Flowbits Update
Flowbits are used to track detection state across multiple packets within a session. To set a flowbit, use flowbits:set,bitname; (often followed by flowbits:noalert;) and to check a flowbit use flowbits:isset,bitname. You can check multiple bits within flowbits:isset,bit1; flowbits:isset,bit2; etc. because multiple isset options form a logical AND as in "bit1&&bit2" if you know a little C syntax. However, prior to 2.9.3.0, there was no easy way to check if at least one of multiple bits was set. You may have resorted to writing rules like this:
( sid:10; flow:to_server; content:"A"; flowbits:set,bitA; flowbits:noalert; ) ( sid:20; flow:to_server; content:"B"; flowbits:set,bitB; flowbits:noalert; ) ( sid:30; flow:to_client; content:"C"; flowbits:isset,bitA; ) ( sid:40; flow:to_client; content:"C"; flowbits:isset,bitB; )Note that 2 rules, sids 30 and 40, were required to handle both possibilities. This gets messier with more options. Snort 2.9.3.0 fixes this with the addition of the logical OR:
( sid:11; flow:to_server; content:"A"; flowbits:set,bitA; flowbits:noalert; ) ( sid:21; flow:to_server; content:"B"; flowbits:set,bitB; flowbits:noalert; ) ( sid:31; flow:to_client; content:"C"; flowbits:isset,bitA|bitB; )In this case sids 30 and 40 are replaced with a single rule, sid 31, which leverages the syntax "bitA|bitB", meaning bitA OR bitB. For even greater flexibility, you can use the optional group as follows:
( sid:12; flow:to_server; content:"A"; flowbits:set,bitA,group; flowbits:noalert; ) ( sid:22; flow:to_server; content:"B"; flowbits:set,bitB,group; flowbits:noalert; ) ( sid:32; flow:to_client; content:"C"; flowbits:isset,any,group; )Now if you add a new bit to the group, say bitC, you don't need to update sid 32.
Snort 2.9.3.0 adds lots of other tweaks to flowbits, like the AND notation "bitA&bitB". So, be sure to review the manual for details.
Changes to Output Plugins
You may have noticed that the postgresql and mysql packages are not among the 2.9.3.0 beta files on Snort.org. You may also have noticed that the source for the aruba, prelude, mysql, oracle, and mssql outputs are gone too. Those outputs were deprecated because of resource constraints that did not allow time to test and maintain the outputs as well as lack of communication from the original developers.
However, in their place dynamic output plugin support was added. For best performance, you will probably want to switch to unified2 logging as described on Snort.org, but you could convert the old outputs to the new plugin structure if that is best for your deployment.
To help you get going with your own custom output, you can start with the dynamic output example package (dox-1.0.4.tar.gz). The README therein explains the 3 simple steps to build and test the dox plugin. You can then modify the source to obtain the output when, where, and how you want it.
There are many other improvements to Snort included with version 2.9.3.0, including an awesome overhaul of the dcerpc2 preprocessor by Todd. Check it out.
Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.