[Snort-devel] What really changed in snort 1.9beta?

Chris Green cmg at ...402...
Wed Aug 28 05:29:06 EDT 2002

"Larc" <larc at ...1233...> writes:

> Hi,
> I have got some question about what options have been added or
> removed in snort 1.9. I tried to make a list from all the
> documentaion that I could find (changlog, manual a snort.conf) The
> list below, is it correct or am I missing something?
> * add -R <id> to change pid filename.
> * rawbytes;  can u use (content= "..."; rawbytes; content: "...";
> uri_content: "...."; rawbytes;) or just one time rawbytes?

Its an option to the previous content option. It's only useful for
telnet decoded traffic.

> * distance: xxx; & within: xxx; ( Also for every content option
> different?)

This is pending me getting a drawing package out because explaining it
is a pita without it but it is related to previous content options.

> * flow:[to_client|to_server|from_client|from_server|established|stateless|no_stream|only_stream]
> * Stateless; (Since the keyword is used in flow, can you still use
> it like before?)

That is now deprecated but still usable.  Stateless will be removed
in the next go around.

> * flags: S,12


> * stream4: Added min_ttl & ttl_limit (The keepstats option, does it
> still support [machine|binary]? You only mention it on snort.conf and
> not in the 1.9 manual)

It should still work.  If it's not in the manaul, it never was in the
manaul :^).

Theres also a config min_ttl: <n>

to set the minumum number'd ttl we'll look at for the entire snort

>  * stream4_reassemble: the 'both' option, is it still used? You only
> mention it on snort.conf and not in the 1.9 manual. 

it can still be used. It's clientonly by default.

> * telnet_decode: add port list support 

> * added spp conversation
> * added portscan2
> * added ASN1Decode *
> http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash
> full_whitespace (this is in the snort.conf)
> 		-> now, in the changlog file you also mention 'abort_invalid_hex' & 'drop_url_parm' (can we use them?)

You can but i recommend against them.

> 		->  the older '-unicode' '-cginull' are thay removed?

It's a completely different http_decoder. It's the main difficulty in
changing from the old to new.

> * From the changelog file:
> 	>2002-05-20  Chris Green  <cmg at ...402...>
> 	>* src/preprocessors/spp_http_decode.c:
> 	>	  - added newer unidecode function from rfp
> 	Is the old unidecode preprocessor removed? or is the new unicode function implemented in the new http_decode preprocessor?
> 	>	  - added "internal_alerts" keyword
> 	is it a keyword that belongs to the http-decode preprocessor?

Yes.  It alerts on things that it sees on port 80 that don't fit into
it's notion of what a uri should look like. It's quite noisy at the
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.

More information about the Snort-devel mailing list