[Snort-devel] Snort 2.3.0 RC2 released

Jeremy Hewlett jh at ...402...
Wed Dec 15 08:19:03 EST 2004


Hello all!

Thanks to everyone who tested and commented on the Snort 2.3.0 RC1
release. Your support is, as always, very much appreciated.

Since Snort 2.3.0 RC1 was released, we've added some new functionality,
and wanted to go ahead and do another Release Candidate once more before
final. The main features of this release are some new rule option
features to byte_jump that can be used for advanced SMB exploit
detection. New rules that use this functionality will be available
shortly from http://www.snort.org.

So without further delay, we're pleased to announce the availability of
Snort 2.3.0 RC2. The following bulleted items are the complete release
notes for RC2:

* Added from_beginning and multiplier options for byte_jump.
  from_beginning skips bytes from the beginning of the content,
  instead of from the location immediately following the number
  of bytes to skip.  multiplier takes a numeric argument, and
  skips x times that number of bytes. Thanks Steve Sturges.

* Updated documentation on flow_depth and HTTP headers per
  conversations with Joe Patterson. Thanks Joe!

* Small performance improvement to arpspoof and also fixed a problem
  where the list of configured IP/MAC entries would contain only one
  entry and leaked memory. Thanks Jeff Nathan.

* Fixed a problem affecting MacOS X where linking may fail with
  non-standard libraries when global symbols are encountered multiple
  times. Thanks Jeff Nathan.

* Ignore RST|ACK midstream pickup case so we don't get evasive TCP
  alerts.  Thanks for the report, Sekure. Thanks Dan Roelker for the fix.

* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the
  logdir config will work if the default or command-line logdir does not
  exist on the system. Thanks Dan Roelker.

* Fixed bug when setting the doe_ptr on a successful pcre match.
  It is now set relative to base_ptr. Thanks Steve Sturges for the
  fix.

* In "fast" output, now log only actual packet contents when UDP
  data length is greater than actual data length. Thanks Brian
  Caswell for spotting this, and Andrew Mullican for working on the fix.

Further details can be found in the ChangeLog. Thanks again for the
support, and please let us know what you think of this release.

Cheers,
The Snort Team
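
An added illustration, not part of the original announcement and not Snort source code: a simplified C model of how the from_beginning and multiplier options described in the release notes change where byte_jump moves the detection cursor. The function name, the constructed sample payload layout, and the big-endian 1-to-4-byte field are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample payload (not captured traffic):
 *   [0..1]  big-endian offset of the trailer, counted from payload start
 *   [2..3]  big-endian name length, counted in 2-byte characters
 *   [4..9]  name "abc" as 2-byte characters
 *   [10..]  trailer, starting with marker 0xFF */
static const uint8_t sample[] = {
    0x00, 0x0A, 0x00, 0x03, 'a', 0, 'b', 0, 'c', 0, 0xFF, 0xEE
};

/* Hypothetical model of the byte_jump cursor arithmetic. Returns the new
 * cursor position as an index into the payload, or -1 when the field or the
 * jump target lies outside the payload. multiplier == 0 means "not set". */
long byte_jump_model(const uint8_t *p, size_t len, size_t offset,
                     size_t nbytes, uint32_t multiplier, int from_beginning)
{
    uint64_t skip = 0;
    size_t i, base;

    if (nbytes == 0 || nbytes > 4 || offset > len || nbytes > len - offset)
        return -1;                       /* field is not fully inside payload */
    for (i = 0; i < nbytes; i++)         /* big-endian conversion */
        skip = (skip << 8) | p[offset + i];
    if (multiplier)
        skip *= multiplier;              /* 32x32-bit product fits in 64 bits */

    /* from_beginning: count from payload start, not from the end of the field */
    base = from_beginning ? 0 : offset + nbytes;
    if (skip > len - base)
        return -1;                       /* target is past the end of payload */
    return (long)(base + skip);
}

int main(void)
{
    size_t n = sizeof sample;
    printf("name length, no multiplier:     %ld\n", byte_jump_model(sample, n, 2, 2, 0, 0));
    printf("name length, multiplier 2:      %ld\n", byte_jump_model(sample, n, 2, 2, 2, 0));
    printf("trailer offset, from_beginning: %ld\n", byte_jump_model(sample, n, 0, 2, 0, 1));
    printf("multiplier 4 (out of bounds):   %ld\n", byte_jump_model(sample, n, 2, 2, 4, 0));
    return 0;
}
```

Without the multiplier, the character-count field leaves the cursor in the middle of the name; with a multiplier of 2 it lands on the trailer marker, which is the position a following content match would need.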




