Monday, April 6, 2009

Snort 2.8.4 is nigh

Back in February, I wrote about having to upgrade Snort pretty soon. Well, the time is upon us. This week, we will be releasing Snort 2.8.4. When this happens, the only way to stay current with detection for anything DCERPC related will be to upgrade Snort. We will not be releasing detection that does not use the new dcerpc2 preprocessor.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

What this means is, the only version of Snort that will get new rules for anything DCERPC-related will be 2.8.4. There will be nothing released that is backwards compatible. It is not possible to do so. On the upside though, the number of rules that will be needed in the NetBIOS category will be reduced greatly. This will make rule management a lot easier. Previously, a lot of detection and decoding was being done in the rules themselves; with the new preprocessor this is no longer necessary. Thus the huge reduction in rules and increase in simplicity of the rules themselves.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

I also wrote a post about the new ruleset available for dcerpc2. We posted a new ruleset for dcerpc2, instructions for using the new preprocessor, and the README file for it too.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

Keep an eye on the mailing lists, and this space. Release is imminent.



  2. A post comparing common snort.conf options for DCERPC in 2.8.3.x versus common or recommended options in DCERPC2 for 2.8.4 would be neat. Although you posted the link to the README.dcerpc2 here, 2.8.4rc1 still appears to only have the README for the old DCERPC preprocessor.

  3. The default recommended configuration will be the following:

    preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
    preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

    This will be in the sample snort.conf in the /etc directory of all the rule-snapshots for 2.8, i.e. the packages you download from Rules -> Download Rules.
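The post says that once 2.8.4 ships, new DCERPC rules will only target the dcerpc2 preprocessor, and the comment above gives the recommended `dcerpc2` / `dcerpc2_server` lines. A practitioner preparing the upgrade will want to confirm that a snort.conf has actually been migrated rather than still carrying the older `dcerpc` preprocessor. The following is an added example, not code from the Snort project or from the post's author: a small checker that joins the backslash-continued preprocessor lines, parses the comma-separated options (respecting the square-bracket lists), and reports the common mistakes. The sample snort.conf fragment is constructed here; the legacy `preprocessor dcerpc:` line in it approximates the older syntax and is only there to show the check firing.

```python
"""Check a snort.conf for the dcerpc2 preprocessor configuration.

Added example (not Snort project code). It reads the `preprocessor dcerpc2`
and `preprocessor dcerpc2_server` entries, joining lines that end in a
backslash, and flags a config that still relies on the older `dcerpc`
preprocessor, which 2.8.4 rule releases no longer target.
"""
import re

# Constructed sample: the recommended 2.8.4 defaults from the comment above,
# preceded by a stale line approximating the older dcerpc preprocessor syntax.
SAMPLE_CONF = """\
# old 2.8.3.x style entry, no longer covered by new rule releases
preprocessor dcerpc: ports smb { 139 445 } ports dcerpc { 135 }
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \\
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \\
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \\
    smb_max_chain 3
"""


def join_continuations(text):
    """Return logical lines, merging physical lines that end in a backslash."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return logical


def split_top_level(s):
    """Split on commas that are not nested inside square brackets."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def parse_preprocessors(text):
    """Map preprocessor name -> list of option strings (first occurrence wins)."""
    found = {}
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"preprocessor\s+(\w+)\s*:\s*(.*)$", line)
        if m and m.group(1) not in found:
            found[m.group(1)] = split_top_level(m.group(2))
    return found


def parse_ports(spec):
    """'[139,445]' -> ['139', '445']; '135' -> ['135']; '1025:' -> ['1025:']."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [p.strip() for p in spec.split(",") if p.strip()]


def detect_map(server_opts):
    """Parse the dcerpc2_server 'detect [...]' option into {transport: ports}."""
    for opt in server_opts:
        if opt.startswith("detect "):
            body = opt[len("detect "):].strip()
            if body.startswith("[") and body.endswith("]"):
                body = body[1:-1]
            result = {}
            for item in split_top_level(body):
                transport, _, ports = item.partition(" ")
                result[transport.strip()] = parse_ports(ports)
            return result
    return {}


def lint(text):
    """Return a list of findings; an empty list means the config looks migrated."""
    pre = parse_preprocessors(text)
    findings = []
    if "dcerpc" in pre:
        findings.append("legacy 'dcerpc' preprocessor still configured")
    if "dcerpc2" not in pre or "dcerpc2_server" not in pre:
        findings.append("dcerpc2 and dcerpc2_server are not both configured")
        return findings
    if "445" not in detect_map(pre["dcerpc2_server"]).get("smb", []):
        findings.append("smb detect ports do not include 445")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["ok: dcerpc2 configured"]:
        print(finding)
```

Run it against a real snort.conf by reading the file into `lint()`; the checker only looks at the preprocessor lines, so it is safe to point at a full production config before the upgrade window.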

  4. Hmmm... Why do I get the feeling I need to upgrade Snort to version 2.84.

    Hey... I'm not even using Snort

  5. I want to upgrade snort 2.8.4 in IPCop. I downloaded snort 2.8.4 and tried to install it in IPCop but cannot.
    Can you help me?

  6. Nam, IPCop is not part of the Snort project. We have no information on it at all. Your best course of action is to seek help at

  7. Thanks Nigel Houghton!
    Because IPCop uses Snort and I configured IDS/Snort and it has an error. Everybody said that I should upgrade it to 2.8, but I can't install it. ^^
