New Snortsam patch for Snort

Matt Jonkman of Emerging Threats asked me to have a look at the existing Snortsam patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort’s IPv6 support enabled and added a check so it won’t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it’s provided as a ‘normal’ diff. Here is the patch:

Here are the instructions for getting your Snort source patched:

Make sure you have a clean Snort tree, then patch it:

cd snort-
patch -p1 < ../snortsam-

Next, run ‘’ to update the build system (you need to have libtoolize, aclocal, autoheader, autoconf and automake installed). After this, configure and build Snort normally:

./configure <your configure options>
make install

That’s it.

Thanks to Matt Jonkman of Emerging Threats for paying me to do this and CunningPike for doing the first iterations of the patch!

2 thoughts on “New Snortsam patch for Snort”

  1. Hi,

    Richard Bejtlich from recommended that I ask this question at this blog. I wasn’t sure where the best place was to post my question so I’m asking via the comments:

    Do you know of any recent updates about running Snort_inline on a FreeBSD bridge? It’s my understanding that FreeBSD as it currently stands isn’t capable of sending packets to Snort_inline when the machine is configured as a bridge.


  2. Snort_inline on FreeBSD uses IPFW’s divert sockets. The problem is that divert sockets don’t work on a FreeBSD bridge. But I’m not a *BSD expert (or even user) so I could have missed other options or recent changes to FreeBSD.
