[Snort-users] Upgrade from 1.7 to 1.8?

Erek Adams erek at ...577...
Fri Sep 7 15:19:02 EDT 2001

On Fri, 7 Sep 2001, Thomas Porter, Ph.D. wrote:

> Currently running 1.7 on freebsd 4.2 w/ logging to remote acid on a linux
> box.  I'm real pleased w/ this setup.  Can anyone suggest what would compel
> me to move to 1.8x?  I'm not trying to be a wiseguy - I really want to know.

My personal top 3:

1)  Stateful inspection
2)  More Stability
3)  More Optimization in the codebase.

Now, from the NEWS file:

08-14-01    I was planning on getting this release out sooner than this (since
            it's largely a bugfix release) but my wife and I went and had a
            baby 2 weeks ago, which affected the schedule a little. ;) Anyway,
            barring any major problems the Snort 1.x code will now be going
            into maintenance mode as we begin development on 2.0.

            This version adds the following:

            * SNMP alerts
            * IDMEF XML output (the Silicon Defense plugin is integrated into
              the main codebase now)
            * Limited regex support in the rules language
            * New packet counters for stream4 and frag2
            * New normalization mode for http_decode

            And a slew of bug fixes.  We should get to work on 2.0 shortly, so
            hopefully the next release of this NEWS file will be talking about
            that!  (knock on wood...)

07-09-01    Well, this one was a long time coming, but I think it was worth the
            wait.  Snort can now perform stateful inspection, has improved
            defragmentation capabilities, uses less memory, leaks less of the
            memory that it does use, is faster, and has a bunch of other good
            stuff.  Truly, this is probably the ultimate development of the
            1.X series of Snort.  After this version we will begin development
            on Snort 2.0, which will have a great many new features, be faster
            and more flexible, and generally be about the finest network
            intrusion detection system that an open source community can build.

            See the Changelog (read all the way back to January of this year)
            for changes and additions, there are far too many to list here.
            Some of the highlights include

            * stateful inspection
            * new tcp stream reassembly code
            * new ip defragmenter
            * new protocol available for the rules language: ip
            * more extensive printouts of cross reference and info in alerts
            * new normalizer preprocessors for telnet, rpc
            * 2 new output plugins (unified, csv)
            * 5 new preprocessors (stream4, frag2, bo, telnet_decode,
            * 10 new rule options
            * unique rule IDs
            * A whole slew of command line options (7 at last count)
            * Mega bug-fixes from 1.7

            Snort can now leap tall buildings in a single bound.

Convinced yet?  I mean, what other version could leap those buildings?  ;-)

Erek Adams
