Snort version 2.8.5 was released on September 15, 2009.
Here are the main additions since the previous version:
- Ability to load a new snort.conf without stopping & restarting Snort.
- Ability to specify different Snort configurations based on VLAN tags or CIDR blocks.
- Detection, Rate, and Event filtering. The 'threshold' keyword is now deprecated.
We need to add `--enable-reload` during the configure phase to enable support for reloading the configuration. Unfortunately this feature is not available on the Windows platform.
But please bear in mind that not all of the Snort configuration options are reloadable (Source: README.reload):
- Adding/modifying/removing shared objects via dynamicdetection, dynamicengine and dynamicpreprocessor is not reloadable.
- Any changes to output.
With this new version of Snort, we can define multiple Snort configuration files and bind each one to a VLAN or subnet. Each VLAN or subnet can then have its own configuration file with different preprocessors, settings and detection rules. (Source: README.multipleconfigs)
Detection, Rate, and Event filtering
In Snort 2.8.5 there are several filters used to control the generation, processing, and logging of events (Source: README.filters):
- detection_filter is a new rule option that replaces the threshold keyword inside a rule. It defines a rate that a source or destination host must exceed before the rule can generate an event.
- rate_filter provides rate-based attack prevention by allowing users to configure a new action to take, for a specified time, when a given rate is exceeded.
- event_filter is a standalone command that replaces the standalone 'threshold' command, which is now obsolete. event_filters reduce the amount of data logged.
- Events can also be completely suppressed with the standalone suppress command.
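The following snort.conf fragment is an added example (not from the Snort READMEs or the original post) that puts the new 2.8.5 features side by side: a VLAN and a subnet binding, a rule using detection_filter, and an event_filter, rate_filter and suppress entry applied to that rule. The file paths, the sid 1000001, and the 192.0.2.x / 198.51.100.x addresses are placeholders constructed for the example.

```snort
# --- multiple configurations (README.multipleconfigs) ---
# Bind a separate snort.conf to VLAN 10 and to a server subnet; traffic that
# matches neither binding is handled by the default configuration (this file).
# (paths and addresses are constructed placeholders)
config binding: /etc/snort/snort.vlan10.conf vlan 10
config binding: /etc/snort/snort.servers.conf net 198.51.100.0/24

# --- detection_filter: rule option, replaces 'threshold' inside a rule ---
# Generate an event only once a single source has sent more than 5 SYNs to
# port 22 within 60 seconds, instead of alerting on every single SYN.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection rate exceeded"; \
    flow:stateless; flags:S; detection_filter:track by_src, count 5, seconds 60; \
    classtype:attempted-recon; sid:1000001; rev:1;)

# --- event_filter: standalone, replaces the standalone 'threshold' command ---
# type limit: log at most 1 event per source per 60 s for sid 1000001, so a
# noisy host produces one line per minute rather than one per packet.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# --- rate_filter: switch the rule action once a rate is exceeded ---
# If a source triggers sid 1000001 ten times in 60 s, treat its matching
# traffic with action 'drop' for the next 300 s. 'drop' only takes effect in
# inline mode; on a passive sensor use 'alert' or 'log' instead.
rate_filter gen_id 1, sig_id 1000001, track by_src, count 10, seconds 60, \
    new_action drop, timeout 300

# --- suppress: silence one signature for a known, authorised source ---
# e.g. an approved vulnerability scanner that legitimately opens many SSH
# connections; other sources are still evaluated normally.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
```

When Snort was built with `--enable-reload`, sending SIGHUP to the running process reloads this file in place, subject to the non-reloadable options listed above.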