Monday, December 3, 2012

Snort 2.9.4 released today, and the dreaded "My SO rules don't work!" phase has begun.

Just in from the Snort release team; it looks like Snort 2.9.4 went out today:

Snort 2.9.4 is now available on, at in the Latest Release section.

Please note: & later packages are signed with a new PGP key
(that key is signed with the previous key).

Snort 2.9.4 includes changes for the following:

[*] New additions

  * Consolidation of IPv6 -- now only a single build supports both
    IPv4 & IPv6, and removal of the IPv4 "only" code paths.

  * File API and improvements to file processing for HTTP downloads
    and email attachments via SMTP, POP, and IMAP to facilitate
    broader file support

  * Use of address space ID for tracking Frag & Stream connections
    when it is available with the DAQ

  * Logging of packet data that triggers PPM for post-analysis via
    Snort event

  * Decoding of IPv6 with PPPoE

  * Added an API call to add a service to a host in the attribute table.
    Remove the unused live attribute update code.

[*] Improvements

  * Update to Stream5 PAF for handling gaps in the sequence numbers of
    packets being reassembled.

  * Selection of the Stream TCP policy based on the server rather than
    the destination of first packet seen by Snort

  * Allow disabling of global thresholds via a count of -1

  * Prevent blocking duplicate SYNs when using inline normalization

  * Add SSLv3 backwards compatibility support for SSLv2 ClientHello

  * Allow active responses to packets without data (eg, a TCP SYN)

  * Changed logic of option evaluations for shared library rules that
    use a custom evaluation function to match that of the builtin logic
    when the NOT_FLAG is used.  The 'NOT' matching now happens within
    each of the individual rule option evaluation functions.

  * Updated SMTP preprocessor to better handle commands that have
    corresponding data on a subsequent line to reduce false positives.
    3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.

  * Improve support for encapsulated & tunneling protocols to block or
    fastpath a connection within the tunnel rather than applying that to
    the whole tunnel.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to

Happy Snorting!
The Snort Release Team

What this means for you:
- autosnort automatically downloads the latest Snort release. If you are new to Snort today and run autosnort on a fresh OS install, you are getting Snort 2.9.4.
- You can still use the registered-user ruleset if you don't have a VRT subscription, but you have now entered the dreaded "my SO rules don't work" phase:
    - The VRT releases rules to registered (free) users 30 days *after* paying subscribers. When a new version of Snort ships, there is no registered-user rule tarball for it yet, and you will usually wait 30 days for a tarball whose SO rules were built for the new version, unless you have a VRT rule subscription.
    - The SO rules in the older tarball were compiled against the previous release's dynamic engine. When Snort 2.9.4 starts (for example after you hand that tarball to the autosnort script and reboot), it sees that the shared-object rules do not match its own dynamic engine version, refuses to run, and logs an error like this to /var/log/messages or /var/log/syslog depending on your distro:
 snort[1497]: FATAL ERROR: The dynamic detection library "/usr/local/snort/lib/snort_dynamicrules/" version 1.0 compiled with dynamic engine library version 1.16 isn't compatible with the current dynamic engine library "/usr/local/snort/lib/snort_dynamicengine/" version 1.17.
 The only solution I can offer, short of purchasing a VRT subscription, is to delete the SO rules Snort is currently trying to load. Autosnort installs your SO rules in the /usr/local/snort/lib/snort_dynamicrules/ directory. Run the command:

rm -rf /usr/local/snort/lib/snort_dynamicrules/*.so
Afterwards, start Snort again with the following command (replace eth1 with the interface you are sniffing traffic on):

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1

or simply reboot your sensor and let rc.local take care of things.

This means you will lose SO rule coverage for the next 30 days; unfortunately there is no way around it, aside from buying a VRT rule subscription.
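As an added example (not autosnort's code and not from the original post), here is a small POSIX shell script that looks for the engine-version mismatch quoted above in a Snort log, pulls out the two version numbers, and moves the stale .so files aside rather than deleting them, so they can be inspected or compared against the tarball that eventually ships. The SO_DIR default follows the autosnort layout described above; the log path, the --check flag and the quarantine directory name are this example's own choices, not anything Snort or autosnort defines.

```shell
#!/bin/sh
# Added example, not part of autosnort or the original post.
# Detects the dynamic-engine version mismatch Snort logs when the SO rules
# were built for an older release, and moves the stale .so files aside
# instead of deleting them, so they can be inspected or put back.
# SO_DIR follows the autosnort layout described in the post; the default log
# path, the --check flag and the quarantine directory name are assumptions
# of this example.

SO_DIR="${SO_DIR:-/usr/local/snort/lib/snort_dynamicrules}"

# so_mismatch_versions LOGFILE
# Prints "<engine version the SO rules were compiled with> <installed engine version>"
# for the first FATAL ERROR of this kind in LOGFILE; returns 1 if there is none.
so_mismatch_versions() {
    log="$1"
    line=$(grep 'FATAL ERROR: The dynamic detection library' "$log" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    # "... compiled with dynamic engine library version 1.16 isn't compatible ..."
    rules_ver=$(printf '%s\n' "$line" |
        sed -n 's/.*compiled with dynamic engine library version \([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*/\1/p')
    # "... current dynamic engine library "..." version 1.17."  (note the trailing period)
    cur_ver=$(printf '%s\n' "$line" |
        sed -n 's/.*current dynamic engine library.*version \([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*/\1/p')
    [ -n "$rules_ver" ] && [ -n "$cur_ver" ] || return 1
    printf '%s %s\n' "$rules_ver" "$cur_ver"
}

# quarantine_so_rules SO_DIR DEST
# Moves every *.so in SO_DIR into DEST (created if missing) and prints how many were moved.
quarantine_so_rules() {
    dir="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    n=0
    for f in "$dir"/*.so; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        mv "$f" "$dest/" && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# main [LOGFILE]: check the log and, on a mismatch, quarantine the SO rules.
main() {
    log="${1:-/var/log/messages}"
    if versions=$(so_mismatch_versions "$log"); then
        rules_ver=${versions% *}
        cur_ver=${versions#* }
        echo "SO rules were built for dynamic engine $rules_ver; installed engine is $cur_ver."
        dest="$SO_DIR.disabled-$(date +%Y%m%d)"
        moved=$(quarantine_so_rules "$SO_DIR" "$dest")
        echo "Moved $moved .so file(s) to $dest. Start Snort again, e.g.:"
        echo "  /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1"
    else
        echo "No dynamic engine mismatch found in $log."
    fi
}

# Runs only when invoked as a script with --check; sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    main "${2:-}"
fi
```

On Debian-derived sensors pass the syslog path explicitly (`sh check_so_rules.sh --check /var/log/syslog`); the default is /var/log/messages. Before daemonizing Snort again it is worth running `/usr/local/snort/bin/snort -T -c /usr/local/snort/etc/snort.conf`, which loads the configuration in test mode and exits, so any remaining incompatible library shows up in the terminal rather than in syslog after a reboot.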

Some may wonder why the VRT does this. Well, making Snort rules is not easy -- at all. I know; I've met the people who write these rules, and I know the hours they keep, the amount of work they put in, and just how little thanks they get in return. Still, Sourcefire and the VRT need to make money somehow, and they do so by providing accurate rules that meet strict quality assurance guidelines in a timely manner; you can't really fault them for the effort that goes into making sure the rules work, and work well.

With that being said, I hope to have pulledpork integration working in the near future to remedy this. Happy snorting, everyone!
