Wednesday, July 28

Contrary to Recent Assertions - Snort 2.9 beta has been released, and it's awesome..

Snort 2.9 has been in the works now internally for awhile and the first beta release is out and ready for community feedback.

It's a big release with lots of enhancements, so here are the current list of things that need to be beta tested in Snort 2.9, and I'll expand upon them a bit:
* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.

This feature really does away with a lot of the old react/resp/reset code and unifies all that broken code under respond3.  It also allows for RST and ICMP injection into a stream in IPS mode (more reliable than IDS), so, for example, you want to cut a session off in midstream.  In regular IPS mode, we can drop the connection quietly.  With the new response module we can properly inject a RST (or other close) packet into a dropped stream, resetting the connection so that the end hosts don't have open TCP sockets.  There is also a normalization preprocessor,  (See README.normalize), which, essentially, cleans packets up.  For example here a just a few things that the normalization preprocessor can do to TCP:

  • Remove data on SYN.

  • Clear the reserved bits in the TCP header.

  • Clear the urgent pointer if the urgent flag is not set.

  • Clear the urgent pointer and the urgent flag if there is no payload.

  • Set the urgent pointer to the payload length if it is greater than the payload length.

  • Clear the urgent flag if the urgent pointer is not set.

  • [..]

Flexresp (Flex Response) 1 and 2 are now deprecated and a new Flexresp3 has been introduced.  Flexresp3 supports ALL of the flexresp1 and flexresp2 keywords and syntax.  Easy to move right over.

* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.

Hooray!  Libpcap 1.0 is now required.  Hooray Libdnet!  As you can read above, Snort 2.9 adds support for nfq and afpacket.  In addition to ipfw, ipq, and dump that they've read already.  IPQ wasn't working as well in past releases, so we replaced it with netfilterq.
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.

This was a feature requested by one of our community people.  They didn't want to see the IPs of their proxies as Source or Destination IPs in HTTP alerts.  They wanted the ability to see the "real" IPs for those proxies that support "X-Forward-For" and "True-Client-IP" header fields in their packets.  This output is only available if you are using the Unified2 output method.

Those of you that are NOT using Unified2 really, really need to move to it.  Older, slower, output methods are eventually going to be deprecated, so please, start your upgrades.
* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.

This was a feature requested by the community as well, it came from an email I received as a request that we add something like this in Snort.  The ability to yank a value out of a packet and store it for later use with other keywords.  (Unlike byte_test or byte_jump that calculates the value on the fly.)
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.

I think that one speaks for itself, but make sure you read README.SMTP in the doc/ directory of the tarball to make sure you fully understand what this does.
* Ability to "test" drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 and console event log if policy mode was set to inline.

This was a feature, also requested by our community.  They wanted to know, for a fact, what traffic would have been dropped had the rule in question be set to drop.  Again, this output is only available in Unifed2 and console, so please start moving over!
* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule

Nice feature here.  Base64 decoding in a rule.
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.

Also added into README.normalize.  This is to continue to support the United States Government's push to IPv6.  In many environments, this is now mandatory.
* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit to find out more about
Intel Quick Assist. The following document describes Snort's
integration with the Quick Assist Technology

This optimization is very hardware specific.  Make sure you read the PDF linked above which is a joint research project underway by Sourcefire and Intel.

I'm sure more tweaks and things will be added to 2.9 before it's actual release, so I look forward to these enhancements.

Be sure and check out Snort 2.9's beta code here, at

No comments: