Snort 2.8.5

Snort version 2.8.5 has just been released on September 15, 2009.

Here are the new additions from the previous version :

  • Ability to load a new snort.conf without stopping & restarting Snort.
  • Ability to specify different Snort configurations based on VLAN tags or CIDR blocks.
  • Detection, Rate, and Event filtering. The ‘threshold’ keyword is now deprecated.

Reload Feature

We need to add “–enable-reload” during the configure phase to enable support for reloading configuration. Unfortunately this feature is not available for Windows platform.

But please bear in mind that not all of the Snort configuration options are reloadable (Source : README.reload) :

  • Adding/modifying/removing shared objects via dynamicdetection, dynamicengine and dynamicpreprocessor are not reloadable.
  • Any changes to output.

Multiple Configurations

With this new version of Snort, we can define multiple Snort configuration files and bind each one to a VLAN or subnet. They now can have their own configuration file with different preprocessor, settings and detection rules. (Source : README.multipleconfigs)

Detection, Rate, and Event filtering

In Snort 2.8.5 there are several filters used to control the generation, processing, and logging of events (Source : README.filters) :

  • detection_filter is a new rule option that replaces the current threshold keyword in a rule.  It defines a rate which must be exceeded by a source or destination host before a rule can generate an event.
  • rate_filter provides rate based attack prevention by allowing users to configure a new action to take for a specified time when a given rate is exceeded.
  • event_filter is a standalone command which replaces ‘threshold’, which is now  obsolete.  event_filters reduce the amount of data logged.
  • Events can also be completely suppressed with the standalone suppress command.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s