Snort 2.8.4 upgrade is out -- Upgrade now!

We over at Sourcefire (yes, I work for Sourcefire in case you don't know by now!) have been putting the word out for a couple months now about the Snort 2.8.4 upgrade, how it's very important, and you need to go upgrade now.

Well yesterday, after months and months of hard work, Sourcefire released SEU 216 for their Intrusion Prevention System customers and Snort 2.8.4 hit the Open Source community at the same time. 

"Okay, so why is this so important?!"  You may be asking.

For awhile now, a lot of netbios flow tracking has been done with our rules language.  This results in 100's of rules to do flow tracking for a particular exploit.  For example, the rules that detect the exploit that Confiker uses (MS08-067), before the preprocessor, there were 168 rules.  Introduced in 2.8.4 is a new target based DCE/RPC preprocessor, called "DCE/RPC2".  This preprocessor provides a bunch of the flow tracking internally and provides rule options that rule writers can call.  So, after the new netbios rules go out (in the next few days, according to, the number of MS08-067 rules will be reduced to 2. 

For instance, the old netbios rule file:

# wc -l  netbios.rules
5828 netbios.rules

The new:

# wc -l netbios.rules
122 netbios.rules


So this is great!  However, the warning about this is, VRT is no longer providing the "old" method of rule updates to netbios vulnerabilities.  So, unless you are on Snort 2.8.4, you will no longer receive updates to protect you against the current netbios threats.  So you if you are VRT rules subscriber, who relies on those same-day rule releases, you need to update now.

If you are using a package (Debian, Ubuntu, etc.)  I would suggest downloading Snort from source and compiling the old fashion way.  Hopefully the package maintainers will update their stuff soon.

While this is certainly the biggest update to Snort 2.8.4, there are several more (This is brought over from

- Support for IPV6 in Frag3 and all application preprocessors

- Improved Target-based support in preprocessors.

- Option to automatically pre-filter traffic that is not inspected in order to improve performance.

- Plus some other improvements and fixes, for a full changelog, please go here

So in case you haven't heard me say it enough in this diary, Update!

-- Joel Esler



454 Posts
Apr 8th 2009

Sign Up for Free or Log In to start participating in the conversation!