[Snort-devel] Snort 2.9.3 Beta Now Available

Joshua Kinard kumba at ...2185...
Fri May 18 14:58:14 EDT 2012


On 05/18/2012 9:55 AM, Snort Releases wrote:

> Snort 2.9.3 Beta is now available on snort.org, at
> http://www.snort.org/snort-downloads/ in the Latest Development
> Release section.

> [*] New additions
>   * Updates to flowbit rule option to allow for OR and AND
>     of individual bits within a single rule, and allow flowbits
>     to be used in multiple groups.  See README.flowbits and
>     the Snort manual for details.


This will be interesting to play with.  I take it this was designed to
combine multiple uses of the keyword when checking the state of several
flowbits?


>   * Updates to the processing of email attachments for better
>     handling of non-encoded attachments, and improved memory
>     management for attachment processing.


I take it this also fixes the handling of ignore_data with respect to the
fast-pattern matcher?


>   * Fix logging of multiple unified2 alerts with reassembled packets.


Looking at the changed code, I think this will also fix the same issue when
logging with tcpdump output.  I hacked right around that for loop in
snort_stream5_tcp.c and was able to fully log all packets associated with a
stream when using file_data with SMTP.  I suspect this might also fix the
use case with flow:only_stream and flow:only_frag.  I'll have to test, though.


Thanks!

-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
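As an added illustration of the flowbits change discussed above (this is not code from the Snort release notes or from the mail, and it assumes the `&`/`|` operand syntax that README.flowbits in 2.9.3 describes for combining bits), the following constructed rules set two bits on a flow and then check them with AND and with OR in a single `flowbits:isset` option. The port, content strings, bit names and SIDs are made up for the example.

```snort
# Constructed example: two bits set on the same flow, then combined in one rule.
# Port 2121, the content strings, the bit names and the SIDs are placeholders.

# Set one bit when a greeting is seen, another when an AUTH command is seen.
alert tcp any any -> any 2121 (msg:"EX greeting seen"; content:"HELLO"; flowbits:set,ex_hello; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 2121 (msg:"EX auth seen"; content:"AUTH"; flowbits:set,ex_auth; flowbits:noalert; sid:1000002; rev:1;)

# AND: alert only when both bits are set on this flow.
alert tcp any any -> any 2121 (msg:"EX cmd after greeting AND auth"; content:"CMD"; flowbits:isset,ex_hello&ex_auth; sid:1000003; rev:1;)

# OR: alert when either bit is set on this flow.
alert tcp any any -> any 2121 (msg:"EX cmd after greeting OR auth"; content:"CMD"; flowbits:isset,ex_hello|ex_auth; sid:1000004; rev:1;)
```

Load the rules into a 2.9.3 build and replay a pcap containing HELLO, AUTH and CMD on one TCP flow: sid 1000003 should fire only when both earlier packets were seen, while sid 1000004 fires after either of them.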