ Version 3.0.0b2 (Build 9) [BETA]
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 2008 Sourcefire Inc.
snort> Control thread running - 3083484080 (16972)
snort> ssp.shutdown()

Calling s_list_free_all for decoder_list
Control thread exiting - 3083484080 (16972)

That wasn't very exciting! What just happened? Before shutting SnortSP down, we started it by specifying a Lua startup file, /etc/SnortSP/snort.lua. Let's take a look at the comments in that file to see what we have loaded:

-- This function will instantiate a data source and an engine, link
-- them and start sniffing. The only argument is the interface name
-- upon which to sniff specified as a string. For example:
--
-- snort> sniff("eth0")

Restart SnortSP. Now check to see if any data sources have been instantiated:

snort> dsrc.list()
[*] 0 data sources configured

No data sources are configured, so let's create one using the syntax in the Lua startup file:

snort> sniff("eth0")
Creating new data source
Flow manager created with 16384 flow capacity
Engine "e1" created
Linking engine "e1" to data source "src1"
Calling engine_start()
init_pcap: Initializing network interface eth0
[*] Data Source Config:
Name: src1
Type: pcap
Interface: eth0
Filename:
Snaplen: 1514
Flags: 0x00000002
Display: None (0)
Filter command:
DAQ: 0x8079560
User Context: 0x80fc608
Max flows: 16384
Max idle: 60
Memcap: 10000000
[*] Flow Manager Config:
Max flows: 16384
Max idle: 60
Memcap: 10000000
[*] DAQ config:
Interface: eth0
Snaplen: 1514
Datalink: 1
Count: 0
Packet Count: 0
Promisc flag: 1
File flag: 0
pcap ptr: 0x80fbde0
analysis context ptr: 0xb7257008
[*] Spawning engine thread!
snort> e1 thread running - 3072682928 (2216)

So, we have a data source sniffing traffic on interface eth0. We can verify this by using the built-in command to list data sources:

snort> dsrc.list()
[*] 1 data sources configured
Name: src1 DAQ: pcap interface: eth0 Running

If you aren't sure how data source src1 was configured, you can run the following:

snort> dsrc.show("src1")

Taking another look at the Lua startup file, there's a function like the following:

-- This function will instantiate a data source and an engine, link
-- them and start sniffing. Arguments are the interface to sniff on
-- and a BPF filter to apply to the session (if any). To send a
-- "NULL" string as the BPF filter simply specify "" as the filter.
function fsniff (interface, bpf)

Let's try it:

snort> fsniff ("eth0", "not port 22")
Creating new data source
Flow manager created with 16384 flow capacity
Engine "e2" created
Linking engine "e2" to data source "src2"
Calling engine_start()
init_pcap: Initializing network interface eth0
[*] Data Source Config:
Name: src2
Type: pcap
Interface: eth0
Filename:
Snaplen: 1514
Flags: 0x00000002
Display: (null) (4)
Filter command: not port 22
DAQ: 0x8079560
User Context: 0x813cd48
Max flows: 16384
Max idle: 60
Memcap: 10000000
[*] Flow Manager Config:
Max flows: 16384
Max idle: 60
Memcap: 10000000
[*] DAQ config:
Interface: eth0
PCAP filter: not port 22
Snaplen: 1514
Datalink: 1
Count: 0
Packet Count: 0
Promisc flag: 1
File flag: 0
pcap ptr: 0x813ce90
analysis context ptr: 0xb689a008
[*] Spawning engine thread!
snort> e2 thread running - 3062471600 (2216)

Our data source list shows both are running:

snort> dsrc.list()
[*] 2 data sources configured
Name: src2 DAQ: pcap interface: eth0 Running
Name: src1 DAQ: pcap interface: eth0 Running

In a future Snort Report, I will show how to use data sources to provide packets to engines. For now, I'll close by showing how SnortSP can decode packets stored in a pcap trace. Use the gtp_test() function provided in the Lua startup file to read a trace called /root/icmp.pcap (a trace that already exists on my system):

snort> gtp_test("/root/icmp.pcap")
Creating new data source
Reading packets from file /root/icmp.pcap
Flow manager created with 16384 flow capacity
Engine "e4" created
Linking engine "e4" to data source "src4"
Reading packets from file /root/icmp.pcap
daq_init: Opening file "/root/icmp.pcap"
[*] Data Source Config:
Name: src4
Type: file
Interface: file
Filename: /root/icmp.pcap
Snaplen: 0
Flags: 0x00000001
Display: (null) (4)
Filter command:
DAQ: 0x80795c0
User Context: 0x80eebb0
Max flows: 16384
Max idle: 60
Memcap: 10000000
[*] Flow Manager Config:
Max flows: 16384
Max idle: 60
Memcap: 10000000
[*] DAQ config:
Filename: /root/icmp.pcap
Snaplen: 1514
Datalink: 1
Count: 0
Packet Count: 0
File ptr: 0x813abe0
analysis context ptr: 0xb708c008
[*] Spawning engine thread!
snort> e4 thread running - 3070266288 (2306)
[*] Packet 1 from file /root/icmp.pcap
[*] Packet Info
Serial: 1
Packet Time: 08/14-22:12:47.258184
Packet Bytes: 98
Captured Bytes: 98
Layers: 4
Flags: 80000000
[*] Ethernet (14 bytes)
Source MAC Address: 00:50:56:C0:00:08
Dest MAC Address: 00:0C:29:31:26:90
Encapsulated Protocol: IPv4
[*] Internet Protocol (20 bytes)
Version: 4
Header Length: 5
TOS: 0
Datagram Length: 84
ID: 0
Reserved Bit: UNSET
Dont Fragment Bit: SET
More Fragments Bit: UNSET
Fragment Offset: 0
Time To Live: 64
Protocol: ICMP (1)
Checksum: 53214 (0xCFDE)
Source Address: 192.168.237.1
Dest Address: 192.168.237.134
[*] Internet Control Message Protocol (8 bytes)
Type: 8 (ECHO)
Code: 0 ()
Checksum: 20060
Id: 21527
Seq: 256
[*] Payload (56 bytes)
0x0000: 14 E6 A4 48 EE 1C 00 00 08 09 0A 0B 0C 0D 0E 0F ...H............
0x0010: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
0x0020: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
0x0030: 30 31 32 33 34 35 36 37 01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet 2 from file /root/icmp.pcap
[*] Packet Info
Serial: 2
Packet Time: 08/14-22:12:47.258287
Packet Bytes: 98
Captured Bytes: 98
Layers: 4
Flags: 80000000
[*] Ethernet (14 bytes)
Source MAC Address: 00:0C:29:31:26:90
Dest MAC Address: 00:50:56:C0:00:08
Encapsulated Protocol: IPv4
[*] Internet Protocol (20 bytes)
Version: 4
Header Length: 5
TOS: 0
Datagram Length: 84
ID: 23965
Reserved Bit: UNSET
Dont Fragment Bit: UNSET
More Fragments Bit: UNSET
Fragment Offset: 0
Time To Live: 64
Protocol: ICMP (1)
Checksum: 12993 (0x32C1)
Source Address: 192.168.237.134
Dest Address: 192.168.237.1
[*] Internet Control Message Protocol (8 bytes)
Type: 0 (ECHO REPLY)
Code: 0 ()
Checksum: 22108
Id: 21527
Seq: 256
[*] Payload (56 bytes)
0x0000: 14 E6 A4 48 EE 1C 00 00 08 09 0A 0B 0C 0D 0E 0F ...H............
0x0010: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
0x0020: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
0x0030: 30 31 32 33 34 35 36 37 01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
e4 thread exiting - 3070266288 (2306)
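To see what the decoder output above actually asserts about the two packets, here is an added example (my own code, not SnortSP's) that rebuilds packet 1 and packet 2 from the decoded fields, parses the Ethernet, IPv4 and ICMP layers with a minimal decoder, and verifies both checksums with the RFC 1071 ones'-complement sum. Two byte-order details fall out of the arithmetic: the IPv4 checksum printed as 53214 (0xCFDE) is the byte-swap of the value that actually validates, 0xDECF, and the ICMP checksums 20060 and 22108 validate only when the ICMP id and seq are taken as the wire words 0x1754 and 0x0001, i.e. the beta decoder displays those two fields without byte-order conversion (the IPv4 ID 23965 in packet 2, by contrast, is displayed converted). The MAC addresses, IP addresses and payload bytes are copied from the dump; the frame is constructed here, not read from the trace.

```python
"""Decode an Ethernet/IPv4/ICMP frame and verify both checksums.

Added example, not SnortSP code. The sample frame is rebuilt from the fields
the SnortSP decoder printed for packets 1 and 2 above.
"""
import struct

# Constructed sample: the 56-byte ICMP payload from the dump
# (8-byte timestamp followed by 0x08..0x37).
SAMPLE_PAYLOAD = bytes.fromhex("14E6A448EE1C0000") + bytes(range(0x08, 0x38))


def rfc1071_checksum(data: bytes) -> int:
    """Ones'-complement sum of big-endian 16-bit words, folded and inverted.
    Run over a header whose checksum field is filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_frame(reply: bool = False) -> bytes:
    """Rebuild packet 1 (echo) or packet 2 (echo reply) from the decoded fields."""
    host_mac = bytes.fromhex("005056C00008")     # 00:50:56:C0:00:08 (copied from dump)
    guest_mac = bytes.fromhex("000C29312690")    # 00:0C:29:31:26:90 (copied from dump)
    host_ip = bytes([192, 168, 237, 1])
    guest_ip = bytes([192, 168, 237, 134])
    if not reply:
        eth = guest_mac + host_mac + b"\x08\x00"  # dst, src, EtherType IPv4
        ip_id, flags_frag, src, dst = 0, 0x4000, host_ip, guest_ip  # DF set
        icmp_type = 8
    else:
        eth = host_mac + guest_mac + b"\x08\x00"
        ip_id, flags_frag, src, dst = 23965, 0x0000, guest_ip, host_ip
        icmp_type = 0
    # ICMP: type, code, checksum (0 while computing), id, seq. The wire words
    # 0x1754 / 0x0001 are what reproduce the printed checksums 20060 and 22108.
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1754, 0x0001) + SAMPLE_PAYLOAD
    icmp = icmp[:2] + struct.pack("!H", rfc1071_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id,
                     flags_frag, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> ICMP and report whether each checksum verifies."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ip_id, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len > len(ip):
        raise ValueError("bad IPv4 header")
    result = {
        "eth": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "ethertype": ethertype},
        "ip": {
            "header_len": ihl, "tos": tos, "total_len": total_len, "id": ip_id,
            "flags": {"DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000)},
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
            "checksum": cksum, "checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        },
    }
    if proto == 1:  # ICMP: checksum covers header plus payload
        icmp = ip[ihl:total_len]
        if len(icmp) < 8:
            raise ValueError("truncated ICMP header")
        itype, code, icksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        result["icmp"] = {
            "type": itype, "code": code, "checksum": icksum,
            "checksum_ok": rfc1071_checksum(icmp) == 0,
            "id": ident, "seq": seq, "payload": icmp[8:],
        }
    return result


if __name__ == "__main__":
    for name, frame in (("echo", build_icmp_frame()), ("reply", build_icmp_frame(reply=True))):
        d = decode_frame(frame)
        print(name, "ip cksum 0x%04X ok=%s" % (d["ip"]["checksum"], d["ip"]["checksum_ok"]),
              "icmp cksum %d ok=%s" % (d["icmp"]["checksum"], d["icmp"]["checksum_ok"]))
```

The checksum verification is the part worth keeping: a decoder that prints fields without validating them will happily render a corrupted or crafted packet as if it were sound, and corrupting one payload byte in the constructed frame is enough to make `checksum_ok` go false.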

What did this edition of the Snort Report show? First, we got SnortSP running and compiled a detection engine (Snort 2.8.2). Second, we demonstrated how SnortSP can have multiple threads performing various functions, all running simultaneously and without stopping and restarting SnortSP. Third, we showed how to access functions provided via Lua configuration files (in future articles we will learn more about writing these ourselves). Finally, we accessed one of those functions to decode an ICMP echo and an ICMP echo reply.

SnortSP is a fairly radical departure from the world of Snort 1.x and 2.x. I recommend trying the examples in this tip. Thus far, the best documentation available on Snort 3.0 (and the references for this article) is the following:

SnortSP README

Marty Roesch's blog

Leon Ward's blog (Sourcefire employee)

I recommend asking questions via the blog post at TaoSecurity that I'll create when announcing the publication of this article. You may also want to write to the snort-devel mailing list, or query Marty and Leon via their blogs as well.

About the author
Richard Bejtlich is the founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


This was first published in September 2008
