Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Snort 2.8.4 upgrade is out -- Upgrade now!

Published: 2009-04-08
Last Updated: 2009-04-08 13:30:34 UTC
by Joel Esler (Version: 2)
0 comment(s)

We over at Sourcefire (yes, I work for Sourcefire in case you don't know by now!) have been putting the word out for a couple months now about the Snort 2.8.4 upgrade, how it's very important, and you need to go upgrade now.

Well yesterday, after months and months of hard work, Sourcefire released SEU 216 for their Intrusion Prevention System customers and Snort 2.8.4 hit the Open Source community at the same time. 

"Okay, so why is this so important?!"  You may be asking.

For awhile now, a lot of netbios flow tracking has been done with our rules language.  This results in 100's of rules to do flow tracking for a particular exploit.  For example, the rules that detect the exploit that Confiker uses (MS08-067), before the preprocessor, there were 168 rules.  Introduced in 2.8.4 is a new target based DCE/RPC preprocessor, called "DCE/RPC2".  This preprocessor provides a bunch of the flow tracking internally and provides rule options that rule writers can call.  So, after the new netbios rules go out (in the next few days, according to Snort.org), the number of MS08-067 rules will be reduced to 2. 

For instance, the old netbios rule file:

# wc -l  netbios.rules
5828 netbios.rules

The new:

# wc -l netbios.rules
122 netbios.rules

 

So this is great!  However, the warning about this is, VRT is no longer providing the "old" method of rule updates to netbios vulnerabilities.  So, unless you are on Snort 2.8.4, you will no longer receive updates to protect you against the current netbios threats.  So you if you are VRT rules subscriber, who relies on those same-day rule releases, you need to update now.  If you are just a regular subscriber that gives you the rule updates after 30 days, you have 30 days to upgrade.  But I would suggest getting started on it now, as you will have to remodify your snort.conf file.

If you are using a package or port (Debian, Ubuntu, FreeBSD, etc.)  I would suggest downloading Snort from source and compiling the old fashioned way.  Hopefully the package maintainers will update their stuff soon.  (Although Sourcefire does provide some binaries for Linux.

While this is certainly the biggest update to Snort 2.8.4, there are several more (This is brought over from Snort.org):

- Support for IPV6 in Frag3 and all application preprocessors

- Improved Target-based support in preprocessors.

- Option to automatically pre-filter traffic that is not inspected in order to improve performance.

- Plus some other improvements and fixes, for a full changelog, please go here

So in case you haven't heard me say it enough in this diary, Update!

-- Joel Esler http://www.joelesler.net

 

Keywords:
0 comment(s)
Diary Archives