Friday, November 19, 2004

Snort 2.3.0 RC1 Released

Jeremy Hewlett announced the release of Snort 2.3.0 RC1. The major additions are the snort_inline code and the new sfportscan portscan detector.

Sguil users should recognize that alerts from the new portscan detector are not yet fully integrated, due to lack of support in Barnyard. Bamm is working on a modified op_sguil Barnyard component to support sfportscan output. If you enable sfportscan with Sguil, you'll see the alerts appear in the Sguil interface. However, they will not be inserted into the alerts database. This means sfportscan alerts will not be available for review once they are cleared from the display. Below is an example of how the new sfportscan alerts appear in Sguil.

The interesting aspect of the new sfportscan system is the creation of a "pseudo-packet" with the alert details. The alert above shows sfportscan believes ports 21 through 80 were scanned, although the activity which generated this report was directed at ports 21 through 25:

nmap -v -p 21-25

A look at the first Open Port alert shows sfportscan found port 21 open:

A look at the other Open Port alerts accurately reflects what the scan results showed.

No comments: