Author Topic: Network Pig Snort ... (Read 8397 times)


Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Snort 2.9.11 Final
« Reply #30 on: 12 October, 2017, 06:00 »
Changelog

New additions:

Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.
Added support for storing filenames in Unicode for SMB protocol.
Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.

Improvements:

Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
Performance improvement when the SYN rate limit has been reached and drop is configured as the next action.
Control-socket and side-channel support for the FreeBSD platform.
Fixed issue in file signature lookup for retransmitted FTP packets.
Enhanced the processing of SIP/RTP future flows without ignoring them.
Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
Added a null check to prevent copying unless debugHostIp is configured in AppId.
Fixed issue where FTP file type block doesn't work for retried download.
Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
Performance improvements for SIP/RTP audio and video data flow in AppId.
Performance and stability improvements in the FTP preprocessor, such as the incorrect referencing of ftp_data_session after it is pruned.
Stability improvement by resolving valgrind reported issues in AppId.
Improved flushing mechanism for HTTP POST header.
Added changes to display AppId for IPv6 unified events.
Fixed issues with printing of messages for out-of-order packets.
Fixed issue in increment of detection filter counter when rule is used in multiple configurations.
Fixed dynamic preprocessor compilation failure on the OpenBSD platform.
Added changes to improve performance of ipvar list comparison.
Enhanced SMTP client detection by allowing line folding and all authentication methods.


http://www.snort.org/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

Snort 2.9.11.1
« Reply #31 on: 05 January, 2018, 19:00 »
Changelog

New Additions:

Added support to block portscans. In addition to tracking the scanning packets, the action (drop/sdrop/reject) will be taken for all the packets, which means Snort will block the packet and generate logs.
Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.

Improvements:

Fixed issue to detect RTP for up to two SSRC switches in each traffic direction.
Fixed issues related to HTTP POST header flushing: file processing is called directly if it is not a multipart header, and the expensive copy of segment data is avoided by not splitting segments when flushing headers.
Fixed issue of triggering a protocol sweep alert when there are multiple destinations from a single-source IP protocol scan.
Added changes to fix IP portscan for protocols other than ICMP and fixed the issue of the bad fragment size event not being generated for oversized packets.
Added changes to use raw data in case of PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup.
Fixed session matching for TCP SYN packets without the window scale option so that FTP data channels match the same rule as FTP control channels.
Fixed issue of applying new configuration in file inspection after Snort reload.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.12
« Reply #32 on: 12 October, 2018, 20:00 »
Release Notes

New Additions:

* Parsing HTTP CONNECT to extract the tunnel IP and port information.
* Alerting and dechunking for chunked encoding in HTTP/1.0 requests and responses.

Improvements:

* Fixed an issue wherein a junk line before the HTTP response header caused the header to be parsed incorrectly.
* Fixed GZIP evasions wherein an HTTP response with content-encoding: gzip contains a body with some gzip-related anomaly.
* Fixed an issue in a scenario where the BitTorrent pattern is seen only on the 3rd packet of the session, because of which client detection was missed.
* SMB improvements for file detection and processing.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.13
« Reply #33 on: 11 April, 2019, 20:00 »
Changelog

New Additions:

Snort now supports reload on Snort rules update.
Addition of a scenario to add a packet to the blacklist verdict to ensure the new session will be allowed.
Handled a new pre-processor alert in case of an improper end of HTTP header.

Improvements:

Modified the calculation of file hash for FTP/HTTP with offset values.
Fixed portal authentication connection stuck in half-closed state.
Updated UDP global timeout for a non-standard port.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.14
« Reply #34 on: 19 July, 2019, 06:00 »
Changelog

New Additions:

Added support for wild card port numbers in host cache and overwriting port service AppId.
Added new client patterns to prompt client validation.
Added SMTP Microsoft Outlook client for Mac.
Added a new preprocessor alert 120:27 to alert if there is no proper end-of-header.

Improvements:

Improved AppId detection for proxied traffic.
Fix to ensure Snort is ready for packets before the DAQ starts.
Fix for enabling flow profiling mode without restarting the Snort detection engine.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.14.1
« Reply #35 on: 06 August, 2019, 19:30 »
What's new:

* src/sfdaq.c :
     Fixed packet drop scenario.

http://www.snort.org/


Offline SiLæncer

Snort 2.9.15
« Reply #36 on: 11 October, 2019, 06:00 »
Changelog

New Additions:

Added new debugs to print detection, file_processing and Preproc time consumption info and verdict.
Added support to detect new Korean file formats .egg and .alg in the file preprocessor.
Added support to detect new RAR file-type in the file preprocessor.

Improvements / Fix:

Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
Fix to whitelist FTP data sessions when no file policy exists.
Fix RTF file magic to a more generic value to prevent evasions.
Added debug logs during HTTP reload.
Added rule SID check during validation.
Fix an issue where HTTP was processing non-HTTP traffic on port 443.
Added new debugs to print detection, file processing, and Preproc time consumption info and verdicts.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.15.1
« Reply #37 on: 06 January, 2020, 21:30 »
Changelog

   * src/file-process/file_ss.c :
     Fixed the right order of precedence. Thanks to David Binderman for reporting this.

   * src/dynamic-preprocessors/ssl_common/ssl_config.c :
     Fixed Snort core seen during SSL re-configuration.

   * src/fpdetect.c,
     src/log_text.c, src/profiler.h :
     Fixed compiler warnings.

   * src/file-process/file_segment_process.c :
     Fixed file access issues on files from SMB share.

   * configure.in,
     src/reload.c, src/side-channel/sidechannel.c,
     src/snort.c, src/target-based/sftarget_reader.c, src/util.h :
     Added support for glibc version 2.30.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.16
« Reply #38 on: 14 April, 2020, 06:00 »
Changelog

New Additions:

Added support for early inspection of HTTP payload before flushing in pre-ack mode. This feature can be enabled using fast_blocking in the http inspect configuration.
Added 64-bit support for Windows 10 operating system.
Added support for glibc version 2.30.

Improvements / Fix:

Fixed file policy not working with character prefix in chunk size.
Updated the file magic to detect ALZ file types.
Addressed an issue when out-of-order FIN is received by dropping it.
Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.16.1
« Reply #39 on: 05 August, 2020, 14:00 »
Changelog

New Additions:

Added support for GCC version 10.1.1.

Improvements / Fix:

Added packet counters to make sure flows with one-way data don't pend forever.
Fixed potential race condition between reload and exit path.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.17
« Reply #40 on: 20 November, 2020, 09:00 »
Changelog

New Additions:

Added support for the s7Commplus protocol.
Support for allowing common names across rule options.
Added support to detect TCP Fast Open packets.

Improvements / Fix:

Added support for HTTP range field parsing to detect whether an HTTP response/request is partial or full content.
Fixed TCP segment queue hole issue as per the RFC 793 recommendation for OOO ACK packet handling.
Fixed multiple static analysis issues.
Miscellaneous SMB bug fixes.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.17.1
« Reply #41 on: 29 March, 2021, 21:00 »
Changelog

Improvements / Fix:

Fixed wrong reference to configuration during reload.
Fixed possible memleak in AppId.
Fixed a race condition in the HTTP preproc and IPS.
Fixed a race condition in the stream preproc.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.18.0
« Reply #42 on: 16 June, 2021, 10:00 »
Changelog

New Additions:

Added range field support in HTTP preprocessor.
Added alert for HTTP chunk size mismatch.
Added support to detect SNMP 'report pdu'.
Added additional stats for SMB preprocessor.

Improvements and fixes:

Fixed a condition in which an alert would not be generated.
Fixed possible memory corruption in SMB preprocessor.
Fixed handling of ICMP error code -4.
Fixed an error when the debugmsgs option is enabled in compilation.


http://www.snort.org/


Offline SiLæncer

Snort 2.9.18.1
« Reply #43 on: 03 September, 2021, 11:00 »
What's new:

Fixed possible memory corruption in SMB preprocessor.

http://www.snort.org/


Offline SiLæncer

Snort 2.9.19
« Reply #44 on: 08 December, 2021, 20:00 »
Changelog

New Additions:

Added support for AppID to detect login success and failure for IMAP and POP3 protocols.

Improvements / Fix:

Fixed an issue where the verdict would be applied to the next session when a timeout occurs in some scenarios.
Removed an excessively flooding log.
Fixed possible integer overflow.
Added fix to GCC compiled Snort to use the AC-BNFA-Q search-method when Intel-CPM is enabled.
Fixed terminology to be bias-free in log/error messages.
Fixed a potential race condition.
Added fix to not drop packets when the window size is 0 by the TCP normalizer and added a new alert with GID 129 and SID 21 when such packets are seen.


http://www.snort.org/
