Snort 2.0.3 released !!!!


Postby LinuxFreaK » Fri Nov 07, 2003 10:12 pm

Dear all PLUCians,
Salam,

**** NEW Snort 2.0.3 version has been released !!!!

It is VERY IMPORTANT to upgrade to the new version because your Snort
sensors could be missing alerts !!!!

If it is not possible for you to upgrade, then change the default search
method (mwm) to "ac" or "lowmem":
See: "http://www.snort.org/"

config detection: search-method lowmem OR
config detection: search-method ac

The bug affects the default search algorithm, MWM:
See:
"http://cvs.sourceforge.net/viewcvs.py/snort/snort/ChangeLog?rev=HEAD"

2003-10-28 Marc Norton <mnorton@sourcefire.com>
* src/sfutil/mwm.c:
fixed bug with search-method mwm resulting in retesting removing
an active rule on occasion (Thanks to Raul Siles & David Perez
for a reproducible test case!)

The different Snort "config detection: search-method"s are:
- ac: Aho-Corasick based algorithm
- mwm: Wu-Manber based algorithm
- lowmem: Save memory, using a less efficient algorithm

The implications of all of them are summarized in:
See: http://marc.theaimsgroup.com/?l=snort-d ... 029674&w=2

This is an example associated with the binary log files available in
"http://www.incidents.org/logs/Raw":

$ /opt/snort-2.0.2/src/snort -V

-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

$ /opt/snort-2.0.3/src/snort -V

-*> Snort! <*-
Version 2.0.3 (Build 95)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

$ /opt/snort-2.0.3/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N
Run time for packet processing was 0.195137 seconds
$ ll alert
-rw------- 1 rsiles rsiles 46984 Nov 6 10:51 alert
$ mv alert alert_2.0.3

$ /opt/snort-2.0.2/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N
Run time for packet processing was 0.90856 seconds
$ ll
total 72
-rw------- 1 rsiles rsiles 22510 Nov 6 10:51 alert
-rw------- 1 rsiles rsiles 46984 Nov 6 10:51 alert_2.0.3
$ mv alert alert_2.0.2

$ grep -F "[**]" alert_2.0.* | wc -l
186
$ grep -F "[**]" alert_2.0.2 | wc -l
61
$ grep -F "[**]" alert_2.0.3 | wc -l
125
$

As can be seen, using Snort version 2.0.2, "64" alerts are missed compared
with Snort version 2.0.3.
This time the missed alert is:
----
[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58
Len: 30
[Xref => http://www.whitehats.com/info/IDS278][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10028]
----

Best Regards.
Farrukh Ahmed
LinuxFreaK
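Added example (not from the post or from the Snort project): a small Python comparer for two "-A full" alert files that reports which alerts the older sensor never produced, instead of only counting "[**]" lines as the grep above does. The sample alert data is constructed here from the DNS alert quoted in the post plus one made-up record with a hypothetical local sid.

```python
import re

# Regexes for the "-A full" alert format: header, timestamp line, IP/port line.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
CONN_RE = re.compile(r"^(\S+) -> (\S+) (TCP|UDP|ICMP)\b")

# Constructed sample data: the DNS alert quoted in the post plus one made-up alert.
ALERT_DNS = """[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48
210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58
Len: 30
"""
ALERT_OTHER = """[**] [1:100000:1] CONSTRUCTED sample rule [**]
[Classification: Misc activity] [Priority: 3]
05/23-00:13:01.000000 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
10.0.0.5:1025 -> 10.0.0.9:80 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:40
"""
ALERTS_203 = ALERT_DNS + "\n" + ALERT_OTHER   # what the fixed sensor reported
ALERTS_202 = ALERT_OTHER                       # the buggy mwm run dropped the DNS alert

def parse_alerts(text):
    """Split an alert file into records; one record per [**] header block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
               "msg": m.group(4), "ts": None, "src": None, "dst": None}
        for line in lines[1:]:
            t, c = TIME_RE.match(line), CONN_RE.match(line)
            if t:
                rec["ts"] = t.group(1)
            if c:
                rec["src"], rec["dst"], rec["proto"] = c.groups()
        records.append(rec)
    return records

def alert_key(rec):
    """Identity of one alert: rule id plus the packet it fired on."""
    return (rec["gid"], rec["sid"], rec["ts"], rec["src"], rec["dst"])

def missing_alerts(reference, suspect):
    """Alerts in the reference run that the suspect run never produced."""
    seen = {alert_key(r) for r in parse_alerts(suspect)}
    return [r for r in parse_alerts(reference) if alert_key(r) not in seen]
```

Run it against real alert_2.0.3 and alert_2.0.2 files by reading each into a string and calling missing_alerts(new, old); every record returned is a detection the unpatched sensor silently lost.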