Showing posts with label daq. Show all posts

Friday, May 16, 2014

Snort IPS using the DAQ AFPacket installation guide has been posted!

Thanks to one of our community members, Yaser Mansour! He authored a simple guide to get Snort up and running as an IPS using the AFPacket DAQ. I've listed it under "Installation Guides" on the docs page:

https://www.snort.org/documents

Thanks Yaser!  You are what makes the Snort Community wonderful!

Tuesday, August 23, 2011

Snort 2.9.1 has been released, including Protocol Aware Flushing and IP Reputation Preprocessor

Snort 2.9.1 has been released!

Now available at our download link here:  https://www.snort.org/downloads


Please start downloading and using Snort 2.9.1.  You should be aware that you'll get some new alerts and things will behave a bit differently with the file_data rule option now because of PAF.  For more on PAF please read the README.stream5 documentation file.

The Snort 2.9.1 manual will be up on http://manual.snort.org and http://www.snort.org/docs in a few minutes.

Every Friday for the next few weeks we will be posting a new blog post covering the new features of 2.9.1 directly from the Snort Developers.  So stay tuned!

Below are the Release Notes and Changelog for everything since the release of Snort 2.9.0.5:


Snort 2.9.1 introduces the following new capabilities:

* Protocol aware reassembly support for HTTP and DCE/RPC
preprocessors.  Updates to Stream5 allowing Snort to more
intelligently inspect HTTP and DCE/RPC requests and responses.
See README.stream5 subsection related to Protocol Aware Flushing
(PAF).

* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords.  Also includes new
preprocessor rules for anomalies in the SIP communications.
See the Snort Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in
Base64, Quoted Printable, and uuencode formats, and updates
to SMTP preprocessor for decoding email attachments encoded
as Quoted Printable and uuencode formats.  See the Snort
Manual, README.pop, README.imap, and README.SMTP for details.

* Support for reading large pcap files.

* Logging of HTTP URL (host and filename), SMTP attachment
filenames and email recipients to unified2 when Snort generates
events on related traffic.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This preprocessor
is still in an experimental state, so please report any issues
to the Snort team.  See README.reputation for more information.

Additionally, the following updates and improvements have been made:

* Updates to give shared library rules direct access to gzip
decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer.  This change
may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.
To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations.  Obtain pkg-config from freedesktop.org.

* Many updates and improvements to the Snort documentation.  Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.

* Updates to the sensitive data preprocessor for handling HTTP
traffic and reducing false positives.

* Updates to Snort's config parsing to provide more meaningful
error messages relating to snort.conf errors and configuration
display at startup.

* Updates to Snort's active response packets whether via response
keyword or part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data.
Additional HTTP Inspect alerts for evasion attempts such as small
chunks and excessive whitespace in folded headers.

* Updates to the statistics Snort prints to console or syslog
at exit for different preprocessors.




2.9.1.0 Changelog:

Snort 2.9.1
* src/build.h:
Updated build number to 71.

* etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
src/decode.h, src/generators.h, src/snort.c,
src/dynamic-plugins/sf_engine/sf_snort_packet.h:
Fixed an issue with decoding large numbers of IPv6 extension headers.
Added rule 116:456 to safeguard against too many IPv6 extension headers.
Thanks to Martin Schutte for reporting the issue.

* src/detection-plugins/sp_urilen_check.c,
src/detection-plugins/sp_urilen_check.h:
Fixed the urilen rule option to look at reassembled packets.
Added an extra parameter to specify whether to check raw or normalized uri buffer. Will check raw uri buffer by default.

* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/pop/sf_pop.dsp,
dynamic-preprocessors/reputation/sf_reputation.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp:
Fixed a bug where the sensitive_data preprocessor gave an error while loading sensitive data rules.

* doc/README.http_inspect, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/utils/hi_paf.c:
Added two HTTP Inspect preprocessor rules:
119:28 - post w/o content-length or transfer-encoding: chunked
120:8 - message with invalid content-length or chunk size

* src/preprocessors/spp_httpinspect.c:
Fixed a bug where Snort wouldn't reload, giving the error that
"Changing decompress_depth requries a restart".

* etc/gen-msg.map:
Commented out four rules from gen-msg.map, 133:44 through 133:47,
because they were not yet implemented.

* preproc_rules/preprocessor.rules:
Added a CVE reference for Rule 119:19.
Added a reference to SMTP preprocessor rule 124:4.
Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
alert that was missing the corresponding rule.

* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
PAF tweak for single-segment full PDUs matching only-stream

* src/snort.c:
Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
Set default paf_max to 16K.

* doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
Added a use case in the IP Reputation preprocessor documentation.

* src/: dynamic-preprocessors/reputation/reputation_config.c,
dynamic-preprocessors/reputation/sf_reputation.dsp,
win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
Fixed the IP Reputation preprocessor so that it would build on Windows.

* src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
server/hi-server.c, utils/hi_paf.c:
Support up to full 32-bit content-lengths

* src/preprocessors/Stream5/stream5_paf.c:
Fixed compilation with the options "--disable-target-based --enable-paf".

* src/preprocessors/Stream5/snort_stream5_tcp.c:
Fixed an error in IDS mode when segments overlap and the sequence
number wraps.

* tools/u2spewfoo/Makefile.am:
Added the u2spewfoo Windows project file to the Snort source tarball.

Snort 2.9.1 RC
* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
Added three new SIP preprocessor alerts.

* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
stream5_paf.h:
Allow multiple preprocs to scan for PDUs on the same port.
This fixes a problem with DCE autodetect using the same
ports as HTTP.

* src/build.h:
Updated build number to 63.

* src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
detection-plugins/sp_tcp_win_check.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
preprocessors/spp_normalize.c:
Fixed some compiler warnings.

* src/: detection-plugins/detection_options.c,
detection-plugins/sp_flowbits.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/examples/Makefile.am,
dynamic-plugins/sf_engine/examples/flowbits_test.c,
dynamic-plugins/sf_engine/examples/rules.c,
dynamic-plugins/sf_engine/examples/web-client_test.c:
Only set/clear/toggle/unset a flowbit when all of the rule
matches, including the IPs and Ports. Thanks to Eoin Miller
for reporting the issue.

* src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
ssh/Makefile.am, ssl/Makefile.am:
Fixed dynamic preprocessor Makefiles so that they can be built
in parallel.

* doc/README.http_inspect, doc/snort_manual.pdf,
doc/snort_manual.tex, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/snort_httpinspect.h,
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/include/hi_ui_config.h,
src/preprocessors/HttpInspect/include/hi_util.h,
src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
src/sfutil/util_unfold.c:
Added a new HTTP Inspect preprocessor rule, GID 119 SID 26.  This rule checks for 200+ whitespaces in a folded header line from an HTTP request. A new config option was added to configure the allowable amount of whitespace.

Added a new configuration option to http_inspect server configuration:
"small_chunk_length { <chunk_size> <num_consec_chunks> }", with preprocessor rules for both client and server. Consecutive chunk lengths less than or equal to <chunk_size> will cause an event to be generated.

See README.http_inspect for more information.

* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp,
win32/WIN32-Prj/sf_engine_initialize.dsp,
win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
Fixed the Win32 build to (1) not use .pch, and (2) correct sed
patterns on ipv6_port.h.

* src/output-plugins/spo_alert_sf_socket.c:
Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin.
The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.

* src/sfutil/: sfrt.c, sfrt.h:
Optimized some memory usage.

* configure.in:
Add check for pkg-config and provide instructions to get it if pkg-config is not installed.

* src/preprocessors/Stream5/: snort_stream5_tcp.c,
stream5_common.h:
Show single segment PAF packets and only short-circuit at
correct sequence.
When aborting PAF, flush at paf_max.
Tweaked retransmission check to use actual sequence numbers
instead of the adjusted sequence numbers.
Changed the pseudo-random flush point after each flush.

* src/snort.c:
Fixed a compilation error when active response is disabled.

* src/snort.h:
Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Olaf Schreck for reporting this issue.

* src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
spp_perfmonitor.c:
Split out Perfmon submodule Init and Reset, so that everything is
initialized when the Perfmonitor preprocessor is initialized.
Previously, some data was initialized on the first packet.

* src/detection-plugins/sp_tcp_flag_check.c:
Fixed a couple of spots where the "1" and "2" flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for reporting the issue and supplying a patch.

* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h,
preproc_rules/preprocessor.rules, etc/gen-msg.map:
Added a new SIP preprocessor alert for missing content type headers.
Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.

* etc/unicode.map:
Updated unicode.map to match the unicode standard on Windows 7 SP1.

* etc/snort.conf:
Synced to VRT's latest snort.conf.

* src/: decode.c, detect.c:
Tweaked the preprocessing loop to bypass app preprocs if no app data.

* src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
src/dynamic-preprocessors/reputation/Makefile.am,
src/dynamic-preprocessors/reputation/reputation_config.h,
src/dynamic-preprocessors/reputation/reputation_utils.c,
src/dynamic-preprocessors/reputation/sf_reputation.dsp,
src/dynamic-preprocessors/reputation/spp_reputation.c,
src/dynamic-preprocessors/reputation/spp_reputation.h,
src/dynamic-preprocessors/reputation/reputation_config.c,
src/dynamic-preprocessors/reputation/reputation_debug.h,
src/dynamic-preprocessors/reputation/reputation_utils.h,
doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
doc/snort_manual.tex, preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/Makefile.am, configure.in,
src/preprocids.h, etc/gen-msg.map:
Added the IP Reputation preprocessor. This preprocessor provides the ability to whitelist and blacklist packets based on IP addresses.
See README.reputation for more information.

* src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
dynamic-preprocessors/dcerpc2/Makefile.am,
dynamic-preprocessors/dcerpc2/dce2_config.c,
dynamic-preprocessors/dcerpc2/dce2_debug.h,
dynamic-preprocessors/dcerpc2/dce2_paf.c,
dynamic-preprocessors/dcerpc2/dce2_paf.h,
dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dcerpc2/snort_dce2.c:
Added protocol-aware flushing support for the dcerpc2 preprocessor.

* src/dynamic-plugins/sf_convert_dynamic.c:
Added the ability to convert shared object rules that use the preprocessor rule option.

* src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
Stream5/snort_stream5_tcp.c:
Don't enable paf unless stream ports configured for the given direction; add "(PAF)" to http inspect ports output to indicate when enabled; and only register port for given direction if corresponding flow depth is set.

Support full 32-bit content-lengths and chunk sizes, and flush/abort when exceeded.

* doc/README.SMTP, doc/snort_manual.tex,
src/dynamic-preprocessors/smtp/smtp_config.h,
src/dynamic-preprocessors/smtp/smtp_util.c,
src/dynamic-preprocessors/smtp/snort_smtp.c,
src/dynamic-preprocessors/smtp/snort_smtp.h,
src/dynamic-preprocessors/smtp/spp_smtp.c:
Fixed performance issue: allocate the buffers used for filename, mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool).
Added a fatal error when b64_decode_depth is used with enable_mime_decoding.

* src/dynamic-plugins/sf_engine/examples: all rule files:
Fixed compiler warnings.


* configure.in:
Updates to configure.in.
Fix zlib checks to use correctly named variable for checking zlib header and library existence.
Enable IPv6 by default in builds.  Can use --disable-ipv6 to turn it off.
Using --enable-zlib, configure should fail.  snort -V should show IPv6 by default and VRT config should load without modification.

Added a new option, "--enable-large-pcap", which allows Snort to read pcap files that are larger than 2 GB.
Changed the default ./configure options to match the requirements for the bundled snort.conf
* doc/: INSTALL, README.imap, README.pop,
README.SMTP, README.stream5, README.sip, README.tag,
README.http_inspect, README.counts, README.normalize,
snort_manual.pdf, snort_manual.tex:
Updated documentation for Snort 2.9.1:

Added documentation for new SIP, POP and IMAP preprocessors
Updated README.stream5 with documentation for Protocol Aware Flushing (PAF)
Updated README.http_inspect with memcap information, clarified "http_cookie" information, and documentation for "log_uri" and "log_hostname".
Fixed a typo in README.counts
Updated "byte_extract" section to reflect syntax changes
Improved the explanation of "max_queued_events"
Added documentation for the ESP decoder, which is now configurable
Improved the explanation of "rawbytes"
Fixed an incorrect example in README.tag.
* etc/snort.conf:
Synced snort.conf with VRT's latest version.

Added configurations for new preprocessors.
* preproc_rules/: decoder.rules, preprocessor.rules
Added new preprocessor rules for SIP, SMTP, POP, and IMAP.

Added decoder rules 116:453, 116:454, and 116:455. These rules
were formerly covered by VRT rules.
* src/build.h: Updated build number to 46
* src/decode.c:
TCP and UDP decoder rules that require a fully-decoded packet will only fire if the checksum is correct and the port number is not ignored.

ESP decoding is now configurable, and off by default.

The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists.
The Teredo decoder now only processes packets in the Teredo prefix
(2001:0000::/32) or the link-local prefix (fe80::/16).
* src/detection-plugins/sp_cvs.c:
Fixed a false positive in the CVS detection plugin.
* doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
Made some changes to the byte_extract syntax:
Writing "string" without a number type defaults to decimal.
The "string" and "hex/dec/oct" options are now independent of each other, like in byte_test and byte_jump. You can write "string,dec", "hex,string", "string,relative,oct", etc.
Specifying one of "hex", "dec", and "oct" without using "string"
results in an error.
byte_extract options can no longer be delimited by spaces. This does not affect "align <num>" or "multiplier <num>".
* src/: parser.c, util.c, util.h,
detection-plugins/sp_base64_decode.c,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c,
dynamic-preprocessors/smtp/smtp_util.c,
preprocessors/HttpInspect/client/hi_client.c,
preprocessors/HttpInspect/server/hi_server.c,
sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
Changes include the following:
- Attempt dechunking only when transfer-encoding: chunked is present.
- Override the content length with transfer encoding.
- SnortStrcasestr uses slen now.
- Unfolding: trim spaces when required.
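
The HTTP Inspect chunk and content-length checks described in the release notes above (rules 119:28 and 120:8, the small_chunk_length option, and the dechunking changes in this entry), worked through as an added example that is not Snort's code. The small_chunk_length threshold values and the sample messages are constructed assumptions, not Snort defaults.

```python
import re

# The 2.9.1 notes say content-lengths and chunk sizes are supported up to the
# full 32-bit range, with flush/abort when exceeded.
MAX_32BIT = 0xFFFFFFFF

# Assumed values for the documented option
# small_chunk_length { <chunk_size> <num_consec_chunks> }; not Snort defaults.
SMALL_CHUNK_SIZE = 10
SMALL_CHUNK_CONSEC = 5


def split_message(raw):
    """Split a raw HTTP message into (start line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; a repeated header keeps the last value.
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return lines[0], headers, body


def dechunk(body, small_size=SMALL_CHUNK_SIZE, small_consec=SMALL_CHUNK_CONSEC):
    """Decode a chunked body. Returns (decoded bytes, list of findings)."""
    findings, out, pos, consec_small = [], bytearray(), 0, 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            findings.append("truncated chunk header")
            break
        # Chunk extensions (";name=value") are dropped before parsing the size.
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            findings.append("invalid chunk size: %r" % size_field)  # cf. rule 120:8
            break
        size = int(size_field, 16)
        if size > MAX_32BIT:
            findings.append("chunk size exceeds 32-bit range")
            break
        pos = eol + 2
        if size == 0:
            break  # last-chunk; any trailers are ignored here
        # Runs of tiny chunks are what the small_chunk_length option is meant to catch.
        if size <= small_size:
            consec_small += 1
            if consec_small == small_consec:
                findings.append("%d consecutive chunks <= %d bytes" % (small_consec, small_size))
        else:
            consec_small = 0
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            findings.append("truncated chunk data")
            break
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            findings.append("missing CRLF after chunk data")
            break
        pos += 2
    return bytes(out), findings


def scan_message(raw):
    """Apply the page's checks to one HTTP message; returns (body, findings)."""
    start, headers, body = split_message(raw)
    findings = []
    te = headers.get("transfer-encoding", b"").lower()
    cl = headers.get("content-length")
    chunked = b"chunked" in te
    # cf. rule 119:28: POST without content-length or transfer-encoding: chunked
    if start.upper().startswith(b"POST ") and cl is None and not chunked:
        findings.append("POST without content-length or transfer-encoding: chunked")
    if chunked:
        # Transfer-Encoding overrides Content-Length, and dechunking is only
        # attempted when the chunked encoding is actually declared.
        decoded, chunk_findings = dechunk(body)
        return decoded, findings + chunk_findings
    if cl is not None:
        if not cl.isdigit() or int(cl) > MAX_32BIT:
            findings.append("invalid content-length: %r" % cl)
            return b"", findings
        return body[:int(cl)], findings
    return body, findings


if __name__ == "__main__":
    # Constructed sample: five one-byte chunks trip the small-chunk check.
    sample = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
              + b"1\r\na\r\n" * 5 + b"0\r\n\r\n")
    print(scan_message(sample))
```
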
* src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
Update Frag3/Stream5 to print bound addresses, better descriptions of detect anomalies, and port lists.
- Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
- Updated Frag3 to print meaningful detect anomalies configuration
- Updated Stream5 to print that there are more ports than those printed.
* src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
sf_decompression.h, sf_snort_detection_engine.c,
sf_snort_plugin_api.h:
Added a Decompression API that wraps Zlib for use with dynamic
plugins. See sf_decompression.h for more details.
* src/: fpcreate.c, fpdetect.c, treenodes.h:
Update pattern matcher and sort functions to correctly sort by priority as well as implement sorting by content_length (which was never done with 2.8.2 addition of rule option tree).

Added a warning when max-pattern-len is defined twice.

Packets will no longer be tagged or logged if they are filtered or passed.
* src/preprocessors/Stream5:
Ensured that reassembly doesn't require packet dropping in IPS mode.
The message "additional ports configured but not printed" is only printed when that is actually the case.
* src/snort.c:
Fixed the output of the filename / shutdown alert sequence when iterating over multiple pcaps with --pcap-show and --pcap-reset and console alerts (e.g. -A cmg or
-A console:test).

Fixed an issue with reloading Snort while the default output options were used.

When reading several pcap files with --pcap-dir, Snort will move on
to the next file if one fails to load.
* src/output-plugins/spo_alert_full.c:
Update alert_full to print rule references, regardless of whether
there is TCP/UDP/etc.
* src/output-plugins/spo_log_tcpdump.c:
Converted DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0.
Fixed the 'mixed decls and code' compiler warning.
* src/: decode.h, detect.c, detection_util.c, detection_util.h,
fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
rule_option_types.h, detection-plugins/Makefile.am,
detection-plugins/detection_options.c,
detection-plugins/sp_base64_data.c,
detection-plugins/sp_byte_check.c,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_jump.c,
detection-plugins/sp_file_data.c,
detection-plugins/sp_ftpbounce.c,
detection-plugins/sp_isdataat.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
detection-plugins/sp_pkt_data.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_dynamic_common.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_dynamic_engine.h,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_packet.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
dynamic-preprocessors/ftptelnet/pp_ftp.c,
dynamic-preprocessors/ftptelnet/pp_telnet.c,
dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
dynamic-preprocessors/smtp/smtp_util.c,
dynamic-preprocessors/smtp/snort_smtp.c,
dynamic-preprocessors/smtp/snort_smtp.h,
preprocessors/snort_httpinspect.c,
preprocessors/snort_httpinspect.h,
preprocessors/spp_rpc_decode.c,
preprocessors/HttpInspect/server/hi_server.c,
preprocessors/HttpInspect/server/hi_server_norm.c,
preprocessors/Stream5/snort_stream5_tcp.c:
The "file_data" and "base64_data" rule options now set the buffer
for any rule options that follow them. This applies to both relative and non-relative rule options.

The detection code now uses 3 separate buffers:
- "Alt Detect": set by file_data, base64_data, etc.
- "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
- Raw packet data

The AltDetect buffer can also be set by custom .so rules.
* src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
src/sfutil/Unified2_common.h:
IPv6 source and destination addresses are now logged in Unified2 as extra data events. This is configured with "config log_ipv6_extra_data".
* src/dynamic-preprocessors/sip/Makefile.am,
src/dynamic-preprocessors/sip/sf_sip.dsp,
src/dynamic-preprocessors/sip/sip_config.c,
src/dynamic-preprocessors/sip/sip_config.h,
src/dynamic-preprocessors/sip/sip_debug.h,
src/dynamic-preprocessors/sip/sip_dialog.c,
src/dynamic-preprocessors/sip/sip_dialog.h,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/sip_parser.h,
src/dynamic-preprocessors/sip/sip_roptions.c,
src/dynamic-preprocessors/sip/spp_sip.c,
src/dynamic-preprocessors/sip/spp_sip.h,
src/dynamic-preprocessors/sip/sip_roptions.h,
src/dynamic-preprocessors/sip/sip_utils.c,
src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
src/dynamic-preprocessors/Makefile.am:
Added a new preprocessor for SIP traffic.
See README.sip and the Snort Manual for more information.
* src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
dynamic-preprocessors/dcerpc2/spp_dce2.c,
preprocessors/spp_frag3.c:
Make Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD).  The 'bsd' policy is NOT used for OpenBSD, which is the only OS on which the vulnerability was present.

This reduces false positives so that the alert only occurs when the frag3 policy is linux and it's an actual Linux system, rather than the alert occurring regardless of frag policy.
* src/: detection-plugins/Makefile.am,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_extract.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_engine/Makefile.am,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
Added support for ByteExtract variables to the .so rule versions of
Content, ByteTest, ByteJump, and isdataat.
* src/: encode.c, preprocessors/spp_normalize.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.c:
Fixed the TTL on encoded response packets.
* src/: fpcreate.c, fpdetect.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pattern_match.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
Update to not inspect HTTP method buffer with Snort's fast pattern engine.
Rules with only HTTP method content end up as non-content rules.
This eliminates a short cycle of searches with fast pattern on every initial HTTP request.
* src/dynamic-preprocessors/pop/: all files
Added a new preprocessor for POP traffic.
See README.pop for more information.
* src/dynamic-preprocessors/imap/: all files
Added a new preprocessor for IMAP traffic.
See README.imap for more information.
* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
Base64 decoding was moved to its own section in sfutil, for use by the new email preprocessors.

Added support for uuencoded email attachments.
* src/dynamic-preprocessors/sdf/spp_sdf.c:
The Sensitive Data preprocessor now inspects the "file_data" buffer, used for HTTP response bodies & decoded email attachments.
* src/: snort.c, preprocessors/spp_stream5.c,
preprocessors/stream_api.h:
Update Snort to return a DAQ verdict of whitelist (meaning don't send Snort any more packets) for sessions that are being ignored in both directions or ports that are configured to ignore.  For DAQ modules and hardware that supports it, this should result in a performance gain because Snort no longer has to decode packets that are part of that connection.
* src/util.c:
Added an error message when opening a pid file fails.
* src/preprocessors/HttpInspect/: client/hi_client.c,
server/hi_server.c:
The Set-Cookie: and Cookie: header names will no longer be included in the cookie buffers.
* configure.in, src/active.c, src/active.h, src/decode.h,
src/encode.c, src/encode.h, src/log_text.c, src/log_text.h,
src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c,
src/sfdaq.h, src/snort.h, src/snort_debug.h,
src/detection-plugins/sp_react.c,
src/detection-plugins/sp_respond3.c,
src/dynamic-plugins/sf_dynamic_define.h,
src/dynamic-plugins/sf_engine/sf_snort_packet.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/spp_httpinspect.c,
src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
src/preprocessors/HttpInspect/Makefile.am,
src/preprocessors/HttpInspect/include/Makefile.am,
src/preprocessors/HttpInspect/include/hi_paf.h,
src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
src/preprocessors/HttpInspect/server/hi_server.c,
src/preprocessors/HttpInspect/utils/Makefile.am,
src/preprocessors/HttpInspect/utils/hi_paf.c,
src/preprocessors/Stream5/Makefile.am,
src/preprocessors/Stream5/snort_stream5_icmp.c,
src/preprocessors/Stream5/snort_stream5_session.c,
src/preprocessors/Stream5/snort_stream5_tcp.c,
src/preprocessors/Stream5/snort_stream5_tcp.h,
src/preprocessors/Stream5/snort_stream5_udp.c,
src/preprocessors/Stream5/stream5_common.c,
src/preprocessors/Stream5/stream5_common.h,
src/preprocessors/Stream5/stream5_paf.c,
src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
Added support in Stream5 for Protocol Aware Flushing (PAF). PAF allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation.

Added PAF support to HTTP Inspect, allowing the preprocessor to determine when HTTP sessions are flushed by Stream5.

See README.stream5 for more details.
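
Protocol Aware Flushing as described in this entry and in the Stream5 PAF entries above, worked as an added example that is not Snort's code: a scanner that reassembles HTTP PDUs from arbitrarily segmented stream data and, when no PDU boundary turns up, flushes at paf_max (16K default, per this changelog). The HttpPafScanner class, its Content-Length-only boundary rule and its simplified abort behaviour are assumptions of this example.

```python
import re

PAF_MAX = 16 * 1024  # default paf_max per the 2.9.1 changelog (src/snort.c)


class HttpPafScanner:
    """Tracks one direction of a TCP stream and emits flushes at HTTP PDU
    boundaries, independent of how the sender segmented the data.

    Each flush is a (data, reason) tuple; reason is "pdu" for a complete
    message or "paf_max" when scanning was abandoned and the buffer is
    flushed at paf_max, as the changelog describes for aborted PAF.
    """

    def __init__(self, paf_max=PAF_MAX):
        self.paf_max = paf_max
        self.buf = bytearray()
        self.aborted = False
        self.flushes = []

    def _pdu_length(self):
        """Return the length of the PDU at the head of the buffer, or None."""
        end = self.buf.find(b"\r\n\r\n")
        if end < 0:
            return None  # header block not complete yet
        head = bytes(self.buf[:end + 4])
        # Body length comes from Content-Length; a message without one is
        # treated as header-only here (chunked bodies are left to a body parser).
        m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", head)
        body_len = int(m.group(1)) if m else 0
        return end + 4 + body_len

    def _flush(self, n, reason):
        self.flushes.append((bytes(self.buf[:n]), reason))
        del self.buf[:n]

    def feed(self, segment):
        """Add one TCP segment's payload; returns the number of new flushes."""
        before = len(self.flushes)
        self.buf += segment
        while self.buf:
            if self.aborted:
                # Once PAF gives up on a stream, fall back to fixed-size flushes.
                if len(self.buf) < self.paf_max:
                    break
                self._flush(self.paf_max, "paf_max")
                continue
            total = self._pdu_length()
            if total is not None and total <= len(self.buf):
                self._flush(total, "pdu")  # complete PDU regardless of segmentation
                continue
            if len(self.buf) >= self.paf_max:
                # No complete PDU within paf_max bytes: abort and flush at paf_max
                # (simplification: a legitimate PDU larger than paf_max also aborts).
                self.aborted = True
                self._flush(self.paf_max, "paf_max")
                continue
            break  # wait for more segments
        return len(self.flushes) - before


def reassemble(segments, paf_max=PAF_MAX):
    """Feed every segment of one stream direction and return the flush list."""
    scanner = HttpPafScanner(paf_max)
    for seg in segments:
        scanner.feed(seg)
    return scanner.flushes


if __name__ == "__main__":
    # Constructed sample: one POST split mid-body, with the next request
    # starting in the same segment.
    print(reassemble([b"POST /up HTTP/1.1\r\nContent-Length: 5\r\n\r\nhel",
                      b"loGET / HTTP/1.1\r\nHost: x\r\n\r\n"]))
```
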
* src/preprocessors/: stream_ignore.h, stream_ignore.c,
Stream5/snort_stream5_udp.c:
Added support for ignoring UDP channels. A lightweight session will be created to track the UDP channel, even if the ports are not monitored.
* src/win32/: most files
Updated Snort and its libraries to build/link against MFC.


Tuesday, June 28, 2011

Sourcefire Recognizes Seventh Annual SNORT Cybersecurity Scholarship Winners

Columbia, MD – June 28, 2011 – Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, today announced that it has selected Darcie Cohee and Daniel Freer as the recipients of the 2011 Snort Scholarship. The scholarships, each worth up to $15,000, are awarded to university students around the world that use Snort to further their education and gain hands-on experience in network security.

“As hackers continue to find new ways to access sensitive corporate and customer data, we need to groom a new generation of security professionals to identify and combat these exploits,” said Martin Roesch, CTO and founder of Sourcefire. “Snort and Sourcefire are built on the foundation of community development and these scholarships allow us to recognize the next great security professionals.”

To qualify, applicants must be enrolled in a university that uses Snort or Sourcefire products to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Sourcefire selected Darcie and Daniel from a pool of hundreds of applicants:


  • Darcie Cohee is a Bachelor of Science candidate in Information Systems Technologies at Southern Illinois University Carbondale. Darcie has worked on several projects using Snort to protect SharePoint deployments and is interested in the intersection of the Web and security.
  • Daniel Freer is a Bachelor of Science candidate in Networking at Indiana Tech. Daniel relied on Snort as an important weapon in his arsenal when he competed in the National Collegiate Cyber Defense Competition and is committed to exploring how Snort can help prevent evolving attacks.


To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. The winners also receive a $10,000 credit to use toward any training course or certification exam in the Sourcefire Security Education Program. The Sourcefire Security Education and Certification Programs deliver training and testing for IT staff on Sourcefire’s products and open source security solutions, either on-site or at dedicated locations around the world.

Sourcefire developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program seven years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. Martin Roesch founded Sourcefire in 2001 to deliver commercial security solutions that leverage his open source innovation, Snort. Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 300,000 registered users and nearly 4 million downloads to date. As the de facto standard for intrusion detection and prevention, Snort is used extensively by Fortune 100 enterprises and government agencies.

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions.  Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, Real-time Network Awareness and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Friday, April 29, 2011

Pcaprr External DAQ has been posted

Today Jeff Murphy submitted to us another external DAQ module for Snort.  I think his email best describes it:

We use Endace DAG cards in our sensors along with regen taps. Those cards don't work with the bonding driver, so merging the two streams from a regen tap isn't possible (unless we use a different tap or fix the drivers to work together). The attached patch creates a new module in the os-daq-modules directory called "pcaprr.c". This module will open multiple devices and then make round-robin reads from the device list (much like the bonding driver would if it worked with the DAG driver).  Modifications made against DAQ 0.5 code.
Thanks, Jeff, for your contribution. As with any external addition to Snort, it's great to see the community putting code up!

I've placed Jeff's pcaprr DAQ module on the "External-Daq" page on Snort.org.   Enjoy!

Tuesday, April 19, 2011

Napatech External DAQ Posted

Just posted this morning, Snort community member and the VP of Product Engineering at nPulse Technologies, Randy Caldejon, submitted this External DAQ module for Snort for use with the Napatech Network Adapters.

Building it requires the Napatech ntcommoninterface library, which is bundled with the purchase of each adapter.

I posted it on the "External DAQ" page, ready for your use.

We received a lot of flak when Sourcefire externalized the DAQ out of Snort; however, this is exactly the reason we were hoping for!

I'd like to thank Randy for his hard work on this!

Friday, April 15, 2011

Snort 2.9.0.5 setup on Mac OSX Posted

Christoph Murauer, a member of the Snort community, has written a series of blog posts (in both German and English!) on his site that detail the setup of Snort 2.9.0.5 on Mac OSX.

As always, Sourcefire and Snort.org do not warrant these results and we have not tested them, so your mileage may vary.

We'd like to thank Christoph for the time it took to write these up, and we look forward to seeing even more Snort users on OSX!

PostgreSQL and pgAdmin 3
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/3_EN_PostgreSQL_9.0.3_and_pgAdmin_3_1.12.2.html

DAQ and Snort
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/9_EN_DAQ_0.5_and_Snort_2.9.0.5_with_snort.org_Rulesets.html

ADOdb and BASE
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/14_EN_ADOdb_5.1.1_and_BASE_1.4.5.html

German:

PostgreSQL and pgAdmin 3
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/2_PostgreSQL_9.0.3_und_pgAdmin_3_1.12.2.html

DAQ and Snort
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/8_DAQ_0.5_und_Snort_2.9.0.5_mit_snort.org_Rulesets.html

ADOdb and BASE
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/11_ADOdb_5.1.1_und_BASE_1.4.5.html

Wednesday, April 6, 2011

2.9.0.5 is available for download!

Now available for download from the link here, 2.9.0.5 brings many improvements to Snort in terms of bug fixes.  Below is a cut and paste from the Changelog.


2011-03-23 Steven Sturges <ssturges@sourcefire.com>
  * src/build.h:
      Increment Snort build number to 134
  * src/: decode.h, encode.c:
  * src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
  * src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
  * src/output-plugins/: spo_alert_fast.c:
  * src/preprocessors/Stream5/: stream5_common.c:
      Updated portscan to set protocol correctly in raw packet for
      IPv6 and changed the encoder to recognize portscan packets as pseudo
      packets so that the checksum isn't calculated
  * src/: sfdaq.c, util.c:
      Improve handling of DAQ failure codes when Snort is shutting down.
  * src/preprocessors/spp_perfmonitor.c:
      Update perfmonitor to create now files prior to dropping privs

2011-03-16 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.5
  * src/build.h:
      Increment Snort build number to 132
  * src/snort.c:
  * src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
    Stream5/snort_stream5_tcp.c:
      TCP timestamp options are only NOPed by the Normalization preprocessor
      if Stream5 has seen a full 3-way handshake, and timestamps weren't
      negotiated.

      The IPS mode reassembly policy has been refactored to do stream
      normalization within the first policy.

      Packets injected by the normalization preprocessor are now counted
      in the packet statistics.
  * doc/snort_manual.tex:
  * src/: parser.c, parser.h:
  * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
      Added a "config vlan_agnostic" setting that globally disables Stream's
      use of vlan tag in session tracking.
  * src/: snort.c, preprocessors/normalize.c,
    preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
    preprocessors/perf-base.c, preprocessors/perf-base.h:
  * doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
      Fixed the normalization preprocessor to call its post-initialization
      config functions during a policy reload.

      Packets can no longer be trimmed below the minimum ethernet frame
      length. Trimming is now configurable with the "normalize_ip4: trim;"
      option. TOS clearing is now configurable with "normalize_ip4: tos;".

      The "normalize_ip4: trim" option is automatically disabled if the
      DAQ can't inject packets. If the DAQ tries and fails to inject
      a given packet, the wire packet is not blocked.

      Updated documentation regarding these changes.
  * src/detection-plugins/sp_cvs.c:
      Fixed a false positive in the CVS detection plugin. It was incorrectly
      parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
  * src/preprocessors/HttpInspect/: client/hi_client.c,
    server/hi_server.c:
      Changed a pointer comparison to a size check for code readability.
      Belated thanks to Dwane Atkins and Parker Crook for reporting a
      related issue that was fixed in Snort 2.9.0.4 build 111.

      Moved the zlib initialization such that gzipped responses are still
      inspected if the zipped data starts after the first Stream-reassembled
      packet is inspected.
  * src/decode.c:
      Fixed an issue with decoding too many IP layers in a single packet. The
      Teredo proto bit was not unset after hitting the limit on IP layers.
      Thanks to Dwane Atkins for reporting this issue.

      IPv6 fragmented packets are no longer inspected unless they have an
      offset of zero and the next layer is UDP. This behavior is consistent
      with IPv4 decoding.
      Thanks to Martin Schütte for reporting an issue where fragged ICMPv6
      packets were being inspected.

      The decoder no longer attempts to decode Teredo packets inside of
      IPv4 fragments, instead waiting for the reassembled packet.
  * src/encode.c:
      Fixed a problem where encoded packets had their lengths calculated
      incorrectly. This caused the active response feature to generate
      incorrect RST packets if the original packet had a VLAN tag.
  * preproc_rules/preprocessor.rules:
      Updated references to rule 125:1:1
  * src/preprocessors/spp_perfmonitor.c:
      Perfmonitor files are now created after Snort changes uid/gid.
  * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Fixed the size formatting of an error message argument when
      compiling with --enable-rzb-saac.
      Thanks to Cleber S. Brandão for reporting this issue.
  * etc/snort.conf:
      Updated the default snort.conf with max compress and decompress
      depths to enable unlimited decompression of gzipped HTTP responses.
  * snort.8:
      Fixed the man page's URL regarding the location of Snort rules.
      Thanks to Michael Scheidell for reporting an out-of-date man page section.
  * doc/README.http_inspect, doc/snort_manual.tex,
    src/preprocessors/snort_httpinspect.c:
      HTTP Inspect's "unlimited_decompress" option now requires that
      "compress_depth" and "decompress_depth" are set to their max values.
  * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
    dynamic-plugins/sf_dynamic_engine.h,
    preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed an error that prevented compiling with --disable-dynamicplugin.
      Thanks to Jason Wallace for reporting this issue.
  * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
    snort_ftptelnet.h, spp_ftptelnet.c:
      Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
      the ftp_telnet preprocessor to avoid a naming conflict with similar
      functions in HTTP Inspect.
      Thanks to Bruce Corwin for reporting this issue.
  * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
    perf-flow.h:
      Fixed comparisons between signed and unsigned int, which led to
      a faulty length check.
      Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
      issue.

Please upgrade your version of Snort!

Sunday, February 20, 2011

Snort Data Acquisition Library from the Internet Storm Center

Snort Data Acquisition Library

In the post linked above, ISC handler Guy Bruneau over at the Internet Storm Center talks about his upgrade from Snort 2.8.6 to Snort 2.9.0.2, and some tweaks he found for DAQ.

Those of you preparing to upgrade, or experiencing problems with the upgrade to Snort 2.9.0.x, may want to take a look at his post and see if it solves any problems for you.

Thanks Guy!

Friday, January 21, 2011

External DAQ module has been released

Have you ever wanted to maintain your own DAQ module outside of the official LibDAQ distribution? Concerned about the official release cycle in relation to your own development? Tired of keeping a source patch for the official distribution up-to-date?

The example-daq-module tarball demonstrates the suggested process for externalizing the DAQ module build process, providing a bare bones example DAQ module and the autotools to support it.

Here is a quick description of the autoconf macros provided in sf.m4:

AC_ENABLE_VISIBILITY() - Default to hidden symbol visibility if the compiler supports it.
AC_SF_COMPILER_SETUP() - Add all of the wonderful compiler and linker flags we'd like to have with GCC or ICC.
AC_CHECK_DAQ_API() - Check for the presence of the DAQ API headers and provide a configuration option to specify their location (--with-libdaq-includes).
AC_CHECK_SFBPF() - Check for the presence of the SFBPF headers and library and provide configuration options to specify their locations (--with-libsfbpf-includes and --with-libsfbpf-libraries respectively).

The basic steps involved in taking example-daq-module and making it your own:
1. Unpack example-daq-module-0.1.tar.gz
2. Rename daq_example.c to daq_<your module name>.c
3. Implement all of the function stubs in the C file (see the daq_api.h for descriptions)
4. Update configure.ac and Makefile.am to reflect your name change (%s/example/<your module name>/g)
5. Add any additional autoconf-foo you want to configure.ac (arguments, header checks, library checks, etc)
6. Regenerate the autoconf files with 'autoreconf -ivf'
7. Configure, make, and make install!

The only caveat with this process is that you CANNOT include your DAQ module with the static DAQ modules when building externally. This should not be an issue for the majority of users. Please check it out; if you have any questions, feel free to post them to the Snort-devel mailing list.
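Steps 2 and 4 above are the mechanical part of the procedure, and they are where a typo in the module name or a half-done rename leaves a tree that no longer builds. The script below is an added example, not part of the example-daq-module tarball: it performs the rename and the %s/example/<name>/g rewrite of configure.ac and Makefile.am, refuses module names outside [a-z0-9_] (so the name is a valid identifier fragment and safe to splice into a sed expression), and checks that all three files exist before touching anything. The make_stub_tree function builds a constructed stand-in for an unpacked tarball so the script can be exercised offline; the real tarball's files are longer than these stubs. Steps 5 to 7 (extra autoconf checks, autoreconf -ivf, configure/make/make install) are still run by hand.

```shell
#!/bin/sh
# Added example (not from example-daq-module): automate steps 2 and 4 of the
# procedure, with a name check and a preflight check of the files involved.

rename_daq_module() {
    srcdir=$1
    name=$2
    # Only [a-z0-9_] is accepted: a valid C identifier fragment, and nothing
    # that sed would interpret in the s/example/<name>/g expression below.
    case $name in
        ''|*[!a-z0-9_]*)
            echo "module name must match [a-z0-9_]+, got '$name'" >&2
            return 1 ;;
    esac
    # Refuse to touch anything unless every file the rename needs is present.
    for f in daq_example.c configure.ac Makefile.am; do
        if [ ! -f "$srcdir/$f" ]; then
            echo "missing $srcdir/$f (is this an unpacked example-daq-module tree?)" >&2
            return 1
        fi
    done
    # Step 2: daq_example.c -> daq_<name>.c
    mv "$srcdir/daq_example.c" "$srcdir/daq_$name.c" || return 1
    # Step 4: the same %s/example/<name>/g, applied to both build files.
    for f in configure.ac Makefile.am; do
        sed "s/example/$name/g" "$srcdir/$f" > "$srcdir/$f.tmp" &&
            mv "$srcdir/$f.tmp" "$srcdir/$f" || return 1
    done
    echo "renamed module to daq_$name in $srcdir"
}

# Constructed stand-in for an unpacked tarball, used only to exercise the
# function offline; the real example-daq-module files are longer than this.
make_stub_tree() {
    d=$(mktemp -d)
    printf '/* stub: a real module fills in the daq_api.h function table */\n' > "$d/daq_example.c"
    printf 'AC_INIT([example-daq-module], [0.1])\nAC_CONFIG_FILES([Makefile])\n' > "$d/configure.ac"
    printf 'lib_LTLIBRARIES = daq_example.la\ndaq_example_la_SOURCES = daq_example.c\n' > "$d/Makefile.am"
    echo "$d"
}

# Usage: sh rename_daq.sh /path/to/example-daq-module-0.1 myadapter
if [ $# -eq 2 ]; then
    rename_daq_module "$1" "$2"
fi
```

Run it once on a freshly unpacked tree; a second run fails the preflight check because daq_example.c is gone, which is the intended guard against rewriting an already-renamed module.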

Friday, January 7, 2011

RPMS for RHEL5 are available from the Community

Vincent Cojot, one of our Snort Community members, has taken it upon himself to maintain a set of RHEL5-compatible RPMS and SRPMS in both i386 and x86_64 formats.  These include libpcap, daq, libdnet, and of course Snort itself (2.9.0.3).  DAQ and Snort 2.9.0.x will not work on RHEL5 because of its older libpcap libraries, so you will either have to compile your own libpcap or use the RPMs below.

So if you are on RHEL5, and you want to upgrade to the latest and greatest version of Snort without compiling, see Vincent's RPMS.

Sourcefire, however, makes no endorsement of Vincent's RPMS or their contents.  Use at your own risk.  Sourcefire will always recommend that you download and compile Snort, from the source code, available at http://www.snort.org.

Take a look:
http://vscojot.free.fr/dist/snort/snort-2.9.0.3

Hopefully this will help those of you on RHEL5.

UPDATE:  We created a page at Snort.org to help you if needed.

Wednesday, December 22, 2010

Attention Snort Package Maintainers

If you are the maintainer of one of the many Snort/DAQ packages that exist for different OSes, I need you to please email me! Please provide me the following information:

  1. Name
  2. Email
  3. What OS you package for
  4. What is the latest release that is distributed for the package you maintain.

I am compiling a list of those maintainers in order to give them some advance notice about when new versions of Snort are coming out, so they can start to prep (even if it's just setting aside time) for the new versions. I'm going to give any knowledge to the package maintainers about advanced releases that I'm not going to give to the rest of the community, I just want to be able to touch base with them to ensure they know a new version is coming!

It's come to my attention that one of the biggest problems we have is older packages still floating around out there in distros and OSes, and I'd like to get that part fixed.

Please email me at joel [at] sourcefire {dot} com. Thanks!

Friday, December 17, 2010

Snort 2.9.0.3 is coming soon!

Snort 2.9.0.3 is coming soon! This is a bug fix for the 2.9.0 tree.
2.9.0.3 contains the following bug fixes:

[*] Improvements
  • Fixed an issue where "uricontent" didn't behave correctly with "depth", "offset", "distance", and "within" modifiers.
  • Fixed overlapping flags in the Shared Object rule API.
  • Improved error checking for invalid combinations of "depth", "offset", "distance", and "within" modifiers in rules. Rules that mix relative and non-relative options on the same content will now cause errors.
This is another issue found internally while troubleshooting for Emerging-Threats. VRT rules are not affected by this change.

If rule writers have invalid combinations that existed in custom rules (depth with within, or distance with no relative content match, etc) Snort will now error on this. The Snort Manual has been updated to reflect these facts.

Sourcefire would like to thank Dave Bertouille and Daniel Clemens for pointing out the issues here.
  • Updated the documentation to fix some inconsistencies.
Sourcefire would like to thank Joshua Kinard of the US-CERT for the patch to fix these inconsistencies.
  • Updated the INSTALL doc for instructions on how to build Snort for OpenBSD.
  • Updated the IPFW DAQ so that it will compile correctly on OpenBSD
Sourcefire would like to thank Ross Lawrie, Randal Rioux, and many others for bringing this to our attention.
  • Updated the decoder to discriminate between IPv4 and IPv6 raw packets.
Sourcefire would like to thank Gerald Maziarski for reporting the issue.
  • Updated the decoder to deal with ESP traffic correctly.
Sourcefire would like to thank rmkml for reporting the issue.
  • Updated the snort.conf in the etc/ directory to match the VRT distributed snort.conf.
Sourcefire is currently targeting 2.9.0.3 for release next week. I will put up another blog post at the time of release.

Thanks!
Joel Esler
Manager, OpenSource Community

Wednesday, December 15, 2010

Active Response with Snort 2.9.0

Snort 2.9.0 can take a more active role in securing your network by sending TCP resets and ICMP unreachables to shut down offending sessions, minimizing the chance that Snort is bypassed due to traffic volume, restarts, etc. Changes include:

  • block (drop) rules can be configured to send rejects
  • responses are encoded based on the headers in the triggering packets
  • flexresp3 was added which replaces flexresp and flexresp2 and supports all those keywords
  • react rules have a configurable response page

The block rule action was added in 2.9.0 as a synonym to drop to avoid confusion with packets that are not inspected.

To enable these features, use the following when configuring Snort:

./configure --enable-active-response --enable-react --enable-flexresp3

Demo Setup


To run these tests you will need this tarball: http://labs.snort.org/files/active_blog.tgz.

Follow the setup outlined in the prior post for inline normalization.

You can run these tests in readback mode using the dump DAQ or in playback mode using tcpreplay and an inline sensor. Using a real sensor is the ultimate test, but you may find the dump DAQ indispensable for pcap testing.

Configuration


This test demonstrates how Snort can take an active role in shutting down offending sessions. The easiest way to do this is to configure the stream5 preprocessor to take action when a block (drop) rule fires.

preprocessor stream5_global: max_active_responses 1, min_response_seconds 1
block tcp any any -> 10.9.8.7 80 ( sid:2; msg:"Cheeze Prohibited"; content:"Cheeze"; )

Here we have a simple block rule that will cause TCP resets because max_active_responses has been set. When this rule fires in inline mode, the packet will be blocked and a reset will be sent.

Execution

We will run the test twice, once in inline mode and again in passive mode.

For readback testing:
  • On the sensor, run: ./readback.sh act_i?s.conf ../Source/act.pcap
For playback testing:
  1. On the sensor, run ./inline.sh act_i?s.conf
  2. On the sink, run ../recv.sh
  3. On the source, run ./send.sh act.pcap
  4. Type Ctrl-C on the sensor and sink to terminate.

Passive Mode Results

The results for act_ids.conf are (just showing the reset packet and the ones before and after):

17:14:37.760753 10.1.2.3.48620 -> 10.9.8.7.80: . [tcp sum ok] ack 1 win 256 (ttl 64, id 3, len 40)
        0x0000:  4500 0028 0003 0000 4006 5cba 0a01 0203  E..(....@.\.....
        0x0010:  0a09 0807 bdec 0050 0000 0002 0000 0002  .......P........
        0x0020:  5010 0100 d280 0000 0000 0000 0000       P.............

17:14:37.760876 10.1.2.3.48620 -> 10.9.8.7.80: R [tcp sum ok] 2:2(0) win 0 (ttl 5, id 25097, len 40)
        0x0000:  4500 0028 6209 0000 0506 35b4 0a01 0203  E..(b.....5.....
        0x0010:  0a09 0807 bdec 0050 0000 0002 0000 0002  .......P........
        0x0020:  5004 0000 d38c 0000 0000 0000 0000       P.............

17:14:37.760878 10.1.2.3.48620 -> 10.9.8.7.80: . [tcp sum ok] 1:41(40) ack 1 win 256 (ttl 64, id 4, len 80)
        0x0000:  4500 0050 0004 0000 4006 5c91 0a01 0203  E..P....@.\.....
        0x0010:  0a09 0807 bdec 0050 0000 0002 0000 0002  .......P........
        0x0020:  5010 0100 1c7f 0000 4745 5420 2f63 7261  P.......GET./cra
        0x0030:  7a79 2e63 6769 3f77 6974 6854 6865 4368  zy.cgi?withTheCh
        0x0040:  6565 7a65 5769 7a20 4854 5450 2f31 2e31  eezeWiz.HTTP/1.1


Inline Mode Results


The results for act_ips.conf are:

17:18:15.377938 10.1.2.3.48620 -> 10.9.8.7.80: . [tcp sum ok] ack 1 win 256 (ttl 64, id 3, len 40)
        0x0000:  4500 0028 0003 0000 4006 5cba 0a01 0203  E..(....@.\.....
        0x0010:  0a09 0807 bdec 0050 0000 0002 0000 0002  .......P........
        0x0020:  5010 0100 d280 0000 0000 0000 0000       P.............

17:18:15.378186 10.1.2.3.48620 -> 10.9.8.7.80: R [tcp sum ok] 2:2(0) win 0 (ttl 5, id 48182, len 40)
        0x0000:  4500 0028 bc36 0000 0506 db86 0a01 0203  E..(.6..........
        0x0010:  0a09 0807 bdec 0050 0000 0002 0000 0002  .......P........
        0x0020:  5004 0000 d38c 0000 0000 0000 0000       P.............


(The above results were captured from a playback test and show only one direction. For a readback test, you would see the reset packet in each direction.)
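The dumps above are the evidence for the claim that responses are encoded from the headers of the triggering packet: the reset carries the same addresses, ports and sequence number as the GET that matched "Cheeze", with the RST flag and a zero window, and tcpdump reports both checksums as good. The script below is an added example, not code from the post or from Snort: it decodes the three passive-mode packets (hex transcribed from the act_ids.conf dump above), recomputes the IP and TCP checksums, and applies a simple heuristic for pairing a reset with the packet it answers. The one edge case it handles is the link-layer padding: the 40-byte packets are dumped with six trailing zero bytes that sit outside the IP total length and would break the checksums if included.

```python
import struct

# Hex transcribed from the three passive-mode (act_ids.conf) packets shown above.
# The dump carries no Ethernet header, and the zero bytes beyond the IP total
# length are link-layer padding that must not be fed into the checksums.
TRIGGER_ACK = bytes.fromhex(
    "4500 0028 0003 0000 4006 5cba 0a01 0203"
    "0a09 0807 bdec 0050 0000 0002 0000 0002"
    "5010 0100 d280 0000 0000 0000 0000")
INJECTED_RST = bytes.fromhex(
    "4500 0028 6209 0000 0506 35b4 0a01 0203"
    "0a09 0807 bdec 0050 0000 0002 0000 0002"
    "5004 0000 d38c 0000 0000 0000 0000")
HTTP_GET = bytes.fromhex(
    "4500 0050 0004 0000 4006 5c91 0a01 0203"
    "0a09 0807 bdec 0050 0000 0002 0000 0002"
    "5010 0100 1c7f 0000 4745 5420 2f63 7261"
    "7a79 2e63 6769 3f77 6974 6854 6865 4368"
    "6565 7a65 5769 7a20 4854 5450 2f31 2e31")

# tcpdump-style flag letters, in the order tcpdump prints them
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))


def inet_checksum(data):
    """RFC 1071 ones-complement sum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(raw):
    """Decode an IPv4/TCP packet into a dict and verify the IP and TCP checksums."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _ip_csum = struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = raw[12:16], raw[16:20]
    tcp = raw[ihl:total_len]                      # slicing to total_len trims link-layer padding
    sport, dport, seq, ack, off_flags, window, _tcp_csum = struct.unpack("!HHIIHHH", tcp[:18])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    # TCP pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "ip_id": ip_id,
        "ip_csum_ok": inet_checksum(raw[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(ch for bit, ch in TCP_FLAGS if flags & bit),
        "window": window,
        "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload": tcp[data_off:],
    }


def looks_like_injected_reset(candidate, trigger):
    """Heuristic pairing, modelled on the capture above: a checksum-valid RST on the
    trigger's 4-tuple, reusing the trigger's sequence number, with a zero window."""
    same_flow = ((candidate["src"], candidate["sport"], candidate["dst"], candidate["dport"])
                 == (trigger["src"], trigger["sport"], trigger["dst"], trigger["dport"]))
    return (same_flow and candidate["flags"] == "R" and candidate["window"] == 0
            and candidate["seq"] == trigger["seq"]
            and candidate["ip_csum_ok"] and candidate["tcp_csum_ok"])


if __name__ == "__main__":
    get, rst = parse_ipv4_tcp(HTTP_GET), parse_ipv4_tcp(INJECTED_RST)
    print("GET payload:", get["payload"])
    print("RST flags:", rst["flags"], "win", rst["window"], "ttl", rst["ttl"], "id", rst["ip_id"])
    print("reset pairs with the GET:", looks_like_injected_reset(rst, get))
```

The pairing heuristic is deliberately narrow: it matches the direction, sequence number and window observed in this capture and will not catch resets built differently. One value worth noticing in the output is the TTL, which the dump shows as 5 on the injected reset against 64 on the packets from the real host; the post does not say why, but the difference is visible in the capture and is the kind of field a defender reviewing a pcap can use to tell injected responses from endpoint traffic.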

Packet Counts

For the ids run, we see the whole session plus a TCP reset, but the inline run shows only the three-way handshake and a TCP reset. In the latter case, not only was the “Cheeze” attack blocked, but the offending session was shut down as well. Snort's shutdown counts reflect this. Of the 8 packets analyzed in the ips case, 3 were allowed, 1 blacklisted, and 4 blocked. The 2 injections are 1 TCP reset in each direction.

Packet I/O Totals:
Received:            8
Analyzed:            8 ( 53.333%)
Injected:            2

Here are the ids counts:
Verdicts:
Allow:            8 ( 53.333%)

And here are the ips counts:
Verdicts:
Allow:            3 ( 14.286%)
Block:            4 ( 19.048%)
Blacklist:            1 (  4.762%)


Closing

Note that the passive mode reset may or may not be effective at shutting down the session depending on timing. For a more determined effort at passive IDS sniping, you can set config response: attempts A to specify that multiple resets be sent with varying sequence numbers ("sequence strafing"). But inline IPS will ensure the best results.

For both passive and inline scenarios, you can adjust max_active_responses N and min_response_seconds T to make up to N responses if traffic is still present after T seconds. Beware: when strafing, you will get A packets in each direction configured for each response.

If you only want some block rules to generate active responses, you can change those to reject, react, or resp rules instead of setting max_active_responses.

Please read Russ's other blog post about Inline Normalization with Snort 2.9 here, on the VRT blog.