Software Installation
A development snapshot of the current alert verification implementation is
available as a patch against Snort v2.1.3.
The build environment has been modified to attempt to download
and build a private copy of the requisite Nessus libraries if they aren't already
present on your system. However, we have had problems in certain cases with
library mismatches, so the safest bet is to install your OS vendor's Nessus
packages.
Read on for a step-by-step installation procedure.
Patching Snort
To apply the patch to an existing source tree, one can do the following:
$ cd snort-2.1.3
$ zcat snort-av-2.1.3-0.9.6.diff.gz | patch -p1
Building and Installing
Configuring, building, and installing the package can be accomplished by
executing the following:
$ ./configure --prefix=/some/prefix/here
$ make
$ make install
Runtime Configuration
The snort installation process has been modified to install a default snort.conf
and ruleset into your installation tree automatically. To enable alert
verification at runtime, you will need to add the "-a" argument with a verification
mode to the list of arguments you generally would pass to snort on the command
line. So, to suppress alerts that the verification subsystem considers false
positives, one would do:
$ ./snort -a suppress [...]
To merely tag alerts with their verification status, one would do instead:
$ ./snort -a mark [...]
In addition, snort must be told where to find the verification scripts,
which are a set of links which index into a directory of NASL scripts by CVE
ID. By default, this is set in the snort.conf we provide with the
VERIFICATION_SCRIPT_DIR variable, so no action is strictly necessary on your
part. However, you can use the "-x <dir>" argument to specify an alternate
link directory.
Another tunable is the verification cache timeout, which controls how long
the results of a verified alert are cached. The current default is 120
seconds, which can be modified with the "-K <seconds>" argument on the
command line.
A final tunable is the size of the verification thread pool, which allows
for the parallelization of verification attempts. The current default is 5
verification threads, which can be modified with the "-H <num>" argument on
the command line.
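One check worth running before pointing snort at a link directory with "-x" is to confirm that every link actually resolves to a NASL script; a dangling link means the alert for that CVE can never be verified. The script below is an added example and not part of the snort-av patch: the page only states that the links index the NASL directory by CVE ID, so the link naming (a bare CVE ID) and the .nasl target suffix are our assumptions.

```shell
#!/bin/sh
# Added example, not snort-av project code. Assumption (not stated on the
# page): each entry in the link directory is a symlink named after a CVE ID
# (e.g. CVE-2003-0001) that points at a readable .nasl script.

# Print one line per problem found in the link directory $1; return 0 when
# every entry is a CVE-named symlink resolving to a .nasl file, else 1.
check_verification_links() {
    linkdir=$1
    bad=0
    for link in "$linkdir"/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # empty directory
        name=$(basename "$link")
        case $name in
            CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
            *) echo "not a CVE ID: $name"; bad=1; continue ;;
        esac
        if [ ! -L "$link" ]; then
            echo "not a symlink: $name"; bad=1; continue
        fi
        if [ ! -r "$link" ]; then            # symlink exists but target does not
            echo "dangling link: $name"; bad=1; continue
        fi
        case $(readlink "$link") in
            *.nasl) ;;
            *) echo "does not point at a .nasl script: $name"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample layout under $1: a NASL directory plus a link directory
# holding one good link, one dangling link and one badly named entry.
make_sample() {
    root=$1
    mkdir -p "$root/nasl" "$root/links"
    echo '# constructed NASL stub' > "$root/nasl/example_check.nasl"
    ln -s "$root/nasl/example_check.nasl" "$root/links/CVE-2003-0001"
    ln -s "$root/nasl/missing.nasl"       "$root/links/CVE-2003-0002"
    : > "$root/links/notes.txt"
}

# Usage: sh check_links.sh /path/to/verification/links
[ $# -eq 0 ] || check_verification_links "$1"
```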
Feel free to contact us with any feedback or questions.
Snort Alert Verification v0.9.6 Changelog
- Update to snort v2.1.3
Snort Alert Verification v0.9.6 Files
| File | Platform | Arch. |
|---|---|---|
| snort-av-2.1.3-0.9.6.diff.gz | All | All |
Snort Alert Verification v0.9.5.1 Changelog
- Update preferred Nessus libraries to v2.0.10
- Fix RPM build error due to missing $(srcdir) variables
Snort Alert Verification v0.9.5.1 Files
| File | Platform | Arch. |
|---|---|---|
| snort-av-2.1.0-0.9.5.1.diff.gz | All | All |
| snort-2.1.0+av-0.9.5.1.tar.gz | All | All |
| snort-av-2.0.6-0.9.5.1.diff.gz | All | All |
| snort-2.0.6+av-0.9.5.1.tar.gz | All | All |
Recent Project News
Snort alert verification v0.9.6 has been released for snort v2.1.3.
The patch can be downloaded from the project download page.
Snort alert verification v0.9.5.1 has been released, which updates the
preferred Nessus libraries to v2.0.10 and addresses an RPM build error
reported in v0.9.5. The patch and source archive can be downloaded here.
The v0.9.5 snort-av patch has been backported to Snort v2.0.6, and can
be downloaded at the usual place.
An update to our alert verification patch to Snort has been released
which updates the upstream Snort source to v2.1.0 as well as fixes a
FreeBSD build issue. The current patch and pre-patched Snort source
archive can be fetched from the project software page.
Christopher and I have published a short article on alert verification over at HHWorld. We give
a short description of our implementation as well as an overview of the
categories of alert verification techniques which can be employed by an IDS.