Snort Pre-Release 2.7.0 Beta2 available.

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba’s smbclient.
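The rules language described above pairs a header (action, protocol, source/destination addresses and ports) with options such as `msg`, `content`, `nocase` and `sid`. The following added example is not Snort code; it is a deliberately small Python matcher that parses rules written in that syntax (plain-text and `|hex|` content, one `nocase` per content) and runs them over constructed packets, to show how a header filter and a content match combine into an alert. Rule text, addresses and payloads are all made up for the illustration; options such as `offset`, `depth` and `pcre` are not handled.

```python
"""Minimal Snort-style rule matcher (added illustration, not Snort's own code).

Supported: action (alert/log/pass), proto (tcp/udp/icmp/ip), src/dst address
('any' or literal), src/dst port ('any' or number), and the options msg,
content (text with optional |hex| runs), nocase and sid. Packets are plain
dicts; a real sensor would decode them from the wire."""
import re

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')


def content_bytes(value):
    """Turn a content string such as '|07|version|04|bind' into bytes:
    text outside the pipes is taken literally, hex inside the pipes is decoded."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    rule["contents"] = []  # list of [pattern_bytes, nocase]
    rule["msg"] = None
    rule["sid"] = None
    # Options are ';'-separated key[:value] pairs; 'nocase' modifies the
    # content option that precedes it. (Values containing ';' are not handled.)
    for opt in [o.strip() for o in rule.pop("opts").split(";") if o.strip()]:
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if key == "content":
            rule["contents"].append([content_bytes(value), False])
        elif key == "nocase":
            rule["contents"][-1][1] = True
        elif key == "msg":
            rule["msg"] = value
        elif key == "sid":
            rule["sid"] = int(value)
    return rule


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _addr_ok(spec, addr):
    return spec == "any" or spec == addr


def rule_matches(rule, pkt):
    """Header first (cheap), then every content pattern must be found in the payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if not (_port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"]
    for pattern, nocase in rule["contents"]:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Return (sid, msg) for every alert rule that fires on every packet."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((rule["sid"], rule["msg"]))
    return alerts


# Hypothetical rules and constructed packets, not captured traffic.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"CGI probe"; content:"/cgi-bin/"; nocase; sid:1000001;)',
    'alert udp any any -> any 53 (msg:"DNS version query"; content:"|07|version|04|bind"; nocase; sid:1000002;)',
]]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.1", "dport": 80,
     "payload": b"GET /CGI-BIN/test-cgi HTTP/1.0\r\n\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.2", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "10.0.0.1", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH\r\n"},
]


def demo():
    return run_rules(RULES, PACKETS)


if __name__ == "__main__":
    for sid, msg in demo():
        print(f"[{sid}] {msg}")
```

The first packet fires the CGI rule only because `nocase` is set (the request uses upper-case `/CGI-BIN/`); the SSH packet is rejected by the port check before any payload inspection happens, which is the same ordering a real engine relies on to keep content matching off the hot path for irrelevant traffic.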

Changelog for this release:

  • Remove smp_flags from spec file to not parallelize building.
  • Added ability for Snort to track fragmented ICMPv6 to check for the remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
  • Cleanup to use safe snprintf and strncpy functions, check return values of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds checks.
  • Fix issue with printing rule information twice.
  • Fix miscalculation of processor time attributable
  • Added hasXXX functions for Content, ByteTest, and PCRE.
  • Code cleanup to perform bounds checking, validation of memcpy success, remove potential memory leak. Code readability improvements and update DCE endianness checks.
  • Code cleanup for initialization of memory allocations and add early termination when at end of packet payload.
  • Code cleanup for initialization of memory allocations and remove dead/unused code for directory and user state tracking.
  • Code cleanup for initialization of memory allocations, fix normalization to prevent read beyond packet payload. Generate SMTP command overflow even if packet payload doesn’t contain complete command (missing LF).
  • Further update to handle iptables (and other datalink layers) that do not have ethernet headers to be included in rebuilt fragment.
  • Add verification of options for ICMP, TCP, UDP configurations are within reasonable limits. Reorganize reassembly flush initialization.
  • Print list of UDP rules that are effectively ignored with ignore_any_rules option. Update session timeout handling.
  • Allow use of limit on number of nodes in hash table instead of relying on memcap for limiting sessions.
  • Cleanup to use safe snprintf and strncpy functions, check return values of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds checks.
  • Add handling for FatalError not returning for static code analysis tools.
  • Fix memory leak in global config. Thanks Boris Lytochkin for pointing this out.
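One changelog item above concerns an evasion edge case: an SMTP command overflow must be reported even when the packet payload does not contain the complete command, i.e. the terminating LF is missing. The added example below is not Snort's SMTP preprocessor; it is a small Python check that splits a client payload into command lines, keeps an unterminated trailing line, and compares each command against a length limit. The default limit and the per-command overrides are assumed values for the illustration (Snort's own limits are set in its configuration), and the payloads are constructed.

```python
"""SMTP command-line length check (added illustration; not Snort's preprocessor).

Assumed limits: a hypothetical default and a hypothetical per-command override
table. The point demonstrated is that an attacker who withholds the final LF
must not be able to suppress the overflow alert."""

DEFAULT_MAX_CMD_LINE = 512                        # assumed default limit
ALT_MAX_CMD_LINE = {b"RCPT": 300, b"MAIL": 260}   # assumed per-command overrides


def smtp_command_lines(payload):
    """Yield (line, terminated) for each command line in a client->server payload.

    The last line may lack its LF, either because the command is split across
    packets or because it was sent without a terminator on purpose; it is still
    yielded, flagged terminated=False, so the caller can inspect it."""
    start = 0
    while start < len(payload):
        nl = payload.find(b"\n", start)
        if nl == -1:
            yield payload[start:], False
            return
        yield payload[start:nl + 1], True
        start = nl + 1


def check_smtp_commands(payload):
    """Return (verb, observed_length, terminated) for every over-long command line."""
    alerts = []
    for line, terminated in smtp_command_lines(payload):
        body = line.rstrip(b"\r\n")
        # Verb is the first token ("RCPT" from "RCPT TO:<...>"); upper-cased to
        # match the override table regardless of client capitalisation.
        verb = body.split(b" ", 1)[0].split(b":")[0].upper()
        limit = ALT_MAX_CMD_LINE.get(verb, DEFAULT_MAX_CMD_LINE)
        # Compare the bytes seen so far. Waiting for the LF before checking would
        # let the attacker decide whether the check ever runs.
        if len(body) > limit:
            alerts.append((verb.decode(errors="replace"), len(body), terminated))
    return alerts


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "benign": b"HELO mx.example\r\nMAIL FROM:<a@example>\r\nRCPT TO:<b@example>\r\n",
    "overflow_terminated": b"HELO mx.example\r\nRCPT TO:<" + b"A" * 400 + b">\r\n",
    "overflow_no_lf": b"HELO mx.example\r\nRCPT TO:<" + b"A" * 400 + b">",  # LF never sent
    "long_but_under_limit": b"VRFY " + b"B" * 500 + b"\r\n",                 # 505 <= 512
}


def demo():
    return {name: check_smtp_commands(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts or "no alert")
```

The two overflow samples carry the same 410-byte `RCPT` line; the only difference is the missing terminator in the second, and both produce an alert. A checker that only evaluated complete lines would report the first and silently buffer the second, which is exactly the gap the changelog entry closes.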

Post scriptum

Compliance Mandates

  • IDS :

    PCI DSS 10.6, 11.4, SOX A13.2, DS5.10, GLBA 16CFR Part 314.4(b) and (3), HIPAA 164.306(a)(2), 164.308(a)(1), 164.308(a)(6)42, FISMA SI-4, AC-2, ISO 27001/27002 10.6.2, 10.10.1, 10.10.2, 10.10.4, 15.1.5

