Re: Snort 2.9.1 Now Available

[Ryan Jordan <ryan.jordan () sourcefire com>]

Hi Vincent,

When I build the Snort packages, I use two build machines: One on CentOS 6,
and one on Fedora 13. They are running different versions of Autoconf.

Normally, each machine produces its own copy of the tarball and source RPM.
I have to pick one and discard the other. Somehow, I managed to get the
tarball from one machine but the source RPM from the other.

The files you list with differences fall into two categories:
1) autoconf's output
2) The Snort manual

The autoconf output is different because the output contains autoconf's
version number. The Snort manual is re-generated as part of the RPM build
process. The manual is stamped with the date on which the PDF was generated,
so sometimes the RPM and the tarball get different dates.

Rest assured, the actual source code is the same.

Regards,
Ryan

On Wed, Aug 24, 2011 at 5:13 AM, <vincent () cojot name> wrote:

> Hi everyone,
>
> There are substantial differences in the snort-2.9.1.tar.gz archive and in
> that extracted from the  snort-2.9.1-1.src.rpm.
> Which one is the correct one?
> Example:
>
> [raistlin@thorbardin 2.9.1.0]$ diff -rqc tarball srpm|head -10
> Files tarball/Makefile.in and srpm/Makefile.in differ
> Files tarball/aclocal.m4 and srpm/aclocal.m4 differ
> Files tarball/config.h.in and srpm/config.h.in differ
> Files tarball/configure and srpm/configure differ
> Files tarball/contrib/Makefile.in and srpm/contrib/Makefile.in differ
> Files tarball/doc/Makefile.in and srpm/doc/Makefile.in differ
> Files tarball/doc/faq.pdf and srpm/doc/faq.pdf differ
> Files tarball/doc/snort_manual.pdf and srpm/doc/snort_manual.pdf differ
> Files tarball/etc/Makefile.in and srpm/etc/Makefile.in differ
> Files tarball/m4/Makefile.in and srpm/m4/Makefile.in differ
>
> [raistlin@thorbardin 2.9.1.0]$ diff -rqc tarball srpm|wc -l
> 58
>
> Example:
> diff -rc tarball/aclocal.m4 srpm/aclocal.m4
> *** tarball/aclocal.m4  Thu Jul 14 22:48:37 2011
> --- srpm/aclocal.m4     Thu Jul 14 22:38:27 2011
> ***************
> *** 13,20 ****
>
>  m4_ifndef([AC_AUTOCONF_**VERSION],
>    [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
> ! m4_if(m4_defn([AC_AUTOCONF_**VERSION]), [2.65],,
> ! [m4_warning([this file was generated for autoconf 2.65.
>  You have another version of autoconf.  It may work, but is not guaranteed
> to.
>  If you have problems, you may need to regenerate the build system
> entirely.
>  To do so, use the procedure documented by the package, typically
> `autoreconf'.])])
> --- 13,20 ----
>
>  m4_ifndef([AC_AUTOCONF_**VERSION],
>    [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
> ! m4_if(m4_defn([AC_AUTOCONF_**VERSION]), [2.63],,
> ! [m4_warning([this file was generated for autoconf 2.63.
>  You have another version of autoconf.  It may work, but is not guaranteed
> to.
>  If you have problems, you may need to regenerate the build system
> entirely.
>  To do so, use the procedure documented by the package, typically
> `autoreconf'.])])
>
> IMHO, there should be no differences. The SRPMS should only distribute the
> tar.gz archive 'as posted' in the download area.
>
> Regards,
>
> Vincent
>
>
> On Tue, 23 Aug 2011, Snort Releases wrote:
>
>  Snort 2.9.1 is now available on snort.org, at
> > http://www.snort.org/snort-**downloads/<http://www.snort.org/snort-downloads/>in the Latest Release section.
> >
> > 2.9.0 RC & later packages are signed with a new PGP key
> > (that is signed with the previous key).
> >
> > ****
> > NOTE: Snort 2.9.1 requires pkg-config be installed for some
> > of its autoconf processing.  See details below.
> > ****
> >
> > Snort 2.9.1 introduces the following new capabilities:
> >
> >  * Protocol aware reassembly support for HTTP and DCE/RPC
> >    preprocessors.  Updates to Stream5 allowing Snort to more
> >    intelligently inspect HTTP and DCE/RPC requests and responses.
> >    See README.stream5 subsection related to Protocol Aware Flushing
> >    (PAF).
> >
> >  * SIP preprocessor to identify SIP call channels and provide
> >    rule access via new rule option keywords.  Also includes new
> >    preprocessor rules for anomalies in the SIP communications.
> >    See the Snort Manual and README.sip for details.
> >
> >  * POP3 & IMAP preprocessors to decode email attachments in
> >    Base64, Quoted Printable, and uuencode formats, and updates
> >    to SMTP preprocessor for decoding email attachments encoded
> >    as Quoted Printable and uuencode formats.  See the Snort
> >    Manual, README.pop, README.imap, and README.SMTP for details.
> >
> >  * Support for reading large pcap files.
> >
> >  * Logging of HTTP URL (host and filename), SMTP attachment
> >    filenames and email recipients to unified2 when Snort generates
> >    events on related traffic.
> >
> >  * IP Reputation preprocessor, allowing Snort to blacklist or
> >    whitelist packets based on their IP addresses. This preprocessor
> >    is still in an experimental state, so please report any issues
> >    to the Snort team.  See README.reputation for more information.
> >
> > Additionally, the following updates and improvements have been made:
> >
> >  * Updates to give shared library rules direct access to gzip
> >    decoding capabilities.
> >
> >  * Rule Option Improvements:
> >
> >    - Updates to content modifier http_cookie to not include
> >      the HTTP header names themselves in the buffer.  This change
> >      may affect existing rules that leverage this keyword.
> >
> >    - Updates to the file_data and base64_data rule option keywords
> >      and added a pkt_data rule option keyword that sets the buffer
> >      to be used for subsequent content/pcre/etc rule options.
> >
> >    - Updates to the tcp flag rule option keyword to support 'C'
> >      and 'E' for CWR and ECN bits.
> >
> >    - Updates to byte_extract rule option keyword to support
> >      the same string formats as with byte_test and byte_jump.
> >
> >  * Updates to Snort's build infrastructure and autoconf script
> >    for portability and improved checks for library dependencies.
> >    To facilitate easier building of Snort on many of the different
> >    platforms supported, Snort now uses pkg-config to check for
> >    certain library locations.  Obtain pkg-config from freedesktop.org.
> >
> >  * Many updates and improvements to the Snort documentation.  Special
> >    thanks to all of the contributors from the Snort community for
> >    working with us and making the documentation more accurate and
> >    usable.
> >
> >  * Updates to the sensitive data preprocessor for handling HTTP
> >    traffic and reducing false positives.
> >
> >  * Updates to Snort's config parsing to provide more meaningful
> >    error messages relating to snort.conf errors and configuration
> >    display at startup.
> >
> >  * Updates to Snort's active response packets whether via response
> >    keyword or part of inline normalization.
> >
> >  * Improvements to HTTP Inspect processing of chunked HTTP data.
> >    Additional HTTP Inspect alerts for evasion attempts such as small
> >    chunks and excessive whitespace in folded headers.
> >
> >  * Updates to the statistics Snort prints to console or syslog
> >    at exit for different preproessors.
> >
> > Please see the Release Notes and ChangeLog for more details.
> >
> > Please submit bugs, questions, and feedback to bugs () snort org.
> >
> > Happy Snorting!
> > The Snort Release Team
> >
> >
> > ------------------------------**------------------------------**
> > ------------------
> > EMC VNX: the world's simplest storage, starting under $10K
> > The only unified storage solution that offers unified management
> > Up to 160% more powerful than alternatives and 25% more efficient.
> > Guaranteed. http://p.sf.net/sfu/emc-vnx-**dev2dev<http://p.sf.net/sfu/emc-vnx-dev2dev>
> > ______________________________**_________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.**net <Snort-users () lists sourceforge net>
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/**lists/listinfo/snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users>
> > Snort-users list archive:
> > http://www.geocrawler.com/**redir-sf.php3?list=snort-users<http://www.geocrawler.com/redir-sf.php3?list=snort-users>
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> --
> ,-*~'`^`'~*-,._.,-*~'`^`'~*-,.**_.,-*~'`^`'~*-,._.,-*~'`^`'~*-**
> ,._.,-*~'`^`'~*-,
> Vincent S. Cojot, Computer Engineering. STEP project.
> _.,-*~'`^`'~*-,._.,-*~
> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
> _.,-*~'`^`'~*-,.
> Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-**
> ,._.,-*~'
> http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote () NOSPAM4cojot name
>
> They cannot scare me with their empty spaces
> Between stars - on stars where no human race is
> I have it in me so much nearer home
> To scare myself with my own desert places.       - Robert Frost
------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management 
Up to 160% more powerful than alternatives and 25% more efficient. 
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!