Re: Snort 2.9.7 is now available

["Carter Waxman (cwaxman)" <cwaxman () cisco com>]

In 2.9.6.2, the on/off part was always ignored. The setting was enabled
when ³flush_on_alert" was present, regardless of the ³parameter²
following. We added the check in 2.9.7 so it wouldn¹t be a pitfall,
but it looks like we missed an update on a portion of the docŠ Your
current config
actually enables flush_on_alert internally.


Thanks for pointing this out, we will fix this!


-Carter



On 10/23/14, 3:19 PM, "rmkml" <rmkml () yahoo fr> wrote:

> Congrats Snort Team!
>
> Error with this line on my snort.conf:
> # on preprocessor stream5_global:
>  flush_on_alert off
>
> (previous snort v2.9.6.2 start without error)
>
> but with new snort v2.9.7.0 stop with error:
> ERROR: snort.conf(329) => Too many parameters for option in Session
> config.
> Fatal Error, Quitting..
>
> Changed line, new snort 2970 it's ok: (without parameter)
>  flush_on_alert
>
> Could you check if this option allow parameter or not please ?
>
> snort-2.9.7.0/src/preprocessors/spp_session.c:
> ...
>         else if(!strcasecmp(stoks[0], "flush_on_alert"))
>         {
>             if (s_toks > 1) //Trailing parameters
>             {
>                 FatalError("%s(%d) => Too many parameters for option in
> Session config.\n",
>                         file_name, file_line);
>             }
>             config->flags |= STREAM_CONFIG_FLUSH_ON_ALERT;
>         }
> ...
>
> snort-2.9.6.2/src/preprocessors/spp_stream5.c:
> ...
>         else if(!strcasecmp(stoks[0], "flush_on_alert"))
>         {
>             config->flags |= STREAM5_CONFIG_FLUSH_ON_ALERT;
>         }
> ...
>
> No diff on snort manual.tex:
>     preprocessor stream5_global: \
>         [track_tcp <yes|no>], [max_tcp <number>], \
>         [memcap <number bytes>], \
>         [track_udp <yes|no>], [max_udp <number>], \
>         [track_icmp <yes|no>], [max_icmp <number>], \
>         [track_ip <yes|no>], [max_ip <number>], \
>         [flush_on_alert], [show_rebuilt_packets], \
>         [prune_log_max <bytes>], [disabled], \
>         [flush_on_alert], [show_rebuilt_packets], \
>         [prune_log_max <num bytes>], [enable_ha]
>
> Best Regards
> @Rmkml
>
>
>
> On Thu, 23 Oct 2014, Snort Releases wrote:
>
> > Snort 2.9.7 is now available on snort.org at
> > http://www.snort.org/downloads in the Snort Stable Release section.
> >
> > A new DAQ build is also available that updates support for a few
> > operating systems.
> >
> > Snort 2.9.7 includes a major new feature for Application Identification,
> > our OpenAppID capability.
> >
> > In conjunction with this release, are shifting the license for the
> > OpenAppId
> > content to GPLv2 to encourage more use and submission back to Cisco.  If
> > you are interested in learning and writing OpenAppId content, please
> > join
> > us on the OpenAppId mailing list at https://www.snort.org/community.
> > Any submissions to the OpenAppId ecosystem will receive public thanks
> > and perhaps some nice swag!
> >
> > 2014-10-24 - Snort 2.9.7.0
> > [*] New additions
> > * Application Identification Preprocessor, when used in conjunction with
> >  OpenAppID detector content, that will identify application protocol,
> >  client, server, and web applications (including those using SSL) and
> >  include the info in Snort alert data. In addition, a new rule option
> >  keyword 'appid' that can be used to constrain Snort rules based on one
> >  or more applications that are identified for the connection. Separate
> >  prepackaged RPMs with App Open ID are available.  See README.appid
> >  for further details.
> >
> > * A new protected_content rule option that is used to match against a
> >  content that is hashed.  It can be used to obscure the full context
> >  of the rule from the administrator.
> >
> > * Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
> >  more accurately process different portions of email messages and file
> >  attachments.
> >
> > * Added ability to test normalization behavior without modifying
> >  network traffic.  When configured using na_policy_mode:inline-test,
> >  statistics will be gathered on packet normalizations that would have
> >  occurred, allowing less disruptive testing of inline deployments.
> >
> > * The HTTP Inspection preprocessor now has the ability to decompress
> >  DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
> >  content from http responses when configured with the new
> >  decompress_swf and decompress_pdf options. This enhancement can be
> >  used with existing rule options that already match against
> >  decompressed equivalents.
> >
> > * Added improved XFF support to HttpInspect. It is now possible to
> >  specify custom HTTP headers to use in place of 'X-Forwarded-For'. In
> >  situations where traffic may contain multiple XFF-like headers, it is
> >  possible to specify which headers hold precedence.
> >
> > * Added additional support for Heartbleed detection within the SSL
> >  preprocessor to improve performance.
> >
> > * Added control socket command to dump packets to a file.  See
> >  README.snort_dump_packets_control for details.
> >
> > * Added an option to suppress configuration information logging to
> > output.
> >
> > * The Stream5 preprocessor functionality is now split between the new
> >  Session and Stream6 preprocessors.
> >
> > [*] Improvements
> > * Maximum IP6 extensions decoded is now configurable.
> >
> > * Update active response to allow for responses of 1500+ bytes that span
> >  multiple TCP packets.
> >
> > * Check limits of multiple configurations to not exceed a maximum ID of
> > 4095.
> >
> > * Updated the error output of byte_test, byte_jump, byte_extract to
> >  including details on offending options for a given rule.
> >
> > * Update build and install scripts to install preprocessor and engine
> >  libraries into user specified libdir.
> >
> > * Improved performance of IP Reputation preprocessor.
> >
> > * The control socket will now report success when reloading empty IP
> >  Reputation whitelists/blacklists.
> >
> > * All TCP normalizations can now be enabled individually. See
> >  README.normalize for details on using the new options. For
> >  consistency with other options, the "urp" tcp normalization keyword
> >  now enables the normalization instead of disabling it.
> >
> > * Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
> >
> > * Updated profiler output to remove duplicate results when using
> >  multiple configurations.
> >
> > * Improved performance of FTP reassembly.
> >
> > * Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD,
> >  FreeBSD, and DragonFlyBSD
> >
> >
> >
> > -------------------------------------------------------------------------
> > -----
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!