
enable snort inline mode in NST

NST
Paul Tsang
2009-11-19
2012-12-05
  • Paul Tsang
    2009-11-19

    Dear all,

    Currently, I have installed the newest NST in the VMServer and it works OK.

    But what gets me into trouble is that I don't know how to enable snort inline mode (snort in intrusion detection mode is OK).

    In a normal snort inline setup, I just need to compile snort when installing, like: ./configure --enable-inline ; make ; make install. And to enable snort inline mode, just type: snort -Q -c /etc/snort/snort.conf.

    But in NST, it seems not to work in inline mode. How can I enable snort inline mode in NST? Does it still need to recompile snort in inline mode, like ./configure --enable-inline? If so, where can I find the "configure" file for snort?

    Can anyone give me some idea how to enable and run snort inline mode in NST?

    Thanks a lot!

     
  • paultsang:

    Unfortunately the version of snort compiled with NST does not support inline mode (it was not compiled in).

    You will need to compile your own version of snort using "--enable-inline" when configuring, as you have already pointed out.

    You will need to get the latest snort source code from the Sourcefire site:

    http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz

    The configure script is located within the compressed tar archive…

    --RWH

     
  • Paul Tsang
    2009-11-19

    Dear RWH,

    Thanks for your kind reply.

    In this case, once I have installed snort, how can I combine the existing functions in NST, like BASE, Oinkmaster and other software, with snort?

    And does it mean that when I install my own snort in inline mode, I cannot use the browser to view or configure it? Usually, we just need to go to a link like https://192.168.1.132, and then we can view all the installed tools.

     
  • Paultsang:

    After compiling, replace the following binaries and libraries with your inline version. This should allow the NST WUI to function correctly.

    ***Note: Beware - if a new RPM is released by the NST project it will overwrite your custom snort inline build. Therefore, be careful when updating your NST system by skipping any snort updates…

    I will take a look at trying to build snort with inline mode enabled when we move to F12…

    --RWH

        /usr/lib/snort_dynamicengine
        /usr/lib/snort_dynamicengine/libsf_engine.so
        /usr/lib/snort_dynamicengine/libsf_engine.so.0
        /usr/lib/snort_dynamicengine/libsf_engine.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor
        /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
        /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so.0
        /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0.0.0
        /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
        /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
        /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0.0.0
        /usr/lib/snort_dynamicrules
        /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so
        /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so.0
        /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so.0.0.0
        /usr/sbin/snort

     
  • Paul Tsang
    2009-11-19

    Dear RWH,

    Thanks very much for your information. I will follow your suggestion to implement snort inline mode.

    Paul

     
  • When you build a custom version of snort, there are a couple of approaches you can take. I've outlined the "RPM" approach which should work on a 2.11.0 x86 version of the NST system with snort 2.8.5.1.

    To take the RPM approach, you need to log in as 'root' as it involves installing packages onto the system.

    Download the source RPM:

        yumdownloader --source snort

    This should download the current source RPM from the NST repository. You then install the source using the command:

        rpm -ivh snort-2.8.5.1-4.nst11.src.rpm

    This should extract the code from the source snort RPM and install it under various $HOME/rpmbuild directories.

    Before you will be able to compile snort, you will need to have several development packages installed on your system. You will probably need to experiment a bit, but here are a few critical ones (I'm making a guess here as I've updated my system with other packages over time - you may need to install more):

        yum install gcc make rpm-build libnet-devel mysql-devel nst-devel libdnet-devel

    Verify that you can build the current version of snort (if this fails, it means there are more packages you need to install - look for compilation errors for hints).

        rpmbuild -bb $HOME/rpmbuild/SPECS/snort.spec

    Once you can build the current version of snort, edit the $HOME/rpmbuild/SPECS/snort.spec file with the options you would like to include in your build:

         vi $HOME/rpmbuild/SPECS/snort.spec

    Look for the invocation of the configure script (you'll see things like --prefix, --bindir and many other settings). Add the options you want to experiment with, but leave the directory settings alone (so that your build of snort will interact cleanly with the NST system).

    Try building your own custom snort package:

        rpmbuild -bb $HOME/rpmbuild/SPECS/snort.spec

    If the build works, you should get a binary RPM (look under $HOME/rpmbuild/RPMS/i586). If it doesn't work, it means one of the following occurred:

    1. You incorrectly modified the snort.spec file.
    2. The options you added require that additional packages/libraries be installed on your system (again look at the output and try to figure out what libraries you need to add to your system).

    Once you get a good build, remove the current snort installation and install your newly built package:

        rpm --erase --nodeps snort
        rpm -ivh --force $HOME/rpmbuild/RPMS/i586/snort-2.8.5.1-4.nst11.i586.rpm

    And remember, if you run yum update in the future, your custom build might be clobbered. So, you'll either need to repeat the process, or make sure you don't update snort when using yum (check out the man page for yum or yum.conf - I think there is a way to tell yum not to update certain packages).

    Good Luck,
    Paul Blankenbaker

    PS: If you are successful in accomplishing your goal, could you post a follow up note describing what changes you need to make to snort.spec and what additional packages/libraries you needed to install on the system?
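The RPM approach above is a sequence of manual steps, and two of them are the ones people get wrong: editing the configure line in the spec without breaking its backslash continuation, and keeping `yum update` from replacing the custom package afterwards. The script below is an added example, not code from the thread or the NST project. The two editing functions are plain shell and awk so they can be exercised offline; the `rebuild_snort` wrapper strings them together with the commands from the post and only runs when the script is invoked with `rebuild`. It assumes the spec lives at `$HOME/rpmbuild/SPECS/snort.spec` as in the post, that the package is called `snort`, and that the yum configuration is `/etc/yum.conf`; the `exclude=` directive in the `[main]` section is the yum.conf setting that keeps a package from being updated.

```shell
#!/bin/sh
# Added example (not from the thread or the NST project): automate the
# "rebuild the NST snort RPM with --enable-inline" procedure.
set -eu

SPEC="${SPEC:-$HOME/rpmbuild/SPECS/snort.spec}"
YUMCONF="${YUMCONF:-/etc/yum.conf}"

# add_configure_flag SPECFILE FLAG
# Append FLAG to the first configure invocation in SPECFILE (a line whose
# first word is "%configure" or "./configure").  If that line ends in a
# backslash continuation the flag is inserted before the backslash so the
# remaining --prefix/--bindir lines still belong to the same command.
# Idempotent: a flag already present anywhere in the spec is not added twice.
add_configure_flag() {
    spec="$1"; flag="$2"
    if grep -qF -- "$flag" "$spec"; then
        return 0
    fi
    awk -v flag="$flag" '
        !done && ($1 == "%configure" || $1 == "./configure") {
            if ($0 ~ /\\[ \t]*$/) {
                sub(/[ \t]*\\[ \t]*$/, "")
                $0 = $0 " " flag " \\"
            } else {
                $0 = $0 " " flag
            }
            done = 1
        }
        { print }
    ' "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# exclude_from_yum YUMCONF PKG
# Add PKG to the exclude= line of the [main] section (space separated, as
# yum.conf expects), creating the line, or the section, if it is missing.
# Idempotent: PKG is not appended if it is already listed.
exclude_from_yum() {
    conf="$1"; pkg="$2"
    awk -v pkg="$pkg" '
        /^\[/ {
            if (inmain && !written) { print "exclude=" pkg; written = 1 }
            inmain = ($0 == "[main]")
        }
        inmain && /^exclude=/ {
            n = split(substr($0, 9), items, /[ ,]+/)
            for (i = 1; i <= n; i++) if (items[i] == pkg) found = 1
            if (!found) $0 = $0 " " pkg
            written = 1
        }
        { print }
        END {
            if (!written) {
                if (!inmain) print "[main]"
                print "exclude=" pkg
            }
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# rebuild_snort: the steps from the post, run as root.  The build-dependency
# list is the post's own guess and may need additions on a given system.
rebuild_snort() {
    yum -y install gcc make rpm-build libnet-devel mysql-devel nst-devel libdnet-devel
    yumdownloader --source snort
    rpm -ivh snort-*.src.rpm
    add_configure_flag "$SPEC" --enable-inline
    rpmbuild -bb "$SPEC"
    rpm --erase --nodeps snort
    rpm -ivh --force "$HOME"/rpmbuild/RPMS/*/snort-[0-9]*.rpm
    exclude_from_yum "$YUMCONF" snort
}

case "${1:-}" in
    rebuild) rebuild_snort ;;
esac
```

With `exclude=snort` in place, `yum update` leaves the custom package alone; drop the entry (or run `yum update --disableexcludes=main snort`) when you deliberately want the NST package back, and remember that the exclusion also hides any security fixes shipped in later NST snort RPMs, so the rebuild has to be repeated for those.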