
How to find new features in Snort 2.8.2

Each version of Snort brings new features, but they aren't always immediately obvious or clearly documented. Using the release candidate of Snort 2.8.2 as an example, learn how to interpret Snort's release notes, README file and the snort.conf configuration file to locate new Snort features to deploy at customer sites.

Service provider takeaway: Service providers will learn about new features in Snort 2.8.2 that they can deploy at customer sites.

The last time we looked at new Snort options was with Snort 2.8.0, released in late September 2007. Since then, further Snort releases, including 2.8.1, have been published. At the time of writing, Snort 2.8.2-8-rc1 is the latest version, although release candidate versions should generally not be deployed in production environments. However, RC editions do provide a look at the newest elements of Snort available to the general public. This Snort Report provides an overview of some of the new features in the latest editions of Snort while explaining how to identify these new features.

Release notes

The first place to look for news on recent Snort features is the release notes. I recommend reviewing all of the release notes since the version you last used in production. In this case, we will use Snort 2.8.0 as our last version. Usually the release notes show all of the details for a particular branch, such as Snort 2.8.0.x. I've combined notes from all of the releases since 2.8.0 and provided comments after each entry:

2007-11-20 - Snort
[*] Improvements
* Updates to build with new versions of libPCRE.

* Fix Stream5 debugging output to actually compile and have correct output
for normal & IPv6 enabled builds.

* Correct perfmonitor statistic calculation for pattern matcher percentage.

This edition was mainly a bug-fix release. You won't find any changes in the snort.conf file if comparing versions 2.8.0 and

2008-02-12 - Snort
[*] Improvements
* Add ability for dynamic rules to store and retrieve data on stream

Snort appears to add a feature here, but it is not likely to appear in the snort.conf file.

2008-03-31 - Snort 2.8.1
[*] New Additions
* Target-based support to allow rules to use an attribute table
describing services running on various hosts on the network.
Eliminates reliance on port-based rules.

* Support for GRE encapsulation for both IPv4 & IPv6.

* Support for IP over IP tunneling for both IPv4 & IPv6.

* SSL preprocessor to allow ability to not inspect encrypted traffic.

* Ability to read multiple PCAPs from the command line.

* Support for new CVS rule detection options.

[*] Improvements
* Update to HTTP Inspect to identify overly long HTTP header fields.

* Updates to IPv6 support, including changes to avoid namespace
conflicts for certain Operating systems.

* Updates to address issues seen on various Sparc platforms.

* Stricter enforcement of shared object versions to avoid API

Snort 2.8.1 is the first edition with release notes that show "New Additions." You can expect some of these features to appear in the snort.conf shipped with 2.8.1 and/or at the command line. The "Improvements" section is not likely to be reflected in the snort.conf file.

2008-05-05 - Snort 2.8.2 RC1

[*] New Additions
* Performance improvements in fast pattern matcher CPU caching and rules
processing for common rule options.

Finally, Snort 2.8.2 offers "Performance Improvements," but these are not likely to appear in the snort.conf file either.

Snort.conf configuration file

Why all of the attention to the snort.conf file in the previous section? I've found that scrutinizing this file is one of the fastest ways to identify new features and bring them to life on the network. In the following example I use the diff utility to show changes between the snort.conf shipped with Snort 2.8.0 and that appearing with 2.8.2.rc1.

taosecurity:/usr/local/src# diff snort-2.8.0/etc/snort.conf snort-2.8.2.rc1/etc/snort.conf | less
< # Snort 2.8.0 Ruleset
> # Snort 2.8.2.rc1 Ruleset
< # preallocated fragment eats ~1550 bytes.
> # preallocated fragment typically eats ~1550 bytes. However,
> # the exact amount is determined by the snaplen, and this can
> # go as high as 64K so beware!
< #preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
> #preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
< # 111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521,
< # and 3306
> # 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
> # 2401, and 3306
> # SSL
> #----------------------------------------
> # Encrypted traffic should be ignored by Snort for both performance reasons
> # and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
> # inspects SSL traffic and optionally determines if and when to stop
> # inspection of it.
> #
> # Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to
> # inspect port 443, only the SSL handshake of each connection will be
> # inspected. Once the traffic is determined to be encrypted, no further
> # inspection of the data on the connection is made.
> #
> # Important note: Stream4 or Stream5 should be explicitly told to reassemble
> # traffic on the ports that you intend to inspect SSL
> # encrypted traffic on.
> #
> # To add reassembly on port 443 to Stream5, use 'port both 443' in the
> # Stream5 configuration.
> preprocessor ssl: noinspect_encrypted

This output displays five sets of changes. Items preceded by < appear in the old file (Snort 2.8.0). Items preceded by > appear in the new file (Snort 2.8.2rc1).

The first change reflects the new version.

In order to understand the second change, we need to look at the context for the difference. diff could have shown that context as well, but I preferred to limit the number of lines reproduced here. If we inspect the snort.conf for 2.8.2rc1, we see the new material falls in the prealloc_frags option of the Frag3 IP defragmentation preprocessor. It's a warning concerning the "[m]aximum number of individual fragments that may be processed at once."

The third change has altered the default value for prealloc_frags from 262144 to a much lower 65536. This is a safer value, but under the right conditions increasing the value is acceptable.

The fourth change involves an option for the Stream4 stateful inspection mechanism. It shows that port 514 has been added to the ports considered to be "default." Many readers will now be using Stream5, so this change will not affect them.

The final change is one of the more interesting aspects of Snort since 2.8.0. As of 2.8.1, Snort can be told to stop inspecting SSL-encrypted traffic on specified ports, after the SSL Dynamic Preprocessor (SSLPP) identifies a flow as SSL-encrypted. This feature helps Snort run faster, since it can ignore encrypted traffic after the SSL handshake is completed.

README files

The new SSLPP section of the 2.8.2rc1 snort.conf file mentions changing the configuration of the Stream5 preprocessor. The following appears in the snort.conf file:

# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
# Stream5 is a target-based stream engine for Snort. Its functionality
# replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously. Comment out the stream4 configurations
# above to use Stream5.
# See README.stream5 for details on the configuration options.
# Example config (that emulates Stream4 with UDP support compiled in)
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules

It's not immediately clear just where "port both 443" should be added in order to help SSLPP. This situation leads us to the third place we should look for information on new Snort features -- the README files.

A look at the README.stream5 file shows the stream5_tcp preprocessor has a "ports" option that fits our needs:

ports [all|space separated port list]
- Specify the client, server, or both and list of
ports in which to perform reassembly. This can
appear more than once in a given config.
For example:
ports both 80 23
ports server 37
ports client 21 25
The default settings are:
ports client 21 23 25 42 53 80 110 111 135 136 \
137 139 143 445 513 514 1433 1521 2401 3306
The minimum port allowed is "1" and the maximum
allowed is "65535".

A look at the default settings shows that only traffic from a client to the designated ports (21, 23, etc.) is reassembled by Stream5. This means assisting SSLPP requires, at a minimum, this entry in snort.conf, if you want SSLPP to ignore SSL-encrypted traffic to port 443 TCP:

preprocessor stream5_tcp: policy first, use_static_footprint_sizes, ports both 443

Note that including a "ports" option has cancelled the default ports list. To re-enable it, you could do the following:

preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
ports both 443, \
ports client 21 23 25 42 53 80 110 111 135 136 \
137 139 143 445 513 514 1433 1521 2401 3306

If you decide not to perform stream reassembly for traffic destined to be inspected by SSLPP, an attacker could introduce layer 4 fragmentation to evade SSLPP.

Reviewing README.ssl reveals that SSLPP can watch any specified port. The default snort.conf entry, e.g.:

preprocessor ssl: noinspect_encrypted

watches the following:

989 FTPS
992 TelnetS
994 IRCS
995 POPS

However, for Stream5 to support SSLPP on those ports, you should explicitly configure the stream5_tcp preprocessor's ports option to reassemble all of them. Alternatively, you can tell SSLPP to only watch port 443 TCP by instructing it thus:

preprocessor ssl: ports { 443 }, noinspect_encrypted
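The Stream5 and SSLPP interaction above has two easy-to-miss traps: a "ports" option on stream5_tcp replaces the default list, and SSLPP only sees the handshake on ports Stream5 actually reassembles. The following added example (my own code, not part of the article or of Snort) parses a snort.conf fragment and reports both gaps; the sample configuration is constructed from the lines quoted above, and the SSLPP default port set is the one listed in this article.

```python
# Stream5 default client-side reassembly ports, as quoted from README.stream5 above.
STREAM5_DEFAULT_CLIENT = {21, 23, 25, 42, 53, 80, 110, 111, 135, 136,
                          137, 139, 143, 445, 513, 514, 1433, 1521, 2401, 3306}
SSLPP_DEFAULT = {989, 992, 994, 995}  # as listed in this article; README.ssl for your build may list more

def directives(conf):
    """Yield snort.conf directives with backslash continuations joined, comments dropped."""
    buf = ""
    for line in (l.strip() for l in conf.splitlines()):
        if buf or (line and not line.startswith("#")):
            buf += line.rstrip("\\") + " "
            if not line.endswith("\\"):
                yield buf.strip()
                buf = ""

def stream5_ports(conf):
    """TCP ports Stream5 reassembles per side; any 'ports' option replaces the defaults."""
    cover = {"client": set(), "server": set(), "both": set()}
    for d in directives(conf):
        if d.startswith("preprocessor stream5_tcp:"):
            for opt in d.split(":", 1)[1].split(","):
                w = opt.split()
                if len(w) >= 3 and w[0] == "ports" and w[1] in cover:
                    cover[w[1]] |= set(range(1, 65536)) if w[2] == "all" else {int(p) for p in w[2:]}
    if not any(cover.values()):          # no 'ports' option at all: the defaults apply
        cover["client"] = set(STREAM5_DEFAULT_CLIENT)
    return cover

def sslpp_ports(conf):
    """TCP ports SSLPP watches: 'ports { ... }' if given, else the defaults; empty if off."""
    for d in directives(conf):
        if d.startswith("preprocessor ssl:"):
            if "{" in d:
                return {int(p) for p in d.split("{", 1)[1].split("}", 1)[0].split()}
            return set(SSLPP_DEFAULT)
    return set()

def audit(conf):
    """Return (SSLPP ports lacking server-side reassembly, default client ports dropped)."""
    s5 = stream5_ports(conf)
    no_reasm = sorted(sslpp_ports(conf) - s5["server"] - s5["both"])
    dropped = sorted(STREAM5_DEFAULT_CLIENT - s5["client"] - s5["both"])
    return no_reasm, dropped

# Constructed sample: the article's stream5_tcp line with 'ports both 443' plus the default SSLPP entry.
SAMPLE_CONF = """\
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \\
    ports both 443
preprocessor ssl: noinspect_encrypted
"""
```

On the sample, audit() reports that none of SSLPP's default ports get server-side reassembly and that all twenty default client ports were dropped by the "ports both 443" option; restoring the client list and narrowing SSLPP to 443 clears both findings.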

I hope this article has shown you a new feature introduced since Snort 2.8.0, and more importantly, shown you how to find and understand new capabilities as they are introduced.

Note: Thanks to beenph in #snort on for help with the ports client default option.

About the author
Richard Bejtlich is the founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
