Snort 2.9.1 improves protocol handling
The Snort network intrusion detection system has been updated with protocol-aware flushing (PAF) for HTTP and DCE/RPC and improved SIP, POP3 and IMAP preprocessors. Updates to the HTTP and DCE/RPC preprocessors now allow Snort to reassemble requests and responses, even when spread over many packets, and to flush the reassembled data at protocol message boundaries rather than at arbitrary byte counts. Snort performs real-time analysis of IP network traffic to detect attempts to probe or attack the network, using a user-defined ruleset which characterises those attacks.
The improved SIP preprocessor can identify call channels and detect anomalies in SIP communications. The new POP3 and IMAP preprocessors are able to decode email attachments in Base64, Quoted-Printable and uuencoded formats, and the SMTP preprocessor is now able to handle the latter two formats as well. An experimental IP Reputation preprocessor allows Snort to blacklist or whitelist packets based on their source or destination IP address.
Other improvements include support for reading large pcap files and logging HTTP URLs, attachment filenames and email recipients when generating events. There are also updates to the rules and options, better build portability and enhanced documentation. More details of these and other changes are available in the release notes and change log included in the announcement. Snort 2.9.1 is available to download as source or binaries for RHEL6, Fedora 13 and Windows. The Snort source code is licensed under the GPLv2.
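The configuration behind the features described above, as an added example that is not taken from the article and is not the snort.conf shipped with Snort: a fragment using the Snort 2.9.1 option names for PAF, HTTP event logging, the mail preprocessors' attachment decoding and the IP Reputation lists. The ports, decode depths, list-file paths and memcap are assumptions for illustration.

```conf
# Added example, not part of the original article or the stock snort.conf.
# Option names follow the Snort 2.9.1 manual; ports, depths, paths and the
# memcap value are assumed.

# Protocol-aware flushing: the largest PDU that stream5 buffers before handing
# a complete HTTP or DCE/RPC request/response to the preprocessor.
config paf_max: 16000

# HTTP inspection: record the request URI and Host header with each event.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    log_uri log_hostname

# SMTP: decode attachments in all four encodings. Depth 0 = unlimited,
# -1 = do not decode that encoding. Also log sender, recipients and
# attachment filename with events.
preprocessor smtp: ports { 25 587 } \
    b64_decode_depth 0 \
    qp_decode_depth 0 \
    bitenc_decode_depth 0 \
    uu_decode_depth 0 \
    log_mailfrom log_rcptto log_filename

# POP3 and IMAP: the new preprocessors take the same decode-depth options.
preprocessor pop: ports { 110 } \
    b64_decode_depth 0 qp_decode_depth 0 bitenc_decode_depth 0 uu_decode_depth 0
preprocessor imap: ports { 143 } \
    b64_decode_depth 0 qp_decode_depth 0 bitenc_decode_depth 0 uu_decode_depth 0

# IP Reputation (experimental): each list file holds one IP or CIDR per line,
# '#' starts a comment. "priority whitelist" means an address present on both
# lists is treated as whitelisted; "nested_ip inner" checks the inner address
# of tunnelled packets.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist /etc/snort/rules/white_list.rules, \
    blacklist /etc/snort/rules/black_list.rules
```

The reputation preprocessor compares both the source and the destination address of each packet against the lists, so a single entry covers traffic in either direction; note the comma-separated syntax it uses, unlike the whitespace-separated options of the mail and HTTP preprocessors.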
- Snort creator talks Razorback and ClamAV, a report from The H.