Update: Snort v3.0.0-a1 is a libpcap-based sniffer/logger which can be used as a network intrusion detection and prevention system.

This first alpha release is based on early Snort 2.9.6 and excludes all but one of Snort’s dynamic preprocessors (ftp_telnet). Work is underway to
port that functionality and sync with 2.9.7; those updates will be rolled out as they become available.
+ Project = Snort++
+ Binary = snort
+ Version = 3.0.0-a1

Here are some key features in this alpha release:
* Support multiple packet processing threads
* Use a shared configuration and attribute table
* Use a simple, scriptable configuration
* Make key components pluggable
* Autodetect services for portless configuration
* Support sticky buffers in rules
* Autogenerate reference documentation
* Provide better cross platform support

Additional features on the roadmap include:
* Use a shared network map
* Support pipelining of packet processing
* Support hardware offload and data plane integration
* Rewrite critical modules like TCP reassembly and HTTP inspection
* Support proxy mode
* Facilitate component testing
* Simplify memory management
* Provide all of Snort's functionality

BUILD SNORT

Follow these steps:

1. Set up source directory:

* If you are using a github clone:

cd snort3/

* Otherwise, do this:

tar zxf snort-tarball
cd snort-3.0.0*

2. Set up install path:

export my_path=/path/to/snorty

3. Compile and install:

* To build with autotools, simply do the usual from the top level directory:

./configure --prefix=$my_path
make -j 8 install

* To build with cmake and make, run configure_cmake.sh. It will
automatically create and populate a new subdirectory named 'build'.

./configure_cmake.sh --prefix=$my_path
cd build
make -j 8 install


* If you are using autotools with a github clone, first do autoreconf -isvf.
* If you can do src/snort -V you built successfully.
* If you are familiar with cmake, you can run cmake/ccmake instead of
* cmake --help will list any available generators, such as Xcode. Feel
free to use one, however help with those will be provided separately.


First set up the environment:
export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort

Then give it a go:
* Snort++ provides lots of help from the command line. Here are some examples:
$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread

* Examine and dump a pcap. In the following, replace a.pcap with your
$my_path/bin/snort -r a.pcap
$my_path/bin/snort -K text -d -e -q -r a.pcap

* Verify a config, with or without rules:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules

* Run IDS mode. In the following, replace pcaps/ with a path to a directory
with one or more *.pcap files:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000

* Let's suppress 1:2123. We could edit the conf or just do this:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
-r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
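
The `--lua` argument is a Lua chunk that snort evaluates on top of snort.lua, so it is worth building it from validated input rather than pasting strings together. The following added example (not part of the Snort++ release or its README) generates a suppress override for several gid:sid pairs and rejects anything that is not strictly digits:digits; it assumes $my_path and the environment variables from the steps above are already set.

```shell
#!/bin/sh
# Added example, not from the Snort++ project: build a --lua override that
# suppresses a list of "gid:sid" pairs, then run Snort with it.
# Every entry is validated before it is interpolated into Lua, because the
# chunk passed to --lua is executed by snort as code.

# build_suppress "1:2123 1:2124"
#   -> suppress = { { gid = 1, sid = 2123 }, { gid = 1, sid = 2124 } }
build_suppress() {
    entries=""
    for pair in $1; do
        case "$pair" in
            *[!0-9:]* | *:*:* | :* | *: )   # non-digits, two colons, empty side
                echo "build_suppress: bad gid:sid '$pair'" >&2
                return 1 ;;
            *:* ) ;;                        # exactly one colon, digits on both sides
            * )
                echo "build_suppress: missing ':' in '$pair'" >&2
                return 1 ;;
        esac
        gid=${pair%%:*}
        sid=${pair#*:}
        entries="${entries:+$entries, }{ gid = $gid, sid = $sid }"
    done
    printf 'suppress = { %s }\n' "$entries"
}

# run_suppressed PCAP "GID:SID ..." : IDS run over one pcap with the given
# rules suppressed via --lua (same flags as the release notes use).
run_suppressed() {
    override=$(build_suppress "$2") || return 1
    "$my_path/bin/snort" -c "$my_path/etc/snort/snort.lua" \
        -R "$my_path/etc/snort/sample.rules" \
        -r "$1" -A alert_test -n 100000 --lua "$override"
}
```

Calling `run_suppressed a.pcap "1:2123 1:2124"` reproduces the command above for two sids; a malformed entry aborts before snort is started.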

* Go whole hog on a directory with multiple packet threads:
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
--pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8
Download:
snort_extra-1.0.0-a1-130-cmake.tar.gz (190 KB)
Our previous post: http://seclist.us/update-snort-v-2-9-5-5-a-network-intrusion-prevention-and-detection-system.html
Source: https://www.snort.org/