Monday, August 15, 2011

Snort 2.9.1 is coming soon!

Snort 2.9.1 that came out in the RC form last month is getting ready to ship, so I thought I'd put out the Release notes.  There are a lot of changes in there that will effect how certain rules will work, especially when it comes to HTTP and DCE reassembly.  So make sure and read up on PAF!

We've also had a lot of positive feedback about the new IP reputation preprocessor, so we are really looking forward to seeing how users are going to put it to work in their environment.

[*] New Additions
* HTTP aware TCP reassembly support within HTTP Inspect and
Stream5, allowing Snort to more intelligently inspect HTTP
requests and responses. See README.stream5 subsection
related to Protocol Aware Flushing (PAF).

* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords. See the Snort
Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in
Base64, Quoted Printable, and uuencode formats, and updates
to SMTP preprocessor for decoding email attachments encoded
as Quoted Printable and uuencode formats. See the Snort
Manual, README.pop, README.imap, and README.SMTP for details.

* Add support for reading large pcap files.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This
preprocessor is still in an experimental state, so please
report any issues to the Snort team.
See README.reputation for more information.

* DCE aware TCP reassembly has been added to the dcerpc2 preprocessor.
See README.stream5 subsection related to Protocol Aware Flushing (PAF).

[*] Improvements
* Logging of HTTP URL (host and filename), SMTP attachment
filenames and email recipients when Snort generates events
on related traffic.

* Updates to give shared library rules direct access to gzip
decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer. This change
may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.

* Many updates and improvements to the Snort documentation. Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and

* Updates to the sensitive data preprocessor for handling HTTP
traffic and reducing false positives.

* Updates to Snort's config parsing to give more meaningful
error messages relating to snort.conf errors and configuration
display at startup.

* Updates to Snort's active response packets whether via response
keyword or part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data.

* Updates to the statistics Snort prints to console or syslog
at exit for different preproessors.

* To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations. Obtain pkg-config from

* HTTP Inspect has new options to detect the following anomalies:
- Excessive whitespace in a folded header line
- Series of HTTP chunks with small lengths

* SIP preprocessor has new alerts for the following anomalies:
- Invalid SIP version
- Unknown SIP method
- SIP method mis-match
- Missing content-type header

* Several bug fixes for Stream5's Protocol Aware Flushing

* Fixed a bug where the socket output plugin sent the wrong data when
IPv6 was enabled

* Other bug fixes, see ChangeLog for more details.