Author Topic: Network Pig Snort ...  (Read 11187 times)

0 members and 1 guest are viewing this topic.

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Snort 2.9.7.0 Beta
« Reply #15 on: 02 July, 2014, 12:17 »
Release Notes
New additions:
Application Identification Preprocessor, when used in conjunction with open app ID detector content, that will identify application protocol, client, server, and web applications (including those using SSL) and include the info in Snort alert data. In addition, a new rule option keyword 'appid' that can be used to constrain Snort rules based on one or more applications that are identified for the connection. See README.appid for details.
A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.
Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.
Added ability to test normalization behavior without modifying network traffic.
When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.
The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents.
Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.
Added control socket command to dump packets.
The Stream5 preprocessor functionality is now split between the new Session and Stream preprocessors. This makes for easier tracking of sessions independent of TCP stream reassembly.
Improvements:
Update active response to allow for responses of 1500+ bytes that span multiple TCP packets.
Check limits of multiple configurations to not exceed a maximum ID of 4095.
Updated the error output of byte_test, byte_jump, byte_extract to include details on offending options for a given rule.
Update build and install scripts to install preprocessor and engine libraries into user specified libdir.
Improved performance of IP Reputation preprocessor.
The control socket will now report success when reloading empty IP Reputation whitelists/blacklists.
All TCP normalizations can now be enabled individually. See README.normalize for details on using the new options. For consistency with other options, the "urp" tcp normalization keyword now enables the normalization instead of disabling it.
Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
Updated profiler output to remove duplicate results when using multiple configurations.
Improved performance of FTP reassembly.
Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD.

http://www.snort.org/

Work/test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

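The release notes above introduce the protected_content rule option, which matches a content by its hash so the plaintext pattern does not appear in the rule. The following is an added example written for this thread, not Snort's implementation: it models the idea with SHA-256 (the digest choice, the function names and the sample payload are assumptions) and shows why the matcher needs the pattern length and the offset/depth bounds.

```python
"""Hash-based content matching in the spirit of Snort's protected_content option.

Constructed example for illustration, not Snort's implementation. The rule side
carries only a digest (SHA-256 here) and the pattern length; the match side
hashes each candidate window of that length inside the offset/depth bounds and
compares digests, so the plaintext pattern never appears in the rule file.
"""
import hashlib
from typing import Optional


def make_protected_rule(pattern: bytes, hash_name: str = "sha256",
                        offset: int = 0, depth: Optional[int] = None) -> dict:
    """Rule-side representation: digest, length and search bounds, never the pattern."""
    return {
        "hash": hash_name,
        "digest": hashlib.new(hash_name, pattern).hexdigest(),
        "length": len(pattern),      # needed: the matcher must know the window size
        "offset": offset,            # first payload byte the window may start at
        "depth": depth,              # how many bytes past offset the search may cover
    }


def protected_match(rule: dict, payload: bytes) -> int:
    """Return the offset of the first window whose digest equals the rule's, or -1."""
    n = rule["length"]
    start = rule["offset"]
    end = len(payload) if rule["depth"] is None else min(len(payload), start + rule["depth"])
    for i in range(start, end - n + 1):
        if hashlib.new(rule["hash"], payload[i:i + n]).hexdigest() == rule["digest"]:
            return i
    return -1


# Constructed sample: the pattern an analyst wants to match but not disclose
SECRET_PATTERN = b"SECRETMARKER"
RULE = make_protected_rule(SECRET_PATTERN)

# Constructed payload: an HTTP request carrying the pattern at byte offset 26
SAMPLE_PAYLOAD = b"GET /cgi-bin/status?token=SECRETMARKER HTTP/1.1\r\nHost: example.test\r\n\r\n"


def demo() -> dict:
    """Run the matcher with and without a depth bound; returns the two offsets."""
    return {
        "unbounded": protected_match(RULE, SAMPLE_PAYLOAD),
        "bounded": protected_match(make_protected_rule(SECRET_PATTERN, depth=20), SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    print(RULE)            # shows digest and length only, no plaintext pattern
    print(demo())          # {'unbounded': 26, 'bounded': -1}
```

Because the digest has to be recomputed for every candidate window, this kind of match is far more expensive than a plain content search; the offset and depth bounds are what keep the cost predictable, and a rule without them inspects every window of the payload.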
Offline SiLæncer

Snort 2.9.6.2 Stable
« Reply #16 on: 17 July, 2014, 17:01 »
Changelog

Snort 2.9.6.2

   * src/build.h:
     updating build number to 77

   * src/: encode.c, encode.h :    
     Fixed handling of ICMPv6 traffic.

   * src/preprocessors/Stream5/snort_stream5_tcp.c :    
     Fixed inline stream reassembly during file processing.

   * src/preprocessors/spp_perfmonitor.c :    
     Fixed race condition in performance monitor.

   * src/preprocessors/:
     snort_httpinspect.c,
     HttpInspect/client/hi_client.c,
     HttpInspect/include/hi_client.h,
     HttpInspect/include/hi_ui_config.h,
     HttpInspect/user_interface/hi_ui_config.c :
     Added the ability to specify additional custom 'x-forwarded-for'
     http field names. A new http inspection configuration element is used to
     specify a set of field names and their respective precedence order. 
    
   * src/preprocessors/Stream5/snort_stream5_session.c :
     Add cache flow timeout for ip.


http://www.snort.org/

Offline SiLæncer

Snort 2.9.7.0 RC
« Reply #17 on: 09 October, 2014, 14:00 »
Changelog

New additions:

Application Identification Preprocessor, when used in conjunction with open app ID detector content, that will identify application protocol, client, server, and web applications (including those using SSL) and include the info in Snort alert data. In addition, a new rule option keyword 'appid' that can be used to constrain Snort rules based on one or more applications that are identified for the connection.
A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.
Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.
Added ability to test normalization behavior without modifying network traffic. When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.
The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents.
Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.
Added support for Heartbleed detection.
Added control socket command to dump packets.
Added an option to suppress configuration information logging to output.
The Stream5 preprocessor functionality is now split between the new Session and Stream preprocessors.

Improvements:

Maximum IP6 extensions decoded is now configurable.
Update active response to allow for responses of 1500+ bytes that span multiple TCP packets.
Check limits of multiple configurations to not exceed a maximum ID of 4095.
Updated the error output of byte_test, byte_jump, byte_extract to include details on offending options for a given rule.
Update build and install scripts to install preprocessor and engine libraries into user specified libdir.
Improved performance of IP Reputation preprocessor.
The control socket will now report success when reloading empty IP Reputation whitelists/blacklists.
All TCP normalizations can now be enabled individually. See README.normalize for details on using the new options. For consistency with other options, the "urp" tcp normalization keyword now enables the normalization instead of disabling it.
Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
Updated profiler output to remove duplicate results when using multiple configurations.
Improved performance of FTP reassembly.
Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD.
Stability improvements in Stream6 preprocessor and FTP preprocessor.


http://www.snort.org/

Offline SiLæncer

Snort 2.9.7.0 Final
« Reply #18 on: 28 October, 2014, 17:00 »
Changelog

  • New additions

* Application Identification Preprocessor, when used in conjunction with
OpenAppID detector content, that will identify application protocol,
client, server, and web applications (including those using SSL) and
include the info in Snort alert data. In addition, a new rule option
keyword 'appid' that can be used to constrain Snort rules based on one
or more applications that are identified for the connection. Separate
prepackaged RPMs with App Open ID are available. See README.appid
for further details.

* A new protected_content rule option that is used to match against a
content that is hashed. It can be used to obscure the full context
of the rule from the administrator.

* Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
more accurately process different portions of email messages and file
attachments.

* Added ability to test normalization behavior without modifying
network traffic. When configured using na_policy_mode:inline-test,
statistics will be gathered on packet normalizations that would have
occurred, allowing less disruptive testing of inline deployments.

* The HTTP Inspection preprocessor now has the ability to decompress
DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
content from http responses when configured with the new
decompress_swf and decompress_pdf options. This enhancement can be
used with existing rule options that already match against
decompressed equivalents.

* Added improved XFF support to HttpInspect. It is now possible to
specify custom HTTP headers to use in place of 'X-Forwarded-For'. In
situations where traffic may contain multiple XFF-like headers, it is
possible to specify which headers hold precedence.

* Added additional support for Heartbleed detection within the SSL
preprocessor to improve performance.

* Added control socket command to dump packets to a file. See
README.snort_dump_packets_control for details.

* Added an option to suppress configuration information logging to
output.

* The Stream5 preprocessor functionality is now split between the new
Session and Stream6 preprocessors.

  • Improvements

* Maximum IP6 extensions decoded is now configurable.

* Update active response to allow for responses of 1500+ bytes that span
multiple TCP packets.

* Check limits of multiple configurations to not exceed a maximum ID of
4095.

* Updated the error output of byte_test, byte_jump, byte_extract to
include details on offending options for a given rule.

* Update build and install scripts to install preprocessor and engine
libraries into user specified libdir.

* Improved performance of IP Reputation preprocessor.

* The control socket will now report success when reloading empty IP
Reputation whitelists/blacklists.

* All TCP normalizations can now be enabled individually. See
README.normalize for details on using the new options. For
consistency with other options, the "urp" tcp normalization keyword
now enables the normalization instead of disabling it.

* Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.

* Updated profiler output to remove duplicate results when using
multiple configurations.

* Improved performance of FTP reassembly.

* Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD,
FreeBSD, and DragonFlyBSD.


http://www.snort.org/


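The 2.9.7.0 notes above describe two XFF-related behaviours: custom headers may be configured to stand in for 'X-Forwarded-For', and when several such headers appear in one request the operator decides which one takes precedence. The 2.9.7.6 changelog later in this thread also fixes the original client IP being filled from the XFF of the last GET request instead of the request the event belongs to. The following is an added example written for this thread, not Snort's HttpInspect code: it models header precedence and per-request attribution over a constructed stream. The precedence list, the header names other than X-Forwarded-For, the function names and all addresses are assumptions.

```python
"""Original-client-IP attribution from XFF-like headers with operator-defined precedence.

Constructed example, not Snort's HttpInspect code. It models the behaviour the
2.9.7 notes describe: the operator lists the headers that may carry the original
client address in precedence order, the first configured header present in a
request wins, and each request on a connection is attributed on its own instead
of reusing the value seen on a previous request.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed precedence list (illustrative, not a Snort configuration directive)
XFF_PRECEDENCE: Sequence[str] = ("True-Client-IP", "X-Forwarded-For", "X-Real-IP")


def parse_headers(request: bytes) -> Dict[str, List[str]]:
    """Parse an HTTP/1.x request head into a lower-cased multi-map of header values."""
    head = request.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if b":" not in line:
            continue                               # tolerate junk lines
        name, value = line.split(b":", 1)
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def original_client_ip(request: bytes, precedence: Sequence[str] = XFF_PRECEDENCE) -> Optional[str]:
    """Pick the original client address from the first configured header carrying a valid IP."""
    headers = parse_headers(request)
    for name in precedence:
        for value in headers.get(name.lower(), []):
            # X-Forwarded-For may hold a proxy chain; the leftmost entry is the
            # address the first proxy saw, which is what the event should carry.
            candidate = value.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                continue                           # e.g. "unknown": try the next value/header
    return None


def attribute_requests(stream: bytes, precedence: Sequence[str] = XFF_PRECEDENCE) -> List[Tuple[str, Optional[str]]]:
    """Split a body-less client-to-server stream into requests and attribute each one separately."""
    results: List[Tuple[str, Optional[str]]] = []
    for head in stream.split(b"\r\n\r\n"):
        if not head.strip():
            continue
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        # Attribution is per request: a request without any XFF-like header
        # yields None rather than inheriting the previous request's address.
        results.append((request_line, original_client_ip(head + b"\r\n\r\n", precedence)))
    return results


# Constructed sample stream: four GET requests on one connection (RFC 5737 test addresses)
SAMPLE_STREAM = (
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Forwarded-For: 203.0.113.10, 198.51.100.7\r\n\r\n"
    b"GET /b HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Forwarded-For: 203.0.113.99\r\nTrue-Client-IP: 203.0.113.22\r\n\r\n"
    b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /d HTTP/1.1\r\nHost: example.test\r\n"
    b"X-Forwarded-For: unknown\r\nX-Real-IP: 203.0.113.5\r\n\r\n"
)


if __name__ == "__main__":
    for line, ip in attribute_requests(SAMPLE_STREAM):
        print(f"{line:<20} original client: {ip}")
```

The second request shows the precedence rule at work (True-Client-IP beats X-Forwarded-For), the third shows that a request without any such header is not attributed to the previous request's address, and the fourth shows a malformed value being skipped in favour of the next configured header. Any such header is client-controlled, so the value only deserves trust when the sensor sits behind a proxy that the operator knows overwrites it.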
Offline SiLæncer

Snort 2.9.7.2
« Reply #19 on: 13 March, 2015, 12:11 »
Changelog

New additions:


Support for Cisco FabricPath decoding/encoding

Improvements:

Resolved an issue where the inline normalization preprocessor incorrectly
resized packets when 'preprocessor normalize_tcp: trim' was enabled
Resolved crash in file processing of HTTP continuations


http://www.snort.org/

Offline SiLæncer

Snort 2.9.7.3
« Reply #20 on: 20 May, 2015, 09:04 »
Changelog

New additions:

Added PAF support for SIP based traffic

Improvements:

Resolved a backtracking issue where the 'protected_content' rule option was not matching on content following a content rule option that is not matched
Resolved an issue where snort dropped privilege levels before attempting to delete its PID file created during the higher privilege level
Improved processing of SSLv3 traffic, IPv6 extensions, HTTPS session reassembly and normalization
Performance improvements for file preprocessor
Stability improvements for ftp_telnet preprocessor


http://www.snort.org/

Offline SiLæncer

Snort 2.9.7.5
« Reply #21 on: 24 July, 2015, 09:18 »
Changelog

Added improved support to the Stream preprocessor for asynchronous TCP traffic
Active response no longer sets the FIN flag on the last segment sent


http://www.snort.org/

Offline SiLæncer

Snort 2.9.8.0 Beta
« Reply #22 on: 17 August, 2015, 22:00 »
Changelog
New additions:

AppID is no longer experimental.
SMBv2/SMBv3 support for file inspection.
Port override for metadata service in IPS rules.
AppID Lua detector performance profiling.
Perfmon dumps stats at fixed intervals from absolute time.
New preprocessor alert (18:120) to detect SSH tunneling over HTTP
New config option |disable_replace| to disable replace rule option.
New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
New shell script in tools to create simple Lua detectors for AppID.

Improvements:

sfip_t refactored to use struct in6_addr for all ip addresses.
Post-detection callback for preprocessors.
AppID support for multiple server/client detectors evaluating on same flow.
AppID API for DNS packets.
Memory optimizations throughout.
Support sending UDP active responses.
Fix perfmon tracking of pruned packets.
Improved support for expected sessions.

http://www.snort.org/

Offline SiLæncer

Snort 2.9.7.6
« Reply #23 on: 01 October, 2015, 05:30 »
Changelog
Snort 2.9.7.6
    * src/build.h:
     updating build number to 285

    * src/dynamic-preprocessors/reputation/reputation_config.c:
     Fixed unexpected behaviour in reputation config where blacklist is displayed
     in priority field even though whitelist option is set [reported by Mike Cox].

    * src/preprocessors/Stream6/snort_stream_tcp.c:
     Fixed issue where XFF/ExtraData is not always logged when 'drop' rules trigger [reported by Mike Cox].
     Fixed issue in TCP session deletion when being called from Stream5 HA.

    * src/: active.h, file-process/file_service.c:
     ACTIVE_DROP is changed to ACTIVE_FORCE_DROP when file_verdict is pending.

    * src/dynamic-preprocessors/appid/fw_appid.c:
     Fixed issue where openappid does not provide the Content-Type field for use with CHPAddAction.

    * doc/snort_manual.tex:
     Corrected errors in snort_manual.tex [reported by Gabriel Corre].
    
    * preproc_rules/preprocessor.rules
     src/preprocessors/: session_api.h, snort_httpinspect.c,
     HttpInspect/event_output/hi_eo_log.c, HttpInspect/include/hi_eo_events.h
     Stream6/snort_stream_tcp.c:
     Enhancement done to detect 'SSH tunneling over HTTP'.

    * src/sfutil/sfportobject.c:
     Fixed Memory leaks [reported by Bill Parker].

    * doc/snort_manual.tex:
     Corrected the information about unified2 record structure [reported by Avery Rozar].
   
    * etc/snort.conf, src/preprocessors/snort_httpinspect.c,
          src/preprocessors/snort_httpinspect.h,
          src/preprocessors/HttpInspect/client/hi_client.c,
          src/preprocessors/HttpInspect/server/hi_server.c,
          src/preprocessors/Stream6/stream_paf.c:
     Fixed issue where original client IP in intrusion event is incorrectly
     populated with XFF of the last GET request.

    * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
          HttpInspect/server/hi_server.c,
          snort_httpinspect.c, snort_httpinspect.h,
          HttpInspect/server/hi_server.c:
     Http unlimited decompression will now decompress the entire stream.

    * src/decode.c:
     Added a check so that min_ttl decoder do not drop packet in alert mode.
    
    * etc/snort.conf, src/preprocessors/snort_httpinspect.c,
          src/preprocessors/snort_httpinspect.h,
          src/preprocessors/HttpInspect/client/hi_client.c,
          src/preprocessors/HttpInspect/server/hi_server.c
     Fixed issue where original client IP in intrusion event is incorrectly populated with XFF of the last GET request.   

http://www.snort.org/

Offline SiLæncer

Snort 2.9.8.0 RC
« Reply #24 on: 08 October, 2015, 09:06 »
Changelog
New additions:

SMBv2/SMBv3 support for file inspection
Port override for metadata service in IPS rules
AppID Lua detector performance profiling
Perfmon dumps stats at fixed intervals from absolute time
New preprocessor alert (18:120) to detect SSH tunneling over HTTP
New config option |disable_replace| to disable replace rule option
New Stream configuration |log_asymmetric_traffic| to control logging to syslog
New shell script in tools to create simple Lua detectors for AppID

Improvements:

sfip_t refactored to use struct in6_addr for all ip addresses
Post-detection callback for preprocessors
AppID support for multiple server/client detectors evaluating on same flow
AppID API for DNS packets
Memory optimizations throughout
Support sending UDP active responses
Fix perfmon tracking of pruned packets
Stability improvements for AppID
Stability improvements for Stream6 preprocessor
Added improved support to block malware in FTP preprocessor
Added support to differentiate between active and passive FTP connections
Improvements done in Stream6 preprocessor to avoid having duplicate packets
in the DAQ retry queue
Resolved an issue where reputation config incorrectly displayed 'blacklist' in
priority field even though 'whitelist' option was configured

http://www.snort.org/

Offline SiLæncer

Snort 2.9.8.0 Final
« Reply #25 on: 01 December, 2015, 06:00 »
Changelog

NEW ADDITIONS:

SMBv2/SMBv3 support for file inspection.
Port override for metadata service in IPS rules.
AppID Lua detector performance profiling.
Perfmon dumps stats at fixed intervals from absolute time.
New preprocessor alert (120:18) to detect SSH tunneling over HTTP
New config option |disable_replace| to disable replace rule option.
New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
New shell script in tools to create simple Lua detectors for AppID.

IMPROVEMENTS:

sfip_t refactored to use struct in6_addr for all ip addresses.
Post-detection callback for preprocessors.
AppID support for multiple server/client detectors evaluating on same flow.
AppID API for DNS packets.
Memory optimizations throughout.
Support sending UDP active responses.
Fix perfmon tracking of pruned packets.
Stability improvements for AppID.
Stability improvements for Stream6 preprocessor.
Added improved support to block malware in FTP preprocessor.
Added support to differentiate between active and passive FTP connections.
Improvements done in Stream6 preprocessor to avoid having duplicate packets
in the DAQ retry queue.
Resolved an issue where reputation config incorrectly displayed 'blacklist' in
priority field even though 'whitelist' option was configured.
Added support for multiple expected sessions created per packet
Active response now supports MPLS


http://www.snort.org/

Offline SiLæncer

Snort 2.9.8.2
« Reply #26 on: 31 March, 2016, 06:00 »
Changelog

New additions:

Future-flow and DNS API exposed to lua detector.
Double VLAN tagging support.

Improvements:

Performance improvements to AppID.
Stability improvements to file and ftp_telnet preprocessor.
Fixed several issues with SDF and obfuscation.
Resolved an issue of improper handling of malformed DNS host
in AppID.
HTTP PAF accepts all tokens between method and version strings in a request URI.
Resolved snort build issue with "--disable-perfprofiling" configure option.
Enhanced mime parsing by adding support for detecting files after unknown headers and no headers.
Fixed issue with gzip decompression when the server response specifies Content-Encoding as GZIP but no Content-Length field for HTTP version 1.0.
End of Header(EOH) identification for HTTP response header spanning multiple packets.
Improved packet reassembly for HTTP.
Fixed Flash LZMA decompression issue.


http://www.snort.org/

Offline SiLæncer

Snort 2.9.8.3
« Reply #27 on: 24 June, 2016, 06:00 »
What's new:

*  Stability improvement for Stream6 preprocessor
*  Fixed multiple issues in HttpInspect preprocessor
*  Fixed an issue of incorrect masking of sensitive data

http://www.snort.org/

Offline SiLæncer

Snort 2.9.9.0
« Reply #28 on: 14 December, 2016, 20:00 »
Changelog

New additions:

New rule option for byte_math. See the Snort manual for details.
Added bitmask and from_end operations to byte_test. See the Snort manual for details.
Added a Buffer Dump utility to trace all of the buffers used by snort during inspection.
Enable this by --enable-buffer-dump option to configure prior to building. See the Snort manual for details.
Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length.
Added support for SMTP Traffic detection over SSL (SMTPS).

Improvements:

Fixed an issue which reduces extra service discovery to improve performance.
Fixed multiple issues in AppID.
Reconstructed the call to port-service detection.
Fixed issue where AppId for Facebook over SPDY/HTTP 1.1 was incorrect.
Preventing third-party application identification for expected connections.
Stability improvement for Stream preprocessor.
Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
Fixed an issue where incorrect length argument in memcpy caused out of bound memory access.
Fixed multiple issues in HttpInspect preprocessor.
Handling chunk encoding followed by rrrn and nnnrrn.
Fixed an issue with LZMA flash decompression.
Fixed mime data processing issue in SMTP stateless inspection.
Added support to decode packets that contains VLAN with Secure Group Tag (SGT).
Fixed Issue related to DLL-Load in Snort on windows platforms for CVE-2016-1417.


http://www.snort.org/

Offline SiLæncer

Snort 2.9.11 Beta
« Reply #29 on: 11 August, 2017, 12:00 »
Changelog

New additions:

Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.

Improvements:

Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
Performance improvement when SYN rate limit has reached and drop is configured as next action
Control-socket and side-channel support for FreeBSD platform.
Fixed an issue where IoQ driver was getting into bad state due to non-graceful exit.
Fixed issue in file signature lookup for retransmitted FTP packet.
Enhanced the processing of SIP/RTP future flows without ignoring them.
Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
Added a null check to prevent copy unless debugHostIp is configured in AppId.
Fixed issue where FTP file type block doesn't work for retried download.
Resolved issue where Snort is inappropriately handling traffic for which
AppId was creating future flow.
Performance improvements for SIP/RTP audio and video data flow in AppId.
Performance and stability improvements in FTP preprocessor, such as incorrect
referencing of ftp_data_session after it is pruned.
Stability improvement by resolving valgrind reported issues in AppId.
Improved flushing mechanism for HTTP POST header.


http://www.snort.org/
