Snort mailing list archives
Re: Snort 2.9.7 is now available
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Thu, 23 Oct 2014 20:23:23 +0000
In 2.9.6.2, the on/off part was always ignored. The setting was enabled when "flush_on_alert" was present, regardless of the "parameter" following. We added the check in 2.9.7 so it wouldn't be a pitfall, but it looks like we missed an update on a portion of the doc... Your current config actually enables flush_on_alert internally. Thanks for pointing this out, we will fix this!

-Carter

On 10/23/14, 3:19 PM, "rmkml" <rmkml () yahoo fr> wrote:
Congrats Snort Team!

Error with this line on my snort.conf:

    # on
    preprocessor stream5_global: flush_on_alert off

(previous snort v2.9.6.2 starts without error) but with new snort v2.9.7.0 it stops with error:

    ERROR: snort.conf(329) => Too many parameters for option in Session config.
    Fatal Error, Quitting..

Changed line, with new snort 2.9.7.0 it's OK (without parameter):

    flush_on_alert

Could you check if this option allows a parameter or not please?

snort-2.9.7.0/src/preprocessors/spp_session.c:

    ...
    else if(!strcasecmp(stoks[0], "flush_on_alert"))
    {
        if (s_toks > 1) //Trailing parameters
        {
            FatalError("%s(%d) => Too many parameters for option in Session config.\n",
                       file_name, file_line);
        }
        config->flags |= STREAM_CONFIG_FLUSH_ON_ALERT;
    }
    ...

snort-2.9.6.2/src/preprocessors/spp_stream5.c:

    ...
    else if(!strcasecmp(stoks[0], "flush_on_alert"))
    {
        config->flags |= STREAM5_CONFIG_FLUSH_ON_ALERT;
    }
    ...

No diff on snort manual.tex:

    preprocessor stream5_global: \
        [track_tcp <yes|no>], [max_tcp <number>], \
        [memcap <number bytes>], \
        [track_udp <yes|no>], [max_udp <number>], \
        [track_icmp <yes|no>], [max_icmp <number>], \
        [track_ip <yes|no>], [max_ip <number>], \
        [flush_on_alert], [show_rebuilt_packets], \
        [prune_log_max <bytes>], [disabled], \
        [flush_on_alert], [show_rebuilt_packets], \
        [prune_log_max <num bytes>], [enable_ha]

Best Regards
@Rmkml

On Thu, 23 Oct 2014, Snort Releases wrote:

Snort 2.9.7 is now available on snort.org at http://www.snort.org/downloads in the Snort Stable Release section. A new DAQ build is also available that updates support for a few operating systems.

Snort 2.9.7 includes a major new feature for Application Identification, our OpenAppID capability. In conjunction with this release, we are shifting the license for the OpenAppId content to GPLv2 to encourage more use and submission back to Cisco. If you are interested in learning and writing OpenAppId content, please join us on the OpenAppId mailing list at https://www.snort.org/community.
Any submissions to the OpenAppId ecosystem will receive public thanks and perhaps some nice swag!

2014-10-24 - Snort 2.9.7.0

[*] New additions

* Application Identification Preprocessor, when used in conjunction with OpenAppID detector content, that will identify application protocol, client, server, and web applications (including those using SSL) and include the info in Snort alert data. In addition, a new rule option keyword 'appid' that can be used to constrain Snort rules based on one or more applications that are identified for the connection. Separate prepackaged RPMs with App Open ID are available. See README.appid for further details.

* A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.

* Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.

* Added ability to test normalization behavior without modifying network traffic. When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.

* The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents.

* Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.

* Added additional support for Heartbleed detection within the SSL preprocessor to improve performance.

* Added control socket command to dump packets to a file. See README.snort_dump_packets_control for details.

* Added an option to suppress configuration information logging to output.

* The Stream5 preprocessor functionality is now split between the new Session and Stream6 preprocessors.

[*] Improvements

* Maximum IP6 extensions decoded is now configurable.

* Update active response to allow for responses of 1500+ bytes that span multiple TCP packets.

* Check limits of multiple configurations to not exceed a maximum ID of 4095.

* Updated the error output of byte_test, byte_jump, byte_extract to include details on offending options for a given rule.

* Update build and install scripts to install preprocessor and engine libraries into user specified libdir.

* Improved performance of IP Reputation preprocessor.

* The control socket will now report success when reloading empty IP Reputation whitelists/blacklists.

* All TCP normalizations can now be enabled individually. See README.normalize for details on using the new options. For consistency with other options, the "urp" tcp normalization keyword now enables the normalization instead of disabling it.

* Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.

* Updated profiler output to remove duplicate results when using multiple configurations.

* Improved performance of FTP reassembly.

* Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
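An added example, not Snort's own code, that reproduces the two parsing behaviours shown in rmkml's spp_session.c / spp_stream5.c snippets and explained in Carter's reply: strict mode mirrors the 2.9.7 trailing-parameter check, non-strict mode mirrors 2.9.6.2, where a trailing "off" is silently ignored and flush_on_alert is enabled anyway. The flag bit, status codes, function name and the sample config line are assumptions made for illustration; only the comma/whitespace tokenising and the strcasecmp dispatch follow the quoted snippets.

```c
#define _POSIX_C_SOURCE 200809L   /* strtok_r */
#include <stdio.h>
#include <string.h>
#include <strings.h>              /* strcasecmp, as used in spp_session.c */

/* Hypothetical flag bit and status codes, not Snort's real definitions. */
#define FLUSH_ON_ALERT 0x1u
enum { PARSE_OK = 0, PARSE_TOO_MANY_PARAMS = 1 };

/* Parse one "preprocessor stream5_global: ..." line: options are comma
 * separated, each split on whitespace into tokens like Snort's stoks[]/s_toks.
 * strict=1 mimics 2.9.7 (trailing tokens after flush_on_alert are fatal),
 * strict=0 mimics 2.9.6.2 (the trailing "off" is ignored, flag set anyway). */
int parse_stream5_global(const char *line, int strict, unsigned *flags)
{
    char buf[256], *opt, *save_opt, *tok, *save_tok;
    const char *body = strchr(line, ':');           /* skip "preprocessor name:" */

    *flags = 0;
    snprintf(buf, sizeof buf, "%s", body ? body + 1 : line);
    for (opt = strtok_r(buf, ",", &save_opt); opt; opt = strtok_r(NULL, ",", &save_opt)) {
        char *stoks[8];
        int s_toks = 0;
        for (tok = strtok_r(opt, " \t\r\n", &save_tok); tok && s_toks < 8;
             tok = strtok_r(NULL, " \t\r\n", &save_tok))
            stoks[s_toks++] = tok;
        if (s_toks == 0)
            continue;
        if (!strcasecmp(stoks[0], "flush_on_alert")) {
            if (strict && s_toks > 1)
                return PARSE_TOO_MANY_PARAMS;       /* 2.9.7: FatalError path */
            *flags |= FLUSH_ON_ALERT;               /* both versions set the flag */
        }
        /* other stream5_global options would be dispatched here */
    }
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: the line from the thread that breaks on 2.9.7. */
    const char *line = "preprocessor stream5_global: track_tcp yes, flush_on_alert off";
    unsigned flags;
    int rc = parse_stream5_global(line, 0, &flags);
    printf("2.9.6.2: rc=%d flush_on_alert=%u\n", rc, flags & FLUSH_ON_ALERT);
    rc = parse_stream5_global(line, 1, &flags);
    printf("2.9.7.0: rc=%d (1 = too many parameters)\n", rc);
    return 0;
}
```

Running it against an existing snort.conf line before upgrading shows whether a setting that 2.9.6.2 accepted was actually doing what the "off" suggested.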