[Snort-devel] Snort 2.9.7 is now available

rmkml rmkml at ...2519...
Thu Oct 23 15:19:03 EDT 2014


Congrats Snort Team!

Error with this line on my snort.conf:
# on preprocessor stream5_global:
  flush_on_alert off

(previous snort v2.9.6.2 start without error)

but with new snort v2.9.7.0 stop with error:
ERROR: snort.conf(329) => Too many parameters for option in Session config.
Fatal Error, Quitting..

Changed line, new snort 2970 it's ok: (without parameter)
  flush_on_alert

Could you check if this option allow parameter or not please ?

snort-2.9.7.0/src/preprocessors/spp_session.c:
...
         else if(!strcasecmp(stoks[0], "flush_on_alert"))
         {
             if (s_toks > 1) //Trailing parameters
             {
                 FatalError("%s(%d) => Too many parameters for option in Session config.\n",
                         file_name, file_line);
             }
             config->flags |= STREAM_CONFIG_FLUSH_ON_ALERT;
         }
...

snort-2.9.6.2/src/preprocessors/spp_stream5.c:
...
         else if(!strcasecmp(stoks[0], "flush_on_alert"))
         {
             config->flags |= STREAM5_CONFIG_FLUSH_ON_ALERT;
         }
...

No diff on snort manual.tex:
     preprocessor stream5_global: \
         [track_tcp <yes|no>], [max_tcp <number>], \
         [memcap <number bytes>], \
         [track_udp <yes|no>], [max_udp <number>], \
         [track_icmp <yes|no>], [max_icmp <number>], \
         [track_ip <yes|no>], [max_ip <number>], \
         [flush_on_alert], [show_rebuilt_packets], \
         [prune_log_max <bytes>], [disabled], \
         [flush_on_alert], [show_rebuilt_packets], \
         [prune_log_max <num bytes>], [enable_ha]

Best Regards
@Rmkml



On Thu, 23 Oct 2014, Snort Releases wrote:

> Snort 2.9.7 is now available on snort.org at
> http://www.snort.org/downloads in the Snort Stable Release section.
>
> A new DAQ build is also available that updates support for a few
> operating systems.
>
> Snort 2.9.7 includes a major new feature for Application Identification,
> our OpenAppID capability.
>
> In conjunction with this release, are shifting the license for the OpenAppId
> content to GPLv2 to encourage more use and submission back to Cisco.  If
> you are interested in learning and writing OpenAppId content, please join
> us on the OpenAppId mailing list at https://www.snort.org/community.
> Any submissions to the OpenAppId ecosystem will receive public thanks
> and perhaps some nice swag!
>
> 2014-10-24 - Snort 2.9.7.0
> [*] New additions
> * Application Identification Preprocessor, when used in conjunction with
>  OpenAppID detector content, that will identify application protocol,
>  client, server, and web applications (including those using SSL) and
>  include the info in Snort alert data. In addition, a new rule option
>  keyword 'appid' that can be used to constrain Snort rules based on one
>  or more applications that are identified for the connection. Separate
>  prepackaged RPMs with App Open ID are available.  See README.appid
>  for further details.
>
> * A new protected_content rule option that is used to match against a
>  content that is hashed.  It can be used to obscure the full context
>  of the rule from the administrator.
>
> * Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
>  more accurately process different portions of email messages and file
>  attachments.
>
> * Added ability to test normalization behavior without modifying
>  network traffic.  When configured using na_policy_mode:inline-test,
>  statistics will be gathered on packet normalizations that would have
>  occurred, allowing less disruptive testing of inline deployments.
>
> * The HTTP Inspection preprocessor now has the ability to decompress
>  DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
>  content from http responses when configured with the new
>  decompress_swf and decompress_pdf options. This enhancement can be
>  used with existing rule options that already match against
>  decompressed equivalents.
>
> * Added improved XFF support to HttpInspect. It is now possible to
>  specify custom HTTP headers to use in place of 'X-Forwarded-For'. In
>  situations where traffic may contain multiple XFF-like headers, it is
>  possible to specify which headers hold precedence.
>
> * Added additional support for Heartbleed detection within the SSL
>  preprocessor to improve performance.
>
> * Added control socket command to dump packets to a file.  See
>  README.snort_dump_packets_control for details.
>
> * Added an option to suppress configuration information logging to output.
>
> * The Stream5 preprocessor functionality is now split between the new
>  Session and Stream6 preprocessors.
>
> [*] Improvements
> * Maximum IP6 extensions decoded is now configurable.
>
> * Update active response to allow for responses of 1500+ bytes that span
>  multiple TCP packets.
>
> * Check limits of multiple configurations to not exceed a maximum ID of
> 4095.
>
> * Updated the error output of byte_test, byte_jump, byte_extract to
>  including details on offending options for a given rule.
>
> * Update build and install scripts to install preprocessor and engine
>  libraries into user specified libdir.
>
> * Improved performance of IP Reputation preprocessor.
>
> * The control socket will now report success when reloading empty IP
>  Reputation whitelists/blacklists.
>
> * All TCP normalizations can now be enabled individually. See
>  README.normalize for details on using the new options. For
>  consistency with other options, the "urp" tcp normalization keyword
>  now enables the normalization instead of disabling it.
>
> * Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
>
> * Updated profiler output to remove duplicate results when using
>  multiple configurations.
>
> * Improved performance of FTP reassembly.
>
> * Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD,
>  FreeBSD, and DragonFlyBSD
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>




More information about the Snort-devel mailing list