Blog From The Past : Testing Snort 3.0 alpha 1

[Update 15 Nov 2007 : I wrote this blog several months ago, but I haven’t been able to publish it until now]


After a couple of weeks I have been very busy settling things up in my new field, I got a chance to play with Snort 3.0 Subsystem Alpha 1. This release is not for production use yet.

Several features that seems very interesting in this new Snort version are :

  • several new packet decoders
  • it has a command line interface with command processor using Lua scripting language. You can create functions in Lua language and then load them from Snort. It’s a very cool feature although I haven’t test it thoroughly. :D This release comes with a snort.lua file that provides general functions to use Snort 3.0 quickly.

At this moment, Snort 3.0 has three commands (sniff(), fsniff(), and runfile()) and three groups of system commands in this alpha release. They are :

  • sfips : functions that control the operation of the system
  • dsrc : functions to manage data sources
  • eng : functions to manage Snort engines

To install Snort 3.0 alpha to my system (opensuse 10.x), it requires several packages :

  • Lua 5.1.1
  • libdnet version 1.10 or newer
  • libpcap
  • e2fsprogs-devel

The first two packages are also included in the Snort 3.0 alpha package.

To build Snort 3.0, I did the followings :

$ ./configure
$ make

I didn’t install Snort to my system, because I’ve already had a production ready Snort. I don’t want to mess up things.

Then I started Snort :

# src/sfips/snort
[*] DAQ Modules Loaded…
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded raw
[*] Decoder initialized…
[*] Flow manager initialized…
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading sfips command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
,,_ -*> Snort! <*-
o” )~ Version 03.0.0.a1.4 (Build 7) [PRE-ALPHA]
”” By Martin Roesch & The Snort Team:
(C) Copyright 2006 Sourcefire Inc.

Then I loaded snort.lua file. If there is no error it will display snort prompt :

> dofile(“etc/snort.lua”)

After that you can use several functions/commands mentioned in the README file. Here are several useful functions/command : sniff(), eng.stop().

Stay tune for my next experiences with Snort 3.0.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s