Friday, February 6, 2009

Important Snort rule changes and the new dcerpc preprocessor

In the very near future, the release of Snort 2.8.4 is going to bring about some major changes to the way that NetBIOS traffic is handled. This is because of the new dcerpc2 preprocessor.

This preprocessor handles all the DCE/RPC decoding that was previously done inside the rules themselves, with flowbits chaining a lot of those rules together. The upshot is that the number of netbios rules released for any vulnerability that can be exploited over dcerpc is going to be reduced greatly. The number of netbios rules previously released is also going to be reduced in a similar manner.

The downside is that this functionality is only available in Snort 2.8.4 with the dcerpc2 preprocessor. There is no backwards compatibility. Also, a number of netbios rules will be deleted and replaced.

In order to keep up with current detection, upgrading Snort is the only option. A release candidate version of Snort 2.8.4 is about to be released "real soon now". During this RC period for Snort 2.8.4 and dcerpc2, the VRT will provide a replacement netbios.rules file to be used in place of the existing netbios.rules. Thus, every one of you who decides to help out with the RC will have something to work with, and it will give you a nice preview of what is going to happen with the rules. Once Snort 2.8.4 is released, this file will become the new netbios.rules.

It is very important to note that the dcerpc2 preprocessor will have to be used in order to get detection using these rules. The old preprocessor will be completely deprecated; all new rules moving forward will use the new preprocessor and the keywords it provides.
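As an added example (not from the original post and not the VRT's own rule set), here is what enabling the new preprocessor and writing a rule against its keywords looks like in Snort 2.8.4. The two dcerpc2 configuration lines follow the defaults documented in the README.dcerpc2 shipped with Snort; the rule is a constructed illustration of the dce_iface, dce_opnum and dce_stub_data keywords with a placeholder sid and a placeholder threshold, not a detection for any particular vulnerability.

```snort
# snort.conf: enable the dcerpc2 preprocessor (Snort 2.8.4 and later).
# Global settings: memory cap for reassembly buffers and which event
# classes (SMB, connection-oriented and connectionless DCE/RPC) to alert on.
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]

# Per-server settings. "policy" tells the preprocessor how the target OS
# reassembles SMB and DCE/RPC fragments, so evasions are decoded the way
# the target would decode them. Port lists are the README defaults.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# Replace any existing "preprocessor dcerpc: ..." line. The old preprocessor
# is deprecated and does not understand the keywords used below.

# Constructed rule (placeholder msg, sid and threshold) showing the keywords
# that dcerpc2 adds to the rule language:
#   dce_iface     - matches requests on a bound interface UUID (here SRVSVC).
#                   The preprocessor tracks the bind/alter-context itself, so
#                   the bind and the request no longer have to be tied together
#                   with flowbits across several rules.
#   dce_opnum     - matches the operation number(s) of the request.
#   dce_stub_data - moves the detection cursor to the start of the stub data
#                   (the marshalled arguments), past the DCE/RPC headers.
# The "dce" modifier on byte_test makes it honour the byte order the
# preprocessor decoded for the request instead of a fixed endianness.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445] ( \
    msg:"EXAMPLE srvsvc opnum 0-11 request, first stub field over 1024"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:0-11; \
    dce_stub_data; \
    byte_test:4,>,1024,0,relative,dce; \
    classtype:attempted-admin; sid:1000001; rev:1; )
```

The policy value is worth getting right per server group rather than left at the default: Windows and Samba targets reassemble fragmented and chained requests differently, and the preprocessor reproduces the behaviour of whichever target you name, so a mismatch is where evasions slip through. Because the old rules were written against raw packet bytes and flowbits, they cannot simply be loaded alongside these; the replacement netbios.rules file the post describes is the intended path.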

The bottom line is that if you want to stay current with detection, you will have to upgrade to Snort 2.8.4 and use the dcerpc2 preprocessor. We will not be maintaining the old rules from the netbios category, and we will not release any new detection using the old format.