IDS mailing list archives
Snort 2.0.3 released !!!!
From: "SILES,RAUL (HP-Spain,ex1)" <raul.siles () hp com>
Date: Thu, 6 Nov 2003 11:28:32 +0100
Hi all,

**** NEW Snort 2.0.3 version has been released !!!!

It is VERY IMPORTANT to upgrade to the new version because your Snort
sensors could be missing alerts !!!!

If it is not possible for you to upgrade, then change the default search
method (mwm) to "ac" or "lowmem":
See: "http://www.snort.org/"

    config detection: search-method lowmem
OR
    config detection: search-method ac

The bug affects the default search algorithm, MWM:
See: "http://cvs.sourceforge.net/viewcvs.py/snort/snort/ChangeLog?rev=HEAD"

2003-10-28 Marc Norton <mnorton () sourcefire com>
    * src/sfutil/mwm.c: fixed bug with search-method mwm resulting in
      retesting removing an active rule on occasion (Thanks to Raul Siles &
      David Perez for a reproducible test case!)

The different Snort "config detection: search-method"s are:
- ac: Aho-Corasick based algorithm
- mwm: Wu-Manber based algorithm
- lowmem: Save memory, using a less efficient algorithm

The implications of all of them are summarized in:
See: http://marc.theaimsgroup.com/?l=snort-devel&m=103427225029674&w=2

This is an example associated with the binary log files available in
"http://www.incidents.org/logs/Raw":

$ /opt/snort-2.0.2/src/snort -V

   -*> Snort! <*-
   Version 2.0.2 (Build 92)
   By Martin Roesch (roesch () sourcefire com, www.snort.org)

$ /opt/snort-2.0.3/src/snort -V

   -*> Snort! <*-
   Version 2.0.3 (Build 95)
   By Martin Roesch (roesch () sourcefire com, www.snort.org)

$ /opt/snort-2.0.3/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N
Run time for packet processing was 0.195137 seconds
$ ll alert
-rw------- 1 rsiles rsiles 46984 Nov 6 10:51 alert
$ mv alert alert_2.0.3
$ /opt/snort-2.0.2/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N
Run time for packet processing was 0.90856 seconds
$ ll
total 72
-rw------- 1 rsiles rsiles 22510 Nov 6 10:51 alert
-rw------- 1 rsiles rsiles 46984 Nov 6 10:51 alert_2.0.3
$ mv alert alert_2.0.2
$ grep -F "[**]" alert_2.0.* | wc -l
186
$ grep -F "[**]" alert_2.0.2 | wc -l
61
$ grep -F "[**]" alert_2.0.3 | wc -l
125
$

As can be seen, using Snort 2.0.2 version "64" alerts are missed compared
with Snort version 2.0.3. This time the missed alert is:
----
[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58
Len: 30
[Xref => http://www.whitehats.com/info/IDS278][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10028]
----

Regards,
Raúl Siles (raul.siles () hp com)
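The mail compares the two runs by counting "[**]" lines with grep, which shows that alerts went missing but not which ones. As an added example (not part of the post, and not Snort's own code), the following Python script turns that comparison into a per-signature regression check: it parses the header line of each alert in Snort's "-A full" output, counts alerts per generator/signature id, and reports every signature that fires fewer times in one run than in the other. The two sample alert files are constructed for this example: the DNS alert is the one quoted in the mail, the second DNS hit and the sid 1000001 local-rule alert are made up.

```python
"""Compare two Snort "-A full" alert files and report signatures whose
alert count dropped, e.g. after an upgrade or a change of
"config detection: search-method". Added example, not Snort code."""
import re
from collections import Counter

# Header line of every alert in Snort's full output, e.g.
# [**] [1:1616:4] DNS named version attempt [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")

# Constructed sample: what alert_2.0.3 might contain. The first alert is the
# one quoted in the mail; the other two are made up for the example.
ALERTS_2_0_3 = """\
[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58
Len: 30
[Xref => http://www.whitehats.com/info/IDS278][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10028]

[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:13:02.101010 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2091 -> 78.37.49.125:53 UDP TTL:46 TOS:0x0 ID:11130 IpLen:20 DgmLen:58
Len: 30

[**] [1:1000001:1] LOCAL constructed test alert [**]
[Classification: Misc activity] [Priority: 3]
05/23-00:14:00.000000 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
210.195.43.76:4000 -> 78.37.49.124:80 TCP TTL:46 TOS:0x0 ID:11131 IpLen:20 DgmLen:40
"""

# Constructed sample: the same traffic processed by the buggy version, with
# one of the two DNS alerts silently missing.
ALERTS_2_0_2 = """\
[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58
Len: 30
[Xref => http://www.whitehats.com/info/IDS278][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10028]

[**] [1:1000001:1] LOCAL constructed test alert [**]
[Classification: Misc activity] [Priority: 3]
05/23-00:14:00.000000 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
210.195.43.76:4000 -> 78.37.49.124:80 TCP TTL:46 TOS:0x0 ID:11131 IpLen:20 DgmLen:40
"""


def count_alerts(alert_text):
    """Count alerts per (gid, sid, msg) by matching only the header lines;
    body lines (classification, addresses, Xref) are ignored."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            gid, sid, _rev, msg = m.groups()
            counts[(int(gid), int(sid), msg)] += 1
    return counts


def missing_alerts(baseline_text, candidate_text):
    """Signatures that fire fewer times in candidate than in baseline.
    Returns {(gid, sid, msg): (baseline_count, candidate_count)}."""
    base = count_alerts(baseline_text)
    cand = count_alerts(candidate_text)
    return {key: (n, cand.get(key, 0))
            for key, n in base.items() if cand.get(key, 0) < n}


def report(baseline_text, candidate_text):
    """Human-readable lines, one per signature with lost alerts."""
    lines = []
    for (gid, sid, msg), (n_base, n_cand) in sorted(
            missing_alerts(baseline_text, candidate_text).items()):
        lines.append(f"[{gid}:{sid}] {msg}: {n_base} -> {n_cand} "
                     f"({n_base - n_cand} missing)")
    return lines


if __name__ == "__main__":
    # Baseline is the run believed to be correct (here the 2.0.3 output).
    for line in report(ALERTS_2_0_3, ALERTS_2_0_2):
        print(line)
```

To use it on real files, read alert_2.0.3 and alert_2.0.2 into the two strings instead of the constructed samples; the same check works for any two sensors or search-method settings fed the same pcap, which is the quickest way to confirm that a configuration change did not cost detection coverage.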