snort-openappid - An open source Network Intrusion Detection System (NIDS) with open AppId support
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system. You MUST edit /etc/snort/snort.conf to configure snort before it will work! Please see the documentation in /usr/share/doc/snort-184.108.40.206 for more information on snort features and configuration.
|snort-openappid-220.127.116.11-1.fc20.x86_64 [6.2 MiB]||
by Lawrence R. Rogers (2016-12-14):
- Release 18.104.22.168-1 New additions * New rule option for byte_math. See the Snort manual for details. * Added bitmask and from_end operations to byte_test. See the Snort manual for details. * Added a Buffer Dump utility to trace all of the buffers used by snort during inspection. Enable this by --enable-buffer-dump option to configure prior to building. See the Snort manual for details. * Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length. * Added support for SMTP Traffic detection over SSL (SMTPS). Improvements * Fixed an issue which reduces extra service discovery to improve performance. * Fixed multiple issues in AppID. - Reconstructed the call to port-service detection. - Fixed issue where AppId for Facebook over SPDY/HTTP 1.1 was incorrect. - Preventing third-party application identification for expected connections. * Stability improvement for Stream preprocessor. - Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX. - Fixed an issue where incorrect length argument in memcpy caused out of bound memory access. * Fixed multiple issues in HttpInspect preprocessor. - Handling chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n. - Fixed an issue with LZMA flash decompression. * Fixed mime data processing issue in SMTP stateless inspection. * Added support to decode packets that contains VLAN with Secure Group Tag (SGT). * Fixed Issue related to DLL-Load in Snort on windows platforms for CVE-2016-1417.
|snort-openappid-22.214.171.124-1.fc20.x86_64 [5.4 MiB]||
by Lawrence R. Rogers (2016-04-26):
- Release 126.96.36.199-1 2016-04-26 Rahul Burman <email@example.com> Snort 188.8.131.52 * src/build.h: updating build number to 383 * configure.in, src/preprocessors/HttpInspect/server/hi_server.c: Modified Http header parsing of multiline content-encoding header. * src/preprocessors/: snort_httpinspect.c, HttpInspect/server/hi_server.c: Fixed an issue where file position pointer was incorrectly set for HTTP response containing chunked and gzip data. * src/preprocessors/Stream6/: snort_stream_tcp.c Added sanity check to TCP trimming in out-of-order FIN case. * src/parser.c: Disabled port groups that are not useful unless adapative profiling is enabled. * src/: dynamic-preprocessors/sdf/spp_sdf.c, obfuscation.c: Fixed an issue of incorrect masking of sensitive data. 2016-03-18 Gaurav Nagare <firstname.lastname@example.org> Snort 184.108.40.206 * src/build.h: updating build number to 335 * src/dynamic-plugins/: sf_engine/examples/detection_lib_meta.h, sf_dynamic_meta.h: Updated detection API version to 2.6 to use the latest snort SO rules. * src/: dynamic-preprocessors/sdf/spp_sdf.c, preprocessors/Stream6/snort_stream_tcp.c, obfuscation.c: Fixed several issues with SDF and obfuscation. * src/: profiler.h, preprocessors/perf_indicators.c, preprocessors/perf_indicators.h: Resolved snort build issue with "--disable-perfprofiling" configure option. * src/: decode.c, decode.h: Added Double VLAN tagging support. * src/file-process/file_mime_process.c: Enhanced mime parsing by adding support for detecting files after unknown headers and no headers. * src/preprocessors/HttpInspect/server/hi_server.c: Fixed memory leak. * src/preprocessors/HttpInspect/utils/hi_paf.c: Fixed issue with gzip decompression. If the server response specifies Content-Encoding as GZIP, but no Content-Length field for HTTP version 1.0. * doc/snort_manual.pdf, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c: Fixed Snort memory leak in parsing HTTP xff options. * src/preprocessors/spp_httpinspect.c: Fixed Coverity issues. * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h, HttpInspect/include/hi_paf.h, HttpInspect/server/hi_server.c, HttpInspect/utils/hi_paf.c: Improved End of Header(EOH) identification for response header spanning multiple reassembled packets. * src/preprocessors/: HttpInspect/utils/hi_paf.c, Stream6/snort_stream_tcp.c, Stream6/stream_paf.c: Improved packet reassembly for HTTP, added code to purge segment correctly when PAF decides to ignore packet upon reaching paf_max. * src/fpdetect.c: Fixed to use outer header callback functions when checking IP rule against outer IPs and inner header callback when checking against inner IPs. * src/preprocessors/spp_httpinspect.c: Fixed an issue where http_inspect current and default config had different file depth. * src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c: Handled malformed DNS host in AppId. * src/file-process/: file_api.h, file_segment_process.c, file_service.c: Prevented access to file contexts which are pruned when memcap is reached. * src/dynamic-preprocessors/appid/: app_forecast.c, app_forecast.h, flow.h, fw_appid.c, spp_appid.c, thirdparty_appid_types.h: Performance improvements to AppID. * src/dynamic-preprocessors/appid/luaDetectorApi.c: Created a future-flow API for lua detector. Exposed DNS API to lua detector. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Fixed an issue where unexpected SSL negotiation starts for FTP with explicit SSL. * src/preprocessors/HttpInspect/utils/hi_paf.c: Updated HTTP PAF to accept all tokens between method and version string in request URI. * src/preprocessors/HttpInspect/files/file_decomp_SWF.c: Fixed Flash LZMA decompression issue. * src/preprocessors/spp_httpinspect.c: Fixed file_depth intialization issue during Snort reload.
|snort-openappid-220.127.116.11-1.fc20.x86_64 [6.5 MiB]||
by Lawrence R. Rogers (2015-11-17):
- Release 18.104.22.168-1 [*] New additions * SMBv2/SMBv3 support for file inspection. * Port override for metadata service in IPS rules. * AppID Lua detector performance profiling. * Perfmon dumps stats at fixed intervals from absolute time. * New preprocessor alert (120:18) to detect SSH tunneling over HTTP * New config option |disable_replace| to disable replace rule option. * New Stream configuration |log_asymmetric_traffic| to control logging to syslog. * New shell script in tools to create simple Lua detectors for AppID. [*] Improvements * sfip_t refactored to use struct in6_addr for all ip addresses. * Post-detection callback for preprocessors. * AppID support for multiple server/client detectors evaluating on same flow. * AppID API for DNS packets. * Memory optimizations throughout. * Support sending UDP active responses. * Fix perfmon tracking of pruned packets. * Stability improvements for AppID. * Stability improvements for Stream6 preprocessor. * Added improved support to block malware in FTP preprocessor. * Added support to differentiate between active and passive FTP connections. * Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue. * Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured. * Added support for multiple expected sessions created per packet * Active response now supports MPLS