[Snort-users] Upgrade from 1.7 to 1.8?
erek at ...577...
Fri Sep 7 15:19:02 EDT 2001
On Fri, 7 Sep 2001, Thomas Porter, Ph.D. wrote:
> Currently running 1.7 on freebsd 4.2 w/ logging to remote acid on a linux
> box. I'm real pleased w/ this setup. Can anyone suggest what would compel
> me to move to 1.8x? I'm not trying to be a wiseguy - I really want to know.
My personal top 3:
1) Stateful inspection
2) More Stability
3) More Optimization in the codebase.
Now, from the NEWS file:
08-14-01 I was planning on getting this release out sooner than this (since
it's largely a bugfix release) but my wife and I went and had a
baby 2 weeks ago, which affected the schedule a little. ;) Anyway,
barring any major problems the Snort 1.x code will now be going
into maintenance mode as we begin development on 2.0.
This version adds the following:
* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into
the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode
And a slew of bug fixes. We should get to work on 2.0 shortly, so
hopefully the next release of this NEWS file will be talking about
that! (knock on wood...)
07-09-01 Well, this one was a long time coming, but I think it was worth the
wait. Snort can now perform stateful inspection, has improved
defragmentation capabilities, uses less memory, leaks less of the
memory that it does use, is faster, and has a bunch of other good
stuff. Truly, this is probably the ultimate development of the
1.X series of Snort. After this version we will begin development
on Snort 2.0, which will have a great many new features, be faster
and more flexible, and generally be about the finest network
intrusion detection system that an open source community can build.
See the Changelog (read all the way back to January of this year)
for changes and additions; there are far too many to list here.
Some of the highlights include
* stateful inspection
* new tcp stream reassembly code
* new ip defragmenter
* new protocol available for the rules language: ip
* more extensive printouts of cross reference and info in alerts
* new normalizer preprocessors for telnet, rpc
* 2 new output plugins (unified, csv)
* 5 new preprocessors (stream4, frag2, bo, telnet_decode,
* 10 new rule options
* unique rule IDs
* A whole slew of command line options (7 at last count)
* Mega bug-fixes from 1.7
Snort can now leap tall buildings in a single bound.
Convinced yet? I mean, what other version could leap those buildings? ;-)