[Snort-devel] What really changed in snort 1.9beta?

Larc larc at ...1233...
Wed Aug 28 03:49:01 EDT 2002


I have got some questions about what options have been added or removed in snort 1.9. I tried to make a list from all the documentation that I could find (changelog, manual and snort.conf).
The list below, is it correct or am I missing something?

* add -R <id> to change pid filename.
* rawbytes;  can you use (content: "..."; rawbytes; content: "..."; uri_content: "...."; rawbytes;) or just one time rawbytes?
* distance: xxx; & within: xxx; ( Also for every content option different?)
* flow:[to_client|to_server|from_client|from_server|established|stateless|no_stream|only_stream]
* Stateless; (Since the keyword is used in flow, can you still use it like before?)
* flags: S,12
* stream4: Added min_ttl & ttl_limit (The keepstats option, does it still support [machine|binary]? You only mention it on snort.conf and not in the 1.9 manual) 
* stream4_reassemble: the 'both' option, is it still used? You only mention it on snort.conf and not in the 1.9 manual.
* telnet_decode: add port list support
* added spp conversation
* added portscan2
* added ASN1Decode
* http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace (this is in the snort.conf)
		-> now, in the changelog file you also mention 'abort_invalid_hex' & 'drop_url_parm' (can we use them?)
		-> the older '-unicode' '-cginull', are they removed?

* From the changelog file:
	>2002-05-20  Chris Green  <cmg at ...402...>
	>* src/preprocessors/spp_http_decode.c:
	>	  - added newer unidecode function from rfp
	Is the old unidecode preprocessor removed, or is the new unicode function implemented in the new http_decode preprocessor?
	>	  - added "internal_alerts" keyword
	Is it a keyword that belongs to the http_decode preprocessor?

Can someone explain these things for me?

Stefan Dens
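As an added example (not part of Stefan's post and not taken from the Snort distribution), the fragment below shows how the 1.9 rule options and preprocessor keywords listed in the question fit together in a rule file and in snort.conf. The rule messages, SIDs, address and port variables, the content strings and the numeric preprocessor arguments are assumed placeholders chosen for illustration; only the option names come from the list above.

```snort
# --- rules file -------------------------------------------------------------
# rawbytes makes the content check that follows run against the raw packet
# payload instead of the preprocessor-normalised buffer (e.g. after http_decode).
# distance and within are relative to the end of the previous content match:
# distance:0 = start searching right after "GET ", within:200 = the second
# pattern must be found inside the next 200 bytes.
# flow:to_server,established restricts the rule to client->server traffic on an
# established stream4 session (assumed example rule, not a shipped signature).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE raw GET followed by directory traversal"; flow:to_server,established; content:"GET "; rawbytes; content:"../"; distance:0; within:200; classtype:web-application-attack; sid:1000001; rev:1;)

# flags:S,12 matches a bare SYN while ignoring TCP reserved bits 1 and 2 (the
# ECN bits), so ECN-capable hosts still match a SYN-only test.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet SYN"; flags:S,12; classtype:attempted-recon; sid:1000002; rev:1;)

# --- snort.conf -------------------------------------------------------------
# stream4 with the 1.9 min_ttl / ttl_limit arguments (values are assumed).
preprocessor stream4: detect_scans, disable_evasion_alerts, min_ttl 3, ttl_limit 5
# reassemble both directions of the stream.
preprocessor stream4_reassemble: both
# http_decode line exactly as quoted in the question above.
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
# telnet_decode now takes a port list (assumed ports).
preprocessor telnet_decode: 23 25
# the new conversation tracker and portscan2 built on top of it (assumed limits).
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
```

When testing something like this, run snort with -T (configuration test) after editing snort.conf so that an unknown keyword is rejected at startup rather than discovered when an alert fails to fire.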
