IDS mailing list archives

Snort 2.0.3 released !!!!


From: "SILES,RAUL (HP-Spain,ex1)" <raul.siles () hp com>
Date: Thu, 6 Nov 2003 11:28:32 +0100

Hi all,

**** NEW Snort 2.0.3 version has been released !!!!

It is VERY IMPORTANT to upgrade to the new version because your Snort
sensors could be missing alerts !!!!

If it is not possible for you to upgrade, then change the default search
method (mwm) to "ac" or "lowmem":
See: http://www.snort.org/

  config detection: search-method lowmem  OR
  config detection: search-method ac

The bug affects the default search algorithm, MWM:
See: http://cvs.sourceforge.net/viewcvs.py/snort/snort/ChangeLog?rev=HEAD

2003-10-28  Marc Norton <mnorton () sourcefire com>
        * src/sfutil/mwm.c:
          fixed bug with search-method mwm resulting in retesting removing
          an active rule on occasion (Thanks to Raul Siles & David Perez
          for a reproducible test case!)

The different Snort "config detection: search-method"'s are:
- ac: Aho-Corasick based algorithm
- mwm: Wu-Manber based algorithm
- lowmem: Save memory, using a less efficient algorithm

The implications of all of them are summarized in:
See: http://marc.theaimsgroup.com/?l=snort-devel&m=103427225029674&w=2


This is an example associated with the binary log files available in
"http://www.incidents.org/logs/Raw":

$ /opt/snort-2.0.2/src/snort -V

-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

$ /opt/snort-2.0.3/src/snort -V

-*> Snort! <*-
Version 2.0.3 (Build 95)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

$ /opt/snort-2.0.3/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N
Run time for packet processing was 0.195137 seconds
$ ll alert
-rw-------    1 rsiles   rsiles      46984 Nov  6 10:51 alert
$ mv alert alert_2.0.3

$ /opt/snort-2.0.2/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N
Run time for packet processing was 0.90856 seconds
$ ll
total 72
-rw-------    1 rsiles   rsiles      22510 Nov  6 10:51 alert
-rw-------    1 rsiles   rsiles      46984 Nov  6 10:51 alert_2.0.3
$ mv alert alert_2.0.2

$ grep -F "[**]" alert_2.0.* | wc -l
    186
$ grep -F "[**]" alert_2.0.2 | wc -l
     61
$ grep -F "[**]" alert_2.0.3 | wc -l
    125
$

As can be seen, using Snort version 2.0.2, "64" alerts are missed compared
with Snort version 2.0.3.
This time the missed alert is:
----
[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20
DgmLen:58
Len: 30
[Xref => http://www.whitehats.com/info/IDS278][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=10028]
----

Regards,
Raúl Siles (raul.siles () hp com)
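As an added example (not part of Raúl's post or of Snort itself), the comparison done above by hand with grep and wc can be automated: the script parses two Snort "-A full" alert files and lists the records present in one but absent from the other, so the dropped alerts are identified individually rather than only counted. The alert text below is constructed in the same layout as the record quoted in the post; with real sensors it would be read from the alert_2.0.3 and alert_2.0.2 files.

```python
import re
from collections import Counter

# Constructed sample in Snort "-A full" layout (same record format as the
# alert quoted in the post); not real sensor output.
ALERTS_2_0_3 = """\
[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58
Len: 30

[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-01:02:03.000001 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
10.0.0.5:4000 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11130 IpLen:20 DgmLen:58
Len: 30
"""
# Constructed stand-in for the 2.0.2 output: the same file minus the second record.
ALERTS_2_0_2 = ALERTS_2_0_3.split("\n\n")[0]

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
STAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
FLOW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)? (\w+)")

def parse_alerts(text):
    """Return one (gid:sid:rev, msg, timestamp, src, dst, proto) tuple per record."""
    alerts = []
    for record in text.strip().split("\n\n"):  # records are blank-line separated
        lines = record.strip().splitlines()
        m = HEADER.match(lines[0]) if lines else None
        if not m:
            continue  # not an alert record (e.g. trailing junk)
        gid, sid, rev, msg = m.groups()
        stamp = src = dst = proto = None
        for line in lines[1:]:
            s = STAMP.match(line)       # timestamp (and MACs, with -e) line
            if s:
                stamp = s.group(1)
            f = FLOW.match(line)        # IP header line: src -> dst proto
            if f:
                src, dst, proto = f.groups()
        alerts.append((f"{gid}:{sid}:{rev}", msg, stamp, src, dst, proto))
    return alerts

def missing_alerts(reference, candidate):
    """Records in `reference` absent from `candidate` (multiset difference, so
    repeated identical records are counted, not collapsed)."""
    diff = Counter(parse_alerts(reference)) - Counter(parse_alerts(candidate))
    return sorted(diff.elements())
```

Running missing_alerts(ALERTS_2_0_3, ALERTS_2_0_2) returns the second DNS record, i.e. the alert the sensor with the buggy mwm search dropped; the reverse comparison returns nothing.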
