Friday, December 17, 2010

Snort 2.9.0.3 is coming soon!

Snort 2.9.0.3 is coming soon! This is a bug fix for the 2.9.0 tree.
2.9.0.3 contains the following bug fixes:

[*] Improvements
  • Fixed an issue where "uricontent" didn't behave correctly with "depth", "offset", "distance", and "within" modifiers.
  • Fixed overlapping flags in the Shared Object rule API.
  • Improved error checking for invalid combinations of "depth", "offset", "distance", and "within" modifiers in rules. Rules that mix relative and non-relative options on the same content will now cause errors.
This is another issue found internally while troubleshooting for Emerging-Threats. VRT rules are not affected by this change.

If rule writers have invalid combinations that existed in custom rules (depth with within, or distance with no relative content match, etc) Snort will now error on this. The Snort Manual has been updated to reflect these facts.

Sourcefire would like to thank Dave Bertouille and Daniel Clemens for pointing out the issues here.
  • Updated the documentation to fix some inconsistencies.
Sourcefire would like to thank Joshua Kinard of the US-CERT for the patch to fix these inconsistencies.
  • Updated the INSTALL doc for instructions on how to build Snort for OpenBSD.
  • Updated the IPFW DAQ so that it will compile correctly on OpenBSD
Sourcefire would like to thank Ross Lawrie, Randal Rioux, and many others for bringing this to our attention.
  • Updated the decoder to discriminate between ipv4 and ipv6 raw packets.
Sourcefire would like to thank Gerald Maziarski for reporting the issue.
  • Updated the decoder to deal with ESP traffic correctly.
Sourcefire would like to thank rmkml for reporting the issue.
  • Updated the snort.conf in the etc/ directory to match the VRT distributed snort.conf
Sourcefire is currently targeting 2.9.0.3 for release next week. I will put up another blog post at the time of release.

Thanks!
Joel Esler
Manager, OpenSource Community