snort-openappid - An open source Network Intrusion Detection System (NIDS) with open AppId support
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system. You MUST edit /etc/snort/snort.conf to configure Snort before it will work! Please see the documentation in /usr/share/doc/snort-22.214.171.124 for more information on Snort features and configuration.
snort-openappid-126.96.36.199-2.el7.x86_64 [7.7 MiB]
by Lawrence R. Rogers (2018-03-19):
- Release 188.8.131.52-2 Added PF Ring for CentOS 6 and 7 for the x86_64 architecture.
snort-openappid-184.108.40.206-1.el7.x86_64 [6.5 MiB]
by Lawrence R. Rogers (2017-12-06):
- Release 220.127.116.11-1
  New Additions
  * Added support to block portscan. In addition to tracking the scanning packets, action(drop/sdrop/reject) will be taken for all the packets, which means Snort will block the packet and generate logs.
  * Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.
  Improvements
  * Fixed issue to detect RTP up to two SSRC switches in each traffic direction.
  * Fixed issues related to HTTP POST header flushing, calling file processing directly if it is not a multipart header and changes to avoid expensive copy of segment data by not splitting them when flushing headers.
  * Fixed issue of triggering protocol sweep alert when there are multiple destinations from single source ip protocol scan.
  * Added changes to fix IP portscan for protocol other than ICMP and fixed issue of bad fragment size event not being generated for oversized packets.
  * Added changes to use raw data in case of PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup.
  * Fixed issue of correct session matching for TCP SYN packets without window scale option so that FTP data channels match the same rule as FTP control channels.
  * Fixed issue of applying new configuration in file inspection after Snort reload.
snort-openappid-2.9.11-1.el7.x86_64 [6.5 MiB]
by Lawrence R. Rogers (2017-09-05):
- Release 2.9.11-1
  * src/build.h : updating build number to 125.
  * src/preprocessors/: spp_session.c, Stream6/snort_stream_tcp.c : Fixed issue with updation of global IPS id before packet processing.
  * src/output-plugins/spo_unified2.c : Added changes to display AppId for IPv6 unified events.
  * src/: dynamic-preprocessors/Makefile.am, reload-adjust/appdata_adjuster.c, sfutil/sfmemcap.c, sfutil/sfmemcap.h : Fixed dynamic preprocessor compilation failure in OpenBSD platform.
  * src/: parser.c, snort.h, detection-plugins/sp_replace.c : Fixed issues while parsing rules in snort reload path.
  * src/: appIdApi.h, dynamic-preprocessors/appid/appId.h, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/appIdConfig.h, dynamic-preprocessors/appid/appInfoTable.c, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/hostPortAppCache.c, dynamic-preprocessors/appid/hostPortAppCache.h : Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.
  * src/preprocessors/spp_normalize.c : Fixed incorrect usage of snort configuration in snort reload path.
  * src/dynamic-preprocessors/appid/: flow.c, flow.h, fw_appid.c : Fixed issues with printing of messages for out-of-order packets.
  * src/: mempool.c, mempool.h, reg_test.h, reload.c, control/sfcontrol.c, control/sfcontrol.h, preprocessors/spp_session.c, preprocessors/Stream6/snort_stream_tcp.c : Added support for forced allocation of TCP protocol memory pool after maximum limit is reached.
  * src/reload.c : Fixed synchronisation issue during snort reload.
  * src/sfutil/: sf_ip.h, sf_ipvar.c, sf_ipvar.h : Added changes to improve performance of ipvar list comparison.
  * src/: dynamic-output/plugins/output_lib.h, dynamic-output/plugins/output_plugin.c, dynamic-preprocessors/dcerpc2/dce2_smb.c, dynamic-preprocessors/dcerpc2/dce2_smb.h, dynamic-preprocessors/dcerpc2/dce2_smb2.c, dynamic-preprocessors/dcerpc2/spp_dce2.c, dynamic-preprocessors/file/file_event_log.c, file-process/file_api.h, file-process/file_service.c, file-process/file_stats.c, file-process/file_stats.h, sfutil/sf_textlog.c, sfutil/sf_textlog.h : Added support for storing filenames in unicode format for SMB protocol.
  * src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c : Enhanced SMTP client detection by allowing line folding and all authentication methods.
  * src/: fpcreate.c, sfutil/sfthd.c, sfutil/sfxhash.c : Fixed issue in detection filter counter when rule is used in multiple configurations.
snort-openappid-18.104.22.168-1.el7.x86_64 [6.3 MiB]
by Lawrence R. Rogers (2016-12-14):
- Release 22.214.171.124-1
  New additions
  * New rule option for byte_math. See the Snort manual for details.
  * Added bitmask and from_end operations to byte_test. See the Snort manual for details.
  * Added a Buffer Dump utility to trace all of the buffers used by snort during inspection. Enable this by --enable-buffer-dump option to configure prior to building. See the Snort manual for details.
  * Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length.
  * Added support for SMTP Traffic detection over SSL (SMTPS).
  Improvements
  * Fixed an issue which reduces extra service discovery to improve performance.
  * Fixed multiple issues in AppID.
    - Reconstructed the call to port-service detection.
    - Fixed issue where AppId for Facebook over SPDY/HTTP 1.1 was incorrect.
    - Preventing third-party application identification for expected connections.
  * Stability improvement for Stream preprocessor.
    - Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
    - Fixed an issue where incorrect length argument in memcpy caused out of bound memory access.
  * Fixed multiple issues in HttpInspect preprocessor.
    - Handling chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n.
    - Fixed an issue with LZMA flash decompression.
  * Fixed mime data processing issue in SMTP stateless inspection.
  * Added support to decode packets that contains VLAN with Secure Group Tag (SGT).
  * Fixed Issue related to DLL-Load in Snort on windows platforms for CVE-2016-1417.
snort-openappid-126.96.36.199-1.el7.x86_64 [6.5 MiB]
by Lawrence R. Rogers (2015-11-17):
- Release 188.8.131.52-1
  [*] New additions
  * SMBv2/SMBv3 support for file inspection.
  * Port override for metadata service in IPS rules.
  * AppID Lua detector performance profiling.
  * Perfmon dumps stats at fixed intervals from absolute time.
  * New preprocessor alert (120:18) to detect SSH tunneling over HTTP
  * New config option |disable_replace| to disable replace rule option.
  * New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
  * New shell script in tools to create simple Lua detectors for AppID.
  [*] Improvements
  * sfip_t refactored to use struct in6_addr for all ip addresses.
  * Post-detection callback for preprocessors.
  * AppID support for multiple server/client detectors evaluating on same flow.
  * AppID API for DNS packets.
  * Memory optimizations throughout.
  * Support sending UDP active responses.
  * Fix perfmon tracking of pruned packets.
  * Stability improvements for AppID.
  * Stability improvements for Stream6 preprocessor.
  * Added improved support to block malware in FTP preprocessor.
  * Added support to differentiate between active and passive FTP connections.
  * Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue.
  * Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.
  * Added support for multiple expected sessions created per packet
  * Active response now supports MPLS