Back in February, I wrote about having to upgrade Snort pretty soon. Well, the time is upon us. This week, we will be releasing Snort 2.8.4. When this happens, the only way to stay current with detection for anything DCERPC-related will be to upgrade Snort. We will not be releasing detection that does not use the new dcerpc2 preprocessor.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

What this means is that the only version of Snort that will get new rules for anything DCERPC-related will be 2.8.4. Nothing backwards compatible will be released; it is not possible to do so. On the upside, though, the number of rules needed in the NetBIOS category will be reduced greatly, which will make rule management a lot easier. Previously, a lot of the detection and protocol decoding was being done by the rules themselves; with the new preprocessor handling the decoding, this is no longer necessary. Hence the huge reduction in the number of rules and the increase in the simplicity of the rules themselves.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

I also wrote a post about the new ruleset available for dcerpc2. Along with that ruleset, we posted instructions for using the new preprocessor and its README file.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

Keep an eye on the mailing lists, snort.org and this space. Release is imminent.