[Snort-devel] What really changed in snort 1.9beta?
larc at ...1233...
Wed Aug 28 03:49:01 EDT 2002
I have got some questions about what options have been added or removed in snort 1.9. I tried to make a list from all the documentation that I could find (changelog, manual and snort.conf).
The list below, is it correct or am I missing something?
* add -R <id> to change pid filename.
* rawbytes; can you use (content= "..."; rawbytes; content: "..."; uri_content: "...."; rawbytes;) or just one time rawbytes?
* distance: xxx; & within: xxx; ( Also for every content option different?)
* Stateless; (Since the keyword is used in flow, can you still use it like before?)
* flags: S,12
* stream4: Added min_ttl & ttl_limit (The keepstats option, does it still support [machine|binary]? You only mention it on snort.conf and not in the 1.9 manual)
* stream4_reassemble: the 'both' option, is it still used? You only mention it on snort.conf and not in the 1.9 manual.
* telnet_decode: add port list support
* added spp conversation
* added portscan2
* added ASN1Decode
* http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace (this is in the snort.conf)
-> now, in the changelog file you also mention 'abort_invalid_hex' & 'drop_url_parm' (can we use them?)
-> the older '-unicode' '-cginull', are they removed?
* From the changelog file:
>2002-05-20 Chris Green <cmg at ...402...>
> - added newer unidecode function from rfp
Is the old unidecode preprocessor removed? Or is the new unicode function implemented in the new http_decode preprocessor?
> - added "internal_alerts" keyword
Is it a keyword that belongs to the http-decode preprocessor?
Can someone explain these things for me?