Everything inline.

Sguil 0.7 CVS installation on Debian Etch


Sguil 0.7 is taking shape quite nicely. One of the most interesting new features is the splitting up of different types of agents and the option to create ’net groups’. These are groups of agents that Sguil considers part of the same network. You can use this to spread the agents over multiple servers, but still use them from Sguil as if they were one single sensor. For example, this way you can easily create a Snort sensor and a separate full content logging capture server. When you request the full content for a Snort event in Sguil, it will know that it needs to request the packet data from the capture server. This way you can also have multiple Snort agents without the need for capturing the same sancp and full content data over and over again.

Snort_inline 2.6.1.5 released


Finally, after many months of development and testing, Snort_inline 2.6.1.5 has been released. It’s the first stable release in almost a year and also the first stable release based on Snort 2.6. William sent the announcement:

snort_inline-2.6.1.5 released

List,

I know it has been a long time since we have had a non-beta release,
but what can I say? Victor and I have both been busy in our personal
and professional lives. If you have been running the version of code
in SVN, there are no major updates with this release other than a
memleak fix for stream4inline. I don't think this gets said often
enough, so I would like to thank Sourcefire for all the hard work they
put into snort and the snort rule sets from which I and the rest of the
community greatly benefit.

Regards,

Will

snort_inline-2.6.1.5
http://snort-inline.sourceforge.net/download.html

Differences between snort in inline mode and snort_inline
http://www.inliniac.net/blog/?p=74

Go and get it! :)

Installing and creating Autopackages in a chroot


This may be a little off-topic for this weblog, but since I spent quite some time researching this, I’ve decided to write about it anyway. When preparing a new release for Vuurmuur, I wanted to create an Autopackage as well. For those who are unaware of it, Autopackage is a distribution-independent installer for Linux binaries. Because creating packages for every distro, including all flavors and versions, is way out of my reach, a general installer can save the day.

Memory leak fixed in stream4inline


A few days ago William told me that if he enabled stream4inline on a busy gateway, Snort_inline would consume all memory within hours. The problem went away when disabling stream4inline, so it made sense that the problem would be in there somewhere.

The first suspect was the reassembly cache. The reassembly cache is used to keep a per-stream copy of the reassembled packet in memory. While memory expensive, it greatly speeds up the sliding window stream reassembly process, especially with small packets. The reason for this being the first and primary suspect is that this is the only place where the stream4inline code allocates memory. Reviewing the code, however, showed no leaks, and adding a debug counter to monitor the memory usage also showed that the leak was not in that code.

Vuurmuur NFQUEUE support


Vuurmuur has supported the QUEUE target for a while already, even though it needed a little bit of a hack to handle the state. This is because the iptables ruleset Vuurmuur creates is quite simple: after a few general protection rules it starts by accepting traffic with the state established. Since there is no way to say ‘queue established traffic that was queued before’ in iptables, I decided to use traffic marking to distinguish between traffic to be queued or accepted. But there was a problem with this approach. I didn’t want to cripple the marking of traffic for other purposes, such as traffic shaping and routing, so I decided to use mark ranges to either queue or accept:

ModSecurity IRC channel


For a few weeks now there has been an active IRC channel for ModSecurity. It’s hosted on the Freenode network. The channel name is #modsecurity.

Join us there! :)

Snort_inline updated to 2.6.1.5 in SVN


SourceFire just released Snort 2.6.1.5, so I have updated our patch to that version. You can get it by checking out SVN with the following command:

svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk

Check it out! :)

Differences between Snort and Snort_inline


Every few weeks the same question comes up: what is the difference between Snort in inline mode and Snort_inline? This makes sense, because the Snort_inline documentation and website fail to explain it. In this post I will try to highlight the main differences. In general I can say that we try to develop Snort_inline as a patchset on top of Snort. Snort_inline is focused on improving the inline part of Snort. Originally, of course, Snort’s inline capabilities were developed in the Snort_inline project. With Snort 2.3.0RC1 they were merged into mainline Snort.

Vuurmuur SVN now open


For version control of Vuurmuur development I have been using Bazaar and Bazaar-NG. I’ve never really gotten used to Bazaar-NG. I admit that this is mostly due to lack of trying. For the Snort_inline project I have gotten used to Subversion, for which I even bought a book (Practical Subversion by Garrett Rooney, great book!). So recently I decided to move Vuurmuur to SVN as well, for these three reasons:

  • this way I need to work with only one tool
  • people in the OSS community are more used to SVN, so it’s easier for users and for people interested in contributing
  • Bazaar-NG doesn’t support SVN-style tags, except (I think) for the latest version, which is not in my distro

So the SVN repository is now open. It is hosted at SourceForge at:

Snort_inline updated to 2.6.1.4 in SVN


After moving, which went fine, I now finally have some real coding time again. The last week I have been updating and fixing various parts of Snort_inline. The most important change was the update to Snort version 2.6.1.4, which contains security fixes. William also found an issue with the stream4inline code: the memcap that the admin sets to limit the amount of memory used by stream4 wasn’t properly enforced.