[Snort-devel] Snort 2.9.7 is now available

Carter Waxman (cwaxman) cwaxman at ...3461...
Thu Oct 23 16:23:23 EDT 2014


In 2.9.6.2, the on/off part was always ignored. The setting was enabled
when "flush_on_alert" was present, regardless of the "parameter"
following. We added the check in 2.9.7 so it wouldn't be a pitfall,
but it looks like we missed an update on a portion of the doc... Your
current config actually enables flush_on_alert internally.


Thanks for pointing this out, we will fix this!


-Carter
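The parsing difference described in this reply (and visible in the two spp_session.c / spp_stream5.c excerpts quoted further down) can be modelled in a few lines of C. This is an added example, not Snort's code: the function names, the flag value and the tokenizer are assumptions, and Snort's FatalError() is modelled as a -1 return so the two behaviours can be compared side by side.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CONFIG_FLUSH_ON_ALERT 0x01u /* assumed flag value, not Snort's */
#define MAX_TOKS 8
#define TOK_LEN  32

/* Split one option line on whitespace into "stoks", the way Snort's
 * option parser does before comparing stoks[0]; returns the token count. */
static int tokenize(const char *line, char toks[][TOK_LEN], int max)
{
    char buf[256];
    int n = 0;
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *t = strtok(buf, " \t\r\n"); t != NULL && n < max;
         t = strtok(NULL, " \t\r\n")) {
        strncpy(toks[n], t, TOK_LEN - 1);
        toks[n][TOK_LEN - 1] = '\0';
        n++;
    }
    return n;
}

/* Apply a single stream5_global option line to *flags.
 * strict == 0 models 2.9.6.2: only stoks[0] is compared, so a trailing
 *   token such as "off" is silently ignored and the flag is still set.
 * strict != 0 models 2.9.7: a trailing token is a configuration error
 *   (Snort calls FatalError; here we return -1 and leave *flags untouched).
 * Returns 0 when the line is accepted, -1 when it is rejected. */
int apply_option(const char *line, int strict, unsigned *flags)
{
    char toks[MAX_TOKS][TOK_LEN];
    int n = tokenize(line, toks, MAX_TOKS);

    if (n == 0)
        return -1; /* empty line: nothing to apply */

    if (!strcasecmp(toks[0], "flush_on_alert")) {
        if (strict && n > 1)
            return -1; /* "Too many parameters for option in Session config." */
        *flags |= CONFIG_FLUSH_ON_ALERT;
        return 0;
    }
    return -1; /* unknown option (the real parser handles many more) */
}

/* Wrappers so the outcome of one config line can be inspected directly. */
int option_accepted(const char *line, int strict)
{
    unsigned f = 0;
    return apply_option(line, strict, &f) == 0;
}

unsigned flags_after(const char *line, int strict)
{
    unsigned f = 0;
    apply_option(line, strict, &f);
    return f;
}

int main(void)
{
    /* constructed sample lines, the two forms discussed in the thread */
    const char *lines[] = { "flush_on_alert off", "flush_on_alert" };
    for (int i = 0; i < 2; i++) {
        printf("%-20s 2.9.6.2: %s flags=0x%x | 2.9.7: %s flags=0x%x\n",
               lines[i],
               option_accepted(lines[i], 0) ? "accepted" : "rejected",
               flags_after(lines[i], 0),
               option_accepted(lines[i], 1) ? "accepted" : "rejected",
               flags_after(lines[i], 1));
    }
    return 0;
}
```

The defender's point is the silent case: under the 2.9.6.2 behaviour a line that reads as if it disables flushing on alert actually enables it, and nothing in the start-up output says so. The 2.9.7 check turns that into a fatal configuration error, which is the safer failure mode, so any snort.conf carrying "flush_on_alert" with a trailing word is worth finding before an upgrade rather than after.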



On 10/23/14, 3:19 PM, "rmkml" <rmkml at ...2519...> wrote:

>Congrats Snort Team!
>
>Error with this line on my snort.conf:
># on preprocessor stream5_global:
>  flush_on_alert off
>
>(previous snort v2.9.6.2 start without error)
>
>but with new snort v2.9.7.0 stop with error:
>ERROR: snort.conf(329) => Too many parameters for option in Session
>config.
>Fatal Error, Quitting..
>
>Changed line, new snort 2970 it's ok: (without parameter)
>  flush_on_alert
>
>Could you check if this option allow parameter or not please ?
>
>snort-2.9.7.0/src/preprocessors/spp_session.c:
>...
>         else if(!strcasecmp(stoks[0], "flush_on_alert"))
>         {
>             if (s_toks > 1) //Trailing parameters
>             {
>                 FatalError("%s(%d) => Too many parameters for option in
>Session config.\n",
>                         file_name, file_line);
>             }
>             config->flags |= STREAM_CONFIG_FLUSH_ON_ALERT;
>         }
>...
>
>snort-2.9.6.2/src/preprocessors/spp_stream5.c:
>...
>         else if(!strcasecmp(stoks[0], "flush_on_alert"))
>         {
>             config->flags |= STREAM5_CONFIG_FLUSH_ON_ALERT;
>         }
>...
>
>No diff on snort manual.tex:
>     preprocessor stream5_global: \
>         [track_tcp <yes|no>], [max_tcp <number>], \
>         [memcap <number bytes>], \
>         [track_udp <yes|no>], [max_udp <number>], \
>         [track_icmp <yes|no>], [max_icmp <number>], \
>         [track_ip <yes|no>], [max_ip <number>], \
>         [flush_on_alert], [show_rebuilt_packets], \
>         [prune_log_max <bytes>], [disabled], \
>         [flush_on_alert], [show_rebuilt_packets], \
>         [prune_log_max <num bytes>], [enable_ha]
>
>Best Regards
>@Rmkml
>
>
>
>On Thu, 23 Oct 2014, Snort Releases wrote:
>
>> Snort 2.9.7 is now available on snort.org at
>> http://www.snort.org/downloads in the Snort Stable Release section.
>>
>> A new DAQ build is also available that updates support for a few
>> operating systems.
>>
>> Snort 2.9.7 includes a major new feature for Application Identification,
>> our OpenAppID capability.
>>
>> In conjunction with this release, we are shifting the license for the
>> OpenAppId content to GPLv2 to encourage more use and submission back to
>> Cisco.  If you are interested in learning and writing OpenAppId content,
>> please join us on the OpenAppId mailing list at
>> https://www.snort.org/community.
>> Any submissions to the OpenAppId ecosystem will receive public thanks
>> and perhaps some nice swag!
>>
>> 2014-10-24 - Snort 2.9.7.0
>> [*] New additions
>> * Application Identification Preprocessor, when used in conjunction with
>>  OpenAppID detector content, that will identify application protocol,
>>  client, server, and web applications (including those using SSL) and
>>  include the info in Snort alert data. In addition, a new rule option
>>  keyword 'appid' that can be used to constrain Snort rules based on one
>>  or more applications that are identified for the connection. Separate
>>  prepackaged RPMs with App Open ID are available.  See README.appid
>>  for further details.
>>
>> * A new protected_content rule option that is used to match against a
>>  content that is hashed.  It can be used to obscure the full context
>>  of the rule from the administrator.
>>
>> * Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
>>  more accurately process different portions of email messages and file
>>  attachments.
>>
>> * Added ability to test normalization behavior without modifying
>>  network traffic.  When configured using na_policy_mode:inline-test,
>>  statistics will be gathered on packet normalizations that would have
>>  occurred, allowing less disruptive testing of inline deployments.
>>
>> * The HTTP Inspection preprocessor now has the ability to decompress
>>  DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
>>  content from http responses when configured with the new
>>  decompress_swf and decompress_pdf options. This enhancement can be
>>  used with existing rule options that already match against
>>  decompressed equivalents.
>>
>> * Added improved XFF support to HttpInspect. It is now possible to
>>  specify custom HTTP headers to use in place of 'X-Forwarded-For'. In
>>  situations where traffic may contain multiple XFF-like headers, it is
>>  possible to specify which headers hold precedence.
>>
>> * Added additional support for Heartbleed detection within the SSL
>>  preprocessor to improve performance.
>>
>> * Added control socket command to dump packets to a file.  See
>>  README.snort_dump_packets_control for details.
>>
>> * Added an option to suppress configuration information logging to
>>  output.
>>
>> * The Stream5 preprocessor functionality is now split between the new
>>  Session and Stream6 preprocessors.
>>
>> [*] Improvements
>> * Maximum IP6 extensions decoded is now configurable.
>>
>> * Update active response to allow for responses of 1500+ bytes that span
>>  multiple TCP packets.
>>
>> * Check limits of multiple configurations to not exceed a maximum ID of
>> 4095.
>>
>> * Updated the error output of byte_test, byte_jump, byte_extract to
>>  including details on offending options for a given rule.
>>
>> * Update build and install scripts to install preprocessor and engine
>>  libraries into user specified libdir.
>>
>> * Improved performance of IP Reputation preprocessor.
>>
>> * The control socket will now report success when reloading empty IP
>>  Reputation whitelists/blacklists.
>>
>> * All TCP normalizations can now be enabled individually. See
>>  README.normalize for details on using the new options. For
>>  consistency with other options, the "urp" tcp normalization keyword
>>  now enables the normalization instead of disabling it.
>>
>> * Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
>>
>> * Updated profiler output to remove duplicate results when using
>>  multiple configurations.
>>
>> * Improved performance of FTP reassembly.
>>
>> * Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD,
>>  FreeBSD, and DragonFlyBSD.
>>
>>
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
