Friday, October 28, 2011

Snort 2.9.2 Beta has been released

I personally view this as a big day in Snort history. Snort 2.9.2, with the features below, is a large step forward for both detection and development. Let me paste the release notes and expand on them a bit:

2011-10-28 - Snort 2.9.2 Beta
[*] New Additions
* SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors
to support writing rules for detecting attacks for control systems.
New rule keywords are supported, and DNP3 leverages Stream5 PAF
support for TCP reassembly. See the Snort Manual, README.dnp3 and
README.modbus for details of the configurations and new rule
options.


Two SCADA preprocessors. We've had these under development for a while now, but this is the first time the public has seen them, so we're excited about what's going to happen here. They bring a few new Snort rule keywords into the family:

dnp3_func
dnp3_ind
dnp3_obj
dnp3_data

and

modbus_func
modbus_unit
modbus_data
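
To make the new keywords concrete, here is an added example (my own code, not Snort's and not anything from README.modbus) that parses Modbus/TCP frames and evaluates the same three checks a rule such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"Modbus write multiple registers to unit 1"; flow:to_server,established; modbus_func:write_multiple_registers; modbus_unit:1; sid:1000001;)` would make (keyword syntax as documented in README.modbus; the sid is a local placeholder). The function-code name table is a subset, and the frames at the bottom are constructed for the example. DNP3 is left out here: its link-layer CRC framing and transport-layer fragmentation make a parser a longer job (the preprocessor relies on Stream5 PAF for its TCP reassembly, as the notes say).

```python
# Added example, not part of Snort or its README.modbus: a minimal Modbus/TCP
# parser that pulls out the fields behind the new rule keywords
# (modbus_unit -> unit id, modbus_func -> function code, modbus_data -> the
# bytes after the function code) and a rule-style matcher over them.
# The sample frames at the bottom are constructed for this example.
import struct
from dataclasses import dataclass

# Function-code names in the form README.modbus accepts for modbus_func
# (subset; the numeric code is accepted as well).
MODBUS_FUNC = {
    1: "read_coils",
    2: "read_discrete_inputs",
    3: "read_holding_registers",
    4: "read_input_registers",
    5: "write_single_coil",
    6: "write_single_register",
    8: "diagnostics",
    15: "write_multiple_coils",
    16: "write_multiple_registers",
    17: "report_slave_id",
    43: "encapsulated_interface_transport",
}
FUNC_BY_NAME = {name: code for code, name in MODBUS_FUNC.items()}


@dataclass
class ModbusPDU:
    transaction_id: int
    protocol_id: int
    length: int      # MBAP length: unit id + function code + data
    unit_id: int     # what modbus_unit matches
    func: int        # what modbus_func matches
    data: bytes      # where modbus_data places the detection cursor


def parse_modbus_tcp(frame: bytes) -> ModbusPDU:
    """Parse one MBAP header plus PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The length field counts the unit id, function code and data, so the
    # whole frame must be exactly 6 + length bytes.
    if length < 2 or 6 + length != len(frame):
        raise ValueError("MBAP length %d disagrees with %d-byte frame" % (length, len(frame)))
    return ModbusPDU(tid, pid, length, unit, frame[7], frame[8:])


def modbus_match(frame: bytes, func=None, unit=None, data_contains=None) -> bool:
    """Combine modbus_func / modbus_unit / modbus_data+content the way a rule
    does: every option given must hold.  func may be a code or a name."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError:
        return False  # a broken frame matches nothing; the preprocessor alerts instead
    if func is not None:
        want = func if isinstance(func, int) else FUNC_BY_NAME[func]
        if pdu.func != want:
            return False
    if unit is not None and pdu.unit_id != unit:
        return False
    if data_contains is not None and data_contains not in pdu.data:
        return False
    return True


# Constructed sample: Write Multiple Registers (0x10) to unit 1, start 0,
# quantity 2, byte count 4, values 0xFFFF 0xFFFF.
WRITE_MULTI = bytes.fromhex("0001 0000 000b 01 10 0000 0002 04 ffff ffff")
# Constructed sample: Read Holding Registers (0x03) from unit 1, 10 registers from 0.
READ_HOLD = bytes.fromhex("0002 0000 0006 01 03 0000 000a")

if __name__ == "__main__":
    # The check a rule with modbus_func:write_multiple_registers; modbus_unit:1; makes.
    for name, frame in (("write", WRITE_MULTI), ("read", READ_HOLD)):
        print(name, modbus_match(frame, func="write_multiple_registers", unit=1))
```

The length check matters more than it looks: a frame whose MBAP length disagrees with its size is exactly the kind of input that makes a naive matcher read function codes out of the wrong bytes, so the matcher treats it as non-matching and leaves the complaint to the preprocessor.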


* GTP decoding and preprocessor. Updated the Snort packet decoders
and added a preprocessor to support detecting attacks over GTP (GPRS
Tunneling Protocol). Snort's GTP support handles multiple versions
of GTP and has a rich configuration set. See the Snort Manual and
README.GTP for details.


GTP (GPRS Tunneling Protocol) is the protocol mobile core networks use to carry signalling and tunnelled user traffic between GSNs (GPRS Support Nodes, such as the SGSN and GGSN). The GTP decoder and preprocessor give rules a way to inspect intrusion attempts that reach those networks through GTP, and they make detecting new attacks over it easier.
A couple of new keywords come along as well:

gtp_type
gtp_info
gtp_version
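
As an added example (again my own code, not Snort's decoder or anything from README.GTP), the decoder below shows what "multiple versions of GTP" means in practice: the three header layouts that gtp_version and gtp_type have to be read from, plus information-element walking for gtp_info in GTPv2. The sample packets are constructed and carry no real subscriber data; GTPv1 IE parsing, which needs a per-type length table, is left out.

```python
# Added example, not part of Snort or its README.GTP: a decoder for the GTP
# header in versions 0, 1 and 2 (what gtp_version and gtp_type select on) plus
# GTPv2 information-element walking for gtp_info.  Samples are constructed.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GTPHeader:
    version: int
    msg_type: int        # what gtp_type matches
    length: int          # octets after the mandatory part of the header
    teid: Optional[int]  # None in v0, and in v2 when the T flag is clear
    seq: Optional[int]
    hdr_len: int         # offset of the first IE / the tunnelled payload
    ies: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (type, instance, value)


def parse_gtpv2_ies(body: bytes) -> List[Tuple[int, int, bytes]]:
    """GTPv2 IEs are uniform TLVs: type, 16-bit length, instance nibble, value."""
    ies, off = [], 0
    while off + 4 <= len(body):
        ie_type, ie_len = body[off], struct.unpack("!H", body[off + 1:off + 3])[0]
        value = body[off + 4:off + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("IE type %d truncated" % ie_type)
        ies.append((ie_type, body[off + 3] & 0x0F, value))
        off += 4 + ie_len
    return ies


def parse_gtp(buf: bytes) -> GTPHeader:
    """Decode the GTP header at the start of a UDP payload; ValueError on junk."""
    if len(buf) < 8:
        raise ValueError("too short for any GTP header")
    flags = buf[0]
    version = flags >> 5
    if version == 0:
        # Fixed 20 octets: flags, type, length, seq, flow label, N-PDU, 3 spare, TID.
        if len(buf) < 20:
            raise ValueError("truncated GTPv0 header")
        msg_type, length, seq = struct.unpack("!BHH", buf[1:6])
        hdr = GTPHeader(0, msg_type, length, None, seq, 20)
    elif version == 1:
        # 8 mandatory octets; if E (0x04), S (0x02) or PN (0x01) is set, four
        # optional octets follow and are included in the length field.
        msg_type, length, teid = struct.unpack("!BHI", buf[1:8])
        hdr_len, seq = 8, None
        if flags & 0x07:
            if len(buf) < 12:
                raise ValueError("truncated GTPv1 optional fields")
            hdr_len = 12
            seq = struct.unpack("!H", buf[8:10])[0] if flags & 0x02 else None
        hdr = GTPHeader(1, msg_type, length, teid, seq, hdr_len)
    elif version == 2:
        # 4 mandatory octets, TEID only if T (0x08) is set, then a 3-octet
        # sequence number and a spare octet; length counts all after octet 4.
        msg_type, length = struct.unpack("!BH", buf[1:4])
        off, teid = 4, None
        if flags & 0x08:
            teid, off = struct.unpack("!I", buf[4:8])[0], 8
        if len(buf) < off + 4:
            raise ValueError("truncated GTPv2 header")
        seq = int.from_bytes(buf[off:off + 3], "big")
        hdr = GTPHeader(2, msg_type, length, teid, seq, off + 4)
    else:
        raise ValueError("unsupported GTP version %d" % version)
    mandatory = {0: 20, 1: 8, 2: 4}[version]
    if mandatory + hdr.length > len(buf):
        raise ValueError("length %d overruns %d-byte buffer" % (hdr.length, len(buf)))
    if version == 2:
        hdr.ies = parse_gtpv2_ies(buf[hdr.hdr_len:mandatory + hdr.length])
    return hdr


def tbcd_digits(value: bytes) -> str:
    """Decode TBCD digits (low nibble first, 0xF pads), the IMSI encoding."""
    return "".join(str(n) for b in value for n in (b & 0x0F, b >> 4) if n != 0x0F)


def gtp_match(buf: bytes, version=None, msg_type=None, info=None) -> bool:
    """gtp_version / gtp_type / gtp_info evaluated together, as a rule would;
    info is an IE type and is only looked up in GTPv2 messages here."""
    try:
        hdr = parse_gtp(buf)
    except ValueError:
        return False
    if version is not None and hdr.version != version:
        return False
    if msg_type is not None and hdr.msg_type != msg_type:
        return False
    if info is not None and not any(t == info for t, _, _ in hdr.ies):
        return False
    return True


# Constructed samples.  GTPv1 Echo Request with S set: flags 0x32, type 1,
# length 4 (the optional octets), TEID 0, sequence 1, N-PDU 0, next ext 0.
V1_ECHO = bytes.fromhex("32 01 0004 00000000 0001 00 00")
# GTPv1 G-PDU (type 255) carrying four payload bytes to TEID 0x12345678.
V1_GPDU = bytes.fromhex("30 ff 0004 12345678") + b"abcd"
# GTPv2 Create Session Request (type 32), T set, TEID 0, sequence 1, one IMSI
# IE (type 1, 8 octets, TBCD digits 001010123456789).
V2_CSR = bytes.fromhex("48 20 0014 00000000 000001 00 01 0008 00 00 01 01 21 43 65 87 f9")
# GTPv0 Echo Request: flags 0x1e (version 0, PT 1, spare 111), sequence 1.
V0_ECHO = bytes.fromhex("1e 01 0000 0001 0000 ff ffffff 0000000000000000")
```

`gtp_match(V1_GPDU, version=1, msg_type=255)` is the `gtp_version:1; gtp_type:255;` case, and `gtp_match(V2_CSR, version=2, msg_type=32, info=1)` is a gtp_info match on the IMSI IE of a GTPv2 Create Session Request. Note how the length field means something different in each version (payload only in v0, everything after octet 8 in v1, everything after octet 4 in v2); getting that wrong is how a decoder ends up reading IEs out of the next packet's bytes.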


* Updates to the HTTP preprocessor to normalize HTTP responses that
include javascript escaped data in the HTTP response body. This
expands Snort's coverage in detecting HTTP client-side attacks.
See the Snort Manual and README.http_inspect for configuration
details.


Yes, ladies and gentlemen, you read that right: JavaScript normalization. It is off by default, so turning it on means adding two new options to your http_inspect server configuration:

- normalize_javascript
- max_javascript_whitespaces


From the README:
When this option is turned on, Http Inspect searches for JavaScript within the HTTP response body by searching for <script> tags and starts normalizing it. When Http Inspect sees a <script> tag without a type, it is treated as JavaScript. The obfuscated data within the JavaScript functions unescape, String.fromCharCode, decodeURI and decodeURIComponent will be normalized. The encodings handled within unescape/decodeURI/decodeURIComponent are %XX, %uXXXX, \XX and \uXXXX. Apart from these encodings, Http Inspect will also detect consecutive whitespace and normalize it to a single space. Http Inspect will also normalize the plus and concatenate the strings.

At this time we decode one layer of JavaScript; in the future we will expand this. Anything with more than one layer raises a preprocessor alert indicating that more than one layer is present.

[*] Improvements
* Updates to Stream preprocessor to be able to track and store
"stream" data for non TCP/UDP flows. Also improvements to handle
when memory associated with a blocked stream is released and usable
for other connections.


* Updates to dce_stub_data to make it act the same as file_data
and pkt_data rule option keywords in how it interacts with
subsequent content/pcre/etc rule options.


You can grab Snort 2.9.2-beta from https://www.snort.org/downloads and feedback can be submitted to snort-beta [at] sourcefire.com

3 comments:

  1. Great! Could you please be sure to fix the snort.spec file in order to include all the new preprocessors. SIP, IMAP, and POP are not.

  2. Great! Could you please fix the snort.spec file in order to include all the new preprocessors. The beta snort.spec is still missing SIP, POP, and IMAP.

  3. This will be fixed in the next release.
