Monday, April 6, 2009

Snort 2.8.4 is nigh

Back in February, I wrote about having to upgrade Snort pretty soon. Well, the time is upon us. This week, we will be releasing Snort 2.8.4. When this happens, the only way to stay current with detection for anything DCERPC related will be to upgrade Snort. We will not be releasing detection that does not use the new dcerpc2 preprocessor.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

What this means is, the only version of Snort that will get new rules for anything DCERPC related will be 2.8.4. There will be nothing released that is backwards compatible. It is not possible to do so. On the upside though, the number of rules that will be needed in the NetBIOS category will be reduced greatly. This will make rule management a lot easier. Previously, a lot of detection and decoding was being done with the rules themselves; with the new preprocessor this is no longer necessary. Thus the huge reduction in rules and the increase in simplicity of the rules themselves.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

I also wrote a post about the new ruleset available for dcerpc2. We posted a new ruleset for dcerpc2, instructions for using the new preprocessor and the README file for it too.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

Keep an eye on the mailing lists, snort.org and this space. Release is imminent.

7 comments:

  1. YOU NEED TO UPGRADE TO 2.8.4 -- SERIOUSLY

  2. A post comparing common snort.conf options for DCERPC in 2.8.3.x versus common or recommended options in DCERPC2 for 2.8.4 would be neat. Although you posted the link to the README.dcerpc2 here, 2.8.4rc1 still appears to only have the README for the old DCERPC preprocessor.

  3. The default recommended configuration will be the following:

    preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
    preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

    This will be in the sample snort.conf in the /etc directory of all the rule-snapshots for 2.8, i.e. the packages you download from snort.org Rules -> Download Rules

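As an added example (not code from the post, the commenter, or the Snort project), the script below audits a snort.conf for the migration the post requires: it joins backslash-continued lines, lists the configured preprocessors, flags a leftover pre-2.8.4 `dcerpc` line, confirms that `dcerpc2` and `dcerpc2_server` are present, and parses the `detect [...]` list to confirm SMB is watched on both 139 and 445. The embedded sample is constructed here; its `dcerpc2` lines are the recommended configuration from the comment above, while the old `dcerpc` option string is hypothetical and only serves to show the legacy-line check.

```python
"""Audit a snort.conf fragment for the 2.8.4 dcerpc2 preprocessor setup."""
import re

# Constructed sample: the recommended dcerpc2 lines from the comment, plus a
# leftover pre-2.8.4 'dcerpc' line whose options are hypothetical.
SAMPLE_CONF = """\
# constructed snort.conf fragment
preprocessor frag3_global: max_frags 65536
preprocessor dcerpc: autodetect, max_frag_size 3000, memcap 100000
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \\
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \\
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \\
    smb_max_chain 3
"""


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        joined = (buf + line).strip()
        buf = ""
        if joined and not joined.startswith("#"):
            lines.append(joined)
    return lines


def preprocessors(text):
    """Map each preprocessor name to the list of its option strings."""
    found = {}
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+(\w+)\s*(?::\s*(.*))?$", line)
        if m:
            found.setdefault(m.group(1), []).append((m.group(2) or "").strip())
    return found


def split_top(s):
    """Split on commas that are not nested inside [...]."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def bracket_body(s, key):
    """Return the text inside the balanced [...] after the word `key`, or None."""
    m = re.search(r"\b" + re.escape(key) + r"\b", s)   # \b keeps 'autodetect' apart
    start = s.find("[", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for j in range(start, len(s)):
        depth += (s[j] == "[") - (s[j] == "]")
        if depth == 0:
            return s[start + 1:j]
    return None


def detect_ports(server_opts):
    """Parse 'detect [smb [139,445], tcp 135, ...]' into {transport: [ports]}."""
    body = bracket_body(server_opts, "detect")
    if body is None:
        return {}
    table = {}
    for entry in split_top(body):
        transport, _, ports = entry.partition(" ")
        table[transport] = [p.strip() for p in ports.strip(" []").split(",") if p.strip()]
    return table


def audit(text):
    """Collect the findings an operator wants to see before and after the upgrade."""
    pp = preprocessors(text)
    problems = []
    if "dcerpc" in pp:
        problems.append("legacy 'dcerpc' preprocessor still configured")
    if "dcerpc2" not in pp:
        problems.append("no 'dcerpc2' global line")
    servers = pp.get("dcerpc2_server", [])
    if not servers:
        problems.append("no 'dcerpc2_server' line")
    smb_ports = set()
    for opts in servers:
        smb_ports.update(detect_ports(opts).get("smb", []))
    if servers and not {"139", "445"} <= smb_ports:
        problems.append("dcerpc2_server does not detect SMB on both 139 and 445")
    return {"legacy_dcerpc": "dcerpc" in pp, "dcerpc2": "dcerpc2" in pp,
            "servers": len(servers), "smb_ports": sorted(smb_ports),
            "problems": problems}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run it against a real snort.conf by reading the file into `audit()` instead of `SAMPLE_CONF`; an empty `problems` list means the dcerpc2 lines the comment recommends are in place and the old preprocessor is gone.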
  4. Hmmm... Why do I get the feeling I need to upgrade Snort to version 2.84.

    <...Upgrading...>

    Hey... I'm not even using Snort

  5. I want to upgrade to Snort 2.8.4 in IPCop. I downloaded Snort 2.8.4 and tried to install it in IPCop, but I cannot.
    Can you help me?

  6. Nam, IPCop is not part of the Snort project. We have no information on it at all. Your best course of action is to seek help at http://www.ipcop.org/

  7. Thanks, Nigel Houghton!
    IPCop uses Snort 2.6.1.5; I configured IDS/Snort and it has an error. Everybody said that I should upgrade it to 2.8, but I can't install it. ^^
