
snort3_extra's Introduction

Snort++

Snort 3 is the next generation Snort IPS (Intrusion Prevention System). This file will show you what Snort++ has to offer and guide you through the steps from download to demo. If you are unfamiliar with Snort you should take a look at the Snort documentation first. The sections below cover an overview of the changes, dependencies, download, build, running Snort, and documentation.

OVERVIEW

This version of Snort++ includes new features as well as all Snort 2.X features and bug fixes for the base version of Snort except as indicated below:

Project = Snort++
Binary = snort
Version = 3.0.0 (Build 250) from 2.9.11

Here are some key features of Snort++:

  • Support multiple packet processing threads
  • Use a shared configuration and attribute table
  • Use a simple, scriptable configuration
  • Make key components pluggable
  • Autodetect services for portless configuration
  • Support sticky buffers in rules
  • Autogenerate reference documentation
  • Provide better cross platform support
  • Facilitate component testing
  • Use a shared network map

Additional features on the roadmap include:

  • Support pipelining of packet processing
  • Support hardware offload and data plane integration
  • Support proxy mode
  • Windows support

DEPENDENCIES

If you already build Snort, you may have everything you need. If not, install the latest versions of the required packages. Additional packages provide optional features; check the manual for the full list.

DOWNLOAD

There is a source tarball available in the Downloads section on snort.org:

snort-3.0.0-a3.tar.gz

You can also get the code with:

git clone https://github.com/snort3/snort3.git

A separate extras package, built with cmake, provides additional features and demonstrates how to build plugins. Its source is in the snort3_extra.git repo. The extras build locates the installed Snort through pkg-config, so before running its configure_cmake.sh make sure PKG_CONFIG_PATH includes the directory that holds snort.pc (lib/pkgconfig or lib64/pkgconfig under your Snort install prefix); otherwise cmake stops with "None of the required 'snort>=3' found".

BUILD SNORT

Follow these steps:

  1. Set up source directory:
  • If you are using a github clone:

    cd snort3/
  • Otherwise, do this:

    tar zxf snort-tarball
    cd snort-3.0.0*
  2. Set up the install path:

    export my_path=/path/to/snorty
  3. Compile and install:

  • To build with cmake and make, run configure_cmake.sh. It will automatically create and populate a new subdirectory named 'build'.

    ./configure_cmake.sh --prefix=$my_path
    cd build
    make -j $(nproc) install

Note:

  • If src/snort -V runs from the build directory (or $my_path/bin/snort -V after install), you built successfully.
  • If you are familiar with cmake, you can run cmake/ccmake instead of configure_cmake.sh.
  • cmake --help will list any available generators, such as Xcode. Feel free to use one, however help with those will be provided separately.

RUN SNORT

Here are some examples. If you are using Talos rules and/or configs, you should first set any needed variables at the top of snort.lua and snort_defaults.lua.

  • Snort++ provides lots of help from the command line, including:

    $my_path/bin/snort --help
    $my_path/bin/snort --help-module suppress
    $my_path/bin/snort --help-config | grep thread
  • Examine and dump a pcap. In the following, replace a.pcap with your favorite:

    $my_path/bin/snort -r a.pcap
    $my_path/bin/snort -L dump -d -e -q -r a.pcap
  • Verify a config, with or without rules:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua
    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
  • Run IDS mode. In the following, replace a.pcap with your favorite:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap -A alert_test -n 100000
  • Let's suppress 1:2123. We could edit the conf or just do this:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
  • Go whole hog on a directory with multiple packet threads. In the following, replace pcaps/ with a path to a directory with one or more *.pcap files:

    $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        --pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8

Additional examples are given in doc/usage.txt.

DOCUMENTATION

Take a look at the manual, parts of which are generated by the code so it stays up to date:

$my_path/share/doc/snort/snort_manual.pdf
$my_path/share/doc/snort/snort_manual.html
$my_path/share/doc/snort/snort_manual/index.html

It does not yet have much on the how and why, but it does have all the currently available configuration, etc. Some key changes to rules:

  • you must use comma separated content sub options like this: content:"foo", nocase;
  • buffer selectors must appear before the content and remain in effect until changed
  • pcre buffer selectors were deleted
  • check the manual for more on Snort++ vs Snort
  • check the manual reference section to understand how parameters are defined, etc.
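The rule changes listed above, worked through in code. This is an added example, not part of snort3_extra and not the project's snort2lua tool: it rewrites a constructed Snort 2 rule (SAMPLE_SNORT2, invented for the example) into Snort 3 form, turning content modifiers into comma-separated sub-options, moving http_* buffer modifiers in front of the content as sticky buffers (and emitting pkt_data when a later content goes back to the raw payload), and replacing pcre buffer flags with a sticky buffer. The PCRE flag table is the subset this example handles; everything marked as an assumption in the comments is the example's own choice.

```python
"""Rewrite Snort 2 rule options into the Snort 3 forms described above.

Added example, not part of snort3_extra and not the project's snort2lua.
Handles three of the listed changes only:
  * content modifiers become comma-separated sub-options of the content
  * http_* buffer modifiers become sticky buffers placed before the content
    and stay in effect until changed (pkt_data switches back to raw payload)
  * pcre buffer flags (U, H, P, ...) are dropped in favour of a sticky buffer
Everything else (msg, sid, flow, ...) is passed through unchanged.
"""

# Snort 2 content modifiers that become sub-options of the content.
SUB_OPTIONS = {"nocase", "rawbytes", "fast_pattern", "depth", "offset",
               "distance", "within"}

# Snort 2 buffer modifiers; Snort 3 uses the same keywords as sticky buffers.
BUFFER_MODS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
               "http_cookie", "http_raw_cookie", "http_client_body",
               "http_method", "http_stat_code", "http_stat_msg"}

# Snort 2 pcre buffer flags -> Snort 3 sticky buffer. Assumption: this subset
# is all the example needs; any other flag (i, s, R, ...) is kept verbatim.
PCRE_FLAG_BUFFERS = {"U": "http_uri", "I": "http_raw_uri", "H": "http_header",
                     "D": "http_raw_header", "P": "http_client_body",
                     "C": "http_cookie", "K": "http_raw_cookie",
                     "M": "http_method", "S": "http_stat_code",
                     "Y": "http_stat_msg"}

RAW = "pkt_data"  # Snort 3 keyword that selects the raw payload buffer again


def split_options(body):
    """Split a rule body on ';' outside double quotes, honouring backslashes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            if "".join(cur).strip():
                opts.append("".join(cur).strip())
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def convert_rule(rule):
    """Return the Snort 3 form of a Snort 2 rule; the header is left as-is."""
    head, _, body = rule.partition("(")
    opts = split_options(body.strip().rstrip(")"))
    out, sticky, i = [], RAW, 0
    while i < len(opts):
        name, _, val = opts[i].partition(":")
        name = name.strip()
        if name == "content":
            # Gather the modifiers that follow this content in Snort 2 syntax.
            subs, buf, j = [], RAW, i + 1
            while j < len(opts):
                mname, _, mval = opts[j].partition(":")
                mname = mname.strip()
                if mname in BUFFER_MODS:
                    buf = mname
                elif mname in SUB_OPTIONS:
                    subs.append(f"{mname} {mval.strip()}" if mval else mname)
                else:
                    break
                j += 1
            if buf != sticky:          # emit a sticky buffer only on change
                out.append(f"{buf};")
                sticky = buf
            out.append("content:" + ", ".join([val.strip()] + subs) + ";")
            i = j
        elif name == "pcre":
            pat = val.strip()
            neg = pat.startswith("!")
            regex, flags = pat.lstrip("!").strip('"').rsplit("/", 1)
            buf, kept = RAW, ""
            for f in flags:            # buffer flags select the sticky buffer
                if f in PCRE_FLAG_BUFFERS:
                    buf = PCRE_FLAG_BUFFERS[f]
                else:
                    kept += f
            if buf != sticky:
                out.append(f"{buf};")
                sticky = buf
            out.append(f'pcre:{"!" if neg else ""}"{regex}/{kept}";')
            i += 1
        else:
            out.append(opts[i] + ";")
            i += 1
    return f"{head.strip()} ( {' '.join(out)} )"


# Constructed Snort 2 rule used as sample input (invented, not a Talos rule).
SAMPLE_SNORT2 = ('alert tcp any any -> any 80 (msg:"demo; converted"; '
                 'content:"GET"; depth:3; nocase; '
                 'content:"/admin"; http_uri; nocase; '
                 'pcre:"/admin[0-9]+/Ui"; '
                 'content:"X-Token"; http_header; '
                 'content:"done"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(convert_rule(SAMPLE_SNORT2))
```

Run it with python3 and compare the printed rule with what snort2lua produces for the same input. The converter is deliberately narrow (it ignores fast_pattern:only, byte_extract variables and rawbytes interactions), so treat it as a way to see the transformation, not as a migration tool.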

It also covers new features not demonstrated here:

  • snort2lua, a tool to convert Snort 2.X conf and rules to the new form
  • a new HTTP inspector
  • a binder, for mapping configuration to traffic
  • a wizard for port-independent configuration
  • improved rule parsing - arbitrary whitespace, C style comments, #begin/#end comments
  • local and remote command line shell

SQUEAL

o")~

We hope you are as excited about Snort++ as we are. Let us know what you think on the snort-users list. In the meantime, we'll keep our snout to the grindstone.

snort3_extra's People

Contributors

ansrb, btholpady, cisco-snorty-appid, davism-cisco, dkyrylov, gkoikara, jncornett, katharve, ma-dagon, mjs717, oleksandrserhiienko, prashinde, priyanka-gurudev, sathirka, selysenk, snortadmin, stechew, sunimukh, xiche

snort3_extra's Issues

New Inspector not recognized by snort3

Hi,
I created a new Inspector by copying most of the dpx inspector file.
I updated the sub-directory in ./inspectors and I am able to build/make/make install the project.
I can also see my custom inspector in the build tree. The "custom_plugin.so" file is also placed in the right location.

Now when I try to execute snort3 with a local pcap file:
sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -r ~/pcap_dir/test.pcap -l /var/log/snort --plugin-path /usr/local/etc/so_rules/ --script-path ~/snort3_extra
It runs without any errors and snort3 does what it should do, except that my custom inspector was not loaded and did nothing...
I added some print messages to check whether the methods of my inspector are called.

By the way, I also added the custom inspector to snort.lua:
custom_plugin = { }

I don't know if this information is important, but PKG_CONFIG_PATH is pointing to /usr/local/lib/pkgconfig. (It also contains a snort.pc inside.)

It would be nice if someone knows what I am missing :/

Issue

Snort3_extra fails to compile on CentOS 8. Once compiling reaches 57%, an error terminates the install because a file could not be found.

Custom search engine compiles, but isn't found by snort

I copy-pasted the lowmem search-engine plugin example, and minimally modified it (resulting in a plugin named bruteforce).

The directory layout looks like this:

snort3_extra/src/search_engines/
                                bruteforce/bruteforce.cc
                                           CMakeLists.txt
                                lowmem/...
                                CMakeLists.txt

The modified files from the directory:

After repeating the 3rd step in the README (Compile and install: ./configure_cmake.sh, cd build, make, make install), the shared object files for both lowmem and bruteforce were generated without any errors:

-- Installing: /usr/local/snort/lib/snort/plugins/extra/search_engines/lowmem.so
-- Installing: /usr/local/snort/lib/snort/plugins/extra/search_engines/bruteforce.so

However, only lowmem is recognized when attempting to list any extra plugins:

> snort --plugin-path /usr/local/snort/lib/snort/plugins/extra --list-plugins | grep search_engine
search_engine::ac_bnfa v0 static
search_engine::ac_full v0 static
search_engine::lowmem v0 /usr/local/snort/lib/snort/plugins/extra/search_engines/lowmem.so

Even if bruteforce.so is in the same folder as lowmem.so:

> ls /usr/local/snort/lib/snort/plugins/extra/search_engines/
bruteforce.so  lowmem.so

I can't figure out what I'm missing. Thank you for helping.

None of the required 'snort>=3' found

I'm installing snort extra as described in the "Snort_3_GA_on_CentOS_8_Stream" guide but I get some errors. There are many errors similar to this. Any help is greatly appreciated.

-- Checking for one of the modules 'snort>=3'
CMake Error at /usr/share/cmake/Modules/FindPkgConfig.cmake:843 (message):
  None of the required 'snort>=3' found
Call Stack (most recent call first):
  src/CMakeLists.txt:13 (pkg_search_module)

issue during 'make' step - get_netbios

Hello,

I'm following the steps to build snort3_extras, and at the 'make' command I have an error that is preventing me from building it.

Below are the following errors.

Using latest version of Snort on Ubuntu 20.04

/home/marko/snort_src/snort3_extra/src/inspectors/appid_listener/appid_listener_event_handler.cc: In member function ‘virtual void AppIdListenerEventHandler::handle(snort::DataEvent&, snort::Flow*)’:
/home/marko/snort_src/snort3_extra/src/inspectors/appid_listener/appid_listener_event_handler.cc:81:36: error: ‘const class snort::AppIdSessionApi’ has no member named ‘get_netbios_name’
   81 |     const char *netbios_name = api.get_netbios_name();
      |                                    ^~~~~~~~~~~~~~~~
/home/marko/snort_src/snort3_extra/src/inspectors/appid_listener/appid_listener_event_handler.cc:82:38: error: ‘const class snort::AppIdSessionApi’ has no member named ‘get_netbios_domain’
   82 |     const char *netbios_domain = api.get_netbios_domain();
      |                                      ^~~~~~~~~~~~~~~~~~
make[2]: *** [src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/build.make:76: src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener_event_handler.cc.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:1054: src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/all] Error 2
make: *** [Makefile:152: all] Error 2

Compiling error on CentOS 8: function marked ‘override’, but does not override

Hello,
Two errors occurred when I tried to build snort3_extra on CentOS 8. I followed the instructions from snort-3-0-3-on-centos8, and installed snort3 without problem.
However, when I tried to also install the snort_extra, it couldn't finish compiling.

My building procedures are as follows:

  1. $ git clone https://github.com/snort3/snort3_extra.git

Cloning into 'snort3_extra'...
remote: Enumerating objects: 586, done.
remote: Counting objects: 100% (586/586), done.
remote: Compressing objects: 100% (339/339), done.
remote: Total 3765 (delta 348), reused 465 (delta 245), pack-reused 3179
Receiving objects: 100% (3765/3765), 726.58 KiB | 109.00 KiB/s, done.
Resolving deltas: 100% (2516/2516), done.

  2. $ export PKG_CONFIG_PATH=/usr/local/snort/lib64/pkgconfig:$PKG_CONFIG_PATH

$ echo $PKG_CONFIG_PATH
/usr/local/snort/lib64/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:

  3. ./configure_cmake.sh --prefix=/usr/local/snort/extra

Build Directory : build
Source Directory: /home/snrt/sources/snort3_extra
-- The CXX compiler identification is GNU 8.3.1
-- The C compiler identification is GNU 8.3.1
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Found PkgConfig: /usr/bin/pkg-config (found version "1.4.2")
-- Checking for one of the modules 'snort>=3'

snort_extra version 1.0.0
Install options:
prefix: /usr/local/snort/extra
Compiler options:
CC: /usr/bin/cc
CXX: /usr/bin/c++
CFLAGS: -O3 -I/usr/local/include -I/usr/include/luajit-2.1 -I/usr/include -I/usr/local/include -I/usr/include -I/usr/include -I/usr/include -I/usr/include/uuid -DNDEBUG -g -ggdb
CXXFLAGS: -O3 -fno-rtti -I/usr/local/include -I/usr/include/luajit-2.1 -I/usr/include -I/usr/local/include -I/usr/include -I/usr/include -I/usr/include -I/usr/include/uuid -DNDEBUG -g -ggdb
EXE_LDFLAGS:
MODULE_LDFLAGS:
-- Configuring done
-- Generating done
-- Build files have been written to: /home/snrt/sources/snort3_extra/build

  4. $ cd build/ && make -j$(nproc)
    and here come the errors:

[ 96%] Linking CXX shared module lowmem.so
[ 96%] Built target sid_18758
Scanning dependencies of target tp_appid_example
[ 98%] Building CXX object src/tp_appid/CMakeFiles/tp_appid_example.dir/tp_appid_example.cc.o
[ 98%] Built target lowmem
/home/snrt/sources/snort3_extra/src/tp_appid/tp_appid_example.cc:71:10: error: ‘bool ThirdPartyAppIdContextImpl::tfini(bool)’ marked ‘override’, but does not override
bool tfini(bool) override
^~~~~
/home/snrt/sources/snort3_extra/src/tp_appid/tp_appid_example.cc: In function ‘ThirdPartyAppIdContextImpl* tp_appid_create_ctxt(ThirdPartyConfig&)’:
/home/snrt/sources/snort3_extra/src/tp_appid/tp_appid_example.cc:127:95: error: invalid new-expression of abstract class type ‘ThirdPartyAppIdContextImpl’
new ThirdPartyAppIdContextImpl(THIRD_PARTY_APPID_API_VERSION,"third party", cfg);
^
/home/snrt/sources/snort3_extra/src/tp_appid/tp_appid_example.cc:49:7: note: because the following virtual functions are pure within ‘ThirdPartyAppIdContextImpl’:
class ThirdPartyAppIdContextImpl : public ThirdPartyAppIdContext
^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /home/snrt/sources/snort3_extra/src/tp_appid/tp_appid_example.cc:41:
/usr/local/snort/include/snort/network_inspectors/appid/tp_appid_module_api.h:63:18: note: ‘virtual bool ThirdPartyAppIdContext::tfini(bool, bool)’
virtual bool tfini(bool reload = false, bool is_idling = false) = 0;
^~~~~
make[2]: *** [src/tp_appid/CMakeFiles/tp_appid_example.dir/build.make:63: src/tp_appid/CMakeFiles/tp_appid_example.dir/tp_appid_example.cc.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:1664: src/tp_appid/CMakeFiles/tp_appid_example.dir/all] Error 2
make: *** [Makefile:152: all] Error 2

It seems to me these are C++ syntax errors rather than a library dependency issue.

Thanks for your help!

[API Question] How to use per rule arguments for a new ips action plugin

Hello,

I'm trying to develop a simple ips_action plugin. I need to use per-rule arguments for the action.

newaction tcp any any -> any any ( msg: "new action test", newvar: "abc" )

Is it possible to access newvar variable within void NewAction::exec(Packet* p) function?
Or do you suggest another way to pass per rule arguments to action?

Thanks

Cannot build 3.1.0.47 but 3.1.0.42 builds successfully

I am getting an error while building https://github.com/snort3/snort3_extra/releases/tag/3.1.47.0 but https://github.com/snort3/snort3_extra/releases/tag/3.1.42.0 builds without the error.

...
[ 38%] Building CXX object src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener.cc.o
[ 40%] Building CXX object src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener_event_handler.cc.o
/build/snort-extras/src/snort3_extra-3.1.47.0/src/inspectors/appid_listener/appid_listener_event_handler.cc: In member function ‘virtual void AppIdListenerEventHandler::handle(snort::DataEvent&, snort::Flow*)’:
/build/snort-extras/src/snort3_extra-3.1.47.0/src/inspectors/appid_listener/appid_listener_event_handler.cc:39:24: error: ‘APPID_DISCOVERY_FINISHED_BIT’ was not declared in this scope
   39 |     temp_ac_bits.reset(APPID_DISCOVERY_FINISHED_BIT);
      |                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/build.make:90: src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener_event_handler.cc.o] Error 1
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[1]: *** [CMakeFiles/Makefile2:964: src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/all] Error 2
make[1]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make: *** [Makefile:156: all] Error 2
make: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
...

Entire build log:

export PKG_CONFIG_PATH=/usr/lib/pkgconfig
./configure_cmake.sh
make -j1 -C build
Build Directory : build
Source Directory: /build/snort-extras/src/snort3_extra-3.1.47.0
-- The CXX compiler identification is GNU 12.2.0
-- The C compiler identification is GNU 12.2.0
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Found PkgConfig: /usr/bin/pkg-config (found version "1.8.0") 
-- Checking for one of the modules 'snort>=3'

-------------------------------------------------------
extra version 1.0.0

Install options:
    prefix:     /usr/local/snort

Compiler options:
    CC:             /usr/bin/cc
    CXX:            /usr/bin/c++
    CFLAGS:         -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -flto=auto  -I/usr/include  -I/usr/include/luajit-2.1  -I/usr/include        -I/usr/include  -I/usr/include  -I/usr/include  -I/usr/include/uuid     -DNDEBUG -g -ggdb   
    CXXFLAGS:       -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -Wp,-D_GLIBCXX_ASSERTIONS -flto=auto  -I/usr/include  -I/usr/include/luajit-2.1  -I/usr/include        -I/usr/include  -I/usr/include  -I/usr/include  -I/usr/include/uuid     -DNDEBUG -g -ggdb   
    EXE_LDFLAGS:    -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto    
    MODULE_LDFLAGS: -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto    

-- Configuring done
-- Generating done
-- Build files have been written to: /build/snort-extras/src/snort3_extra-3.1.47.0/build
make: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[1]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[  1%] Building CXX object src/codecs/cd_eapol/CMakeFiles/cd_eapol.dir/cd_eapol.cc.o
[  3%] Linking CXX shared module cd_eapol.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[  3%] Built target cd_eapol
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[  5%] Building CXX object src/codecs/cd_linux_sll/CMakeFiles/cd_linux_sll.dir/cd_linux_sll.cc.o
[  7%] Linking CXX shared module cd_linux_sll.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[  7%] Built target cd_linux_sll
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[  9%] Building CXX object src/codecs/cd_null/CMakeFiles/cd_null.dir/cd_null.cc.o
[ 10%] Linking CXX shared module cd_null.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 10%] Built target cd_null
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 12%] Building CXX object src/codecs/cd_pflog/CMakeFiles/cd_pflog.dir/cd_pflog.cc.o
[ 14%] Linking CXX shared module cd_pflog.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 14%] Built target cd_pflog
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 16%] Building CXX object src/codecs/cd_pbb/CMakeFiles/cd_pbb.dir/cd_pbb.cc.o
[ 18%] Linking CXX shared module cd_pbb.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 18%] Built target cd_pbb
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 20%] Building CXX object src/codecs/cd_ppp/CMakeFiles/cd_ppp.dir/cd_ppp.cc.o
[ 21%] Linking CXX shared module cd_ppp.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 21%] Built target cd_ppp
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 23%] Building CXX object src/codecs/cd_slip/CMakeFiles/cd_slip.dir/cd_slip.cc.o
[ 25%] Linking CXX shared module cd_slip.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 25%] Built target cd_slip
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 27%] Building CXX object src/codecs/cd_token_ring/CMakeFiles/cd_token_ring.dir/cd_token_ring.cc.o
[ 29%] Linking CXX shared module cd_token_ring.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 29%] Built target cd_token_ring
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 30%] Building CXX object src/codecs/cd_wlan/CMakeFiles/cd_wlan.dir/cd_wlan.cc.o
[ 32%] Linking CXX shared module cd_wlan.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 32%] Built target cd_wlan
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 34%] Building C object src/daqs/daq_socket/CMakeFiles/daq_socket.dir/daq_socket.c.o
[ 36%] Linking C shared module daq_socket.so
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 36%] Built target daq_socket
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[2]: Entering directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
[ 38%] Building CXX object src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener.cc.o
[ 40%] Building CXX object src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener_event_handler.cc.o
/build/snort-extras/src/snort3_extra-3.1.47.0/src/inspectors/appid_listener/appid_listener_event_handler.cc: In member function ‘virtual void AppIdListenerEventHandler::handle(snort::DataEvent&, snort::Flow*)’:
/build/snort-extras/src/snort3_extra-3.1.47.0/src/inspectors/appid_listener/appid_listener_event_handler.cc:39:24: error: ‘APPID_DISCOVERY_FINISHED_BIT’ was not declared in this scope
   39 |     temp_ac_bits.reset(APPID_DISCOVERY_FINISHED_BIT);
      |                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/build.make:90: src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/appid_listener_event_handler.cc.o] Error 1
make[2]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make[1]: *** [CMakeFiles/Makefile2:964: src/inspectors/appid_listener/CMakeFiles/appid_listener.dir/all] Error 2
make[1]: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'
make: *** [Makefile:156: all] Error 2
make: Leaving directory '/build/snort-extras/src/snort3_extra-3.1.47.0/build'

fatal error: daq/daq_user.h No such file or directory

I keep getting the following error. Any help appreciated.

[ 34%] Built target cd_eapol
[ 34%] Built target cd_linux_sll
[ 34%] Built target cd_null
[ 34%] Built target cd_pflog
[ 34%] Built target cd_pbb
[ 34%] Built target cd_ppp
[ 34%] Built target cd_slip
[ 34%] Built target cd_token_ring
[ 34%] Built target cd_wlan
[ 34%] Building C object src/daqs/daq_socket/CMakeFiles/daq_socket.dir/daq_socket.c.o
/home/ubuntu/snort_src/snort3_extra/src/daqs/daq_socket/daq_socket.c:38:10: fatal error: daq/daq_user.h: No such file or directory
38 | #include <daq/daq_user.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [src/daqs/daq_socket/CMakeFiles/daq_socket.dir/build.make:82: src/daqs/daq_socket/CMakeFiles/daq_socket.dir/daq_socket.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:1067: src/daqs/daq_socket/CMakeFiles/daq_socket.dir/all] Error 2
make: *** [Makefile:171: all] Error 2

data_log inspector logging

Snort Extra 3.1.77 does not seem to log to the data_log file while snort is running. If you terminate the process, it flushes the stream to the file. I assume this is because we have TextLog_Term(tlog); in tterm in data_log.cc, but we don't have TextLog_Flush(tlog); in void LogHandler::handle(DataEvent& e, Flow* f) in data_log.cc. I have added TextLog_Flush(tlog); at the end of the handle method, and it looks like it's working for me now.
