Sourcefire has released snort 2.8.0 as the new stable production release!! So many cool new features. I don’t have time to go into much of them in depth, but I have a little preview for you. If you would like to read the Change Log it is located here.

[ Port Based Pattern Matching Memory ]
[ LowMem Search-Method Memory Used : 10.4095 MBytes ]
[ Port and Service Based Pattern Matching Memory ]
[ LowMem Search-Method Memory Used : 10.4095 MBytes ]

–== Initialization Complete ==–

,,_ -*> Snort! <*-
o” )~ Version 2.8.0 (Build 67)
‘ ‘ ‘ ‘ By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.4 2007-09-21

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
Preprocessor Object: SF_DNS Version 1.0 <Build 2>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>

Snort sucessfully loaded all rules and checked all rule chains!

WOOOT! .. quite a few bleeding edge rules don’t work right .. shocker. I am trying out stream5 as well. To use stream5 on 2.8.0 you will need to comment out the flow preprocessor, and all stream4 preprocessors.

There are also some interesting new options in the configure script, that I decided to compile into snort this time around.

--enable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events

--enable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)

Also added into the example snort.conf file in the tarball (snort-2.8.0/etc/snort.conf) is:

#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules

I haven’t gotten to read in depth into these new options. However, the concept of preprocessor based rules, has my mind running at geek factor 9. I will most definitely post a much longer look into Snort 2.8.0, in the next few days. Until then, try it out for yourself and tell me what you think.

This entry was posted on Thursday, September 27th, 2007 at 9:21 pm and is filed under geek stuff, snort. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.