Updates Snort v2.9.7.2: Snort is a libpcap-based sniffer/logger which can be used as a network intrusion detection and prevention system.

changelog Snort 2.9.7.2
[*] New additions
* Support for Cisco FabricPath decoding/encoding.
[*] Improvements
* Resolved an issue where the inline normalization preprocessor incorrectly
resized packets when 'preprocessor normalize_tcp: trim' was enabled.
* Resolved a crash in file processing of HTTP continuations.

Snort is a libpcap-based sniffer/logger which can be used as a network intrusion detection and prevention system. It uses a rule-based detection language as well as various other detection mechanisms and is highly extensible.

BUILD SNORT


Follow these steps:

1. Set up source directory:

* If you are using a github clone:

cd snort3/

* Otherwise, do this:

tar zxf snort-tarball
cd snort-3.0.0*

2. Set up the install path:

export my_path=/path/to/snorty

3. Compile and install:

* To build with autotools, simply do the usual from the top level directory:

./configure --prefix=$my_path
make -j 8 install

* To build with cmake and make, run configure_cmake.sh. It will
automatically create and populate a new subdirectory named 'build'.

./configure_cmake.sh --prefix=$my_path
cd build
make -j 8 install

Note:

* If you are using autotools with a github clone, first run autoreconf -isvf.
* If you can run src/snort -V, you built successfully.
* If you are familiar with cmake, you can run cmake/ccmake instead of
configure_cmake.sh.
* cmake --help will list any available generators, such as Xcode. Feel
free to use one; however, help with those will be provided separately.

RUN SNORT

First set up the environment:
export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort

Then give it a go:
* Snort++ provides lots of help from the command line. Here are some examples:
$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread

* Examine and dump a pcap. In the following, replace a.pcap with your
favorite:
$my_path/bin/snort -r a.pcap
$my_path/bin/snort -K text -d -e -q -r a.pcap

* Verify a config, with or w/o rules:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules

* Run IDS mode. In the following, replace pcaps/ with a path to a directory
with one or more *.pcap files:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000

* Let's suppress 1:2123. We could edit the conf or just do this:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"

* Go whole hog on a directory with multiple packet threads:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
--pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8
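The BUILD SNORT steps and the RUN SNORT environment setup above, gathered into a small POSIX shell helper. This is an added example, not a script shipped with Snort or the snort3 repository: it assumes it is run from the top of a snort3 source tree, that `my_path` is the install prefix, and that the function names (`build_snort`, `verify_build`, `lua_path_for`, `snort_runtime_env`, `suppress_lua_for`) are our own. The LUA_PATH helper shows the value that the README's escaped `\?.lua\;\;` form actually produces, which is the part people most often get wrong when typing it by hand.

```shell
#!/bin/sh
# Added example (not part of Snort): wraps the README's build/run steps in functions.
# Usage, from the top of a snort3 source tree:
#   . ./snort_helper.sh
#   build_snort /path/to/snorty autotools   # or: build_snort /path/to/snorty cmake
#   verify_build && snort_runtime_env /path/to/snorty

# Compile and install with the chosen build system (README step 3).
# $1 = install prefix, $2 = "autotools" (default) or "cmake".
build_snort() {
    prefix="$1"
    system="${2:-autotools}"
    case "$system" in
        autotools)
            # A github clone has no generated ./configure yet (README note 1).
            [ -f configure ] || autoreconf -isvf
            ./configure --prefix="$prefix" && make -j 8 install
            ;;
        cmake)
            # configure_cmake.sh creates and populates the build/ subdirectory.
            ./configure_cmake.sh --prefix="$prefix" && (cd build && make -j 8 install)
            ;;
        *)
            echo "unknown build system: $system (use autotools or cmake)" >&2
            return 2
            ;;
    esac
}

# README note 2: the build succeeded if src/snort -V runs.
verify_build() {
    src/snort -V >/dev/null 2>&1
}

# Unescaped value of the README's LUA_PATH line:
#   export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
# The backslashes only protect '?' and ';' from the shell; the stored value is
# "<prefix>/include/snort/lua/?.lua;;" (the trailing ";;" keeps Lua's default path).
lua_path_for() {
    printf '%s/include/snort/lua/?.lua;;' "$1"
}

# Export the two variables the RUN SNORT section sets. $1 = install prefix.
snort_runtime_env() {
    LUA_PATH="$(lua_path_for "$1")"
    export LUA_PATH
    SNORT_LUA_PATH="$1/etc/snort"
    export SNORT_LUA_PATH
}

# Build the --lua override that suppresses one rule, from a "gid:sid" pair
# such as "1:2123"; pass the result as:  --lua "$(suppress_lua_for 1:2123)"
suppress_lua_for() {
    gid="${1%%:*}"
    sid="${1#*:}"
    printf 'suppress = { { gid = %s, sid = %s } }' "$gid" "$sid"
}
```

Sourcing the file rather than executing it keeps the exported environment in the current shell, which is what the subsequent `$my_path/bin/snort` invocations need.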

Download : snort-2.9.7.2.tar.gz (6.4 MB)
Source : https://www.snort.org/