This morning I updated our Snort_inline codebase with SourceFire’s just released 2.8.2.1 version. See the original changelogs here: 2.8.1, 2.8.2, 2.8.2.1.
Also Richard Bejtlich and Nr have good posts about the improvements of the last versions. See Richards post about a fixed frag3 vulnerability here and see Nr’s post here.
Please note that our SVN code has seen limited testing so far, so be careful! Please report any issues!
A while ago I wrote about porting Snort_inline to 2.8.0.1. That worked well, however we are still trying to resolve some issues. Especially in stickydrop, that is just broken right now. Also, SourceFire released 2.8.0.2 last week, so we need to update to that too.
First however, I will be traveling to California this week. I will be meeting Will there, so I’ll try to get him to fix that damn code 
I’ve just committed an update to Snort_inline’s SVN. It brings it to the Snort 2.8.0.1 level. It supports both IPv4 and IPv6 on IPQ and NFQ. I have not been able to test IPFW on IPv6, so I don’t think that will work currently.
This update removes the libdnet dependency and replaces it with libnet 1.1. To be able to send ICMPv6 unreachable packets you will need the libnet 1.1 patch I wrote a while ago. You can find that here. Get the latest Snort_inline by checking out SVN:
svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
Consider the code to be of beta quality for now, so be careful with it. Please report any problems with it!
Again, a big thank you to NitroSecurity for funding this work!
Matt Jonkman of Emerging Threats asked me to have a look at the existing Snortsam 2.8.0.1 patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort’s IPv6 support enabled and added a check so it won’t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it’s provided as a ‘normal’ diff. Here is the patch: http://www.inliniac.net/files/snortsam-2.8.0.1.diff
Here are the instructions for getting your Snort 2.8.0.1 source patched:
Make sure you have a clean Snort 2.8.0.1 tree, then patch it:
cd snort-2.8.0.1
patch -p1 < ../snortsam-2.8.0.1.diff
Next, run ‘autojunk.sh’ to update the build system (you need to have libtoolize, aclocal, autoheader, autoconf and automake installed). After this, configure and build Snort normally:
./configure <your configure options>
make
make install
Thats it.
Thanks to Matt Jonkman of Emerging Threats for paying me to do this and CunningPike for doing the first iterations of the patch!
The last week I’ve been working on bringing Snort_inline to the Snort 2.8.0.1 level, including it’s IPv6 support. I’m almost ready to commit it to SVN, there are just some issues I need to fix in the inline specific code. The code will get rid of libdnet and use libnet 1.1 for sending reset/reject packets for both IPv4 and IPv6. After committing I will start working on getting the IPv6 features I wrote for NitroSecurity into this tree. This includes more matches, tunnel decoding (including for example the freenet6 tunnel, etc). So stay tuned!
Matt Jonkman is stepping out of the Bleeding Edge project. He announced this here. Apparently Sensory Networks, one of the sponsors of the project, now owns it. It will be interesting to see if they will continue it, and if so, how. Honestly, I’m a bit skeptical, since to my knowledge not many Sensory people are directly involved at this moment. Still I believe Sensory consists of good people. I did a contract job for them about a year ago, and enjoyed working with them.
I think I speak for many if I say “Thanks” for all the hard work Jonkman has done for Bleeding, and I really look forward to new projects he will start or get involved in! Thanks Matt!
Libnet is a cool packet crafting tool, used by Snort to send TCP reset packets and ICMP unreachable packets as part of active responses. Libnet 1.1 supports IPv6 which is what I needed for my work. After some reading and testing there were a few problems. First, while possible to send TCP reset packets, the packets didn’t have a correct checksum and debugging this with valgrind showed lots of memory errors. Second, ICMPv6 was only partly implemented. The libnet_build_* functions for it are missing. This is, by the way, quite a common picture. Many libraries and projects have some support for IPv6, but generally incomplete and less well tested.
For my work on a IPv6 enabled Snort_inline I’ve only fixed the checksum issue and added a libnet_build_icmpv6_unreach() function. The patch against libnet 1.1.3-RC-01 can be found here. It’s development was funded by the great people of NitroSecurity Inc., who are funding my work to bring IPv6 to Snort_inline. The work is not based on Sourcefire’s recent IPv6 implementation, so it will be interesting to see if and how those codebases can be used to improve each other. The changes to Snort_inline will be made available as well later, WhenItsDone(tm) 
Like with the support for NFQueue, NitroSecurity gives back to the community, which I really appreciate!
The patch: http://www.inliniac.net/files/libnet-1.1.3-RC-01-ipv6.diff.gz
Recently I wrote about the idea to log all HTTP transactions into Sguil using my Modsec2sguil agent. I’ve implemented this in the current 0.8-dev5 release and it works very well. All events go into Sguil smoothly and I’ve not experienced slowdowns on the webserver. I’ve been running it for almost a week now, like to share the first experiences here.
I find it to be quite useful. When receiving an alert, it is perhaps more interesting to see what else was done from that ipaddress than to see what was blocked (unless you are suspecting a false positive of course). One area I find to be useful is when I’m creating rules against comment spam on this blog. By seeing all properties of a spam message I can create better rules. For example on broken user-agents or weird codes inserted into the comment field of Wordpress.
It’s easy to search and filter on HTTP response codes because the code is a part of the RT message. For example, when searching for all HTTP 500 error codes, add the following ‘WHERE’ clause to a query:
WHERE event.signature like “%MSc 500%”
This works quite fast although you best limit the query on properties like date and port as well. To get all the HTTP code 500 alerts from the last days do something like:
WHERE event.timestamp > ‘2007-08-18′ AND (event.dst_port = 80 OR event.dst_port = 443) AND event.signature like “%MSc 500%”
One thing that is disappointing is the inabillity to search in the event payloads stored in the database. Technically it’s possible to create mysql queries that search for certain strings, but this process is so slow that it’s hardly usable in practice. The problem here is that the database field containing the payload is not indexed. I’ll show the query I used here (ripped from David Bianco’s blog)
WHERE event.timestamp >= ‘2007-08-18′ AND (event.dst_port = 80 OR event.dst_port = 443) AND data.data_payload like CONCAT(”%”, HEX(”Mozilla/5.0″), “%”)
If you know a more efficient query, please let me know!
Today I noticed that Snort 2.7.0 was quietly released on July 12th. I have a problem with this release, a licensing problem. I have written about my issues with Sourcefires Snort licensing before here and on the mailinglist as well, here. They seem to have listened a little bit, since they are no longer claiming copyright of Todd C. Millers BSD licensed strlcpy and strlcat implementation. Sadly, our other complaints are completely ignored.
Sourcefire claims that Snort is governed by the GPLv2 only. There is a problem with this claim. It’s actually a license change from the recent past. Snort used to be under “GPLv2 or (at your option) any later version”. Now it isn’t anymore. Thats a license change. Now don’t get me wrong, I don’t have any problem with Sourcefire relicensing their code. It’s their right do so. But only for their code. Not for my code, not for code they don’t own the copyright from. In other words, not for all of Snort.
Sourcefire changed the license also for the parts of Snort they don’t own. But, the funny thing is, Sourcefire isn’t even claiming full copyright on Snort. For example in src/inline.c they state “Portions Copyright (C) 1998-2006 Sourcefire, Inc.”. In another example, the file src/preprocessors/spp_arpspoof.c states “Copyright (C) 2001-2004 Jeff Nathan <jeff@snort.org>”. There are many more files where Sourcefire doesn’t claim the (full) copyright for an obvious reason. They don’t own it for these files.
Sourcefire says it is distributing Snort under the GPLv2 so that’s the license governing it. Yes it’s true: Snort until this day is and was distributed with a copy of the GPLv2 license. But their site until very recently clearly stated “This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.” (source). How recent is recently? Well the newest archived version of the Snort site in the wayback machine is from May 9th, 2007. It has the above text, thats less than three months ago. This was no accident, this line of text has been on the Snort site as long as the wayback machine takes us back, which is until the year 2000. But wait, there is more: Many, I estimate the majority, of the source files of the Snort source code of Snort 2.6.1.5 contain that same line as well.
So now Sourcefires claims that “SNORT is an open source project that is governed exclusively by the GPL V2 and any third party desiring to use, modify or distribute SNORT must do so by strictly following the terms and conditions of GPL V2. Anyone using, modifying or distributing SNORT does not have the option to choose to use, modify or distribute SNORT under any revised or new version of the GPL, including without limitation, the GNU General Public License Version 3.” (source) This is clearly a license change because under the conditions active until at least May 9th, 2007, the user was free to select a newer version of the license as well. The funny thing is, the original page stating this is still online at snort.org. And that STILL says “GPLv2 or (at your option) any later version”.
I draw two conclusions from this. First, there was a license change. It’s clear that Snort used to be under the “GPLv2 or (at your option) any later version.” The page claiming that until at least May 9th of this year is even still online. Until 2.6.1.5 (and possibly 2.7.0rc1) most of the source code contained the same language. Second, Sourcefire had no right to relicense all of Snort. They have no right because they don’t own all of the copyright. What can they do about it? Simple: remove the current 2.7.0 release, and replace it by one that respects everyones rights!
Disclaimer: I’m not a lawyer, nor do I look like one or am I married to one. But I believe my point of view is correct. If you believe it’s not, please let me know.
Today the final version of the GPL version 3 was released. This is interesting from many perspectives, and one of them is Snort licensing. Much has been written about Snort and the GPL lately, but that was all about new license language introduced with Snort 3.0 alpha and not about the currently maintained and developed 2.6 and 2.7 branches. When I’m talking about Snort here and now, I mean those versions prior to 3.0.
Snort, like many other OSS projects (including my own Vuurmuur and Modsec2Sguil) comes with many files (but not all) that are distributed with the following lines in the copyright notice:
** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License as published by ** the Free Software Foundation; either version 2 of the License, or ** (at your option) any later version.
What it says, is that the GPLv2 license applies to this file, but that if there is a newer GPL license available (GPLv3 in this case), you may choose to ‘redistribute it and/or modify it’ under that later version. So it appears that this means that the files in Snort that contain this header can be distributed under the GPLv3 as well.
SourceFire however, disagrees. Martin Roesch wrote on Snort.org that SourceFire has chosen not to do the transition to the GPLv3 yet. He points to a page on the snort.org site where it is explained why SourceFire thinks that despite the ‘(at your option) any later version’ line, only the GPLv2 applies to Snort.
The reasoning is rather simple, Snort is governed by the GPLv2 because it is governed by the GPLv2. Here is how SourceFire said it:
“SNORT is an open source project that is governed exclusively by the GPL V2 and any third party desiring to use, modify or distribute SNORT must do so by strictly following the terms and conditions of GPL V2. Anyone using, modifying or distributing SNORT does not have the option to choose to use, modify or distribute SNORT under any revised or new version of the GPL, including without limitation, the GNU General Public License Version 3.” (source)
I think this is an impossible position. For years the Snort source code has been distributed leaving the option to developers to pick a new version of the GPL when it would become available. But now that this time has come, they are coming back to that. Here is what they say:
“For ease of reference, the comparable notice that is used with SNORT (contained in the ‘README’ file) is as follows:
“This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License.”” (source)
Note however, that future versions of Snort may hold this notice, but currently released code does not. Apparently, SourceFire has no trust in their own explanation of the ‘(at your option) any later version’ line, so they are going to remove it altogether.
In my opinion this is effectively a licensing change. It changes from GPLv2+ to GPLv2. This has a couple of implications. First of all, all code already out there is licensed as it is. The language in the source files is clear. Second of all, while SourceFire has certainly written the vast majority of code, not all code in Snort is copyrighted by them. Copyright of the Snort_inline project was not transferred to SourceFire when they incorporated our inline patch in 2.3.0RC1. There may be other contributions by others without copyright transfer.
Many projects have chosen to change the licensing language long ago to remove the ‘(at your option) any later version’ line. SourceFire hasn’t done this. It is my believe that by deliberately spreading the code with this clause for many years, SourceFire is allowing anyone to ‘redistribute it and/or modify’ the affected source files under the GPL version 3.
Disclaimer: this is my personal opinion, not (necessarily) the opinion of other Snort_inline developers.