base on Snort++ # Snort++ Snort 3 is the next generation Snort IPS (Intrusion Prevention System). This file will show you what Snort++ has to offer and guide you through the steps from download to demo. If you are unfamiliar with Snort you should take a look at the Snort documentation first. We will cover the following topics: --- * [Overview](#overview) * [Dependencies](#dependencies) * [Download](#download) * [Build Snort](#build-snort) * [Run Snort](#run-snort) * [Documentation](#documentation) * [Squeal](#squeal) # OVERVIEW This version of Snort++ includes new features as well as all Snort 2.X features and bug fixes for the base version of Snort except as indicated below: Project = Snort++ Binary = snort Version = 3.0.0 (Build 250) from 2.9.11 Here are some key features of Snort++: * Support multiple packet processing threads * Use a shared configuration and attribute table * Use a simple, scriptable configuration * Make key components pluggable * Autodetect services for portless configuration * Support sticky buffers in rules * Autogenerate reference documentation * Provide better cross platform support * Facilitate component testing * Use a shared network map Additional features on the roadmap include: * Support pipelining of packet processing * Support hardware offload and data plane integration * Support proxy mode * Windows support # DEPENDENCIES If you already build Snort, you may have everything you need. If not, grab the latest: * cmake to build from source * daq from https://github.com/snort3/libdaq for packet IO * dnet from https://github.com/dugsong/libdnet.git for network utility functions * flex >= 2.6.0 from https://github.com/westes/flex for JavaScript syntax parser * g++ >= 7 or other C++17 compiler * hwloc from https://www.open-mpi.org/projects/hwloc/ for CPU affinity management * LuaJIT from http://luajit.org for configuration and scripting * OpenSSL from https://www.openssl.org/source/ for SHA and MD5 file signatures, the protected_content rule option, and SSL service detection * pcap from http://www.tcpdump.org for tcpdump style logging * pcre from http://www.pcre.org for regular expression pattern matching * pkgconfig from https://www.freedesktop.org/wiki/Software/pkg-config/ to locate build dependencies * zlib from http://www.zlib.net for decompression Additional packages provide optional features. Check the manual for more. # DOWNLOAD There is a source tarball available in the Downloads section on snort.org: snort-3.0.0-a3.tar.gz You can also get the code with: git clone https://github.com/snort3/snort3.git There are separate extras packages for cmake that provide additional features and demonstrate how to build plugins. The source for extras is in snort3_extra.git repo. # BUILD SNORT Follow these steps: 1. Set up source directory: * If you are using a github clone: ```shell cd snort3/ ``` * Otherwise, do this: ```shell tar zxf snort-tarball cd snort-3.0.0* ``` 2. Setup install path: ```shell export my_path=/path/to/snorty ``` 3. Compile and install: * To build with cmake and make, run configure_cmake.sh. It will automatically create and populate a new subdirectory named 'build'. ```shell ./configure_cmake.sh --prefix=$my_path cd build make -j $(nproc) install ``` **_Note_**: * If you can do src/snort -V you built successfully. * If you are familiar with cmake, you can run cmake/ccmake instead of configure_cmake.sh. * cmake --help will list any available generators, such as Xcode. Feel free to use one, however help with those will be provided separately. # RUN SNORT Here are some examples. If you are using Talos rules and/or configs, you should first set any needed variables at the top of snort.lua and snort_defaults.lua. * Snort++ provides lots of help from the command line, including: ```shell $my_path/bin/snort --help $my_path/bin/snort --help-module suppress $my_path/bin/snort --help-config | grep thread ``` * Examine and dump a pcap. In the following, replace a.pcap with your favorite: ```shell $my_path/bin/snort -r a.pcap $my_path/bin/snort -L dump -d -e -q -r a.pcap ``` * Verify a config, with or w/o rules: ```shell $my_path/bin/snort -c $my_path/etc/snort/snort.lua $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules ``` * Run IDS mode. In the following, replace pcaps/ with a path to a directory with one or more *.pcap files: ```shell $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \ -r a.pcap -A alert_test -n 100000 ``` * Let's suppress 1:2123. We could edit the conf or just do this: ```shell $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \ -r a.pcap -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }" ``` * Go whole hog on a directory with multiple packet threads: ```shell $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \ --pcap-filter \*.pcap --pcap-dir pcaps/ -A alert_fast --max-packet-threads 8 ``` Additional examples are given in doc/usage.txt. # DOCUMENTATION Take a look at the manual, parts of which are generated by the code so it stays up to date: ```shell $my_path/share/doc/snort/snort_manual.pdf $my_path/share/doc/snort/snort_manual.html $my_path/share/doc/snort/snort_manual/index.html ``` It does not yet have much on the how and why, but it does have all the currently available configuration, etc. Some key changes to rules: * you must use comma separated content sub options like this: content:"foo", nocase; * buffer selectors must appear before the content and remain in effect until changed * pcre buffer selectors were deleted * check the manual for more on Snort++ vs Snort * check the manual reference section to understand how parameters are defined, etc. It also covers new features not demonstrated here: * snort2lua, a tool to convert Snort 2.X conf and rules to the new form * a new HTTP inspector * a binder, for mapping configuration to traffic * a wizard for port-independent configuration * improved rule parsing - arbitrary whitespace, C style comments, #begin/#end comments * local and remote command line shell # SQUEAL `o")~` We hope you are as excited about Snort++ as we are. Let us know what you think on the snort-users list. In the meantime, we'll keep our snout to the grindstone. ", Assign "at most 3 tags" to the expected json: {"id":"10247","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"