About one month ago, Snort 3.0 Alpha was released for testing in the community. If you want to be on the cutting edge of intrusion detection, packet sniffing, and keeping your system safe, check out this introduction to preparing for the future of intrusion detection.
 Bill Keys |
This first release of Snort 3.0 is currently used for only testing the new features and architecture of the new code base. However, I recommend diving into the new command line interface if you are currently using, or planning on using Snort.
How to install Snort 3.0 Alpha 1?
-
Download Snort 3.0 Alph 1 from
http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz -
untar the download
% tar -xzf snort-03.0.al.4.tar.gz
-
Installing lua-5.1 on Ubuntu
% sudo apt-get install lua-5.1
-
Installing libpcap on Ubuntu
% sudo apt-get install libpcap
-
Installing libdnet-1.11 from source
% cd snort-03.0.0.al.4/3rdparty
% tar -xzf libdnet-1.11.tar.gz
% cd libdnet-1.11
% sudo ./configure && make
-
Installing snort 3.0 alpha 1
% cd snort-03.0.0.al.4
% sudo ./configure
% sudo make
% sudo make install
- Note: install any other dependence's depending on your Linux distribution.
- All done. If you have any problems please read the INSTALL and README files and check if all the dependencies are installed for each program.
Using Snort 3.0 alpha
I was able to compile and install it on EnGarde Secure Linux Community 3.0 and Ubuntu 6.10. This Snort release requires the installation of Lua 5.1, as Snort Alpha will NOT compile with Lua 5.0. After starting Snort 3.0, nothing happens until the user enters a command. Included in the Snort 3.0 alpha code is a file called snort.lua, which provides functions for setting the packet sniffer.
Example of how to use Snort 3.0:
-
Starting Snort 3.0 alpha code base
% sudo src/sfips/snort -
Load the etc/snort.lua:
> dofile (“etc/snort.lua”) -
Note: the dofile function is part of the Lua language
-
Then, do a packet sniff
snort> sniff(“eth0”) - There are some other commands the user can use for example runfile (“filename”), sfips.help(), and sfips.shutdown() while testing the code base.
Lua Programming
Lua is an open-source scripting language, which is designed to be embedded into applications and provides an easy to use C API. I find that embedding the Lua scripting language in Snort is a major change how users can interact with Snort. In addition, syntax of the language is both easy to use and understand. You can find Lua5.1 included in the Snort 3.0 base code tarball in the 3rdparty/ directory. One of its strengths is that it's a lightweight programming language, allowing it to operate without much space, and with only a small reduction in speed. Also, it's used in computer games like World of Warcraft for users to customize their interfaces. The data types are similar to C (int, float, etc). Lua uses the C API, however Lua making it easier to use because it eliminates the need for manual reference management.
It has been around since 1993, so you can count on a strong, involved community of users. There are even plug-ins for Eclipse IDS to make programming with it that much easier. In my opinion, applying the functionality and speed of Lua in Snort is a great addition to the intrusion detection standard. The simplest way to install Lua5.1 is to download a binary package; EnGarde Secure Community 3.0 next release will have a newly created packaged rpm of Lua 5.1 available as of May 8th 2007.
Decoding new protocols
Snort 3.0 Alpha 1 is introducing decoding of IPv6, MPLS, GRE and PPPoE networking protocols. I have tested only IPv6 and found it to work perfectly, and would be interested if other people have tested other protocols successfully.
Threads
Another new feature introduced in this code base release is the ability to use threads. Without threads, users had to make a new instance of Snort for each interface the user wanted Snort to listen on. Using threads will alleviate the problem of losing data normally caused by stopping Snort to make configuration changes.
How to Test Snort 3.0 Alpha 1 for yourself?
First the user needs to download and install the source code from http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz. There are three programs needed by Snort 3.0 Alpha 1; libdnet-1.11, libpcap, and Lua 5.1. Included in the Snorts tartball are libdnet-1.11 and Lua 5.1 source file but there are binary packages of these programs for many Linux Distributions available. If you find any bugs in the code, first read the BUGS file in the codes source before reporting them. There are no rule engines yet, so the main testing will be in the sniffing and decoding of packets across the wire. The team at Snort really wants user's to pound the code by testing the new features, so have fun trying to break it.
Conclusion
This release is designed for user's to test the new code base for Snort 3.0 and get users comfortable with the new Lua command line interface of Snort. The Lua interpreter in Snort is going to change the way people are going to interacts. Also, Snort is looking at the future of the Internet by decoding the IPv6 protocol and other new protocols. I am eager to learn more about the power of using the Lua interpreter and also interested in how using Lua will improve Snort's code base and interface. Also, looking forward to reviewing the new releases of Snort 3.0 Alpha in the future.
Resources
-
Official Snort website
http://www.snort.org -
Download of Snort 3.0 alpha 1
http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz -
Official Lua website
http://www.lua.org/ -
Lua wiki (Tutorials)
http://lua-users.org/wiki/ -
Release Notes
http://www.linuxsecurity.com
By Bill Keys
|
|
Only registered users can write comments.
Please login or register.
Powered by AkoComment!