Snort mailing list archives
Re: Snort 2.3.0 RC2 released
From: sekure <sekure () gmail com>
Date: Thu, 16 Dec 2004 08:38:52 -0500
I know it's bad form to reply to myself, but after a little more digging I realized that before 2.3RC2 snort never logged the initialization of the thresholding and suppression module into syslog when being daemonized. Now it does, only it takes up lots of room in syslog. I guess I can live with that, it's just not very pretty.

On Wed, 15 Dec 2004 15:31:49 -0500, sekure <sekure () gmail com> wrote:
Did anyone else notice something interesting in snort's logging to syslog, where all the suppress/threshold messages are now broken up and take up 6 lines for each statement? For example:

Dec 15 15:27:51 snort-box snort: | gen-id=1
Dec 15 15:27:51 snort-box snort: sig-id=1411
Dec 15 15:27:51 snort-box snort: type=Limit
Dec 15 15:27:51 snort-box snort: tracking=dst
Dec 15 15:27:51 snort-box snort: count=1
Dec 15 15:27:51 snort-box snort: seconds=300

And still, snort's process id doesn't show up on each line that it logs to syslog. Hrm...

On Wed, 15 Dec 2004 11:17:56 -0500, Jeremy Hewlett <jh () sourcefire com> wrote:

Hello all!

Thanks to everyone who tested and commented on the Snort 2.3.0 RC1 release. Your support is, as always, very much appreciated.

Since Snort 2.3.0 RC1 was released, we've added some new functionality, and wanted to go ahead and do another Release Candidate once more before final. The main features of this release are some new rule option features to byte_jump that can be used for advanced SMB exploit detection. New rules that use this functionality will be available shortly from http://www.snort.org.

So without further delay, we're pleased to announce the availability of Snort 2.3.0 RC2. The following bulleted items are the complete release notes for RC2:

* Added from_beginning and multiplier options for byte_jump. from_beginning skips bytes from the beginning of the content, instead of from the location immediately following the number of bytes to skip. multiplier takes a numeric argument, and skips x times that number of bytes. Thanks Steve Sturges.

* Updated documentation on flow_depth and HTTP headers per conversations with Joe Patterson. Thanks Joe!

* Small performance improvement to arpspoof and also fixed a problem where the list of configured IP/MAC entries would contain only one entry and leaked memory. Thanks Jeff Nathan.

* Fixed a problem affecting MacOS X where linking may fail with non-standard libraries when global symbols are encountered multiple times. Thanks Jeff Nathan.

* Ignore RST|ACK midstream pickup case so we don't get evasive TCP alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix.

* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the logdir config will work if the default or command-line logdir does not exist on the system. Thanks Dan Roelker.

* Fixed bug when setting the doe_ptr on a successful pcre match. It is now set relative to base_ptr. Thanks Steve Sturges for the fix.

* In "fast" output, now log only actual packet contents when UDP data length is greater than actual data length. Thanks Brian Caswell for spotting this, and Andrew Mullican for working on the fix.

Further details can be found in the ChangeLog.

Thanks again for the support, and please let us know what you think of this release.

Cheers,
The Snort Team

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
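The byte_jump options announced above (offset, relative, multiplier, from_beginning, align) are easier to reason about when the pointer arithmetic is spelled out. The following is an added example, not code from the Snort project or from anyone in this thread: a small Python model of the byte_jump semantics as the release notes describe them, run over constructed buffers that are not real SMB traffic. The function names byte_jump and content_at, the payload layouts, and the treatment of an out-of-range pointer as a non-match are assumptions made for illustration; Snort's engine is C and its actual option syntax is documented in the Snort manual.

```python
import struct


def byte_jump(payload, bytes_to_convert, offset, *, doe_ptr=0, relative=False,
              little=False, multiplier=1, from_beginning=False, align=False):
    """Model of Snort's byte_jump: return the new detect-offset pointer.

    - bytes_to_convert: 1, 2 or 4 bytes are read at `offset` and converted to
      an unsigned integer (big endian unless little=True).
    - relative: `offset` counts from doe_ptr (the end of the previous match)
      instead of from the start of the payload.
    - multiplier: the converted value is multiplied by this before skipping.
    - align: the skip is rounded up to the next 4-byte boundary.
    - from_beginning: the skip is measured from the start of the payload
      rather than from the byte after the converted bytes (the RC2 addition).
    Returns None when the read or the resulting pointer falls outside the
    payload; this example treats that as the option failing to match.
    """
    read_at = (doe_ptr if relative else 0) + offset
    if read_at < 0 or read_at + bytes_to_convert > len(payload):
        return None
    fmt = {1: "B", 2: "H", 4: "I"}[bytes_to_convert]
    value = struct.unpack(("<" if little else ">") + fmt,
                          payload[read_at:read_at + bytes_to_convert])[0]
    skip = value * multiplier
    if align:
        skip = (skip + 3) & ~3
    new_ptr = skip if from_beginning else read_at + bytes_to_convert + skip
    return new_ptr if new_ptr <= len(payload) else None


def content_at(payload, ptr, pattern):
    """Stand-in for a relative `content` match: does pattern start at ptr?"""
    return ptr is not None and payload[ptr:ptr + len(pattern)] == pattern


# Constructed payloads (not real SMB traffic): a 4-byte magic, a 2-byte
# little-endian field, then a body whose layout the field describes.
COUNTED = (b"\xffSMB" + struct.pack("<H", 3)             # 3 fixed-size items follow
           + b"A" * 8 + b"B" * 8 + b"C" * 8 + b"END!")   # items are 8 bytes each
OFFSET_FROM_START = (b"\xffSMB" + struct.pack("<H", 12)  # data begins at byte 12
                     + b"\x00" * 6 + b"DATA")


def demo():
    """Run each option combination and report which one lands on the marker."""
    # After a content match on the 4-byte magic, doe_ptr is 4; the field sits there.
    by_count = byte_jump(COUNTED, 2, 0, doe_ptr=4, relative=True, little=True,
                         multiplier=8)                        # 6 + 3*8 = 30
    no_mult = byte_jump(COUNTED, 2, 0, doe_ptr=4, relative=True, little=True)
    from_start = byte_jump(OFFSET_FROM_START, 2, 0, doe_ptr=4, relative=True,
                           little=True, from_beginning=True)  # jumps to byte 12
    from_here = byte_jump(OFFSET_FROM_START, 2, 0, doe_ptr=4, relative=True,
                          little=True)                        # 6 + 12 = 18, past the end
    return {
        "multiplier_hits_marker": content_at(COUNTED, by_count, b"END!"),
        "without_multiplier_hits_marker": content_at(COUNTED, no_mult, b"END!"),
        "from_beginning_ptr": from_start,
        "from_beginning_hits_data": content_at(OFFSET_FROM_START, from_start, b"DATA"),
        "default_ptr_overruns": from_here is None,
        "align_rounds_up": byte_jump(b"\x05" + b"x" * 20, 1, 0, align=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two constructed layouts are the cases the new options are for: a count field whose unit is larger than one byte (multiplier), and an offset field that is measured from the start of the message rather than from the field itself (from_beginning); with the default semantics the second jump overruns the buffer and the rule simply never matches.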
Current thread:
- Snort 2.3.0 RC2 released Jeremy Hewlett (Dec 15)
- Re: Snort 2.3.0 RC2 released sekure (Dec 15)
- Re: Snort 2.3.0 RC2 released sekure (Dec 16)
- Snort 2.3.0 RC2 with INLINE compilation problems Julio E. Gonzalez P. (Dec 16)
- Message not available
- Re: Snort 2.3.0 RC2 with INLINE compilation problems Jeremy Hewlett (Dec 16)
- Re: Snort 2.3.0 RC2 released sekure (Dec 16)
- Re: Snort 2.3.0 RC2 released Jeremy Hewlett (Dec 17)
- Re: Snort 2.3.0 RC2 released sekure (Dec 15)