Wednesday, June 02, 2004

Good News from Snort Land

I have two good pieces of news from the Snort development team. First, Snort 2.1.3 has been released. The big deal with this new release is multi-event logging via an event queue. This feature lets Snort generate multiple alerts per packet or stream, rather than alerting once and then moving on to the next packet or stream. It was introduced to address what H.D. Moore calls "event masking": when only the first matching rule is reported, a noisier low-priority match can hide a more serious one on the same packet.
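To make the difference concrete, here is an added simulation (my own illustration, not code from the post or from the Snort project) of single-event alerting versus event-queue alerting on one packet that matches several rules at once. The option names `max_queue`, `log` and `order_events` mirror Snort's `config event_queue` directive; the rules, their priorities and content lengths are constructed for the example, and the queue-capacity handling is a simplification of Snort's internal priority queue.

```python
"""Constructed simulation of event masking and the event-queue fix."""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Event:
    """One rule match on a packet (constructed data, not real Snort rules)."""
    sid: int             # signature id
    msg: str             # rule message
    priority: int        # Snort convention: 1 is the highest priority
    content_length: int  # length of the longest content match in the rule


# Constructed sample: three rules match the same packet, in detection order.
# The noisy policy rule happens to be evaluated first.
SAMPLE_MATCHES: List[Event] = [
    Event(1000001, "noisy policy rule", priority=3, content_length=4),
    Event(1000002, "high-severity signature", priority=1, content_length=12),
    Event(1000003, "protocol anomaly", priority=2, content_length=8),
]


def single_event(matches: List[Event]) -> List[Event]:
    """Pre-2.1.3 behaviour: log the first match and move on.

    Every other match on the packet is silently dropped, which is the
    event masking problem described in the post.
    """
    return [matches[0]] if matches else []


def event_queue(matches: List[Event], max_queue: int = 8, log: int = 3,
                order_events: str = "content_length") -> List[Event]:
    """Event-queue behaviour: queue matches, order them, log the top `log`.

    Defaults mirror the Snort directive
        config event_queue: max_queue 8 log 3 order_events content_length
    Ordering by 'priority' puts the most severe rule first; ordering by
    'content_length' favours the most specific (longest) content match.
    Capacity handling is simplified: the best `max_queue` events under the
    chosen order are kept, then the first `log` of those are reported.
    """
    if order_events not in ("priority", "content_length"):
        raise ValueError(f"unknown order_events value: {order_events!r}")
    if order_events == "priority":
        ordered = sorted(matches, key=lambda e: e.priority)   # 1 first
    else:
        ordered = sorted(matches, key=lambda e: -e.content_length)
    # sorted() is stable, so ties keep detection order.
    queued = ordered[:max_queue]
    return queued[:log]


def masked_sids(matches: List[Event]) -> Set[int]:
    """Signature ids an analyst would never see under single-event logging."""
    seen_old = {e.sid for e in single_event(matches)}
    seen_new = {e.sid for e in event_queue(matches, order_events="priority")}
    return seen_new - seen_old


if __name__ == "__main__":
    print("single event :", [e.msg for e in single_event(SAMPLE_MATCHES)])
    print("event queue  :", [e.msg for e in event_queue(SAMPLE_MATCHES,
                                                         order_events="priority")])
    print("masked sids  :", sorted(masked_sids(SAMPLE_MATCHES)))
```

Running it shows that the old behaviour reports only the noisy policy rule, while the event queue ordered by priority surfaces the high-severity signature first; tuning `log` controls how many of the queued matches actually reach the console, which is the trade-off between completeness and alert volume a Sguil analyst has to weigh.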

The second good piece of news is the appearance of Sguil in several publications and presentations. First, Marty Roesch's AUSCERT 2004 presentation (.pdf) includes Sguil along with ACID as two consoles for Snort. Sguil also appears in two new books, Syngress' Snort 2.1 and O'Reilly's Network Security Hacks. Both books spend most of their time explaining how to install older versions of Sguil, but it's the thought that counts.

Now that Snort 2.1.3 has been released, I plan to upgrade my Sguil for FreeBSD installation guide to use the new Snort, plus Barnyard 0.2.0, Sguil 0.4.0, MySQL 4.0.20, and other updated supporting applications.

