
Contrary to Recent Assertions - Snort 2.9 beta has been released, and it's awesome..

Snort 2.9 has been in the works internally for a while now, and the first beta release is out and ready for community feedback.

It's a big release with lots of enhancements, so here is the current list of things that need to be beta tested in Snort 2.9, and I'll expand upon them a bit:
* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.

This feature really does away with a lot of the old react/resp/reset code and unifies all that broken code under respond3.  It also allows for RST and ICMP injection into a stream in IPS mode (more reliable than IDS), which is useful when, for example, you want to cut a session off in midstream.  In regular IPS mode, we can drop the connection quietly.  With the new response module we can properly inject a RST (or other close) packet into a dropped stream, resetting the connection so that the end hosts don't have open TCP sockets.  There is also a normalization preprocessor (see README.normalize), which, essentially, cleans packets up.  For example, here are just a few things that the normalization preprocessor can do to TCP:

  • Remove data on SYN.

  • Clear the reserved bits in the TCP header.

  • Clear the urgent pointer if the urgent flag is not set.

  • Clear the urgent pointer and the urgent flag if there is no payload.

  • Set the urgent pointer to the payload length if it is greater than the payload length.

  • Clear the urgent flag if the urgent pointer is not set.

  • [..]
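
As an added example (not code from Snort or from the original post), the six TCP normalizations listed above can be modeled in Python on a raw TCP segment. The function names, the sample segments and the choice of the low four bits of header byte 12 as the reserved bits are assumptions, and the checksum is not recomputed.

```python
import struct

SYN, ACK, URG = 0x02, 0x10, 0x20   # flag bits in header byte 13

def build_segment(flags, urg_ptr, payload=b"", reserved=0):
    """Constructed sample input: 20-byte TCP header (no options) + payload."""
    off_rsv = (5 << 4) | (reserved & 0x0F)       # data offset = 5 words
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, off_rsv, flags,
                       8192, 0, urg_ptr) + payload

def normalize_tcp(segment):
    """Return (segment, changes) after applying the six rules listed above.

    Model only: the checksum is not recomputed, which a real inline
    normalizer has to do after rewriting a header.
    """
    hdr_len = (segment[12] >> 4) * 4
    hdr, payload = bytearray(segment[:hdr_len]), segment[hdr_len:]
    urg_ptr = struct.unpack_from("!H", hdr, 18)[0]
    changes = []

    if hdr[13] & SYN and payload:                # remove data on SYN
        payload = b""
        changes.append("syn_data_removed")
    if hdr[12] & 0x0F:                           # clear reserved bits
        hdr[12] &= 0xF0                          # assumption: low nibble of byte 12
        changes.append("reserved_cleared")
    if not hdr[13] & URG:
        if urg_ptr:                              # pointer set without URG flag
            urg_ptr = 0
            changes.append("urg_ptr_cleared")
    elif not payload:                            # URG set, nothing to point at
        hdr[13] &= ~URG & 0xFF
        urg_ptr = 0
        changes.append("urg_cleared_no_payload")
    elif urg_ptr > len(payload):                 # pointer past end of data
        urg_ptr = len(payload)
        changes.append("urg_ptr_clamped")
    elif urg_ptr == 0:                           # URG flag without a pointer
        hdr[13] &= ~URG & 0xFF
        changes.append("urg_flag_cleared")
    struct.pack_into("!H", hdr, 18, urg_ptr)
    return bytes(hdr) + payload, changes
```

The point of doing this inline is that the sensor and the receiving host then see the same bytes, so an ambiguous urgent pointer or data on a SYN cannot be interpreted one way by Snort and another way by the end host.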

Flexresp (Flex Response) 1 and 2 are now deprecated and a new Flexresp3 has been introduced.  Flexresp3 supports ALL of the flexresp1 and flexresp2 keywords and syntax.  Easy to move right over.

* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.

Hooray!  Libpcap 1.0 is now required.  Hooray Libdnet!  As you can read above, Snort 2.9 adds support for nfq and afpacket, in addition to ipfw, ipq, and dump that they've read already.  IPQ wasn't working as well in past releases, so we replaced it with netfilterq.

* Updates to HTTP Inspect to extract and log IP addresses from
X-Forwarded-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.

This was a feature requested by one of our community people.  They didn't want to see the IPs of their proxies as Source or Destination IPs in HTTP alerts.  They wanted the ability to see the "real" IPs for those proxies that support the "X-Forwarded-For" and "True-Client-IP" header fields in their packets.  This output is only available if you are using the Unified2 output method.

Those of you that are NOT using Unified2 really, really need to move to it.  Older, slower, output methods are eventually going to be deprecated, so please, start your upgrades.
* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.

This was a feature requested by the community as well; it came from an email I received asking that we add something like this to Snort: the ability to yank a value out of a packet and store it for later use with other keywords.  (Unlike byte_test or byte_jump, which calculate the value on the fly.)
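
To show what storing an extracted value buys you, here is an added Python model (not Snort code and not from the original post) of a constructed rule that extracts two one-byte values and reuses them as the offset and depth of a later content match. The function names and sample payloads are hypothetical.

```python
def byte_extract(payload, nbytes, offset, endian="big"):
    """Read an nbytes-wide unsigned integer at offset; None if out of bounds."""
    if offset < 0 or offset + nbytes > len(payload):
        return None
    return int.from_bytes(payload[offset:offset + nbytes], endian)

def content_match(payload, pattern, offset=0, depth=None):
    """Model of content with offset/depth: the pattern must lie entirely
    inside the window that starts at offset and is depth bytes long."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1

def rule_matches(payload):
    """Model of the constructed rule options:
         byte_extract:1, 0, str_offset; byte_extract:1, 1, str_depth;
         content:"bad stuff"; offset:str_offset; depth:str_depth;
    """
    variables = {}
    for name, off in (("str_offset", 0), ("str_depth", 1)):
        value = byte_extract(payload, 1, off)
        if value is None:        # truncated payload: the option fails, no match
            return False
        variables[name] = value
    return content_match(payload, b"bad stuff",
                         variables["str_offset"], variables["str_depth"])

# Constructed payloads: byte 0 = field offset, byte 1 = field length.
INSIDE = bytes([4, 12]) + b"\x00\x00" + b"a bad stuff!" + b"tail"
OUTSIDE = bytes([4, 4]) + b"\x00\x00" + b"okay" + b"bad stuff"
TRUNCATED = b"\x04"
```

A plain content match fires on both full payloads; the version driven by the extracted values fires only when the string sits inside the field that the packet itself describes, which cuts false positives on length-prefixed protocols.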
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.

I think that one speaks for itself, but make sure you read README.SMTP in the doc/ directory of the tarball to make sure you fully understand what this does.
* Ability to "test" drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 and console event log if policy mode was set to inline.

This was a feature also requested by our community.  They wanted to know, for a fact, what traffic would have been dropped had the rule in question been set to drop.  Again, this output is only available in Unified2 and console, so please start moving over!

* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule

Nice feature here.  Base64 decoding in a rule.
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.

Also added into README.normalize.  This is to continue to support the United States Government's push to IPv6.  In many environments, this is now mandatory.
* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit to find out more about
Intel Quick Assist. The following document describes Snort's
integration with the Quick Assist Technology

This optimization is very hardware specific.  Make sure you read the PDF linked above which is a joint research project underway by Sourcefire and Intel.

I'm sure more tweaks and things will be added to 2.9 before its actual release, so I look forward to these enhancements.

Be sure and check out Snort 2.9's beta code here, at

