Wednesday, September 21, 2005

The Snort/Visual Studio Experiment

My good friend and mentor, Richard Bejtlich, asked me in his post about compiling Snort from source for Windows ( http://taosecurity.blogspot.com/2005/09/compiling-snort-on-windows-many-of-you.html ) to try compiling Snort under Windows and post my results. I figured this is a great opportunity to pass some knowledge back his way, since he provides the community with so many great articles.

The observed behavior, based on the original article, is that Snort is difficult to compile under Windows. When compiling Snort in Visual Studio, there were numerous errors. The compiler used, however, was Visual Studio .Net. Snort has been compiled and run from Visual C++ 6.0 without any issues in the past. Based on these observations, I hypothesize that, due to changes in the architecture between the two versions, Snort will not compile correctly under the .Net environment.

My testing environment is a Windows 2000 Server SP4 system with Visual Studio 6.0 and Visual Studio .Net installed. I will use Visual Studio 6.0 as my control and .Net as my experimental variable. I did not install Visual Studio Express since it is still in beta. I will not use the build scripts for either version: if there are errors with the build, I want to be able to troubleshoot what went wrong from within the Visual Studio IDE.

My first step was to download the Snort 2.4.1 source code from http://www.snort.org/. I extracted the archive into F:\snort-src in my development environment. I read the README.WIN32 file under the docs folder, which clued me in that I needed to download and install the WinPcap v3.0 libraries. These are available from http://winpcap.polito.it . I downloaded both the Windows Developer pack and the source code for WinPcap, just to be safe. The files for the version 3 developer's kit were extracted to F:\snort-src\winpcap.

This is the process I used for compiling under the control setup. I opened Visual C++ 6.0, went to “File”, “Open Workspace”, and navigated to the Snort workspace at F:\snort-src\snort-2.4.1\src\win32\WIN32-prj\snort.dsw. After opening the workspace, I went under “Tools”, “Options”, selected the Directories tab, and added the location of the WinPcap headers, “F:\Snort-SRC\WINPCAP\WPDPACK\INCLUDE”. I also changed the build configuration to SNORT-MYSQL-Release and disabled MySQL, since I do not need database support. The pictures for this are below.

[Three screenshots of the Visual C++ 6.0 configuration steps, hosted on Photobucket; images not preserved.]

Next I went to “Build” and selected “Build snort.exe”. I now have a working Snort executable. I copy the snort.exe file one directory level down so that it resides in the same folder as LibnetNT.dll and pcre.dll. I run snort.exe -? and get the familiar Snort help screen. Satisfied, I copy my directory to a Jumpdrive and move this effort over to my laptop.

[Screenshot hosted on Photobucket; image not preserved.]

From the laptop, I plug in the Jumpdrive. I am now ready to test whether Snort is working. The first thing I do is run Snort with the -W switch to list the available interfaces.

E:\Snort\snort-src\snort-2.4.1\src\win32\WIN32-Prj>snort -W

,,_ -*> Snort! <*-
o" )~ Version 2.4.1-ODBC-FlexRESP-WIN32 (Build 24)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.


Interface Device Description
-------------------------------------------
1 \Device\NPF_NdisWanIp (NdisWan Adapter)
2 \Device\NPF_{CE9D3D8B-28A1-4EC0-9A4A-180B40A0D886} (VMware Virtual Ethernet Adapter)
3 \Device\NPF_{2609FD97-9853-4744-83A4-B1F4DDF47A45} (FE575 Ethernet Adapter)
4 \Device\NPF_{54038C41-56BF-40C1-9699-7D6C5BAF8F18} (VMware Virtual Ethernet Adapter)

I now have a list of interfaces for Snort. Next I want to test Snort on the EtherFast adapter, which is interface 3. Below is a transcript of that session.

E:\Snort\snort-src\snort-2.4.1\src\win32\WIN32-Prj>snort -v -n 3 -i 3
Running in packet dump mode

Initializing Network Interface \Device\NPF_{2609FD97-9853-4744-83A4-B1F4DDF47A45}

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{2609FD97-9853-4744-83A4-B1F4DDF47A45}

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.4.1-ODBC-FlexRESP-WIN32 (Build 24)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.

09/20-22:00:14.660476 192.168.100.100:2724 -> 63.209.221.228:80
TCP TTL:127 TOS:0x0 ID:56743 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x9AE1529A Ack: 0x6350200B Win: 0xFBFF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/20-22:00:17.129746 192.168.100.100:2726 -> 64.4.61.250:80
TCP TTL:127 TOS:0x0 ID:56744 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD676A133 Ack: 0x0 Win: 0xFC00 TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/20-22:00:17.195600 64.4.61.250:80 -> 192.168.100.100:2726
TCP TTL:113 TOS:0x0 ID:8430 IpLen:20 DgmLen:48
***A**S* Seq: 0x9A597579 Ack: 0xD676A134 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Run time for packet processing was 2.554000 seconds


===============================================================================

Snort received 8 packets
Analyzed: 8(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 3 (37.500%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting

Now, I download the latest Snort rule set and extract it to the C:\snort_rules directory. I modify snort.conf to disable the Snort performance plug-in, and run Snort with the following command.

snort -c "C:\snort_rules\rules\snort.conf" -l "C:\snort_data" -A full -i 3 -d -e -X

I go visit a few websites and then check the contents of C:\snort_data to see if I am capturing anything.

C:\snort_data>dir
Volume in drive C is Local Disk
Volume Serial Number is C4C0-6A2C

Directory of C:\snort_data

09/20/2005 10:19p <DIR> .
09/20/2005 10:19p <DIR> ..
09/20/2005 10:23p 2,128 alert.ids
09/20/2005 10:07p <DIR> portscans
09/20/2005 10:07p 24 snort.log.1127279242
09/20/2005 10:08p 24 snort.log.1127279321
09/20/2005 10:08p 24 snort.log.1127279334
09/20/2005 10:23p 8,712 snort.log.1127279986
09/20/2005 06:59p <DIR> ssn_logs
5 File(s) 10,912 bytes
4 Dir(s) 4,287,774,720 bytes free

I can see from the files in the snort_data directory that I am capturing data. Now I want to capture all packets without using an alert mode, so I run the following command:

E:\Snort\snort-src\snort-2.4.1\src\win32\WIN32-Prj>snort -i 3 -l "C:\snort_data" -b
Running in packet logging mode
Log directory = C:\snort_data

Initializing Network Interface \Device\NPF_{2609FD97-9853-4744-83A4-B1F4DDF47A45}

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{2609FD97-9853-4744-83A4-B1F4DDF47A45}

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.4.1-ODBC-FlexRESP-WIN32 (Build 24)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.

Now, let's see what the results of my capture are:

C:\snort_data>dir
Volume in drive C is Local Disk
Volume Serial Number is C4C0-6A2C

Directory of C:\snort_data

09/20/2005 11:01p <DIR> .
09/20/2005 11:01p <DIR> ..
09/20/2005 10:54p 8,457 alert.ids
09/20/2005 10:07p <DIR> portscans
09/20/2005 10:07p 24 snort.log.1127279242
09/20/2005 10:08p 24 snort.log.1127279321
09/20/2005 10:08p 24 snort.log.1127279334
09/20/2005 10:23p 8,712 snort.log.1127279986
09/20/2005 10:33p 1,691 snort.log.1127280774
09/20/2005 10:54p 4,665 snort.log.1127281919
09/20/2005 11:03p 561,373 snort.log.1127282467
09/20/2005 06:59p <DIR> ssn_logs
8 File(s) 584,970 bytes
4 Dir(s) 4,252,270,592 bytes free

Excellent. I decide to view the results of my packet capture in Ethereal. Here is a screenshot.

[Screenshot of the capture opened in Ethereal, hosted on Photobucket; image not preserved.]
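The snort.log.* files written by -b (and by the default logging mode) are libpcap captures, which is why Ethereal opens them directly, and a file of exactly 24 bytes, like the first three in the listing above, is a pcap global header with no packet records behind it. The following reader is an added example, not code from the original post or from Snort: it walks such a file, counts the records, checks both byte orders of the magic number, and flags a final record that was cut short (for instance when Snort is killed mid-write). The sample bytes it runs over are constructed inline, and build_pcap is a helper written here, not a Snort tool.

```python
import struct
from collections import namedtuple
from typing import List, Tuple

GLOBAL_HDR_LEN = 24   # a snort.log.* of exactly 24 bytes is a header with no packets
PKT_HDR_LEN = 16      # ts_sec, ts_usec, incl_len, orig_len (each uint32)
LINKTYPE_ETHERNET = 1
# truncated: the last record was cut short, e.g. Snort killed mid-write
PcapSummary = namedtuple("PcapSummary", "linktype snaplen packets first_ts last_ts truncated")


def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk a libpcap file as written by 'snort -b' and summarise its records."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":    # 0xa1b2c3d4 stored little-endian (x86 Windows)
        e = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":  # big-endian writer
        e = ">"
    else:
        raise ValueError("not a libpcap file, magic %s" % data[:4].hex())
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    count, first, last, truncated, off = 0, None, None, False, GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < PKT_HDR_LEN:
            truncated = True
            break
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(e + "IIII", data[off:off + PKT_HDR_LEN])
        off += PKT_HDR_LEN
        if incl_len > snaplen or incl_len > len(data) - off:  # record claims more than is present
            truncated = True
            break
        ts = ts_sec + ts_usec / 1e6
        first = ts if first is None else first
        last, count, off = ts, count + 1, off + incl_len
    return PcapSummary(linktype, snaplen, count, first, last, truncated)


def build_pcap(records: List[Tuple[int, int, bytes]], snaplen: int = 1514) -> bytes:
    """Constructed sample writer (little-endian, Ethernet) used only to feed the parser."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed inputs: an empty log (like the 24-byte snort.log files above), two packets, and a cut-off copy.
EMPTY_LOG = build_pcap([])
TWO_PKT_LOG = build_pcap([(1127279242, 660476, b"\x00" * 60), (1127279244, 129746, b"\x00" * 74)])
TRUNCATED_LOG = TWO_PKT_LOG[:-10]
```

To inspect a real capture, call summarize_pcap(open(path, "rb").read()) on one of the snort.log.* files.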

I delete the contents of the target build directories to get ready to test my experimental group. The procedure for compiling under Visual Studio .Net is similar to 6.0. I moved back over to my development environment, opened VS, went into “File”, “Open Project”, and went to the Snort source directory. I was prompted to convert the project to the updated Visual Studio .Net format, which I answered with “Yes to All”. I proceeded to add the WinPcap headers by going to “Tools”, “Options”, and “Projects”, selecting the “Include Locations” option and navigating to the WinPcap include folder. I then went under “Project”, “Properties”, “C/C++”, and “Preprocessor” and disabled MySQL support. I then went to “Build” and chose “Build Solution”. My first build failed due to the lack of the MySQL libraries, so I rechecked my Preprocessor options to make sure MySQL was disabled. The ENABLE_MYSQL macro was set again (I could have sworn I changed that), so I changed it to DISABLE_MYSQL and rebuilt. The build succeeded. I copied the snort.exe file one level down into the same directory as PCRE.DLL and LibnetNT.dll. Below are the results of the testing session.

F:\snort-src\snort-2.4.1\src\win32\WIN32-Prj>snort -W

,,_ -*> Snort! <*-
o" )~ Version 2.4.1-ODBC-FlexRESP-WIN32 [DEBUG] (Build 24)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.


Interface Device Description
-------------------------------------------
1 \Device\NPF_{FEBD0677-AC22-4B78-A66C-028BFC31F32C} (Intel(R) PRO/1000 MT Network Connection)
2 \Device\NPF_{4D8EEEE1-5582-4894-9AAB-19BB83CA16E1} (VMware Virtual Ethernet Adapter)


F:\snort-src\snort-2.4.1\src\win32\WIN32-Prj>snort -b -i 1 -l "F:\temp\snort\"
ERROR: log directory 'F:\temp\snort"' does not exist
Fatal Error, Quitting..

F:\snort-src\snort-2.4.1\src\win32\WIN32-Prj>snort -b -i 1 -l "F:\temp\snort"
Running in packet logging mode
Log directory = F:\temp\snort

Initializing Network Interface \Device\NPF_{FEBD0677-AC22-4B78-A66C-028BFC31F32C}

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{FEBD0677-AC22-4B78-A66C-028BFC31F32C}

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.4.1-ODBC-FlexRESP-WIN32 [DEBUG] (Build 24)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.



===============================================================================

Snort received 7099 packets
Analyzed: 7099(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 7056 (99.394%)
UDP: 20 (0.282%)
ICMP: 0 (0.000%)
ARP: 6 (0.085%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 7082
PASSED: 0
===============================================================================
pcap_loop: read error: PacketReceivePacket failed

F:\snort-src\snort-2.4.1\src\win32\WIN32-Prj>cd f:\temp\snort

F:\temp\snort>dir
Volume in drive F is data
Volume Serial Number is 906A-3692

Directory of F:\temp\snort

09/21/2005 10:25a <DIR> .
09/21/2005 10:25a <DIR> ..
09/21/2005 10:27a 4,233,615 snort.log.1127316305
1 File(s) 4,233,615 bytes
2 Dir(s) 16,851,120,128 bytes free

Building in Visual Studio .Net worked. Based on the results of the experiment, I conclude that my original hypothesis, that Snort will not compile under Visual Studio .Net, was incorrect, and that Snort should compile successfully regardless of which version of Visual Studio you use. Hopefully, based on these results, Rich can go back to using Visual C++ .Net Express and confirm that Snort compiles with that version as well.

Update: I went ahead and tried to do the compile with Visual C++ .Net Express. This resulted in a failure. For some odd reason the dialog box to select the include directories was blank and did not allow me to add new directories. It was also missing some basic Windows header files that I am guessing do not come with the Express version. So even if Rich had used the same steps, his efforts would not have succeeded.

Update (03-OCT-2005): I’d like to thank Ronaldo Vasconcellos for notifying me that Snort v2.4.2 was released last week, which included the Windows binaries. Out of curiosity I downloaded the source files and followed my instructions for compiling under 2.4.1, and they do work.

I would also like to thank the Sourcefire/Snort team for all their hard work. Without them, the community would not have such a great tool at our disposal.

4 comments:

Anonymous said...

I AM NOT GETTING ANY ALERTS IN SNORT. THIS IS THE COMMAND GIVEN BY ME.... PLEEEEEZ HELP
TNX IN ADVANCE,,,,
C:\Snort\etc>content -i 3 -l c:\snort\log
Running in packet logging mode
Log directory = c:\snort\log

Initializing Network Interface \Device\NPF_{FB2A9862-CED9-4B98-9A96-24BE416D6F92}

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{FB2A9862-CED9-4B98-9A96-24BE416D6F92}

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.4.3-ODBC-MySQL-FlexRESP-WIN32 (Build 26)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.



===============================================================================

Snort received 65300 packets
Analyzed: 65300(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 58529 (89.631%)
UDP: 2598 (3.979%)
ICMP: 386 (0.591%)
ARP: 909 (1.392%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 1 (0.002%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 2879 (4.409%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 65314
PASSED: 0
===============================================================================
Snort exiting
HAVE CHECKED ALL OPTIONS.

Anonymous said...

Y I AM NOT GETTING ANY ALERTS??
SOME ONE PLEEZ HELP...

John Ward said...

Using the -l switch will log to pcap files; it will not display alerts on the console. If you want to see the alerts, try "snort -i <interface number> -N -A console". Then you will see alerts on the console.

e-learning said...

Thank you for sharing. Even though I'm not into Visual Studio or any Microsoft products, I can still gain some knowledge from this.