Testing Snort 2.9.x

The following are proof-of-concept ports of daq and Snort 2.9.2.3. daq is the new data acquisition library that is used by Snort 2.9.x to capture packets. These ports are very hackish and only meant to confirm that Snort can link and run with the new libpcap, so please exercise caution when using them. :)

Also, if anything breaks, please don't bug the current Snort port maintainer because it's not his fault. :) Send feedback and flames to lteo()openbsd.org instead.

Download Links

Suggested Test Procedure

Here's a suggested way to test Snort 2.9.x:

  1. Create the required directories:
    mkdir -p /usr/ports/mystuff/net
  2. Extract the daq and Snort ports above to /usr/ports/mystuff/net/
  3. Build and install daq and snort:
    cd /usr/ports/mystuff/net/daq && make install
    cd /usr/ports/mystuff/net/snort && make install
  4. If you don't have a Snort "oinkcode", get one here.
  5. Download the Snort rules using the following command:
    ftp -o snortrules.tar.gz http://www.snort.org/sub-rules/snortrules-snapshot-2922.tar.gz/oinkcode
    (Replace oinkcode with yours)
    Snort rules from Emerging Threats should also work, but I have not tried them.
  6. Extract snortrules.tar.gz and copy the files in rules/* to /etc/snort/rules/
  7. Run Snort:
    /usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
  8. An easy way to test if Snort is capturing packets correctly with the new libpcap is to run:
    ftp http://lteo.net/cmd.exe
    There is no cmd.exe at that URL, but the request should trigger the "WEB-IIS cmd.exe access" alert in /var/snort/log/alert

The above is just a suggested test method. It would definitely help too if you could test Snort the way you normally run it.
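As an added example (not part of the original page or the ports), here is a small sh script that turns step 8 into a yes/no check by parsing /var/snort/log/alert for the expected rule message. It assumes Snort's default "full" alert file layout; the sample alert content and its sid/rev numbers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: check the alert file written by
# step 7 for the alert that step 8 should produce. Assumes Snort's default
# "full" alert format, where every alert starts with a header line like
#   [**] [gid:sid:rev] RULE MESSAGE [**]

# Constructed sample of alert file content (not real captured traffic); the
# sid/rev values are illustrative only.
SAMPLE_ALERT='[**] [1:1002:11] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
03/17-12:00:01.123456 192.0.2.10:43210 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:100 DF

[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/17-12:00:01.456789 198.51.100.5:80 -> 192.0.2.10:43210
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:200 DF
'

# count_alerts FILE MSG: number of alert headers in FILE whose rule message
# is exactly MSG (fixed-string, whole-field comparison). Prints 0 if FILE is
# missing, so callers always get a number.
count_alerts() {
    [ -f "$1" ] || { echo 0; return; }
    sed -n 's/^\[\*\*\] \[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[\*\*\]$/\1/p' "$1" \
        | grep -cxF -- "$2" || true
}

# snort_test_passed FILE: exit 0 if the step-8 alert was logged at least once.
snort_test_passed() {
    n=$(count_alerts "$1" "WEB-IIS cmd.exe access")
    [ "$n" -ge 1 ]
}

# Stand-alone demo against the constructed sample in a temporary file.
# On a real host run: snort_test_passed /var/snort/log/alert
demo() {
    tmp=$(mktemp /tmp/snortalert.XXXXXX) || return 1
    printf '%s\n' "$SAMPLE_ALERT" > "$tmp"
    if snort_test_passed "$tmp"; then
        echo "alert found: $(count_alerts "$tmp" 'WEB-IIS cmd.exe access') hit(s)"
    else
        echo "alert not found; check that Snort is listening on the right interface"
    fi
    rm -f "$tmp"
}

demo
```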
