Barnyard2-1.7 … Can’t wait anymore? Grab Beta 4!

October 18th, 2009 by firnsy

As you may, or may not, have noticed … Snort 2.8.5 has finally arrived! This has introduced some interesting things into the unified2 file format, the most notable of which is the recording of VLAN ID tags when compiled with the appropriate flags.

In order to best support these new features, we’ve taken the time to merge all pertinent changes from the Snort 2.8.4.1 to 2.8.5 transition into our code base.

There is bound to be some form of breakage because it’s hard to test every compiler/argument/config option combination, until I finally get around to writing the unit testing framework. Fortunately, you guys are quick to point out any issues so I’m happy to get things moving.

Grab the latest beta and let us know how you go!

Barnyard2-1.7 … Beta 3!

October 2nd, 2009 by firnsy

This beta 3 release was a little later than anticipated and I blame the Oktoberfest for that.

In short this beta release has the following:

  1. Some issues with the tcpdump logging output addressed and ready for testing.
  2. A new RPM spec has been applied thanks to Tom McLaughlin.
  3. Initial packet/event caching mechanism to better handle reading alerts based on streams (to be completed by 1.7 stable).

With Snort 2.8.5 just released we will be extending the 1.7 beta to align the codebase to the new version and also sort out the aforementioned item 3 and hopefully make Jonathan a happy man.

You know the drill – download, use, abuse, flame ;)

NSMnow – 1.5.0

September 5th, 2009 by firnsy

The last month has seen some interesting additions to the code base (motivated by Doug Burks) which will ultimately aid our non-Debian brethren. The 1.5 series sees the initial completed feature set for Fedora, RHEL and CentOS systems. This is excellent news for those who have wanted to have, use, test an NSM configuration for themselves but were daunted by the process of doing it from scratch.

With this being the initial release with support for Fedora, RHEL, and CentOS systems there are bound to be some teething problems. So as long as you submit the bug reports, we will fix them and NSMnow will continue to get even better, if that’s possible.

Happy NSM’ing! :)

Barnyard2-1.7 … Yes! Beta 2

September 4th, 2009 by firnsy

Ok, so there’s been some interesting feedback over the past few weeks which has of course manifested itself into more updates. I love updates, and how code evolves over time in the attempt to become the most structured and stable thing it can be.

Enough of the philosophical talk and onto what this beta release provides. I’m not going to say it but hopefully the last of the waldo file issues (record index not being saved on exit) has been solved. My fingers are crossed. There has also been some attention paid to the output plugins, namely the alert_cef plugin which was crapped on from a great height on a recent merge. IPv6 is getting a little attention lately courtesy of Breno Silva and the input processing is now accepting IPv6 unified logs.

If you want to help with the IPv6 development (i.e. you have a test IPv6 environment to play on) then shoot us an email. Other than that, go grab the beta and let us know how you get on.

NSMnow – 1.4.2 … Link Updates

August 8th, 2009 by firnsy

Nothing noteworthy in this installment. The barnyard2 links have been updated to point to the new version 1.6.

We do have a few exciting things planned for the next release thanks to the contributions provided by you guys. So stay tuned for that …

Barnyard2-1.6 … Addressing the smaller issues!

July 15th, 2009 by firnsy

It’s been a number of weeks since the last beta release and so the time has come to release the 1.6 stable. There were not a lot of significant updates in this series but more importantly a number of small usability issues were addressed and rectified.

A quick summary of the inclusions for the 1.6 series is:

  1. Waldo files are now honoured appropriately.
  2. Reference files can NOW be specified on the command line via the “-R” option.
  3. Map files parsing has been reworked.
  4. Database output plugin is now more resilient to signal interrupts.

If you have any feedback, issues or requests then please let us know.

Grab the latest from the barnyard2 download page.

Enjoy!

Barnyard2-1.6 beta 2 … automake, autoconf, autoAARGH!

June 29th, 2009 by firnsy

This small release fixes the automake horror that was preventing the host from being correctly identified during the configuration. Suffice to say that as good as the automake tools can be they also have the ability to become your worst nightmare and leave you forever chasing your tail.

I caught my tail and have updated the link on the download page to the new beta.

Enjoy!

Barnyard2-1.6 beta 1 … Grab the bug spray!

June 17th, 2009 by firnsy

This release is the first round of 1.6 and has a number of bug fixes that address the following issues:

  1. Waldo files not being created or updated as expected.
  2. MySQL reconnect issues and obscure looping.
  3. The reference system file can now be explicitly set at the command line via “-R”.

There is still a known issue with compilation on FreeBSD (and I’m guessing *BSD/Mac machines) which has been tracked down to the autoconf files, configure.in and config.guess. That being said if you are an autoconf wizard and know why the barnyard2 configure does not call config.guess to ascertain the correct host then we want to hear from you. In the meantime you can explicitly set the host using:

# ./configure --host=`./config.guess`

Head over to the download page and test the new beta out. Your feedback is most welcome!

NSMnow 1.4.1 – New links.

May 30th, 2009 by firnsy

This release of NSMnow is primarily an update for the links to barnyard2 and Snort (due to its new site structure).

A bug with the automatic process management of multiple sensors has been addressed and patched accordingly, thanks to Jon. B. Bayer for finding that one for us.

Some of the team will be looking at the administration a little closer over the next few months so if there are any pressing administrative features you believe should be included then be sure to let the dev team know about them.

Until then, grab the latest copy from the NSMnow download page and give it a spin.

Barnyard2-1.5 … Marking the end of May.

May 30th, 2009 by firnsy

With the end of the month nearing and all submitted bugs quashed we thought it time to push out a final release of 1.5.

A number of betas were released throughout this cycle and we are very grateful to those who have taken the time to test the patches to make this push possible. Given the improved quality of response to this format we will continue to follow this for future releases.

A quick summary of the inclusions for the 1.5 series is:

  1. all, but one (alert_sf_socket), Snort plugins supported
  2. Snort 2.8.4.1 alignment
  3. reference system configuration
  4. updated PID file handling
  5. improved spo_database handling of mysql server connection drop outs.

Grab the latest from the barnyard2 download page.

Enjoy!