Snortsam 2.53 out -- Significant Adds
Written by Matt Jonkman   
Tuesday, 29 April 2008

Frank Knobbe has put a good deal of time into Snortsam, solved a few lingering issues and made some great new additions. If you use Snortsam, or want to, this is the version to get.

 

The new source is available at http://www.snortsam.net/files/snortsam/snortsam-src-2.55.tar.gz  

 

More from Frank:

Greetings,

I just committed to CVS what I consider to be a significant update,
which includes the following changes:

* Increased stability of the Forwarder plugin in regards to persistent
connection handling. In the past, dropped connections (lost remote
Snortsams) would cause a crash which could lead to cascading crashes
along the Snortsam chain. Very aggravating :) That's been fixed and so
far I have not observed any more crashes when either the sending or
receiving Snortsam resets the persistent TCP connection or goes offline.
Looks pretty stable. I highly recommend persistent TCP connections
between Snortsams now.


* Changed DONTBLOCK and OVERRIDE such that they now properly recognize
all associated IP addresses for a given host name. So, when you
white-list, for example, www.cnn.com, it no longer white-lists only the
first IP address, but all of them.


* Wrapped certain thread-unsafe functions (for example usleep) into
mutex locks. This should hopefully fix any threading errors on Linux and
other platforms.

PLEASE, try this out. Remove any 'nothreads' from the config, and add
'forcethreads'. Then see if Snortsam runs fine, or if it locks up again
after a while. It should do well now, but if it still locks up, I'd like
to hear about it.


* The PIX plugin, as well as the Cisco Null Route and Email plugins,
have been extended such that they will check (after the first
block/email) if there are more block/unblock requests in the queue. If
so, they will leave their connection to the PIX/router/mailserver open
and logged in. They will skip the login part on the next block and reuse
the existing session. Only if there are no more requests in the queue
will they logoff and disconnect.

So they don't complete a full logon-block-logoff-logon-block-logoff
sequence if more than one IP address is to be blocked. Instead they
perform a logon-block-block-logoff sequence. This is especially helpful
for reloads (USR1 signal) where potentially thousands of IPs are
reblocked in one session. They now all get shunned in one logon session,
dramatically improving speed and efficiency.

The Block function of all plugins has been modified to accept a
"read-pointer" to the queue (it's actually not a pointer, but it sounds
better). Telnet-based plugins can use the boolean function
moreinqueue(readpointer) to check if more requests are waiting in the
queue, and then act accordingly. This is enabled only for
multi-threading plugins. For example, if you change the threading-model
of the PIX plugin from TH_MULTI to TH_SINGLE or TH_NONE, the function
will always return FALSE so that only one action is performed per Block
invocation. (This is to conform with the functionality that TH_SINGLE
describes, to complete one device of the given plugin type at a time.
That includes a complete logon-logoff cycle.)



I highly recommend everyone upgrades to this version (2.55).
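As an added illustration of the session-reuse behaviour Frank describes (a constructed model written for this post, not Snortsam's own code; the names more_in_queue, block, drain_queue and the request/session structs are hypothetical), this shows how a TH_MULTI plugin drains a queue in one logon while TH_SINGLE and TH_NONE pay a logon/logoff per request:

```c
#include <stdio.h>
#include <string.h>
enum thread_model { TH_NONE, TH_SINGLE, TH_MULTI };
/* One queued request: block=1 means shun, 0 means unblock. */
struct block_request { const char *ip; int block; };
struct queue { const struct block_request *items; int count; };
struct device_session { int logged_in, logons, actions, logoffs; }; /* state + counters */

/* Model of moreinqueue(readpointer): only a TH_MULTI plugin may peek at
 * the queue; any other model always answers "no", forcing a full
 * logon-action-logoff cycle per Block invocation. */
int more_in_queue(enum thread_model model, const struct queue *q, int readptr)
{
    if (model != TH_MULTI) return 0;
    return readptr < q->count;
}

/* Model of Block(): log in only if no session is open, act on entry
 * `readptr`, and log off only when nothing else is waiting behind it. */
void block(enum thread_model model, const struct queue *q, int readptr,
           struct device_session *s)
{
    const struct block_request *r = &q->items[readptr];
    if (!s->logged_in) {             /* telnet login to PIX/router/mailserver */
        s->logons++;
        s->logged_in = 1;
    }
    s->actions++;
    printf("  %s %s\n", r->block ? "shun" : "no shun", r->ip);
    if (!more_in_queue(model, q, readptr + 1)) {   /* nothing waiting: log off */
        s->logoffs++;
        s->logged_in = 0;
    }
}

/* Feed every queued request through Block and return the logons it cost. */
int drain_queue(enum thread_model model, const struct queue *q, struct device_session *s)
{
    memset(s, 0, sizeof *s);
    for (int i = 0; i < q->count; i++) block(model, q, i, s);
    return s->logons;
}

int main(void)
{
    /* Constructed sample: a reload re-blocking three addresses. */
    const struct block_request reqs[] = { { "192.0.2.10", 1 }, { "192.0.2.11", 1 }, { "192.0.2.12", 1 } };
    const struct queue q = { reqs, 3 };
    struct device_session s;
    printf("TH_MULTI:  %d logon(s)\n", drain_queue(TH_MULTI, &q, &s));
    printf("TH_SINGLE: %d logon(s)\n", drain_queue(TH_SINGLE, &q, &s));
}
```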