
Intrusion Detection System: Snort 2.9.2 Released

Besides monitoring many kinds of traffic, such as port scans, Snort also provides a range of plugins for writing its logs in XML form or to a database.

Snort has three modes of operation: sniffer, packet logger, and network intrusion detection system (NIDS). Sniffer mode simply reads packets off the network and displays them on the terminal as a continuous stream. Packet logger mode writes the packets to disk. NIDS mode analyses network traffic against a set of user-defined rules and takes a configured action when a rule matches. NIDS mode is the most complex of the three, and it is the configurable one.

Snort 2.9.2 has been released. The main changes:

[*] New Additions
 * SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors
   to support writing rules for detecting attacks for control systems.
   New rule keywords are supported, and DNP3 leverages Stream5 PAF
   support for TCP reassembly.  See the Snort Manual, README.dnp3 and
   README.modbus for details of the configurations and new rule

 * GTP decoding and preprocessor.  Updated the Snort packet decoders
   and added a preprocessor to support detecting attacks over GTP (GPRS
   Tunneling Protocol).  Snort's GTP support handles multiple versions
   of GTP and has a rich configuration set.  See the Snort Manual and
   README.GTP for details.

 * Updates to the HTTP preprocessor to normalize HTTP responses that
   include javascript escaped data in the HTTP response body.  This
   expands Snort's coverage in detecting HTTP client-side attacks.
   See the Snort Manual and README.http_inspect for configuration

 * Added Protocol-Aware Flushing (PAF) support for ftp.

[*] Improvements
 * Updates to Stream preprocessor to be able to track and store
   "stream" data for non TCP/UDP flows.  Also improvements to handle
   when memory associated with a blocked stream is released and usable
   for other connections.

 * Updates to dce_stub_data to make it act the same as file_data
   and pkt_data rule option keywords in how it interacts with
   subsequent content/pcre/etc rule options.

 * Updates to how Snort handles and processes signals received
   from the OS.

 * Enabled logging of normalized JavaScript to unified2 without the
   use of the --enable-sourcefire configuration option.

 * Improved handling of gaps and overlaps for "first" and "vista"
   policies in Stream5.

 * Added support for signal handler customization. At compile time,
   Snort can be customized to use different signal numbers.
   This allows problems with overlapping signals to be fixed on a
   per-platform basis, which is especially helpful for the BSDs.
   See the Snort Manual for more details.

 * Perfmonitor's output files ("now" files) are now created after
   Snort drops privileges. Output files will now be owned by the
   user and group specified with "-u" and "-g" at the command line.
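
The following snort.conf fragment and rule set is an added example, written for this page; it is not part of the 2.9.2 release notes and not code from the Snort project. It ties together the three modes described above and the items in the change list: the new DNP3, Modbus and GTP preprocessors with rules that use their keywords, PAF, the Stream5 "first" policy, JavaScript normalisation in http_inspect, perfmonitor output, unified2, and a rule showing how dce_stub_data now moves the detection cursor the way file_data and pkt_data do. The network ranges, ports, SIDs and content patterns are assumptions for illustration; the option and keyword spellings follow the README files the release notes cite (README.dnp3, README.modbus, README.GTP, README.http_inspect), so check them against the manual shipped with your own build. The srvsvc interface UUID in the last rule is the standard one, and SMB over 445 carries a 4-byte NetBIOS session header ahead of the SMB header, which the rule relies on.

```snort
# snort.conf fragment exercising the 2.9.2 features listed above.
# Added example; addresses, ports and SIDs are assumptions for illustration.

ipvar HOME_NET  [192.168.10.0/24]
ipvar PLC_NET   [192.168.20.0/24]              # assumed ICS segment
ipvar HMI_HOSTS [192.168.10.5,192.168.10.6]     # assumed engineering/HMI stations

# Protocol-Aware Flushing: Stream5 flushes on PDU boundaries, so the DNP3
# and ftp preprocessors see whole messages rather than arbitrary TCP segments.
config paf_max: 16000

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
# "first" is one of the two reassembly policies whose gap/overlap handling was
# improved in this release; choose the policy matching the protected host's OS.
preprocessor stream5_tcp: policy first, ports both 502 20000
preprocessor stream5_udp: timeout 180

# New SCADA preprocessors (README.dnp3, README.modbus).
preprocessor dnp3: ports { 20000 } \
    memcap 262144 \
    check_crc
preprocessor modbus: ports { 502 }

# New GTP decoder/preprocessor (README.GTP): 2123 GTP-C, 2152 GTP-U, 3386 GTPv0.
preprocessor gtp: ports { 2123 2152 3386 }

# JavaScript normalisation of HTTP response bodies (README.http_inspect).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    normalize_javascript

# Required by the dce_iface / dce_opnum / dce_stub_data rule below.
preprocessor dcerpc2: memcap 102400
preprocessor dcerpc2_server: default

# The stats file is now created after the privilege drop, so it is owned by
# the -u/-g user rather than root.
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

# unified2 now receives normalized JavaScript without --enable-sourcefire.
output unified2: filename snort.u2, limit 128

# ---- rules using the new keywords (constructed; SIDs in the local range) ----

# Modbus: a multi-coil write that does not originate from a known HMI station.
alert tcp !$HMI_HOSTS any -> $PLC_NET 502 (msg:"SCADA Modbus write_multiple_coils from unexpected host"; \
    flow:established,to_server; modbus_func:write_multiple_coils; \
    sid:1000001; rev:1;)

# Modbus: unit 1; modbus_data puts the cursor at the start of the Modbus data
# field, so depth:2 inspects the register address, not the MBAP header.
alert tcp any any -> $PLC_NET 502 (msg:"SCADA Modbus write to register 0 on unit 1"; \
    flow:established,to_server; modbus_func:write_single_register; modbus_unit:1; \
    modbus_data; content:"|00 00|"; depth:2; sid:1000002; rev:1;)

# DNP3: a cold restart is rarely legitimate from anything but the master.
alert tcp any any -> $PLC_NET 20000 (msg:"SCADA DNP3 cold_restart request"; \
    flow:established,to_server; dnp3_func:cold_restart; sid:1000003; rev:1;)

# DNP3: outstation sets the device_trouble internal indication in a response.
alert tcp $PLC_NET 20000 -> any any (msg:"SCADA DNP3 outstation reports device_trouble"; \
    flow:established,to_client; dnp3_ind:device_trouble; sid:1000004; rev:1;)

# GTPv1: Create PDP Context Request (message type 16) carrying an IMSI IE (type 2).
alert udp any any -> any 2123 (msg:"GTPv1 Create PDP Context Request with IMSI"; \
    gtp_version:1; gtp_type:16; gtp_info:2; sid:1000005; rev:1;)

# dce_stub_data now moves the cursor like file_data: the first content matches
# inside the decoded stub; pkt_data returns to the raw TCP payload, where the
# SMB header follows the 4-byte NetBIOS session header.
alert tcp any any -> $HOME_NET 445 (msg:"DCERPC srvsvc opnum 31 stub begins with zero dword"; \
    flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31; \
    dce_stub_data; content:"|00 00 00 00|"; depth:4; \
    pkt_data; content:"|FF|SMB"; offset:4; depth:4; \
    sid:1000006; rev:1;)
```

The three modes from the introduction map onto the command line like this: `snort -v -i eth0` runs the sniffer (add `-d` for application data and `-e` for link-layer headers), `snort -dev -l /var/log/snort -i eth0` is the packet logger, and `snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -u snort -g snort` is NIDS mode, which is the only one that reads this configuration. Passing `-u`/`-g` matters here because, as the notes say, the perfmonitor "now" file is created after the privilege drop and will be owned by that user and group; the unified2 file is then readable by the same account that runs your log-processing tooling.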