Hi Geeks,
Snort 2.9.0.4 is currently slated for release on Thursday. It brings
about several improvements to the Snort code and documentation (thanks
to those members of the Snort Community who submitted bugs for both
the code and documentation!), as well as the inclusion of SaaC (Snort
as a Collector) code for Razorback.
Below are the 2.9.0.4 release notes, along with some inline bullet
points on the improvements (thanks to Russ for providing the information
below to me):
[*] Improvements
* Added the Razorback "Snort as a Collector" (SaaC) dynamic preprocessor.
  This is for experimental use only! Enable it by compiling with
  --enable-rzb-saac.
* Fixed false positives in HTTP traffic, which were caused by large HTTP
  chunks split across two packets.
    * When there is a large chunk length (not in the first packet), and
      the packet size is less than the chunk length, the copy fails and
      hence the DecodeBuffer is not overwritten. Any subsequent packets
      use the decode buffer without overwriting it, hence the false
      positive. The fix was to extract the packet size when the packet
      size is less than the chunk length.
* Made several updates to the Snort manual and READMEs.
* Fixed a false positive on Stream5 rule 129:15, caused by a RST following
  a FIN.
    * When a TCP FIN was processed, the FIN pseudo-octet was not always
      accounted for in the sequence number tracking within the stream5
      preprocessor. A subsequent TCP RST in the FIN-Wait-1 or FIN-Wait-2
      states could then lead to a false positive for 129:15. The fix is to
      ensure proper accounting of the TCP FIN pseudo-octet. This problem
      did not affect TCP RSTs while the session was fully established.
* Fixed a bug in HTTP_STAT_MSG.
    * HTTP STATUS MSG BUFFER included the CR LF from the status line.
      With the fix, HTTP STATUS MSG BUFFER now contains the status message
      from the HTTP response and not the CR LF from the status line.
Further Ref: http://blog.snort.org/2011/02/snort-2904-is-coming-this-week.html
Cheers,
0xN41K
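
The FIN pseudo-octet issue from the Stream5 note above, as an added example that is not part of the original message and is not Snort's code. The flow_dir tracker, the function names and the sample sequence numbers are hypothetical, and the strict "RST sequence must equal the next expected sequence" check is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_ACK 0x10

/* Hypothetical, simplified per-direction tracker; not Snort's StreamTracker. */
struct flow_dir {
    uint32_t next_seq;              /* next sequence number expected from sender */
};

/* Advance the expected sequence number for one observed segment.
 * count_fin = 0 models the bug (FIN pseudo-octet ignored), 1 models the fix. */
static void track_segment(struct flow_dir *d, uint32_t seq, uint32_t payload_len,
                          uint8_t flags, int count_fin)
{
    uint32_t end = seq + payload_len;          /* wraps mod 2^32, as TCP does */
    if ((flags & TH_FIN) && count_fin)
        end += 1;                              /* FIN consumes one sequence number */
    if ((int32_t)(end - d->next_seq) > 0)      /* serial-number compare, move forward only */
        d->next_seq = end;
}

/* Assumed strict check: a RST is accepted only at exactly the expected sequence. */
static int rst_is_valid(const struct flow_dir *d, uint32_t rst_seq)
{
    return rst_seq == d->next_seq;
}

/* Replay constructed traffic from one sender: 100 bytes of data, an optional
 * FIN, then a RST at the sender's real next sequence number.
 * Returns 1 if the RST would raise an alert, 0 if it is accepted. */
static int rst_alerts(uint32_t isn, int send_fin, int count_fin)
{
    struct flow_dir d = { .next_seq = isn };
    track_segment(&d, isn, 100, TH_ACK, count_fin);
    if (send_fin)
        track_segment(&d, isn + 100u, 0, TH_FIN | TH_ACK, count_fin);
    uint32_t rst_seq = isn + 100u + (send_fin ? 1u : 0u);
    return !rst_is_valid(&d, rst_seq);
}

int main(void)
{
    printf("RST after FIN, FIN not counted: alert=%d\n", rst_alerts(1000, 1, 0));
    printf("RST after FIN, FIN counted:     alert=%d\n", rst_alerts(1000, 1, 1));
    printf("RST while established:          alert=%d\n", rst_alerts(1000, 0, 0));
    return 0;
}
```

With the FIN left uncounted, the tracker's expected sequence is one behind the sender's, so a legitimate RST after the FIN looks out of sequence; a RST with no FIN in the flow is judged the same either way.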