04-06-03

Wow, over a year since the last update. Well, this is "2.0" but not quite the 2.0 we were expecting. It's vastly more capable than the 1.8.x and 1.9.x releases, more stable, audited, well tested in a commercial test environment (thanks to Sourcefire) and generally just "better" than what has come before, but it's not the revolutionary leap that I had envisioned. Will that leap happen someday? Probably, but the timeline will shift and things will look different than we have been talking about for the last 18 months.

Snort is pretty high profile now, we've got new open source IDSes nipping at our heels (amazing how they all claim to be "better" than Snort, yet usually only encompass a small subset of its features). I continue to be amazed by the robustness of the architecture that was developed over three years ago and the latest and greatest improvements that have been added, the new detection engine from Norton & Roelker has racked up impressive performance numbers, Chris Green's shepherding of the stream4 and frag2 preprocessors as I've been out doing "business things" has been great as well.

Speaking of business, if you like Snort but are interested in a commercially supported version with enterprise scalability, take a look at Sourcefire (http://www.sourcefire.com). There are other companies that put "Snort on a box" out there (google for them), but Sourcefire is taking Snort in new directions (and I started it). Snort is still free (and always will be), but if you find yourself saying "I need to deploy and manage [5|10|20|100] Snort sensors, is there anyone who can help me?", give us a shout.

As for features, we've got quite a few new ones for 2.0:

* Higher performance (due to a new pattern matcher and rebuilt detection engine)
* Better decoders
* Enhanced stream reassembly and defragmentation
* Tons of bug fixes
* Updated rules
* Updated snort.conf
* New detection keywords (byte_test, byte_jump, distance, within) & stateful pattern matching
* New HTTP flow analyzer
* Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
* Better self preservation in stateful subsystems
* Xrefs fixed
* Flexresp works faster and more effectively
* Better chroot()'ing
* Fixed 802.1q decoding
* Better async state handling
* New alerting option: -A cmg!!
* Major tagging updates

03-14-02

Ok, we're going to start being better about doing this more regularly. This release has many many fixes over 1.8.3. Lots of bugs in stream4 have been ironed out thanks to Phil Wood. The ICMP decoders have been rewritten.

The major "gotcha" with this release will be that rules with <- used as the direction operator are no longer accepted. This is a bug fix in that it was assumed to be -> before (unless you compiled with a specific define set).

* (This is a summary of recent changes -- not all mine)
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed several stream4 low memory conditions
* Error checking in stream4/frag2 argument parsing
* snortdb schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to lost packets
* double PID file write
* S4 alignment problems on Sparc fixed
* new snmptrap code
* documentation updates
* Stability fixes in frag2

11-29-01

And the hits keep on coming. There were some other things broken in 1.8.2 that needed to get fixed (flexresp was totally inoperative, crashbug in frag2, etc). Anyway, this one has had some pretty decent testing done on the core functionality and everything seems to be running nicely now.

Major repairs include a fix to frag2 on Linux platforms, the icmp decoder and printout routines were updated to match the data structures that I implemented in 1.8.1 and the flexresp code was repaired and should now be faster, plus the usual rule updates. I also added a new "-B" command line switch to convert IP addresses in a pcap file to new specified IP subnet addresses.

On to 2.0...

11-02-01

Ok, I lied. There was enough little stuff to fix in 1.8.1 that I decided to do a 1.8.2 release. This is just about fully a bugfix release, but Snort is now more stable and more usable than it's been in quite a while, and should do a good job of tiding people over while we transition to 2.0 and the codebase gets a little more "fluid".

Here's the list of fixes:

* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting a signal
* fixed PID path generation code, PID files go in the right place now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which causes all buffered packets in the stream reassembler for that session to be logged in the event of an event on that stream (must be used in conjunction with spo_log_tcpdump)
* added packet precaching for flexresp TCP packets, responses should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system

After this release we're going to reorganize the whole source tree and do a quick 1.9 release with the new code layout. Once that's done, we're going to begin coding 2.0 in earnest in December, hopefully doing our initial release sometime in the February time frame.

08-14-01

I was planning on getting this release out sooner than this (since it's largely a bugfix release) but my wife and I went and had a baby 2 weeks ago, which affected the schedule a little. ;) Anyway, barring any major problems the Snort 1.x code will now be going into maintenance mode as we begin development on 2.0.

This version adds the following:

* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode

And a slew of bug fixes. We should get to work on 2.0 shortly, so hopefully the next release of this NEWS file will be talking about that! (knock on wood...)

07-09-01

Well, this one was a long time coming, but I think it was worth the wait. Snort can now perform stateful inspection, has improved defragmentation capabilities, uses less memory, leaks less of the memory that it does use, is faster, and has a bunch of other good stuff. Truly, this is probably the ultimate development of the 1.X series of Snort. After this version we will begin development on Snort 2.0, which will have a great many new features, be faster and more flexible, and generally be about the finest network intrusion detection system that an open source community can build.

See the Changelog (read all the way back to January of this year) for changes and additions, there are far too many to list here.

Some of the highlights include:

* stateful inspection
* new tcp stream reassembly code
* new ip defragmenter
* new protocol available for the rules language: ip
* more extensive printouts of cross reference and info in alerts
* new normalizer preprocessors for telnet, rpc
* 2 new output plugins (unified, csv)
* 5 new preprocessors (stream4, frag2, bo, telnet_decode, rpc_decode)
* 10 new rule options
* unique rule IDs
* A whole slew of command line options (7 at last count)
* Mega bug-fixes from 1.7

Snort can now leap tall buildings in a single bound.

The future holds 2.0, which will revisit most of the code in Snort. It probably won't be released for another 6 months or so, but for the time being I'm happy with what we've produced here and I think most people will be happy with it too.

Please read the USAGE, FAQ, README, man page and any other docs you can before asking your questions, there's a good chance that the answer you're looking for is in there.

Commercial plug: If you decide that you need or want to take your Snort installation to the next level, Sourcefire Inc. (http://www.sourcefire.com) is now producing commercial network intrusion detection appliances based on Snort with data analysis, management, and rules GUIs built-in. See the web site for more information; if you want to have a commercially supported, professional Snort deployment, Sourcefire is the company to call.

01-02-01

Welcome to version 1.7. This version features clean compiles on the following architectures and platforms:

* Linux 2.0.X, Linux 2.1.X, Linux 2.2.X (i386)
* FreeBSD 3.x, 4.x (i386)
* SunOS/gcc 5.5, 5.5.1, 5.6, 5.7, 5.8 (sparc)
* OpenBSD 2.7, 2.8
* Tru64/gcc
* HPUX 11.0/gcc

Other platforms/architectures should be supported as well, we just don't have them available for testing at the moment.

There are a ton of bug fixes and new features in this version, have a look at the ChangeLog to see many of them. I think that this will be the last full point release of the 1.X codebase, we're starting design work on the 2.0 series and I hope that we'll be putting it out there in the not too distant future (less than six months!).

It's been a long road to 1.7, the amount of code in the program compared to the initial release over two years ago is incredible. We're just getting rolling though, and 2.0 is going to bring a great number of changes including more plugin interfaces (packet acquisition and decode), faster/cleaner code (I hope ;) and a better design for performing more types of analysis.

Big changes in this version: snort-lib renamed to snort.conf, IP defragmentation plugin now 100% on all architectures, tcp stream reassembly, statistical anomaly detection, three new command line switches (-L, -I, -X), IP address lists, a cool "automatic variable" in the rules file that automatically picks up the IP address and netmask of a named interface, more packet header printouts, detection plugins for TOS and the IP fragment bits, as well as a plugin that allows reference data to be attached to rules and a completely rewritten active response module, etc.

I hope everyone likes this release, we've put a ton of work into it to make sure that it's functional and stable while still being easy to use for everyone.

07-22-00

Welcome to version 1.6.3. This version features clean compiles on all architectures and OS's that I have access to, some elusive bug fixes in the decoders, a little bit better packet printing, full-time ARP packet decoding (instead of only when the -a option is spec'd), and an upgraded portscan detector. The moral of the story with the 1.6.1->1.6.2.2 release cycle was "don't release when you're working on the road". This will be the last version release until the Hiverworld IDS ships as I need to dedicate myself fully to that cause. Please watch http://www.snort.org for information on the availability of an upgraded defragmentation preprocessor, the one shipping with this version should be treated as *beta* code!

07-08-00

It wouldn't be a release without a disaster, and in that vein we lost the ability to compile cleanly on Linux boxes with version 1.6.1. Typical. Lessons learned: I need to reinstall a RedHat box at Snort Labs so that I can do compile tests before release. C'est la vie.

07-06-00

Version 1.6.1 is finally ready to see the light of day. This release is mostly a bug fix with a few minor feature additions for runtime security. Version 1.7 is a few months behind in development due to my busy schedule at Hiverworld where I'm putting together a completely new (not Snort-based) IDS.
