Friday, September 2, 2016

Snort++ Update

Pushed build 207 to GitHub (snortadmin/snort3):
  • ported smb file processing
  • ported the 2.9.8 ciscometadata decoder
  • ported the 2.9.8 double and triple vlan tagging changes
  • use sd_pattern as a fast-pattern
  • rewrite and fix the rpc option
  • cleanup fragbits option implementation
  • finish up cutover to the new http_inspect by default
  • added appid counts for rsync
  • added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
  • moved file capture to offload thread
  • numerous fixes, cleanup, and refactoring for appid
  • numerous fixes, cleanup, and refactoring for high availability
  • fixed regex as fast pattern with hyperscan mpse
  • fixed http_inspect and tcp valgrind errors
  • fixed extra auto build from dist

2 comments:

  1. Does openappid work with Snort++? I tried with Snort 3.0 Alpha 3 and build 207; as long as openappid is enabled, Snort crashes at startup.
    The following is the stack trace:

    Defaulting to monitoring all Snort traffic for AppID.
    Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
    Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004d1752 in ServiceAddPort(RNAServiceValidationPort const*, RNAServiceValidationModule*, Detector*, AppIdConfig*) ()
    (gdb) backtrace
    #0 0x00000000004d1752 in ServiceAddPort(RNAServiceValidationPort const*, RNAServiceValidationModule*, Detector*, AppIdConfig*) ()
    #1 0x00000000004d1981 in CServiceAddPort(RNAServiceValidationPort const*, RNAServiceValidationModule*, AppIdConfig*) ()
    #2 0x00000000004d19f2 in serviceLoadForConfigCallback(void*, AppIdConfig*) ()
    #3 0x00000000004d1b23 in LoadServiceModules(char const**, unsigned int, AppIdConfig*) ()
    #4 0x00000000004ed340 in AppIdConfig::load_modules(unsigned int) ()
    #5 0x00000000004ed777 in AppIdConfig::init_appid() ()
    #6 0x00000000004b935b in AppIdInspector::configure(SnortConfig*) ()
    #7 0x0000000000478bb3 in configure(SnortConfig*, FrameworkPolicy*) ()
    #8 0x0000000000478dd8 in InspectorManager::configure(SnortConfig*) ()
    #9 0x00000000005b5eea in Snort::init(int, char**) ()
    #10 0x00000000005b64c9 in Snort::setup(int, char**) ()
    #11 0x00000000004759bf in main ()

    Replies
    1. Please direct your questions to the Snort mailing lists: http://www.snort.org/community/mailing-lists