LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: December 19th, 2014
Linux Advisory Watch: December 12th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
“A Pig(Snort), A Moon (Lua) and one very happy developer (Bill)” Print E-mail
User Rating:      How can I rate this item?
Posted by Bill Keys   
Features About one month ago, Snort 3.0 Alpha was released for testing in the community. If you want to be on the cutting edge of intrusion detection, packet sniffing, and keeping your system safe, check out this introduction to preparing for the future of intrusion detection.


Bill Keys
Snort 3.0 alpha code base was released on April 5, 2007. What caught my eye is the new command line operations, now run through the Lua interpreter. This is a radically different way to interact with Snort. And while the alpha version of Snort 3.0 is still in the development phase, we can still interact with the Snort's command line via the Lua interface and decode packets passing along the wire. Nice feature, much like the Emacs text editor, where they embed the Lisp language interpreter in the editor. Another added feature is the ability to decode Ipv6 packets which is set to become the standard in the coming years.

This first release of Snort 3.0 is currently used for only testing the new features and architecture of the new code base. However, I recommend diving into the new command line interface if you are currently using, or planning on using Snort.

How to install Snort 3.0 Alpha 1?

  • Download Snort 3.0 Alph 1 from
    http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz

  • untar the download
    % tar -xzf snort-03.0.al.4.tar.gz

  • Installing lua-5.1 on Ubuntu
    % sudo apt-get install lua-5.1

  • Installing libpcap on Ubuntu
    % sudo apt-get install libpcap

  • Installing libdnet-1.11 from source
    % cd snort-03.0.0.al.4/3rdparty
    % tar -xzf libdnet-1.11.tar.gz
    % cd libdnet-1.11
    % sudo ./configure && make

  • Installing snort 3.0 alpha 1
    % cd snort-03.0.0.al.4
    % sudo ./configure
    % sudo make
    % sudo make install

  • Note: install any other dependence's depending on your Linux distribution.

  • All done. If you have any problems please read the INSTALL and README files and check if all the dependencies are installed for each program.

Using Snort 3.0 alpha

I was able to compile and install it on EnGarde Secure Linux Community 3.0 and Ubuntu 6.10. This Snort release requires the installation of Lua 5.1, as Snort Alpha will NOT compile with Lua 5.0. After starting Snort 3.0, nothing happens until the user enters a command. Included in the Snort 3.0 alpha code is a file called snort.lua, which provides functions for setting the packet sniffer.

Example of how to use Snort 3.0:

  • Starting Snort 3.0 alpha code base
    % sudo src/sfips/snort

  • Load the etc/snort.lua:
    > dofile (“etc/snort.lua”)

  • Note: the dofile function is part of the Lua language

  • Then, do a packet sniff
    snort> sniff(“eth0”)

  • There are some other commands the user can use for example runfile (“filename”), sfips.help(), and sfips.shutdown() while testing the code base.


Lua Programming

Lua is an open-source scripting language, which is designed to be embedded into applications and provides an easy to use C API. I find that embedding the Lua scripting language in Snort is a major change how users can interact with Snort. In addition, syntax of the language is both easy to use and understand. You can find Lua5.1 included in the Snort 3.0 base code tarball in the 3rdparty/ directory. One of its strengths is that it's a lightweight programming language, allowing it to operate without much space, and with only a small reduction in speed. Also, it's used in computer games like World of Warcraft for users to customize their interfaces. The data types are similar to C (int, float, etc). Lua uses the C API, however Lua making it easier to use because it eliminates the need for manual reference management.

It has been around since 1993, so you can count on a strong, involved community of users. There are even plug-ins for Eclipse IDS to make programming with it that much easier. In my opinion, applying the functionality and speed of Lua in Snort is a great addition to the intrusion detection standard. The simplest way to install Lua5.1 is to download a binary package; EnGarde Secure Community 3.0 next release will have a newly created packaged rpm of Lua 5.1 available as of May 8th 2007.

Decoding new protocols

Snort 3.0 Alpha 1 is introducing decoding of IPv6, MPLS, GRE and PPPoE networking protocols. I have tested only IPv6 and found it to work perfectly, and would be interested if other people have tested other protocols successfully.

Threads

Another new feature introduced in this code base release is the ability to use threads. Without threads, users had to make a new instance of Snort for each interface the user wanted Snort to listen on. Using threads will alleviate the problem of losing data normally caused by stopping Snort to make configuration changes.

How to Test Snort 3.0 Alpha 1 for yourself?

First the user needs to download and install the source code from http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz. There are three programs needed by Snort 3.0 Alpha 1; libdnet-1.11, libpcap, and Lua 5.1. Included in the Snorts tartball are libdnet-1.11 and Lua 5.1 source file but there are binary packages of these programs for many Linux Distributions available. If you find any bugs in the code, first read the BUGS file in the codes source before reporting them. There are no rule engines yet, so the main testing will be in the sniffing and decoding of packets across the wire. The team at Snort really wants user's to pound the code by testing the new features, so have fun trying to break it.

Conclusion

This release is designed for user's to test the new code base for Snort 3.0 and get users comfortable with the new Lua command line interface of Snort. The Lua interpreter in Snort is going to change the way people are going to interacts. Also, Snort is looking at the future of the Internet by decoding the IPv6 protocol and other new protocols. I am eager to learn more about the power of using the Lua interpreter and also interested in how using Lua will improve Snort's code base and interface. Also, looking forward to reviewing the new releases of Snort 3.0 Alpha in the future.

Resources


By Bill Keys

Comments
Nice workWritten by dave on 2007-05-09 18:49:24
Bill, nice work. The lua programming language sounds interesting and sure looks like it adds a lot of flexibility to snort.
Thank youWritten by wkeys on 2007-05-10 14:12:02
Thank you Dave I enjoyed writing this article, Lua is definitively a interesting programming language. It can do a lot in a small package. I think that's why the Snort developer's choose to embed Lua in Snort 3.0.
snortWritten by snort on 2007-08-03 12:43:14
I can't wait until they release the full version of Snort 3.0.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.