[Snort-users] SnortSnarf version 040701.1

James Hoagland hoagland at ...47...
Sat Apr 7 04:31:54 EDT 2001

Greetings all,

Silicon Defense is pleased to announce the release of version 
040701.1 of SnortSnarf, its popular Snort alert browser.  Here is a 
summary of the changes since the previous version:

+ modularized SnortSnarf (massive modification of code)
   + http://www.silicondefense.com/software/snortsnarf/modularized/
   + interface and HTML produced is largely unchanged
   + old SnortSnarf pieces split into modules
   + ways to select and parameterizes other modules (when they become available)
   still in the works
   + enhanced SISR and text4sel.pl to use alerts from arbitrary input modules
+ enhanced ability to gather reference information to make external links by;
specifically if the -rules* option provides your rules, SnortSnarf will
examine rules in them for reference rule options (e.g.,
"reference:arachnids,212") [by popular demand]
+ signature index page and signature pages now provide links to all known
reference URLs for the signature
+ signature page names should be more consistent across runs since it is now
based on reference information wherever possible
+ updated Princeton DNS lookup link, removed Riherds (was 404'ing)
+ year can now be inferred even when alert does not provide it; mode selected
by new -year option; default is to assume it is from within the previous 12
months; also available is the current year or a specific year
+ year now shown on displayed dates (except perhaps in the displayed alerts)
+ fixed the pop-up menu for annotation access to display correctly on all
browsers [contrib by Yoann Le Corvic]
+ now includes the nmaplog-dns.pl script by HD Moore (linked to by nmap2html)
+ a few wording changes to reflect the fact that alerts (as defined internally
to SnortSnarf) might contain more than one packet (although no input source
provides this type of packet currently)
+ de-tabbed source files for better reader friendliness
+ updated user and some internal documentation

Bullet one is correct, this is the long-promised modularized version 
of SnortSnarf.  Now people can write and use new alert input methods 
(e.g., from a database), storage means (e.g., on disk to reduce 
memory use), and output types (just about anything you can do with a 
set of alerts).  Those interested in writing new modules are 
encouraged to do so; you can use the released modules as a basis and 
are welcome to probe us for ideas.  Go get 'em! :)

And you did read bullet 2 correctly.  (Heads up users of the new 
snort.org ruleset that miss their whitehats.com links.)  There is now 
another way for SnortSnarf to figure out external references about 
alerts it displays.  If you give snortsnarf.pl the location of your 
rules files using -rulesfile (and -rulesdir if needed), it will use 
any "reference" rule information contained in the rules.  SnortSnarf 
can now provide links for arachNIDS, CVE, Bugtraq, McAfee, and 
rule-writer provided URLs.

Good night folks,


P.s. Let me know if are any problems in the distribution, the new 
code, or in the documentation.  There was quite significant changes 
and it is now 1:30am when I am doing this release.
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|

More information about the Snort-users mailing list