Tuesday, August 23, 2011

Snort 2.9.1 has been released, including Protocol Aware Flushing and IP Reputation Preprocessor

Snort 2.9.1 has been released!

Now available at our download link here:  http://www.snort.org/snort-downloads/


Please start downloading and using Snort 2.9.1.  You should be aware that you'll get some new alerts and things will behave a bit differently with the file_data rule option now because of PAF.  For more on PAF please read the README.stream5 documentation file.

The Snort 2.9.1 manual will be up on http://manual.snort.org and http://www.snort.org/docs in a few minutes.

Every Friday for the next few weeks we will be posting a new blog post covering the new features of 2.9.1 directly from the Snort Developers.  So stay tuned!

Below are the Release Notes and Changelog for everything since the release of Snort 2.9.0.5:


Snort 2.9.1 introduces the following new capabilities:

* Protocol aware reassembly support for HTTP and DCE/RPC
preprocessors.  Updates to Stream5 allowing Snort to more
intelligently inspect HTTP and DCE/RPC requests and responses.
See README.stream5 subsection related to Protocol Aware Flushing
(PAF).

* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords.  Also includes new
preprocessor rules for anomalies in the SIP communications.
See the Snort Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in
Base64, Quoted Printable, and uuencode formats, and updates
to SMTP preprocessor for decoding email attachments encoded
as Quoted Printable and uuencode formats.  See the Snort
Manual, README.pop, README.imap, and README.SMTP for details.

* Support for reading large pcap files.

* Logging of HTTP URL (host and filename), SMTP attachment
filenames and email recipients to unified2 when Snort generates
events on related traffic.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This preprocessor
is still in an experimental state, so please report any issues
to the Snort team.  See README.reputation for more information.

Additionally, the following updates and improvements have been made:

* Updates to give shared library rules direct access to gzip
decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer.  This change
may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.
To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations.  Obtain pkg-config from freedesktop.org.

* Many updates and improvements to the Snort documentation.  Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.

* Updates to the sensitive data preprocessor for handling HTTP
traffic and reducing false positives.

* Updates to Snort's config parsing to provide more meaningful
error messages relating to snort.conf errors and configuration
display at startup.

* Updates to Snort's active response packets whether via response
keyword or part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data.
Additional HTTP Inspect alerts for evasion attempts such as small
chunks and excessive whitespace in folded headers.

* Updates to the statistics Snort prints to console or syslog
at exit for different preproessors.




2.9.1.0 Changelog:

Snort 2.9.1
* src/build.h:
Updated build number to 71.

* etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
src/decode.h, src/generators.h, src/snort.c,
src/dynamic-plugins/sf_engine/sf_snort_packet.h:
Fixed an issue with decoding large numbers of IPv6 extension headers.
Added rule 116:456 to safeguard against too many IPv6 extension headers.
Thanks to Martin Schutte for reporting the issue.

* src/detection-plugins/sp_urilen_check.c,
src/detection-plugins/sp_urilen_check.h:
Fixed the urilen rule option to look at reassembled packets.
Added an extra parameter to specify whether to check raw or normalized uri buffer. Will check raw uri buffer by default.

* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/pop/sf_pop.dsp,
dynamic-preprocessors/reputation/sf_reputation.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp:
Fixed a bug where the sensitive_data preprocessor gave an error while loading sensitive data rules.

* doc/README.http_inspect, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/utils/hi_paf.c:
Added two HTTP Inspect preprocessor rules:
119:28 - post w/o content-length or transfer-encoding: chunked
120:8 - message with invalid content-length or chunk size

* src/preprocessors/spp_httpinspect.c:
Fixed a bug where Snort wouldn't reload, giving the error that
"Changing decompress_depth requries a restart".

* etc/gen-msg.map:
Commented out four rules from gen-msg.map, 133:44 through 133:47,
because they were not yet implemented.

* preproc_rules/preprocessor.rules:
Added a CVE reference for Rule 119:19.
Added a reference to SMTP preprocessor rule 124:4.
Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
alert that was missing the corresponding rule.

* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
PAF tweak for single-segment full PDUs matching only-stream

* src/snort.c:
Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
Set default paf_max to 16K.

* doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
Added a use case in the IP Reputation preprocessor documentation.

* src/: dynamic-preprocessors/reputation/reputation_config.c,
dynamic-preprocessors/reputation/sf_reputation.dsp,
win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:

Fixed the IP Reputation preprocessor so that it would build on Windows.

* src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
server/hi-server.c, utils/hi_paf.c:
Support up to full 32-bit content-lengths

* src/preprocessors/Stream5/stream5_paf.c:
Fixed compilation with the options "--disable-target-based --enable-paf".

* src/preprocessors/Stream5/snort_stream5_tcp.c:
Fixed an error in IDS mode when segments overlap and the sequence
number wraps.

* tools/u2spewfoo/Makefile.am:
Added the u2spewfoo Windows project file to the Snort source tarball.

Snort 2.9.1 RC
* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
Added three new SIP preprocessor alerts.

* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
stream5_paf.h:
Allow multiple preprocs to scan for PDUs on the same port.
This fixes a problem with DCE autodetect using the same
ports as HTTP.

* src/build.h:
Updated build number to 63.

* src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
detection-plugins/sp_tcp_win_check.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
preprocessors/spp_normalize.c:
Fixed some compiler warnings.

* src/: detection-plugins/detection_options.c,
detection-plugins/sp_flowbits.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/examples/Makefile.am,
dynamic-plugins/sf_engine/examples/flowbits_test.c,
dynamic-plugins/sf_engine/examples/rules.c,
dynamic-plugins/sf_engine/examples/web-client_test.c:
Only set/clear/toggle/unset a flowbit when all of the rule
matches, including the IPs and Ports. Thanks to Eoin Miller
for reporting the issue.

* src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
ssh/Makefile.am, ssl/Makefile.am:
Fixed dynamic preprocesor Makefiles so that they can be built
in parallel.

* doc/README.http_inspect, doc/snort_manual.pdf,
doc/snort_manual.tex, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/snort_httpinspect.h,
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/include/hi_ui_config.h,
src/preprocessors/HttpInspect/include/hi_util.h,
src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
src/sfutil/util_unfold.c:

Added a new HTTP Inspect preprocessor rule, GID 119 SID 26.  This rule checks for 200+ whitespaces in a folded header line from an HTTP request. A new config option was added to configure the allowable amount whitespace.

Added a new configuration option to http_inspect server configuration:
"small_chunk_length { <chunk_size> <num_consec_chunks> }", with preprocessor rules for both client and server. Consecutive chunk lengths less than or equal to <chunk_size> will cause an event to be generated.

See README.http_inspect for more information.

* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp,
win32/WIN32-Prj/sf_engine_initialize.dsp,
win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
Fixed the Win32 build to (1) not use .pch, and (2) correct sed
patterns on ipv6_port.h.

* src/output-plugins/spo_alert_sf_socket.c:
Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin.
The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.

* src/sfutil/: sfrt.c, sfrt.h:
Optimized some memory usage.

* configure.in:
Add check for pkg-config and provide instructions to get it if pkg-config is not installed.

* src/preprocessors/Stream5/: snort_stream5_tcp.c,
stream5_common.h:
Show single segment PAF packets and only short-circuit at
correct sequence.
When aborting PAF, flush at paf_max.
Tweaked retransmission check to use actual sequence numbers
instead of the adjusted sequence numbers.
Changed the pseudo-random flush point after each flush.

* src/snort.c:
Fixed a compilation error when active response is disabled.

* src/snort.h:
Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Olaf Schreck for reporting this issue.

* src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
spp_perfmonitor.c:
Split out Perfmon submodule Init and Reset, so that everything is
initialized when the Perfmonitor preprocessor is initialized.
Previously, some data was initialized on the first packet.

* src/detection-plugins/sp_tcp_flag_check.c:
Fixed a couple spots where the "1" and "2" flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for reporting the issue and supplying a patch.

* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h,
preproc_rules/preprocessor.rules, etc/gen-msg.map:
Added a new SIP preprocessor alert for missing content type headers.
Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.

* etc/unicode.map:
Updated unicode.map to match the unicode standard on Windows 7 SP1.

* etc/snort.conf:
Sync'ed to VRT's latest snort.conf.

* src/: decode.c, detect.c:
Tweaked the preprocessing loop to bypass app preprocs if no app data.

* src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
src/dynamic-preprocessors/reputation/Makefile.am,
src/dynamic-preprocessors/reputation/reputation_config.h,
src/dynamic-preprocessors/reputation/reputation_utils.c,
src/dynamic-preprocessors/reputation/sf_reputation.dsp,
src/dynamic-preprocessors/reputation/spp_reputation.c,
src/dynamic-preprocessors/reputation/spp_reputation.h,
src/dynamic-preprocessors/reputation/reputation_config.c,
src/dynamic-preprocessors/reputation/reputation_debug.h,
src/dynamic-preprocessors/reputation/reputation_utils.h,
doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
doc/snort_manual.tex, preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/Makefile.am, configure.in,
src/preprocids.h, etc/gen-msg.map:
Added the IP Reputation preprocessor. This preprocessor provides the ability to whitelist and blacklist packets based on IP addresses.
See README.reputation for more information.

* src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
dynamic-preprocessors/dcerpc2/Makefile.am,
dynamic-preprocessors/dcerpc2/dce2_config.c,
dynamic-preprocessors/dcerpc2/dce2_debug.h,
dynamic-preprocessors/dcerpc2/dce2_paf.c,
dynamic-preprocessors/dcerpc2/dce2_paf.h,
dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dcerpc2/snort_dce2.c:
Added protocol-aware flushing support for the dcerpc2 preprocessor.

* src/dynamic-plugins/sf_convert_dynamic.c:
Added the ability to convert shared object rules that use the preprocessor rule option.

* src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
Stream5/snort_stream5_tcp.c:
Don't enable paf unless stream ports configured for the given direction; add "(PAF)" to http inspect ports output to indicate when enabled; and only register port for given direction if corresponding flow depth is set.

Support full 32-bit content-lengths and chunk sizes, and flush/abort when exceeded.

* doc/README.SMTP, doc/snort_manual.tex,
src/dynamic-preprocessors/smtp/smtp_config.h,
src/dynamic-preprocessors/smtp/smtp_util.c,
src/dynamic-preprocessors/smtp/snort_smtp.c,
src/dynamic-preprocessors/smtp/snort_smtp.h,
src/dynamic-preprocessors/smtp/spp_smtp.c:
Fixed performance issue: allocate the buffers used for filename, mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool).
Added a fatal error when b64_decode_depth is used with enable_mime_decoding.

* src/dynamic-plugins/sf_engine/examples: all rule files:
Fixed compiler warnings.


* configure.in:
Updates to configure.in.
Fix zlib checks to use correctly named variable for checking zlib header and library existence.
Enable IPv6 by default in builds.  Can use --disable-ipv6 to turn it off.
Using --enable-zlib, configure should fail.  snort -V should show IPv6 by default and VRT config should load without modification.

Added a new option, "--enable-large-pcap", which allows Snort to read pcap files that are larger than 2 GB.
Changed the default ./configure options to match the requirements for the bundled snort.conf
* doc/: INSTALL, README.imap, README.pop,
README.SMTP, README.stream5, README.sip, README.tag,
README.http_inspect, README.counts, README.normalize,
snort_manual.pdf, snort_manual.tex:
Updated documentation for Snort 2.9.1:

Added documentation for new SIP, POP and IMAP preprocessors
Updated README.stream5 with documentation for Protocol Aware Flushing (PAF)
Updated README.http_inspect with memcap information, clarified "http_cookie" information, and documentation for "log_uri" and "log_hostname".
Fixed a typo in README.counts
Updated "byte_extract" section to reflect syntax changes
Improved the explanation of "max_queued_events"
Added documentation for the ESP decoder, which is now configurable
Improved the explanation of "rawbytes"
Fixed an incorrect example in README.tag.
* etc/snort.conf:
Synced snort.conf with VRT's latest version.

Added configurations for new preprocessors.
* preproc_rules/: decoder.rules, preprocessor.rules
Added new preprocessor rules for SIP, SMTP, POP, and IMAP.

Added decoder rules 116:453, 116:454, and 116:455. These rules
were formerly covered by VRT rules.
* src/build.h: Updated build number to 46
* src/decode.c:
TCP and UDP decoder rules that require a fully-decoded packet will only fire if the checksum is correct and the port number is not ignored.

ESP decoding is now configurable, and off by default.

The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists.
The Teredo decoder now only processes packets in the Teredo prefix
(2001:0000::/32) or the link-local prefix (fe80::/16).
* src/detection-plugins/sp_cvs.c:
Fixed a false positive in the CVS detection plugin.
* doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
Made some changes to the byte_extract syntax:
Writing "string" without a number type defaults to decimal.
The "string" and "hex/dec/oct" options are now independent of each other, like in byte_test and byte_jump. You can write "string,dec", "hex,string", "string,relative,oct", etc.
Specifying one of "hex", "dec", and "oct" without using "string"
results in an error.
byte_extract options can no longer be delimited by spaces. This does not affect "align <num>" or "multiplier <num>".
* src/: parser.c, util.c, util.h,
detection-plugins/sp_base64_decode.c,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,

dynamic-plugins/sp_dynamic.c,
dynamic-preprocessors/smtp/smtp_util.c,
preprocessors/HttpInspect/client/hi_client.c,
preprocessors/HttpInspect/server/hi_server.c,
sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
Changes include the following:
- Attempt dechunkind only when transfer-encoding: chunked is present.
- Override the content length with transfer encoding
- SnortStrcasestr uses slen now.
- unfolding : trim spaces when required.
* src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
Update Frag3/Stream5 to print bound addresses, better descriptsions of detect anomalies and port lists.
- Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
- Updated Frag3 to print meaningful detect anomalies configuration
- Updated Stream5 to print that there are more ports than those printed.
* src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
sf_decompression.h, sf_snort_detection_engine.c,
sf_snort_plugin_api.h:
Added a Decompression API that wraps Zlib for use with dynamic
plugins. See sf_decompression.h for more details.
* src/: fpcreate.c, fpdetect.c, treenodes.h:
Update pattern matcher and sort functions to correctly sort by priority as well as implement sorting by content_length (which was never done with 2.8.2 addition of rule option tree).

Added a warning when max-pattern-len is defined twice.

Packets will no longer be tagged or logged if they are filtered or passed.
* src/preprocessors/Stream5:
Ensured that reassembly doesn't require packet dropping in IPS mode.
The message "additional ports configured but not printed" is only printed when that is actually the case.
* src/snort.c:
fix output of filename / shutdown alerts sequence when iterating over multiple pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or
-A console:test).

Fixed an issue with reloading Snort while the default output options were used.

When reading several pcap files with --pcap-dir, Snort will move on
to the next file if one fails to load.
* src/output-plugins/spo_alert_full.c:
Update alert_full to print rule references, regardless of whether
there is TCP/UDP/etc.
* src/output-plugins/spo_log_tcpdump.c:
convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0
fix 'mixed decls and code' compiler warning
* src/: decode.h, detect.c, detection_util.c, detection_util.h,
fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
rule_option_types.h, detection-plugins/Makefile.am,
detection-plugins/detection_options.c,
detection-plugins/sp_base64_data.c,
detection-plugins/sp_byte_check.c,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_jump.c,
detection-plugins/sp_file_data.c,
detection-plugins/sp_ftpbounce.c,
detection-plugins/sp_isdataat.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
detection-plugins/sp_pkt_data.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_dynamic_common.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_dynamic_engine.h,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_packet.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
dynamic-preprocessors/ftptelnet/pp_ftp.c,
dynamic-preprocessors/ftptelnet/pp_telnet.c,
dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
dynamic-preprocessors/smtp/smtp_util.c,
dynamic-preprocessors/smtp/snort_smtp.c,
dynamic-preprocessors/smtp/snort_smtp.h,
preprocessors/snort_httpinspect.c,
preprocessors/snort_httpinspect.h,
preprocessors/spp_rpc_decode.c,
preprocessors/HttpInspect/server/hi_server.c,
preprocessors/HttpInspect/server/hi_server_norm.c,
preprocessors/Stream5/snort_stream5_tcp.c:
The "file_data" and "base64_data" rule options now set the buffer
for any rule options that follow them. This applies to both relative and non-relative rule options.

The detection code now uses 3 separate buffers:
- "Alt Detect": set by file_data, base64_data, etc.
- "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
- Raw packet data

The AltDetect buffer can also be set by custom .so rules.
* src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
src/sfutil/Unified2_common.h:
IPv6 source and destination addresses are now logged in Unified2 as extra data events. This is configured with "config log_ipv6_extra_data".
* src/dynamic-preprocessors/sip/Makefile.am,
src/dynamic-preprocessors/sip/sf_sip.dsp,
src/dynamic-preprocessors/sip/sip_config.c,
src/dynamic-preprocessors/sip/sip_config.h,
src/dynamic-preprocessors/sip/sip_debug.h,
src/dynamic-preprocessors/sip/sip_dialog.c,
src/dynamic-preprocessors/sip/sip_dialog.h,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/sip_parser.h,
src/dynamic-preprocessors/sip/sip_roptions.c,
src/dynamic-preprocessors/sip/spp_sip.c,
src/dynamic-preprocessors/sip/spp_sip.h,
src/dynamic-preprocessors/sip/sip_roptions.h,
src/dynamic-preprocessors/sip/sip_utils.c,
src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
src/dynamic-preprocessors/Makefile.am:
Added a new preprocessor for SIP traffic.
See README.sip and the Snort Manual for more information.
* src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
dynamic-preprocessors/dcerpc2/spp_dce2.c,
preprocessors/spp_frag3.c:
Make Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD).  The 'bsd' policy is NOT used for OpenBSD, which is the only OS on which the vulnerability was present.

This reduces false positives to only occur when frag3 policy is linux and its an actual linux system, rather than the alert occurring regardless of frag policy.
* src/: detection-plugins/Makefile.am,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_extract.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_engine/Makefile.am,

dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
Added support for ByteExtract variables to the .so rule versions of
Content, ByteTest, ByteJump, and isdataat.
* src/: encode.c, preprocessors/spp_normalize.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.c:
Fixed the TTL on encoded response packets.
* src/: fpcreate.c, fpdetect.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pattern_match.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
Update to not inspect HTTP method buffer with Snort's fast pattern engine.
Rules with only HTTP method content end up as non-content rules.
This eliminates a short cycle of searches with fast pattern on every initial HTTP request.
* src/dynamic-preprocessors/pop/: all files
Added a new preprocessor for POP traffic.
See README.pop for more information.
* src/dynamic-preprocessors/imap/: all files
Added a new preprocessor for IMAP traffic.
See README.imap for more information.
* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
Base64 decoding was moved to its own section in sfutil, for use by the new email preprocessors.

Added support for uuencoded email attachments.
* src/dynamic-preprocessors/sdf/spp_sdf.c:
The Sensitive Data preprocessor now inspects the "file_data" buffer, used for HTTP response bodies & decoded email attachments.
* src/: snort.c, preprocessors/spp_stream5.c,
preprocessors/stream_api.h:
Update Snort to return a DAQ verdict of whitelist (meaning don't send Snort any more packets) for sessions that are being ignored in both directions or ports that are configured to ignore.  For DAQ modules and hardware that supports it, this should result in a performance gain because Snort no longer has to decode packets that are part of that connection.
* src/util.c:
Added an error message when opening a pid file fails.
* src/preprocessors/HttpInspect/: client/hi_client.c,
server/hi_server.c:
The Set-Cookie: and Cookie: headers wont be included in the cookie buffers.
* configure.in, src/active.c, src/active.h, src/decode.h,
src/encode.c, src/encode.h, src/log_text.c, src/log_text.h,
src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c,
src/sfdaq.h, src/snort.h, src/snort_debug.h,
src/detection-plugins/sp_react.c,
src/detection-plugins/sp_respond3.c,
src/dynamic-plugins/sf_dynamic_define.h,
src/dynamic-plugins/sf_engine/sf_snort_packet.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/spp_httpinspect.c,
src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
src/preprocessors/HttpInspect/Makefile.am,
src/preprocessors/HttpInspect/include/Makefile.am,
src/preprocessors/HttpInspect/include/hi_paf.h,
src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
src/preprocessors/HttpInspect/server/hi_server.c,
src/preprocessors/HttpInspect/utils/Makefile.am,
src/preprocessors/HttpInspect/utils/hi_paf.c,
src/preprocessors/Stream5/Makefile.am,
src/preprocessors/Stream5/snort_stream5_icmp.c,
src/preprocessors/Stream5/snort_stream5_session.c,
src/preprocessors/Stream5/snort_stream5_tcp.c,
src/preprocessors/Stream5/snort_stream5_tcp.h,
src/preprocessors/Stream5/snort_stream5_udp.c,
src/preprocessors/Stream5/stream5_common.c,
src/preprocessors/Stream5/stream5_common.h,
src/preprocessors/Stream5/stream5_paf.c,
src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
Added support in Stream5 for Protocol Aware Flushing (PAF). PAF allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation.

Added PAF support to HTTP Inspect, allowing the preprocessor to determine when HTTP sessions are flushed by Stream5.

See README.stream5 for more details.
* src/preprocessors/: stream_ignore.h, stream_ignore.c,
Stream5/snort_stream5_udp.c:
Added support for ignoring UDP channels. Light weight session will be created to track UDP channel, even ports are not monitored.
* src/win32/: most files
Updated Snort and its libraries to build/link against MFC.


No comments:

Post a Comment