root/pehunter/README

PE Hunter is a plugin for snort (aka dynamic preprocessor) for extracting 
Windows executables (files in PE format) from the network stream.

It first spots a PE header and then uses a simple heuristik to calculate the
file length. Starting at the header offset in a stream, the resulting number of
bytes is then dumped to a file.

This technique does not work for some specially crafted binaries, e.g., self-
extracting archives or programs with additional data after the end of the last
section since there is no way to passively identify such data in a stream.


Compiling and Installation
--------------------------

Copy the pehunter source directory to src/dynamic-preprocessors in the snort
source tree. You have to add a line like

        #define PP_PEHUNTER             28

to src/preprocids.h. Then modify the autoconf stuff to include the module in
the build process. The usual configure [opts] && make && make install places
installs snort with PEHunter preprocessor.

Use snort in inline mode (configure with --enable-inline on Linux) to make sure
that no packet gets missed. This quarantees full and fault-free stream
reassembly and is the recommended mode for PEHunter.


Configuration
-------------

Files are stored as their md5 checksum of the corresponding data in a
configurable location. Snort must be configured to use PE Hunter. Please include
the following lines in your snort.conf:


        # make sure to load the stream4 preprocessor first
        dynamicpreprocessor file /location/of/libsf_smtp_preproc.so

        # Configure PE Hunter module
        # --------------------------
        preprocessor pehunter: dump_dir /var/log/snort/binaries


Add a 'debug' option to the above line to produce verbose logging.


PEHunter is licensed under the GNU General Public License version 2.
Copyright (C) 2007 Tillmann Werner <tillmann.werner@gmx.de>