Monday, November 18, 2013

Snort 2.9.6.0 beta has just been posted!

Just released for public testing, the Snort 2.9.6.0 beta can be found at our normal downloads site:
https://www.snort.org/downloads.  The following features and improvements are to be tested, and believe there are several that the Snort community has been asking for:

[*] New additions
* Add support to do file specific processing within DCERPC
preprocessor for files being transferred over SMB.

* File capture and storage -- saves files as they traverse the
network via a new preprocessor that ties in support within
HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and
README.file_server (under tools/file_server) for details.

* Add <= and >= operators to byte_test rule option.

* Update SMTP to detect Cyrus SASL authentication attack.

* Add capability to capture a single session from start to end.

* EXPERIMENTAL: Add support to leverage file type identification in
snort rules. See README.file_ips for details.

[*] Improvements
* Only inject active responses when a TCP session is established.

* Update the POP and IMAP protocols to support simple PAF for improved
identification and capture of files.

* Update SMTP, POP, IMAP to improve inspection when mime boundaries are
split across packets.

* Address issue to address end of line incorrectly for Quoted Printable
email attachments.

* Handle out of order SSL handshake in SMTP when STARTTLS is used and
fix checks for SSL type only within the SSL hand shake.

* Update sensitive data preprocessor to handle a stateful search of
patterns across multiple packets.

* Address a few issues in the Snort manual and other READMEs for
flowbits and tunneling.

* Save off packet data for quicker debugging in case of a SIGABRT or
SIGBUS.

No comments:

Post a Comment