Monday, October 4, 2010

Snort 2.9.0 is teh outed, must haz bakon!!

Snort 2.9.0 introduces:
  • Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
  • Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ./li>
  • Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
  • A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
  • Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
  • Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
  • Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
  • Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
  • Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology:
  • Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.
Snort 2.9.0 is now available at Please see the Release Notes and ChangeLog for more details.

1 comment:

operat0r said...

I been tryign to get FLoP's fpg.c false positive generator tool to compile with windows .. I wondered if you knew any other apps ?

I been trying to get a tool to test IDS systems that uses snort signatures. I managed to get fpg to compile in Linux. I am just trying to get fpg.c to compile statically for windows in cygwin but I think I am having issues with libnet and netinet ? Also the one I have built for Linux does not have libpre for the regex filters so that it works with more signatures.

Here is what I have so far no libpre and for linux :

I would like to have the tool statically compiled for windows to make it easier to use but this is all I have so far. If anybody would like to spoon feed me a binary that would be great. The included has updated snort.conf and is ready to go. I also tried stick,snot, all are really old. This fpg seems to be the most updated in 2007 and it supports the most snort options.

Some compile syntax I need to run right:
gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -c fpg.c

gcc --static -g -O2 -o fpg fpg.o -lnet -lnsl


Fpg src :