[Snort-devel] What really changed in snort 1.9beta?
cmg at ...402...
Wed Aug 28 05:29:06 EDT 2002
"Larc" <larc at ...1233...> writes:
> I have got some question about what options have been added or
> removed in snort 1.9. I tried to make a list from all the
> documentation that I could find (changelog, manual and snort.conf). The
> list below, is it correct or am I missing something?
> * add -R <id> to change pid filename.
> * rawbytes; can you use (content= "..."; rawbytes; content: "...";
> uri_content: "...."; rawbytes;) or just one time rawbytes?
It's an option to the previous content option. It's only useful for
telnet decoded traffic.
> * distance: xxx; & within: xxx; ( Also for every content option
This is pending me getting a drawing package out because explaining it
is a pita without it but it is related to previous content options.
> * flow:[to_client|to_server|from_client|from_server|established|stateless|no_stream|only_stream]
> * Stateless; (Since the keyword is used in flow, can you still use
> it like before?)
That is now deprecated but still usable. Stateless will be removed
in the next go around.
> * flags: S,12
> * stream4: Added min_ttl & ttl_limit (The keepstats option, does it
> still support [machine|binary]? You only mention it on snort.conf and
> not in the 1.9 manual)
It should still work. If it's not in the manual, it never was in the
There's also a config min_ttl: <n>
to set the minimum number'd ttl we'll look at for the entire snort
> * stream4_reassemble: the 'both' option, is it still used? You only
> mention it on snort.conf and not in the 1.9 manual.
It can still be used. It's clientonly by default.
> * telnet_decode: add port list support
> * added spp conversation
> * added portscan2
> * added ASN1Decode *
> http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash
> full_whitespace (this is in the snort.conf)
> -> now, in the changelog file you also mention 'abort_invalid_hex' & 'drop_url_parm' (can we use them?)
You can but i recommend against them.
> -> the older '-unicode' '-cginull' are they removed?
It's a completely different http_decoder. It's the main difficulty in
changing from the old to new.
> * From the changelog file:
> >2002-05-20 Chris Green <cmg at ...402...>
> >* src/preprocessors/spp_http_decode.c:
> > - added newer unidecode function from rfp
> Is the old unidecode preprocessor removed? or is the new unicode function implemented in the new http_decode preprocessor?
> > - added "internal_alerts" keyword
> is it a keyword that belongs to the http-decode preprocessor?
Yes. It alerts on things that it sees on port 80 that don't fit into
its notion of what a uri should look like. It's quite noisy at the
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
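Two points in the reply above are easy to get wrong when writing 1.9-era rules: `rawbytes`, `distance` and `within` modify the content option that precedes them (so a modifier with no content before it is meaningless), and the bare `stateless` keyword is deprecated in favour of `flow:stateless`. The small linter below, an added example rather than code from the Snort project or from anyone in this thread, parses a rule's option section, binds each modifier to its preceding content and flags those two mistakes plus unknown `flow` values (taken from the list quoted in the question). The sample rules are constructed for illustration; the keyword `uricontent` is the real Snort spelling of what the question calls `uri_content`.

```python
"""Linter for content modifiers and deprecated keywords in Snort 1.9-style rules.

Added example, not Snort's own rule parser. It models the reply's point that
rawbytes/distance/within attach to the *previous* content or uricontent option
and that bare 'stateless' is deprecated (use flow:stateless instead).
"""
import re

# flow values as listed in the question (L17 of the thread)
FLOW_VALUES = {"to_client", "to_server", "from_client", "from_server",
               "established", "stateless", "no_stream", "only_stream"}
CONTENT_KEYWORDS = {"content", "uricontent"}
# modifiers discussed in the thread; each binds to the preceding content option
CONTENT_MODIFIERS = {"rawbytes", "distance", "within"}


def split_options(body):
    """Split 'key:value; key; ...' on semicolons that sit outside double quotes,
    so a ';' inside a content pattern does not break the option."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_option(opt):
    """Return (keyword, value); value is None for bare keywords like rawbytes."""
    key, sep, val = opt.partition(":")
    key = key.strip().lower()
    val = val.strip().strip('"') if sep else None
    return key, val


def lint_rule(rule):
    """Return (bindings, warnings).

    bindings: one dict per content/uricontent option, in rule order, with the
              modifiers that were bound to it.
    warnings: human-readable problems found in the option section.
    """
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return [], ["rule has no option section"]
    bindings, warnings = [], []
    current = None  # the content option that later modifiers attach to
    for opt in split_options(m.group(1)):
        key, val = parse_option(opt)
        if key in CONTENT_KEYWORDS:
            current = {"keyword": key, "pattern": val, "modifiers": {}}
            bindings.append(current)
        elif key in CONTENT_MODIFIERS:
            if current is None:
                warnings.append(f"'{key}' appears before any content option")
            else:
                current["modifiers"][key] = val
                if key in ("distance", "within") and not (val or "").isdigit():
                    warnings.append(f"'{key}' needs an integer value, got {val!r}")
        elif key == "stateless":
            warnings.append("bare 'stateless' is deprecated; use flow:stateless")
        elif key == "flow":
            bad = [f.strip() for f in (val or "").split(",") if f.strip() not in FLOW_VALUES]
            if bad:
                warnings.append(f"unknown flow value(s): {', '.join(bad)}")
    return bindings, warnings


# constructed sample rules (not from any real ruleset)
SAMPLE_RULES = [
    # rawbytes binds to the first content; distance/within bind to the second
    'alert tcp any any -> any 23 (msg:"constructed"; content:"|FF FB|"; rawbytes; '
    'content:"login"; distance:2; within:10; flow:to_server,established;)',
    # deprecated bare keyword plus a rawbytes with no content before it
    'alert tcp any any -> any 80 (msg:"constructed"; stateless; rawbytes; '
    'uricontent:"/cgi-bin/"; flow:to_server;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        bindings, warnings = lint_rule(rule)
        for b in bindings:
            print(f"{b['keyword']}:{b['pattern']!r} -> {b['modifiers']}")
        for w in warnings:
            print("  warning:", w)
```

Running it shows the first rule binding `rawbytes` to `|FF FB|` and `distance`/`within` to `login` with no warnings, while the second rule is reported for the deprecated `stateless` and for a `rawbytes` that has nothing to modify.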