Tuesday, February 8, 2011

Snort 2.9.0.4 is coming this week!

Snort 2.9.0.4 is currently slated for release on Thursday.  It brings about several improvements to the Snort code and documentation (thanks to those members of the Snort Community who submitted bugs for both the code and documentation!), as well as the inclusion of SaaC (Snort as a Collector) code for Razorback.

Below are the 2.9.0.4 release notes, along with some inline bullet points on the improvements (thanks to Russ for providing the information below):

[*] Improvements
  * Added the Razorback "Snort as a Collector" (SaaC) dynamic preprocessor.
    This is for experimental use only! Enable it by compiling with
    --enable-rzb-saac.

  * Fixed false positives in HTTP traffic, which were caused by large HTTP
    chunks split across two packets.
* When there is a large chunk length (not in the first packet), and the packet size is less than the chunk length, the copy fails and hence the DecodeBuffer is not overwritten. Any subsequent packet uses the decode buffer without overwriting it, and hence the false positive. The fix was to extract the packet size when the packet size is less than the chunk length.

  * Made several updates to the Snort manual and READMEs.

  * Fixed a false positive on Stream5 rule 129:15, caused by a RST following
    a FIN.
* When a TCP FIN was processed the FIN pseudo-octet was not always accounted for in the sequence number tracking within the stream5 preprocessor.  A subsequent TCP RST in the FIN-Wait-1 or FIN-Wait-2 states could then lead to a false positive for 129:15.  The fix is to ensure proper accounting of the TCP FIN pseudo-octet.  This problem did not affect TCP RSTs while the session was fully established.
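As an added illustration, not Snort's own Stream5 code: a simplified per-direction tracker that assumes, purely for illustration, an exact-match check of the RST sequence number after a FIN (how Stream5 actually validates resets is not described here). It shows how skipping the FIN pseudo-octet makes a legitimate RST look one sequence number off:

```c
#include <stdbool.h>
#include <stdint.h>

#define TH_FIN 0x01
#define TH_RST 0x04

/* Hypothetical per-direction tracker, not Snort's Stream5 structures. */
typedef struct {
    uint32_t next_seq;  /* next sequence number expected from this sender */
    bool     fin_seen;  /* sender has sent FIN (FIN-WAIT-1/2 on its side) */
} tracker_t;

typedef struct {
    uint32_t seq;
    uint8_t  flags;
    uint32_t payload_len;
} segment_t;

/* Update tracking for a data/FIN segment. count_fin_octet = true is the
   fixed behaviour; false reproduces the bug of ignoring the FIN octet. */
void track_segment(tracker_t *t, const segment_t *s, bool count_fin_octet)
{
    t->next_seq = s->seq + s->payload_len;
    if (s->flags & TH_FIN) {
        t->fin_seen = true;
        if (count_fin_octet)
            t->next_seq += 1;  /* RFC 793: FIN consumes one sequence number */
    }
}

/* Assumed (simplified) reset check: after FIN, the RST must carry exactly
   the next expected sequence number, otherwise it is treated as out of window. */
bool rst_in_window(const tracker_t *t, const segment_t *rst)
{
    return (rst->flags & TH_RST) && t->fin_seen && rst->seq == t->next_seq;
}

/* Constructed scenario: 10 data bytes plus FIN at seq 1000, then the same
   sender aborts with an RST at seq 1011 (1000 + 10 data + 1 FIN octet).
   Returns whether the tracker accepts that RST. */
bool replay_fin_then_rst(bool count_fin_octet)
{
    tracker_t t   = { 1000, false };
    segment_t fin = { 1000, TH_FIN, 10 };
    segment_t rst = { 1011, TH_RST, 0 };
    track_segment(&t, &fin, count_fin_octet);
    return rst_in_window(&t, &rst);
}
```

With correct accounting the RST is accepted; with the buggy accounting the tracker expects seq 1010 and the same RST is rejected, which is the kind of mismatch that surfaced as the 129:15 false positive.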

  * Fixed a bug in HTTP_STAT_MSG.
* The HTTP STATUS MSG BUFFER included the CR LF from the status line.  With the fix, the HTTP STATUS MSG BUFFER now contains only the status message from the HTTP response and not the CR LF from the status line.