[Snort-devel] Snort 1.8 status update
roesch at ...48...
Tue Apr 17 14:24:38 EDT 2001
Sorry I've been so quiet for the past couple weeks, I've been
traveling a lot. While I've been unable to answer a lot of email, I
*have* had time to write a lot of code and integrate some fun features,
so I'll just take a few minutes here to go over the new stuff and
First, I've decided that the next release will be 1.8 instead of
1.7.1. We've got something like 10 new plugins, 3 or so new command
line switches, new rule options for the pattern matcher, bug fixes, and
something like 12000 new lines of code, so rather than calling it a bug
fix release I thought we should give it a full point increment.
Therefore (and as you've probably noticed from the past few weeks) we're
going to annoint this next release version 1.8. It should be noted that
I did a lot but by no means all of this work. Fyodor, Phil Wood, Chris
Cramer, Erek Adams, Brian Caswell and the rest of the gang have been
putting in a lot of work lately too.
There have been a bunch of additions in the past two weeks. Here's
a quick list:
- Added new protocol to the rules language: "ip". The IP header can be
inspected by rules exclusively using this protocol, including the
fragbits "MF" value. Example:
alert ip any any -> $HOME_NET any (fragbits: M; dsize: <128; msg: "Tiny
- Added "config" directives for most of the command line switches. This
means that you can now put things like "config logdir: /var/log/snort"
into the conf file and Snort will treat it as if you added a "-l
/var/log/snort" at the command line. This is very useful for the next
- If no command line arguments are given to Snort, it looks for
/etc/snort.conf and ./snort.conf. If Snort finds the file, it will
automatically attempt to load the file and configure itself in IDS
mode. Using this feature, you can setup Snort to run automatically with
no command line options, reducing the amount of typing that needs to be
done to get it running in your preferred configuration.
- Added Priority plugin from Brian Caswell.
- Added classification and priority printout to full, fast, syslog and
- Added cross reference link printout to full, fast, syslog and SMB
- Added rpc_decode preprocessor that normalizes fragmented (at the
application layer) rpc datagrams (defeats SideStep-style RPC attacks)
- Added Telnet negotiation string normalization, removed in-line telnet
negotiation strings from telnet and ftp traffic (defeats SideStep-style
- Added sp_bo, automatically detects Back Orifice traffic on the network
by brute forcing the 16-bit keyspace. Add "-nobrute" to the
preprocessor directive to only check the default key of 31337.
- Added sp_ip_proto to check the IP protocol field in rules (allows
rules to be written for protocols that Snort doesn't handle beyond IP
but still have their p->data pointer set)
- Added new "uricontent" keyword to pattern matcher. The http_decode
preprocessor now sets a pointer to the URI portion of HTTP packets so
that the amount of data to be inspected is minimized (this way we don't
check the referrer: field, etc).
- Added new command line switch, "-T". This runs Snort in test mode,
which will make it process all the other commands you give it and go
through it's entire startup routine up to the point where it would
normally begin sniffing. In test mode, it exits when it reaches that
point and tells you that everything checked out ok, otherwise it just
exits with an error message that you would expect to see.
- Added new command line switch, "-L". This lets you set the filename
of the binary output log file when combnied with the -b switch.
- Added new command line switch, "-G". This turns on "ghetto messages"
for people who need backwards msg field reference compatability for old
versions of snortsnarf, etc.
- Added new command line switch, "-I". This one has actually been in
for a while; it prints out the interface name that the alert packet was
- Timestamp formatting problem was fixed.
- Snort can now be run by unprivileged users who can access the sniffing
- Fixed a big bug in the OR pattern matching code, content-lists should
now work properly.
- Added improved UNICODE detection code from Koji Shikata
- Added sp_tcp_win_check so that TCP window size can be inspected from
- Added Caswell's CSV output plugin that only he knows how to
- Added Phil Wood's sp_same_ip_check plugin that allows the IP source
and destintation to be compared for equality (which is usually a DoS
- Added variable lookups to "include" directives. You can now do
"include $RULE_PATH/ftp.rules" or whatever.
- Added variable substitution to the syslog alert plugin arguments.
- Added new checks to transport protocol detection plugins to make sure
they aren't used with "ip" protocol rules.
I think that's the major stuff. We're up to version 1.8-beta2 (Build
11) now, so if the people who are tracking CVS would like to update to
the latest version I'd like to get testing for the release of version
roesch at ...48...
More information about the Snort-devel