- Table of contents
- Compiling the complete Snort source tree
- Compiling only the Plugin
- Configuration/Rules
Compiling the complete Snort source tree
System Preparation
Compiling Snort (and the plugin) requires a GNU toolchain, including the autotools.
Other dependencies are libpcap, libdnet, libpcre and zlib.
To get all requirements on a Debian system:

```sh
sudo apt-get install gcc autoconf automake make \
    libtool flex bison libpcre3-dev zlib1g-dev \
    libdumbnet-dev libpcap-dev subversion gdb
```

Finally, libdaq and Snort itself are required.
Compiling
The example commands use csh syntax and install Snort to `${HOME}/tmp/snort` (set as `$PREFIX` below).
download
The Snort and libdaq sources are available from snort.org.
To make things easier, the latest development source tree is available under Files. It includes libdaq 0.6.1, Snort 2.9.1 and the IPv6 plugin as part of the Snort source tree:

```sh
wget https://redmine.cs.uni-potsdam.de/attachments/download/33/snort_with_spp_ipv6_201111.tar.xz
tar xJf snort_with_spp_ipv6_201111.tar.xz
```
libdaq

```csh
setenv PREFIX ${HOME}/tmp/snort
cd daq-0.6.1
./configure --prefix=${PREFIX} --enable-ipv6 --enable-static
make && make install
cd ..
```
snort

```csh
setenv PREFIX ${HOME}/tmp/snort
setenv PATH ${PATH}:${PREFIX}/bin
cd snort
libtoolize --automake --copy
aclocal -I m4 -I /usr/share/aclocal
autoheader
automake --add-missing --copy
autoconf
./configure --prefix=${PREFIX} \
    --with-daq-libraries=${PREFIX}/lib \
    --with-daq-includes=${PREFIX}/include \
    --enable-debug --enable-debug-msgs
make && make install
cp -a etc ${PREFIX}/etc
cd ..
```
- the `aclocal` path is for Linux; under BSD it should be `/usr/local/share/aclocal`
- on some of my Linux test systems I get a defective `./configure`; to fix it I have to delete the lines 15951--15957 :-/
- in case you try this with Snort < 2.9.1, the configure option `--enable-ipv6` is required
Compiling only the Plugin
The plugin-only version does not use autoconf, but only a simple Makefile.
This Makefile has to be edited to use particular compiler flags (e.g. to build an optimized version without debugging symbols). It also contains a copy of Snort's configuration flags (`-DSF_WCHAR -DSUP_IP6` etc.); these have to match the flags used for compiling Snort itself.
Running `make` compiles the plugin into the shared library `build/spp_ipv6.so`. To install the library, copy it into Snort's dynamic preprocessor directory, as configured by `dynamicpreprocessor directory` in `snort.conf`.
To test that the compilation succeeded, activate the preprocessor (see "Activate Preprocessor" below) and check that it is loaded.
If the configuration flags do not match the configuration flags of your Snort installation, loading the plugin aborts with the following error:

```
ERROR size 856 != 792
ERROR: Failed to initialize dynamic preprocessor: IPv6 Preprocessor version 1.2.0 (-2)
```
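As an added example (not code from the page or from the Snort/plugin project), a small POSIX sh check for the flag mismatch described above: it lists the `-D` macros that differ between Snort's Makefile and the plugin's Makefile, so the mismatch is caught before the build rather than at load time. It assumes both files carry their macros as `-DNAME` or `-DNAME=VALUE` tokens; the Makefile paths in the comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the page or the Snort/plugin project: compare the
# -D configuration macros of two Makefiles so a mismatch is found before the
# build instead of as "ERROR size ... != ..." at load time. Assumes macros
# appear as -DNAME or -DNAME=VALUE tokens (the page's -DSF_WCHAR -DSUP_IP6 form).
LC_ALL=C; export LC_ALL

# defines_in_file FILE: print the macro names given with -D, sorted, unique.
defines_in_file() {
    # split on blanks, tabs and line-continuation backslashes, keep -D tokens,
    # then strip the -D prefix and any =VALUE part
    tr -s ' \t\\' '\n\n\n' < "$1" \
        | sed -n 's/^-D\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' \
        | sort -u
}

# flag_mismatch SNORT_MAKEFILE PLUGIN_MAKEFILE: print every macro defined in
# only one of the two files; returns 1 if any differ, 0 if the sets match.
flag_mismatch() {
    snort_list=$(mktemp); plugin_list=$(mktemp)
    defines_in_file "$1" > "$snort_list"
    defines_in_file "$2" > "$plugin_list"
    # comm needs sorted input; -23 = only in first file, -13 = only in second
    missing=$(comm -23 "$snort_list" "$plugin_list" | sed 's/^/missing in plugin: /')
    extra=$(comm -13 "$snort_list" "$plugin_list" | sed 's/^/extra in plugin: /')
    rm -f "$snort_list" "$plugin_list"
    printf '%s\n' "$missing" "$extra" | sed '/^$/d'
    [ -z "$missing$extra" ]
}

# Typical call (both paths are placeholders for your trees):
#   flag_mismatch snort/src/Makefile spp_ipv6/Makefile
```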
Configuration/Rules
Necessary Snort configuration to run in $HOME
dynamic libraries
The default `snort.conf` expects all dynamic libraries in `/usr/local/lib`; to run inside a $HOME directory all paths have to be changed:

```sh
sed -i.orig -e "s:/usr/local:${PREFIX}:" ${PREFIX}/etc/snort.conf
```

rules
The default file also includes all rules and a path for dynamic rules, so you either have to register at snort.org and download a ruleset, or simply remove all rule inclusions:

```sh
sed -i -e 's:^include $RULE_PATH:# &:' -e 's:^dynamicdetection :# &:' ${PREFIX}/etc/snort.conf
```

logging
By default Snort tries to write log files to `/var/log/snort`, which is not permitted with normal user access rights.
So either call snort with the `-l` parameter to change the log path (e.g. `-l /tmp`) or define a different log path in `snort.conf`, e.g.:

```
config logdir: /tmp
```
Testing Snort
After these steps Snort should run in its default configuration. You can use it to read PCAP files:

```sh
sudo ${PREFIX}/bin/snort -v -r test.pcap -c ${PREFIX}/etc/snort.conf
```

or (with admin access) to listen to live network traffic:

```sh
sudo ${PREFIX}/bin/snort -v -i eth0 -c ${PREFIX}/etc/snort.conf
```
Activate Preprocessor
Now the second step is to activate and test the IPv6 preprocessor.
The basic change is simple: add the line `preprocessor ipv6` to `snort.conf`.
To verify that the preprocessor is active, simply run Snort again and check that a) its "Initialization Complete" message contains the line `Preprocessor Object: IPv6 Preprocessor` and/or b) the exit statistics contain IPv6 statistics.
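The `snort.conf` edits from the "Necessary Snort configuration" steps (paths, rule includes, log directory) together with the activation and the load check described above, as one added example in POSIX sh rather than the page's csh; it is not code from the page or from Snort. The prefix, log directory and the sample `snort.conf` and output lines used for testing are constructed; the sed expressions are the page's own.

```sh
#!/bin/sh
# Added example (not from the page or from Snort): apply the snort.conf changes
# described above to a copy of the file, then check Snort's startup output for
# the IPv6 preprocessor. POSIX sh instead of the page's csh; sample files used
# for testing are constructed.
LC_ALL=C; export LC_ALL

# prepare_snort_conf SRC DST PREFIX LOGDIR
# Rewrite SRC into DST: point /usr/local at PREFIX, comment out rule includes,
# dynamicdetection and any old logdir lines, set the log directory and enable
# the IPv6 preprocessor. SRC stays untouched, so it doubles as the .orig copy.
prepare_snort_conf() {
    sed -e "s:/usr/local:$3:" \
        -e 's:^include $RULE_PATH:# &:' \
        -e 's:^dynamicdetection :# &:' \
        -e 's|^config logdir:|# &|' "$1" > "$2"
    printf 'config logdir: %s\n' "$4" >> "$2"
    # add the preprocessor line only once, even if SRC was prepared before
    grep -q '^preprocessor ipv6' "$2" || printf 'preprocessor ipv6\n' >> "$2"
}

# ipv6_preprocessor_loaded OUTPUT_FILE
# Exit status 0: the "Initialization Complete" block lists the IPv6
# preprocessor; 2: the plugin failed to initialize (the flag mismatch error
# quoted earlier on this page); 1: no trace of the preprocessor at all.
ipv6_preprocessor_loaded() {
    if grep -q 'Failed to initialize dynamic preprocessor: IPv6 Preprocessor' "$1"; then
        return 2
    fi
    grep -q 'Preprocessor Object: IPv6 Preprocessor' "$1"
}

# Typical use (paths are placeholders; PREFIX as chosen in the build steps):
#   prepare_snort_conf "$PREFIX/etc/snort.conf" "$PREFIX/etc/snort-home.conf" "$PREFIX" /tmp
#   "$PREFIX/bin/snort" -r test.pcap -c "$PREFIX/etc/snort-home.conf" > snort.out 2>&1
#   ipv6_preprocessor_loaded snort.out
```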
Additional Configuration Files
Additional files (`gen-msg.map`, `preprocessor.rules`) contain the association between SID, generator ID and event description for more verbose log output.
The `snort_with_spp_ipv6_201111.tar.xz` archive already contains modified versions of these files. To add the IPv6 plugin to an existing Snort installation, the lines describing the IPv6 plugin have to be added to these files.
Rules/Signatures
The file `ipv6.rules` contains some rules. To try them, include the file in your `snort.conf`:

```
include ipv6.rules
```

In an existing installation you should either copy the file into the system's `$RULE_PATH` or copy its content into `$RULE_PATH/local.rules`.
Testing
The Example Output page shows Snort's output after this configuration.