Intrusion detector Snort now has improved HTTP inspection
According to the Snort developers, the latest 2.8.6 release can now divide HTTP requests into five components – method, URI, header, cookies and body – to allow better analysis. This makes it easier to apply rules to individual components. Decompression of Gzip-compressed packets has been improved, and a sensitive data filter, which seeks to detect and prevent the transfer of personal data, has been implemented. There are also a number of additional fixes and stability enhancements.
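The effect of matching per component rather than against the whole packet can be shown with a small Python illustration. This is an added example, not Snort code or anything taken from the release; the function names, the sample requests, the host name and the rule are all assumptions made for the demonstration.

```python
# Added illustration (not Snort code): split a request into the five
# components the article lists and match rule conditions per component.

def split_http_request(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = parts
    headers, cookies = [], []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Cookie data gets its own buffer instead of staying in the headers.
        if name.strip().lower() == b"cookie":
            cookies.append(value.strip())
        else:
            headers.append(line)
    return {"method": method, "uri": uri, "header": b"\r\n".join(headers),
            "cookie": b"; ".join(cookies), "body": body}

def rule_matches(buffers: dict, conditions) -> bool:
    """True if every (component, needle) pair matches, case-insensitively."""
    return all(needle.lower() in buffers[comp].lower()
               for comp, needle in conditions)

def whole_packet_match(raw: bytes, needle: bytes) -> bool:
    """Unscoped match over the raw bytes, for comparison."""
    return needle.lower() in raw.lower()

# Constructed sample requests (not captured traffic).
REQ_LOGIN = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
             b"Cookie: last_page=/admin/panel\r\n"
             b"Content-Length: 9\r\n\r\nuser=anna")
REQ_ADMIN = (b"POST /admin/panel HTTP/1.1\r\nHost: shop.example\r\n"
             b"Cookie: sid=42\r\nContent-Length: 9\r\n\r\nuser=anna")

# Hypothetical rule: alert on POST requests whose URI contains /admin.
ADMIN_POST = [("method", b"POST"), ("uri", b"/admin")]

if __name__ == "__main__":
    for name, req in (("login", REQ_LOGIN), ("admin", REQ_ADMIN)):
        print(name, whole_packet_match(req, b"/admin"),
              rule_matches(split_http_request(req), ADMIN_POST))
```

The unscoped match fires on both requests because `/admin` also appears in a cookie value, while the component-scoped rule fires only on the request whose URI contains it.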
In a post on its blog, Sourcefire points out a couple of stumbling blocks that arise from the change in the version numbers of rules files. Version 0.4.1 of the Snort rules updater PulledPork is also available and includes a number of improvements.
More details about the release can be found in the release notes (direct download text file). Snort 2.8.6 is available to download from the project's web site and is dual licensed under version 2 of the GNU General Public License (GPLv2) and the Non-Commercial Use License for the Proprietary Snort Rules.
- VRT Rules 2010-04-46, Sourcefire Vulnerability Research Team advisory.